Class: AWS.AuditManager
- Inherits:
-
AWS.Service
- Object
- AWS.Service
- AWS.AuditManager
- Identifier:
- auditmanager
- API Version:
- 2017-07-25
- Defined in:
- (unknown)
Overview
Constructs a service interface object. Each API operation is exposed as a function on service.
Service Description
Welcome to the Audit Manager API reference. This guide is for developers who need detailed information about the Audit Manager API operations, data types, and errors.
Audit Manager is a service that provides automated evidence collection so that you can continually audit your Amazon Web Services usage. You can use it to assess the effectiveness of your controls, manage risk, and simplify compliance.
Audit Manager provides prebuilt frameworks that structure and automate assessments for a given compliance standard. Frameworks include a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped according to the requirements of the specified compliance standard or regulation. You can also customize frameworks and controls to support internal audits with specific requirements.
Use the following links to get started with the Audit Manager API:
-
Actions: An alphabetical list of all Audit Manager API operations.
-
Data types: An alphabetical list of all Audit Manager data types.
-
Common parameters: Parameters that all operations can use.
-
Common errors: Client and server errors that all operations can return.
If you're new to Audit Manager, we recommend that you review the Audit Manager User Guide.
Sending a Request Using AuditManager
var auditmanager = new AWS.AuditManager();
auditmanager.associateAssessmentReportEvidenceFolder(params, function (err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});
Locking the API Version
In order to ensure that the AuditManager object uses this specific API, you can
construct the object by passing the apiVersion
option to the constructor:
var auditmanager = new AWS.AuditManager({apiVersion: '2017-07-25'});
You can also set the API version globally in AWS.config.apiVersions
using
the auditmanager service identifier:
AWS.config.apiVersions = {
auditmanager: '2017-07-25',
// other service API versions
};
var auditmanager = new AWS.AuditManager();
Version:
-
2017-07-25
Constructor Summary collapse
-
new AWS.AuditManager(options = {}) ⇒ Object
constructor
Constructs a service object.
Property Summary collapse
-
endpoint ⇒ AWS.Endpoint
readwrite
An Endpoint object representing the endpoint URL for service requests.
Properties inherited from AWS.Service
Method Summary collapse
-
associateAssessmentReportEvidenceFolder(params = {}, callback) ⇒ AWS.Request
Associates an evidence folder to an assessment report in an Audit Manager assessment.
-
batchAssociateAssessmentReportEvidence(params = {}, callback) ⇒ AWS.Request
Associates a list of evidence to an assessment report in an Audit Manager assessment.
-
batchCreateDelegationByAssessment(params = {}, callback) ⇒ AWS.Request
Creates a batch of delegations for an assessment in Audit Manager.
-
batchDeleteDelegationByAssessment(params = {}, callback) ⇒ AWS.Request
Deletes a batch of delegations for an assessment in Audit Manager.
-
batchDisassociateAssessmentReportEvidence(params = {}, callback) ⇒ AWS.Request
Disassociates a list of evidence from an assessment report in Audit Manager.
-
batchImportEvidenceToAssessmentControl(params = {}, callback) ⇒ AWS.Request
Adds one or more pieces of evidence to a control in an Audit Manager assessment.
-
createAssessment(params = {}, callback) ⇒ AWS.Request
Creates an assessment in Audit Manager.
-
createAssessmentFramework(params = {}, callback) ⇒ AWS.Request
Creates a custom framework in Audit Manager.
-
createAssessmentReport(params = {}, callback) ⇒ AWS.Request
Creates an assessment report for the specified assessment.
-
createControl(params = {}, callback) ⇒ AWS.Request
Creates a new custom control in Audit Manager.
-
deleteAssessment(params = {}, callback) ⇒ AWS.Request
Deletes an assessment in Audit Manager.
-
deleteAssessmentFramework(params = {}, callback) ⇒ AWS.Request
Deletes a custom framework in Audit Manager.
-
deleteAssessmentFrameworkShare(params = {}, callback) ⇒ AWS.Request
Deletes a share request for a custom framework in Audit Manager.
-
deleteAssessmentReport(params = {}, callback) ⇒ AWS.Request
Deletes an assessment report in Audit Manager.
-
deleteControl(params = {}, callback) ⇒ AWS.Request
Deletes a custom control in Audit Manager.
-
deregisterAccount(params = {}, callback) ⇒ AWS.Request
Deregisters an account in Audit Manager.
-
deregisterOrganizationAdminAccount(params = {}, callback) ⇒ AWS.Request
Removes the specified Amazon Web Services account as a delegated administrator for Audit Manager.
-
disassociateAssessmentReportEvidenceFolder(params = {}, callback) ⇒ AWS.Request
Disassociates an evidence folder from the specified assessment report in Audit Manager.
