Skip to main content

AWS Audit Manager Documentation

Prebuilt frameworks

AWS Audit Manager offers prebuilt frameworks that cover a range of compliance standards, and they are developed with AWS best practices in mind. These frameworks help map your AWS resources to the requirements for industry standards and regulations.

Frameworks and controls

AWS Audit Manager enables you to build your own framework using either custom controls or AWS-managed controls which help you meet your audit requirements. You can define custom controls to collect evidence from specific data sources.

AWS Audit Manager is designed to offer a library of controls that help you navigate the replication of your own enterprise controls. All the relevant AWS data sources for evidence are designed to map to these controls.

Evidence collection

Once an assessment has been defined and launched, AWS Audit Manager is designed to collect data for the AWS account and services you have defined to be in scope for an audit. The evidence is designed to contain both the data captured from that resource as well as metadata that indicates which control the data supports to help you demonstrate security, change management, business continuity, and software licensing compliance. Audit Manager is designed to collect and organize evidence from certain AWS services you may be using. You can also manually upload other evidence, such as policy documents, training transcripts, and architecture diagrams.

Multi-account evidence collection

AWS Audit Manager is designed to support multiple accounts via integration with AWS Organizations. Audit Manager assessments is designed to run over multiple accounts and to collect and consolidate evidence into a delegated administrator account in AWS Organizations.

Delegation workflow

You can delegate control sets to team members who may be specialized in certain topic areas, such as network infrastructure, identity management, software licensing, or personnel policies. The delegation feature enables the support team members to review the control set and related evidence, add comments, upload additional evidence, and update the status of each control.

Search evidence

AWS Audit Manager helps you to sift through collected evidence from multiple sources, by enabling search filters and groupings to identify trends and cross-reference issues.

Audit reports

AWS Audit Manager helps to collect evidence and organize the evidence as defined by the control set in the framework you selected. You and your team can review evidence, comment on evidence, upload other supporting evidence, and update the status of each control. You can generate a final assessment report. The final assessment report is designed to contain a summary file on your assessment and provide links to a set of folders containing related evidence. The Audit Manager assessment report is designed to use cryptographic verification.

Third-party risk assessment

AWS Audit Manager is also designed to assist with third-party risk assessment with features like framework-sharing for vendors. You can create vendor risk assessment questions and share them with your vendors and partners to collect audit evidence through text responses or documentation. These third parties can then package their responses, along with any uploaded files and evidence collected, into an assessment report to be shared back with you.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.