Compliance Frameworks
BETA// Beta Mapping Disclaimer
Framework mappings are currently in beta. These references are generated based on technical specifications and common industry alignments. Mappings may be incomplete or inaccurate; always consult with a qualified auditor for official compliance validation.
Overview
Use AWS Artifact to access AWS-issued security and compliance reports (SOC 2, ISO 27001, PCI DSS, FedRAMP) and attach them as evidence to AWS Audit Manager, a GRC or audit tool, providing auditors with a unified view of both AWS-managed and customer-managed controls under the Shared Responsibility Model.
AWS Artifact provides on-demand, NDA-gated access to AWS's own third-party audit reports. These documents serve as evidence for the 'Security of the Cloud' layer in the Shared Responsibility Model - i.e., the physical, network, and hypervisor controls that AWS operates on the customer's behalf. Linking these reports AWS Audit Manager, a GRC or audit tool ensures that internal and external auditors have a complete and traceable evidence package. AWS typically publishes updated SOC 1 and SOC 2 reports every six months; ISO and PCI reports are updated on their respective certification cycles. Organizations should establish a tracking mechanism to detect when new report versions are published and refresh their evidence accordingly.
Auditors require documented proof that the underlying cloud infrastructure meets applicable compliance standards. Without current AWS Artifact reports, organizations cannot demonstrate the 'Security of the Cloud' component of their compliance posture, which can result in audit findings or certification failures regardless of the quality of customer-managed controls.
Remediation Strategy
On a quarterly basis, review AWS Artifact for newly published report versions relevant to your compliance scope. Accept any updated NDAs, download the reports, and attach them as manual evidence to AWS Audit Manager, a GRC or audit tool.
Log in to the AWS Management Account or a delegated administrator account with Artifact access permissions.
Navigate to AWS Artifact > Reports and filter by the compliance frameworks in scope (e.g., SOC 2, ISO 27001, PCI DSS).
Review the publication date of each report and compare against the version currently stored in AWS Audit Manager, a GRC or audit tool.
Accept any updated NDAs for newly published report versions.
Download the latest reports and upload them as Manual Evidence to the relevant AWS Audit Manager, GRC or audit tool.
Record the retrieval date and report version in AWS Audit Manager, GRC or audit tool.
# List all published reports available in AWS Artifact
aws artifact list-reports \
--query "reports[?state=='PUBLISHED'].{Name:name, Category:category, PeriodStart:periodStart}" \
--output table