-
getAccountStatus(params = {}, callback) ⇒ AWS.Request
Gets the registration status of an account in Audit Manager.
-
getAssessment(params = {}, callback) ⇒ AWS.Request
Gets information about a specified assessment.
-
getAssessmentFramework(params = {}, callback) ⇒ AWS.Request
Gets information about a specified framework.
.
-
getAssessmentReportUrl(params = {}, callback) ⇒ AWS.Request
Gets the URL of an assessment report in Audit Manager.
-
getChangeLogs(params = {}, callback) ⇒ AWS.Request
Gets a list of changelogs from Audit Manager.
-
getControl(params = {}, callback) ⇒ AWS.Request
Gets information about a specified control.
.
-
getDelegations(params = {}, callback) ⇒ AWS.Request
Gets a list of delegations from an audit owner to a delegate.
-
getEvidence(params = {}, callback) ⇒ AWS.Request
Gets information about a specified evidence item.
.
-
getEvidenceByEvidenceFolder(params = {}, callback) ⇒ AWS.Request
Gets all evidence from a specified evidence folder in Audit Manager.
-
getEvidenceFileUploadUrl(params = {}, callback) ⇒ AWS.Request
Creates a presigned Amazon S3 URL that can be used to upload a file as manual evidence.
-
getEvidenceFolder(params = {}, callback) ⇒ AWS.Request
Gets an evidence folder from a specified assessment in Audit Manager.
-
getEvidenceFoldersByAssessment(params = {}, callback) ⇒ AWS.Request
Gets the evidence folders from a specified assessment in Audit Manager.
-
getEvidenceFoldersByAssessmentControl(params = {}, callback) ⇒ AWS.Request
Gets a list of evidence folders that are associated with a specified control in an Audit Manager assessment.
-
getInsights(params = {}, callback) ⇒ AWS.Request
Gets the latest analytics data for all your current active assessments.
-
getInsightsByAssessment(params = {}, callback) ⇒ AWS.Request
Gets the latest analytics data for a specific active assessment.
-
getOrganizationAdminAccount(params = {}, callback) ⇒ AWS.Request
Gets the name of the delegated Amazon Web Services administrator account for a specified organization.
-
getServicesInScope(params = {}, callback) ⇒ AWS.Request
Gets a list of the Amazon Web Services from which Audit Manager can collect evidence.
-
getSettings(params = {}, callback) ⇒ AWS.Request
Gets the settings for a specified Amazon Web Services account.
-
listAssessmentControlInsightsByControlDomain(params = {}, callback) ⇒ AWS.Request
Lists the latest analytics data for controls within a specific control domain and a specific active assessment.
Note: Control insights are listed only if the control belongs to the control domain and assessment that was specified.- listAssessmentFrameworks(params = {}, callback) ⇒ AWS.Request
Returns a list of the frameworks that are available in the Audit Manager framework library.
- listAssessmentFrameworkShareRequests(params = {}, callback) ⇒ AWS.Request
Returns a list of sent or received share requests for custom frameworks in Audit Manager.
- listAssessmentReports(params = {}, callback) ⇒ AWS.Request
Returns a list of assessment reports created in Audit Manager.
- listAssessments(params = {}, callback) ⇒ AWS.Request
Returns a list of current and past assessments from Audit Manager.
- listControlDomainInsights(params = {}, callback) ⇒ AWS.Request
Lists the latest analytics data for control domains across all of your active assessments.
- listControlDomainInsightsByAssessment(params = {}, callback) ⇒ AWS.Request
Lists analytics data for control domains within a specified active assessment.
Audit Manager supports the control domains that are provided by Amazon Web Services Control Catalog.
- listControlInsightsByControlDomain(params = {}, callback) ⇒ AWS.Request
Lists the latest analytics data for controls within a specific control domain across all active assessments.
Note: Control insights are listed only if the control belongs to the control domain that was specified and the control collected evidence on thelastUpdated
date ofcontrolInsightsMetadata
.- listControls(params = {}, callback) ⇒ AWS.Request
Returns a list of controls from Audit Manager.
- listKeywordsForDataSource(params = {}, callback) ⇒ AWS.Request
Returns a list of keywords that are pre-mapped to the specified control data source.
.
- listNotifications(params = {}, callback) ⇒ AWS.Request
Returns a list of all Audit Manager notifications.
- listTagsForResource(params = {}, callback) ⇒ AWS.Request
Returns a list of tags for the specified resource in Audit Manager.
- registerAccount(params = {}, callback) ⇒ AWS.Request
Enables Audit Manager for the specified Amazon Web Services account.
- registerOrganizationAdminAccount(params = {}, callback) ⇒ AWS.Request
Enables an Amazon Web Services account within the organization as the delegated administrator for Audit Manager.
- startAssessmentFrameworkShare(params = {}, callback) ⇒ AWS.Request
Creates a share request for a custom framework in Audit Manager.
