AWS Audit Manager helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards. Audit Manager makes it easier to assess if your policies, procedures, and activities, also known as controls, are operating effectively. Audit Manager offers prebuilt frameworks with controls that are mapped to common industry standards and regulations, full customization of frameworks and controls, and automated collection and organization of evidence from your AWS usage as defined by each control requirement. When it is time for an audit, AWS Audit Manager helps you manage stakeholder reviews of your controls and enables you to build audit-ready reports with much less manual effort.
AWS Audit Manager offers prebuilt frameworks that cover a range of compliance standards, and they are developed with AWS best practices in mind. These frameworks help map your AWS resources to the requirements for industry standards and regulations. Examples of prebuilt frameworks in AWS Audit Manager include AWS Control Tower, AWS License Manager, CIS AWS Foundations Benchmark 1.2.0 & 1.3.0, CIS Controls v7.1 Implementation Group 1, FedRAMP Moderate, the General Data Protection Regulation (GDPR), GxP 21 CFR part 11, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) v3.2.1, the Service Organization Control 2 (SOC 2), and NIST 800-53 (Rev 5). AWS Audit Manager also provides a prebuilt framework to help gain visibility into how your generative AI implementation on Amazon Bedrock is working against AWS recommended best practices. Refer to the full list of supported frameworks in AWS Audit Manager documentation.
Custom frameworks and controls
AWS Audit Manager enables you to build your own framework using either custom controls or AWS-managed controls that help you meet your audit requirements. Customizing an Audit Manager framework helps you evaluate controls in your existing framework for compliance with your particular business requirements. You can define custom controls to collect evidence from specific data sources to help show you are meeting internal audit and compliance requirements. Each piece of evidence becomes a record containing the information you need to demonstrate compliance with the requirements specified by a control.
Automated evidence collection
Once an assessment has been defined and launched, AWS Audit Manager automatically collects data for the AWS accounts and services you have defined to be in scope for an audit. The evidence contains both the data captured from that resource and metadata that indicates which control the data supports, to help you demonstrate security, change management, business continuity, and software licensing compliance. Audit Manager collects and organizes evidence from AWS CloudTrail and other AWS services you may be using, such as AWS Config, AWS Security Hub, and AWS License Manager. You can also manually upload other evidence, such as policy documents, training transcripts, and architecture diagrams, to stay organized.
Multi-account evidence collection
AWS Audit Manager supports multiple accounts via integration with AWS Organizations. Audit Manager assessments can run over multiple accounts and will collect and consolidate evidence into a delegated administrator account in AWS Organizations.
You can delegate control sets to team members who are specialized in certain topic areas, such as network infrastructure, identity management, software licensing, or personnel policies. The delegation feature enables those team members to review the control set and related evidence, add comments, upload additional evidence, and update the status of each control.
Audit Manager lets you more easily sift through thousands of pieces of collected evidence from multiple disparate sources, using search filters and groupings to identify trends and cross-reference issues. This helps you investigate issues identified via flagged compliance checks in the service, either in assessments – an automated data collection process against a specific set of controls – or on the Audit Manager dashboard. To start searching through your evidence, go to the left navigation menu in the Audit Manager console and select the ‘Evidence Finder’ page, choose the assessment and time range you want to search through, and then select the parameters and filters for your search. Enabling this feature triggers ingestion and storage of Audit Manager evidence into AWS CloudTrail Lake. CloudTrail Lake pricing applies.
AWS Audit Manager automates evidence collection and organizes the evidence as defined by the control set in the framework you selected. You and your team can review evidence, comment on evidence, upload other supporting evidence, and update the status of each control. You then select the relevant evidence to include in your assessment report and generate a final assessment report to share with your auditors. The final assessment report contains a summary file for your assessment and provides links to an organized set of folders containing related evidence, which are named and organized as defined by the control set in each framework. The Audit Manager assessment report uses cryptographic verification to help you ensure the integrity of the assessment report.
Third-party risk assessment
AWS Audit Manager provides features that help reduce the manual effort of third-party risk assessment. One example is the framework-sharing feature that allows you to share custom frameworks with your vendors in accordance with your organization's compliance requirements. Vendors can then gain access to these customized frameworks and use them to create assessments. In Audit Manager, an assessment is used to collect evidence for controls within the scope of your audit. Using the shared framework as a starting point, vendors can create an assessment that collects evidence for the controls in that framework.
Additionally, you can create vendor risk assessment questions and share them with your vendors and partners to collect audit evidence through text responses or documentation. These third parties can then package their responses, along with any uploaded files and automated evidence collected, into an assessment report and share them back with you.
Vendors can also export all of the automated evidence collected in their AWS accounts as a CSV file in Evidence Finder, making it simpler for them to share evidence with you in a widely supported format.