- tagResource(params = {}, callback) ⇒ AWS.Request
Tags the specified resource in Audit Manager.
- untagResource(params = {}, callback) ⇒ AWS.Request
Removes a tag from a resource in Audit Manager.
- updateAssessment(params = {}, callback) ⇒ AWS.Request
Edits an Audit Manager assessment.
- updateAssessmentControl(params = {}, callback) ⇒ AWS.Request
Updates a control within an assessment in Audit Manager.
- updateAssessmentControlSetStatus(params = {}, callback) ⇒ AWS.Request
Updates the status of a control set in an Audit Manager assessment.
- updateAssessmentFramework(params = {}, callback) ⇒ AWS.Request
Updates a custom framework in Audit Manager.
- updateAssessmentFrameworkShare(params = {}, callback) ⇒ AWS.Request
Updates a share request for a custom framework in Audit Manager.
- updateAssessmentStatus(params = {}, callback) ⇒ AWS.Request
Updates the status of an assessment in Audit Manager.
- updateControl(params = {}, callback) ⇒ AWS.Request
Updates a custom control in Audit Manager.
- updateSettings(params = {}, callback) ⇒ AWS.Request
Updates Audit Manager settings for the current account.
- validateAssessmentReportIntegrity(params = {}, callback) ⇒ AWS.Request
Validates the integrity of an assessment report in Audit Manager.
Methods inherited from AWS.Service
makeRequest, makeUnauthenticatedRequest, waitFor, setupRequestListeners, defineService
Constructor Details
new AWS.AuditManager(options = {}) ⇒ Object
Constructs a service object. This object has one method for each API operation.
Examples:
Constructing a AuditManager object
var auditmanager = new AWS.AuditManager({apiVersion: '2017-07-25'});
Options Hash (options):
-
params
(map)
—
An optional map of parameters to bind to every request sent by this service object. For more information on bound parameters, see "Working with Services" in the Getting Started Guide.
-
endpoint
(String|AWS.Endpoint)
—
The endpoint URI to send requests to. The default endpoint is built from the configured
region
. The endpoint should be a string like'https://{service}.{region}.amazonaws.com'
or an Endpoint object. -
accessKeyId
(String)
—
your AWS access key ID.
-
secretAccessKey
(String)
—
your AWS secret access key.
-
sessionToken
(AWS.Credentials)
—
the optional AWS session token to sign requests with.
-
credentials
(AWS.Credentials)
—
the AWS credentials to sign requests with. You can either specify this object, or specify the accessKeyId and secretAccessKey options directly.
-
credentialProvider
(AWS.CredentialProviderChain)
—
the provider chain used to resolve credentials if no static
credentials
property is set. -
region
(String)
—
the region to send service requests to. See AWS.AuditManager.region for more information.
-
maxRetries
(Integer)
—
the maximum amount of retries to attempt with a request. See AWS.AuditManager.maxRetries for more information.
-
maxRedirects
(Integer)
—
the maximum amount of redirects to follow with a request. See AWS.AuditManager.maxRedirects for more information.
-
sslEnabled
(Boolean)
—
whether to enable SSL for requests.
-
paramValidation
(Boolean|map)
—
whether input parameters should be validated against the operation description before sending the request. Defaults to true. Pass a map to enable any of the following specific validation features:
- min [Boolean] — Validates that a value meets the min
constraint. This is enabled by default when paramValidation is set
to
true
. - max [Boolean] — Validates that a value meets the max constraint.
- pattern [Boolean] — Validates that a string value matches a regular expression.
- enum [Boolean] — Validates that a string value matches one of the allowable enum values.
- min [Boolean] — Validates that a value meets the min
constraint. This is enabled by default when paramValidation is set
to
-
computeChecksums
(Boolean)
—
whether to compute checksums for payload bodies when the service accepts it (currently supported in S3 only)
-
convertResponseTypes
(Boolean)
—
whether types are converted when parsing response data. Currently only supported for JSON based services. Turning this off may improve performance on large response payloads. Defaults to
true
. -
correctClockSkew
(Boolean)
—
whether to apply a clock skew correction and retry requests that fail because of an skewed client clock. Defaults to
false
. -
s3ForcePathStyle
(Boolean)
—
whether to force path style URLs for S3 objects.
-
s3BucketEndpoint
(Boolean)
—
whether the provided endpoint addresses an individual bucket (false if it addresses the root API endpoint). Note that setting this configuration option requires an
endpoint
to be provided explicitly to the service constructor. -
s3DisableBodySigning
(Boolean)
—
whether S3 body signing should be disabled when using signature version
v4
. Body signing can only be disabled when using https. Defaults totrue
. -
s3UsEast1RegionalEndpoint
('legacy'|'regional')
—
when region is set to 'us-east-1', whether to send s3 request to global endpoints or 'us-east-1' regional endpoints. This config is only applicable to S3 client. Defaults to
legacy
-
s3UseArnRegion
(Boolean)
—
whether to override the request region with the region inferred from requested resource's ARN. Only available for S3 buckets Defaults to
true
-
retryDelayOptions
(map)
—
A set of options to configure the retry delay on retryable errors. Currently supported options are:
- base [Integer] — The base number of milliseconds to use in the exponential backoff for operation retries. Defaults to 100 ms for all services except DynamoDB, where it defaults to 50ms.
- customBackoff [function] — A custom function that accepts a
retry count and error and returns the amount of time to delay in
milliseconds. If the result is a non-zero negative value, no further
retry attempts will be made. The
base
option will be ignored if this option is supplied. The function is only called for retryable errors.
-
httpOptions
(map)
—
A set of options to pass to the low-level HTTP request. Currently supported options are:
- proxy [String] — the URL to proxy requests through
- agent [http.Agent, https.Agent] — the Agent object to perform
HTTP requests with. Used for connection pooling. Defaults to the global
agent (
http.globalAgent
) for non-SSL connections. Note that for SSL connections, a special Agent object is used in order to enable peer certificate verification. This feature is only available in the Node.js environment. - connectTimeout [Integer] — Sets the socket to timeout after
failing to establish a connection with the server after
connectTimeout
milliseconds. This timeout has no effect once a socket connection has been established. - timeout [Integer] — Sets the socket to timeout after timeout milliseconds of inactivity on the socket. Defaults to two minutes (120000).
- xhrAsync [Boolean] — Whether the SDK will send asynchronous HTTP requests. Used in the browser environment only. Set to false to send requests synchronously. Defaults to true (async on).
- xhrWithCredentials [Boolean] — Sets the "withCredentials" property of an XMLHttpRequest object. Used in the browser environment only. Defaults to false.
-
apiVersion
(String, Date)
—
a String in YYYY-MM-DD format (or a date) that represents the latest possible API version that can be used in all services (unless overridden by
apiVersions
). Specify 'latest' to use the latest possible version. -
apiVersions
(map<String, String|Date>)
—
a map of service identifiers (the lowercase service class name) with the API version to use when instantiating a service. Specify 'latest' for each individual that can use the latest available version.
-
logger
(#write, #log)
—
an object that responds to .write() (like a stream) or .log() (like the console object) in order to log information about requests
-
systemClockOffset
(Number)
—
an offset value in milliseconds to apply to all signing times. Use this to compensate for clock skew when your system may be out of sync with the service time. Note that this configuration option can only be applied to the global
AWS.config
object and cannot be overridden in service-specific configuration. Defaults to 0 milliseconds. -
signatureVersion
(String)
—
the signature version to sign requests with (overriding the API configuration). Possible values are: 'v2', 'v3', 'v4'.
-
signatureCache
(Boolean)
—
whether the signature to sign requests with (overriding the API configuration) is cached. Only applies to the signature version 'v4'. Defaults to
true
. -
dynamoDbCrc32
(Boolean)
—
whether to validate the CRC32 checksum of HTTP response bodies returned by DynamoDB. Default:
true
. -
useAccelerateEndpoint
(Boolean)
—
Whether to use the S3 Transfer Acceleration endpoint with the S3 service. Default:
false
. -
clientSideMonitoring
(Boolean)
—
whether to collect and publish this client's performance metrics of all its API requests.
-
endpointDiscoveryEnabled
(Boolean|undefined)
—
whether to call operations with endpoints given by service dynamically. Setting this
-
endpointCacheSize
(Number)
—
the size of the global cache storing endpoints from endpoint discovery operations. Once endpoint cache is created, updating this setting cannot change existing cache size. Defaults to 1000
-
hostPrefixEnabled
(Boolean)
—
whether to marshal request parameters to the prefix of hostname. Defaults to
true
. -
stsRegionalEndpoints
('legacy'|'regional')
—
whether to send sts request to global endpoints or regional endpoints. Defaults to 'legacy'.
-
useFipsEndpoint
(Boolean)
—
Enables FIPS compatible endpoints. Defaults to
false
. -
useDualstackEndpoint
(Boolean)
—
Enables IPv6 dualstack endpoint. Defaults to
false
.
Property Details
Method Details
associateAssessmentReportEvidenceFolder(params = {}, callback) ⇒ AWS.Request
Associates an evidence folder to an assessment report in an Audit Manager assessment.
Service Reference:
Examples:
Calling the associateAssessmentReportEvidenceFolder operation
var params = { assessmentId: 'STRING_VALUE', /* required */ evidenceFolderId: 'STRING_VALUE' /* required */ }; auditmanager.associateAssessmentReportEvidenceFolder(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The identifier for the assessment.
evidenceFolderId
— (String
)The identifier for the folder that the evidence is stored in.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs.
-
(AWS.Response)
—
Returns:
batchAssociateAssessmentReportEvidence(params = {}, callback) ⇒ AWS.Request
Associates a list of evidence to an assessment report in an Audit Manager assessment.
Service Reference:
Examples:
Calling the batchAssociateAssessmentReportEvidence operation
var params = { assessmentId: 'STRING_VALUE', /* required */ evidenceFolderId: 'STRING_VALUE', /* required */ evidenceIds: [ /* required */ 'STRING_VALUE', /* more items */ ] }; auditmanager.batchAssociateAssessmentReportEvidence(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The identifier for the assessment.
evidenceFolderId
— (String
)The identifier for the folder that the evidence is stored in.
evidenceIds
— (Array<String>
)The list of evidence identifiers.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:evidenceIds
— (Array<String>
)The list of evidence identifiers.
errors
— (Array<map>
)A list of errors that the
BatchAssociateAssessmentReportEvidence
API returned.evidenceId
— (String
)The identifier for the evidence.
errorCode
— (String
)The error code that was returned.
errorMessage
— (String
)The error message that was returned.
-
(AWS.Response)
—
Returns:
batchCreateDelegationByAssessment(params = {}, callback) ⇒ AWS.Request
Creates a batch of delegations for an assessment in Audit Manager.
Service Reference:
Examples:
Calling the batchCreateDelegationByAssessment operation
var params = { assessmentId: 'STRING_VALUE', /* required */ createDelegationRequests: [ /* required */ { comment: 'STRING_VALUE', controlSetId: 'STRING_VALUE', roleArn: 'STRING_VALUE', roleType: PROCESS_OWNER | RESOURCE_OWNER }, /* more items */ ] }; auditmanager.batchCreateDelegationByAssessment(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
createDelegationRequests
— (Array<map>
)The API request to batch create delegations in Audit Manager.
comment
— (String
)A comment that's related to the delegation request.
controlSetId
— (String
)The unique identifier for the control set.
roleArn
— (String
)The Amazon Resource Name (ARN) of the IAM role.
roleType
— (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
assessmentId
— (String
)The identifier for the assessment.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:delegations
— (Array<map>
)The delegations that are associated with the assessment.
id
— (String
)The unique identifier for the delegation.
assessmentName
— (String
)The name of the assessment that's associated with the delegation.
assessmentId
— (String
)The identifier for the assessment that's associated with the delegation.
status
— (String
)The status of the delegation.
Possible values include:"IN_PROGRESS"
"UNDER_REVIEW"
"COMPLETE"
roleArn
— (String
)The Amazon Resource Name (ARN) of the IAM role.
roleType
— (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
creationTime
— (Date
)Specifies when the delegation was created.
lastUpdated
— (Date
)Specifies when the delegation was last updated.
controlSetId
— (String
)The identifier for the control set that's associated with the delegation.
comment
— (String
)The comment that's related to the delegation.
createdBy
— (String
)The user or role that created the delegation.
errors
— (Array<map>
)A list of errors that the
BatchCreateDelegationByAssessment
API returned.createDelegationRequest
— (map
)The API request to batch create delegations in Audit Manager.
comment
— (String
)A comment that's related to the delegation request.
controlSetId
— (String
)The unique identifier for the control set.
roleArn
— (String
)The Amazon Resource Name (ARN) of the IAM role.
roleType
— (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
errorCode
— (String
)The error code that the
BatchCreateDelegationByAssessment
API returned.errorMessage
— (String
)The error message that the
BatchCreateDelegationByAssessment
API returned.
-
(AWS.Response)
—
Returns:
batchDeleteDelegationByAssessment(params = {}, callback) ⇒ AWS.Request
Deletes a batch of delegations for an assessment in Audit Manager.
Service Reference:
Examples:
Calling the batchDeleteDelegationByAssessment operation
var params = { assessmentId: 'STRING_VALUE', /* required */ delegationIds: [ /* required */ 'STRING_VALUE', /* more items */ ] }; auditmanager.batchDeleteDelegationByAssessment(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
delegationIds
— (Array<String>
)The identifiers for the delegations.
assessmentId
— (String
)The identifier for the assessment.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:errors
— (Array<map>
)A list of errors that the
BatchDeleteDelegationByAssessment
API returned.delegationId
— (String
)The identifier for the delegation.
errorCode
— (String
)The error code that the
BatchDeleteDelegationByAssessment
API returned.errorMessage
— (String
)The error message that the
BatchDeleteDelegationByAssessment
API returned.
-
(AWS.Response)
—
Returns:
batchDisassociateAssessmentReportEvidence(params = {}, callback) ⇒ AWS.Request
Disassociates a list of evidence from an assessment report in Audit Manager.
Service Reference:
Examples:
Calling the batchDisassociateAssessmentReportEvidence operation
var params = { assessmentId: 'STRING_VALUE', /* required */ evidenceFolderId: 'STRING_VALUE', /* required */ evidenceIds: [ /* required */ 'STRING_VALUE', /* more items */ ] }; auditmanager.batchDisassociateAssessmentReportEvidence(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The identifier for the assessment.
evidenceFolderId
— (String
)The identifier for the folder that the evidence is stored in.
evidenceIds
— (Array<String>
)The list of evidence identifiers.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:evidenceIds
— (Array<String>
)The identifier for the evidence.
errors
— (Array<map>
)A list of errors that the
BatchDisassociateAssessmentReportEvidence
API returned.evidenceId
— (String
)The identifier for the evidence.
errorCode
— (String
)The error code that was returned.
errorMessage
— (String
)The error message that was returned.
-
(AWS.Response)
—
Returns:
batchImportEvidenceToAssessmentControl(params = {}, callback) ⇒ AWS.Request
Adds one or more pieces of evidence to a control in an Audit Manager assessment.
You can import manual evidence from any S3 bucket by specifying the S3 URI of the object. You can also upload a file from your browser, or enter plain text in response to a risk assessment question.
The following restrictions apply to this action:
-
manualEvidence
can be only one of the following:evidenceFileName
,s3ResourcePath
, ortextResponse
-
Maximum size of an individual evidence file: 100 MB
-
Number of daily manual evidence uploads per control: 100
-
Supported file formats: See Supported file types for manual evidence in the Audit Manager User Guide
For more information about Audit Manager service restrictions, see Quotas and restrictions for Audit Manager.
Service Reference:
Examples:
Calling the batchImportEvidenceToAssessmentControl operation
var params = { assessmentId: 'STRING_VALUE', /* required */ controlId: 'STRING_VALUE', /* required */ controlSetId: 'STRING_VALUE', /* required */ manualEvidence: [ /* required */ { evidenceFileName: 'STRING_VALUE', s3ResourcePath: 'STRING_VALUE', textResponse: 'STRING_VALUE' }, /* more items */ ] }; auditmanager.batchImportEvidenceToAssessmentControl(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The identifier for the assessment.
controlSetId
— (String
)The identifier for the control set.
controlId
— (String
)The identifier for the control.
manualEvidence
— (Array<map>
)The list of manual evidence objects.
s3ResourcePath
— (String
)The S3 URL of the object that's imported as manual evidence.
textResponse
— (String
)The plain text response that's entered and saved as manual evidence.
evidenceFileName
— (String
)The name of the file that's uploaded as manual evidence. This name is populated using the
evidenceFileName
value from theGetEvidenceFileUploadUrl
API response.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:errors
— (Array<map>
)A list of errors that the
BatchImportEvidenceToAssessmentControl
API returned.manualEvidence
— (map
)Manual evidence that can't be collected automatically by Audit Manager.
s3ResourcePath
— (String
)The S3 URL of the object that's imported as manual evidence.
textResponse
— (String
)The plain text response that's entered and saved as manual evidence.
evidenceFileName
— (String
)The name of the file that's uploaded as manual evidence. This name is populated using the
evidenceFileName
value from theGetEvidenceFileUploadUrl
API response.
errorCode
— (String
)The error code that the
BatchImportEvidenceToAssessmentControl
API returned.errorMessage
— (String
)The error message that the
BatchImportEvidenceToAssessmentControl
API returned.
-
(AWS.Response)
—
Returns:
createAssessment(params = {}, callback) ⇒ AWS.Request
Creates an assessment in Audit Manager.
Service Reference:
Examples:
Calling the createAssessment operation
var params = { assessmentReportsDestination: { /* required */ destination: 'STRING_VALUE', destinationType: S3 }, frameworkId: 'STRING_VALUE', /* required */ name: 'STRING_VALUE', /* required */ roles: [ /* required */ { roleArn: 'STRING_VALUE', /* required */ roleType: PROCESS_OWNER | RESOURCE_OWNER /* required */ }, /* more items */ ], scope: { /* required */ awsAccounts: [ { emailAddress: 'STRING_VALUE', id: 'STRING_VALUE', name: 'STRING_VALUE' }, /* more items */ ], awsServices: [ { serviceName: 'STRING_VALUE' }, /* more items */ ] }, description: 'STRING_VALUE', tags: { '<TagKey>': 'STRING_VALUE', /* '<TagKey>': ... */ } }; auditmanager.createAssessment(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
name
— (String
)The name of the assessment to be created.
description
— (String
)The optional description of the assessment to be created.
assessmentReportsDestination
— (map
)The assessment report storage destination for the assessment that's being created.
destinationType
— (String
)The destination type, such as Amazon S3.
Possible values include:"S3"
destination
— (String
)The destination bucket where Audit Manager stores assessment reports.
scope
— (map
)The wrapper that contains the Amazon Web Services accounts that are in scope for the assessment.
Note: You no longer need to specify which Amazon Web Services are in scope when you create or update an assessment. Audit Manager infers the services in scope by examining your assessment controls and their data sources, and then mapping this information to the relevant Amazon Web Services. If an underlying data source changes for your assessment, we automatically update the services scope as needed to reflect the correct Amazon Web Services. This ensures that your assessment collects accurate and comprehensive evidence about all of the relevant services in your AWS environment.awsAccounts
— (Array<map>
)The Amazon Web Services accounts that are included in the scope of the assessment.
id
— (String
)The identifier for the Amazon Web Services account.
emailAddress
— (String
)The email address that's associated with the Amazon Web Services account.
name
— (String
)The name of the Amazon Web Services account.
awsServices
— (Array<map>
)The Amazon Web Services services that are included in the scope of the assessment.
This API parameter is no longer supported. If you use this parameter to specify one or more Amazon Web Services, Audit Manager ignores this input. Instead, the value for
awsServices
will show as empty.serviceName
— (String
)The name of the Amazon Web Service.
roles
— (Array<map>
)The list of roles for the assessment.
roleType
— required — (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
roleArn
— required — (String
)The Amazon Resource Name (ARN) of the IAM role.
frameworkId
— (String
)The identifier for the framework that the assessment will be created from.
tags
— (map<String>
)The tags that are associated with the assessment.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:assessment
— (map
)An entity that defines the scope of audit evidence collected by Audit Manager. An Audit Manager assessment is an implementation of an Audit Manager framework.
arn
— (String
)The Amazon Resource Name (ARN) of the assessment.
awsAccount
— (map
)The Amazon Web Services account that's associated with the assessment.
id
— (String
)The identifier for the Amazon Web Services account.
emailAddress
— (String
)The email address that's associated with the Amazon Web Services account.
name
— (String
)The name of the Amazon Web Services account.
metadata
— (map
)The metadata for the assessment.
name
— (String
)The name of the assessment.
id
— (String
)The unique identifier for the assessment.
description
— (String
)The description of the assessment.
complianceType
— (String
)The name of the compliance standard that's related to the assessment, such as PCI-DSS.
status
— (String
)The overall status of the assessment.
Possible values include:"ACTIVE"
"INACTIVE"
assessmentReportsDestination
— (map
)The destination that evidence reports are stored in for the assessment.
destinationType
— (String
)The destination type, such as Amazon S3.
Possible values include:"S3"
destination
— (String
)The destination bucket where Audit Manager stores assessment reports.
scope
— (map
)The wrapper of Amazon Web Services accounts and services that are in scope for the assessment.
awsAccounts
— (Array<map>
)The Amazon Web Services accounts that are included in the scope of the assessment.
id
— (String
)The identifier for the Amazon Web Services account.
emailAddress
— (String
)The email address that's associated with the Amazon Web Services account.
name
— (String
)The name of the Amazon Web Services account.
awsServices
— (Array<map>
)The Amazon Web Services services that are included in the scope of the assessment.
This API parameter is no longer supported. If you use this parameter to specify one or more Amazon Web Services, Audit Manager ignores this input. Instead, the value for
awsServices
will show as empty.serviceName
— (String
)The name of the Amazon Web Service.
roles
— (Array<map>
)The roles that are associated with the assessment.
roleType
— required — (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
roleArn
— required — (String
)The Amazon Resource Name (ARN) of the IAM role.
delegations
— (Array<map>
)The delegations that are associated with the assessment.
id
— (String
)The unique identifier for the delegation.
assessmentName
— (String
)The name of the assessment that's associated with the delegation.
assessmentId
— (String
)The identifier for the assessment that's associated with the delegation.
status
— (String
)The status of the delegation.
Possible values include:"IN_PROGRESS"
"UNDER_REVIEW"
"COMPLETE"
roleArn
— (String
)The Amazon Resource Name (ARN) of the IAM role.
roleType
— (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
creationTime
— (Date
)Specifies when the delegation was created.
lastUpdated
— (Date
)Specifies when the delegation was last updated.
controlSetId
— (String
)The identifier for the control set that's associated with the delegation.
comment
— (String
)The comment that's related to the delegation.
createdBy
— (String
)The user or role that created the delegation.
creationTime
— (Date
)Specifies when the assessment was created.
lastUpdated
— (Date
)The time of the most recent update.
framework
— (map
)The framework that the assessment was created from.
id
— (String
)The unique identifier for the framework.
arn
— (String
)The Amazon Resource Name (ARN) of the framework.
metadata
— (map
)The metadata of a framework, such as the name, ID, or description.
name
— (String
)The name of the framework.
description
— (String
)The description of the framework.
logo
— (String
)The logo that's associated with the framework.
complianceType
— (String
)The compliance standard that's associated with the framework. For example, this could be PCI DSS or HIPAA.
controlSets
— (Array<map>
)The control sets that are associated with the framework.
id
— (String
)The identifier of the control set in the assessment. This is the control set name in a plain string format.
description
— (String
)The description for the control set.
status
— (String
)The current status of the control set.
Possible values include:"ACTIVE"
"UNDER_REVIEW"
"REVIEWED"
roles
— (Array<map>
)The roles that are associated with the control set.
roleType
— required — (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
roleArn
— required — (String
)The Amazon Resource Name (ARN) of the IAM role.
controls
— (Array<map>
)The list of controls that's contained with the control set.
id
— (String
)The identifier for the control.
name
— (String
)The name of the control.
description
— (String
)The description of the control.
status
— (String
)The status of the control.
Possible values include:"UNDER_REVIEW"
"REVIEWED"
"INACTIVE"
response
— (String
)The response of the control.
Possible values include:"MANUAL"
"AUTOMATE"
"DEFER"
"IGNORE"
comments
— (Array<map>
)The list of comments that's attached to the control.
authorName
— (String
)The name of the user who authored the comment.
commentBody
— (String
)The body text of a control comment.
postedDate
— (Date
)The time when the comment was posted.
evidenceSources
— (Array<String>
)The list of data sources for the evidence.
evidenceCount
— (Integer
)The amount of evidence that's collected for the control.
assessmentReportEvidenceCount
— (Integer
)The amount of evidence in the assessment report.
delegations
— (Array<map>
)The delegations that are associated with the control set.
id
— (String
)The unique identifier for the delegation.
assessmentName
— (String
)The name of the assessment that's associated with the delegation.
assessmentId
— (String
)The identifier for the assessment that's associated with the delegation.
status
— (String
)The status of the delegation.
Possible values include:"IN_PROGRESS"
"UNDER_REVIEW"
"COMPLETE"
roleArn
— (String
)The Amazon Resource Name (ARN) of the IAM role.
roleType
— (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
creationTime
— (Date
)Specifies when the delegation was created.
lastUpdated
— (Date
)Specifies when the delegation was last updated.
controlSetId
— (String
)The identifier for the control set that's associated with the delegation.
comment
— (String
)The comment that's related to the delegation.
createdBy
— (String
)The user or role that created the delegation.
systemEvidenceCount
— (Integer
)The total number of evidence objects that are retrieved automatically for the control set.
manualEvidenceCount
— (Integer
)The total number of evidence objects that are uploaded manually to the control set.
tags
— (map<String>
)The tags that are associated with the assessment.
-
(AWS.Response)
—
Returns:
createAssessmentFramework(params = {}, callback) ⇒ AWS.Request
Creates a custom framework in Audit Manager.
Service Reference:
Examples:
Calling the createAssessmentFramework operation
var params = { controlSets: [ /* required */ { name: 'STRING_VALUE', /* required */ controls: [ { id: 'STRING_VALUE' /* required */ }, /* more items */ ] }, /* more items */ ], name: 'STRING_VALUE', /* required */ complianceType: 'STRING_VALUE', description: 'STRING_VALUE', tags: { '<TagKey>': 'STRING_VALUE', /* '<TagKey>': ... */ } }; auditmanager.createAssessmentFramework(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
name
— (String
)The name of the new custom framework.
description
— (String
)An optional description for the new custom framework.
complianceType
— (String
)The compliance type that the new custom framework supports, such as CIS or HIPAA.
controlSets
— (Array<map>
)The control sets that are associated with the framework.
name
— required — (String
)The name of the control set.
controls
— (Array<map>
)The list of controls within the control set. This doesn't contain the control set ID.
id
— required — (String
)The unique identifier of the control.
tags
— (map<String>
)The tags that are associated with the framework.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:framework
— (map
)The name of the new framework that the
CreateAssessmentFramework
API returned.arn
— (String
)The Amazon Resource Name (ARN) of the framework.
id
— (String
)The unique identifier for the framework.
name
— (String
)The name of the framework.
type
— (String
)Specifies whether the framework is a standard framework or a custom framework.
Possible values include:"Standard"
"Custom"
complianceType
— (String
)The compliance type that the framework supports, such as CIS or HIPAA.
description
— (String
)The description of the framework.
logo
— (String
)The logo that's associated with the framework.
controlSources
— (String
)The control data sources where Audit Manager collects evidence from.
controlSets
— (Array<map>
)The control sets that are associated with the framework.
id
— (String
)The identifier of the control set in the assessment. This is the control set name in a plain string format.
name
— (String
)The name of the control set.
controls
— (Array<map>
)The list of controls within the control set.
arn
— (String
)The Amazon Resource Name (ARN) of the control.
id
— (String
)The unique identifier for the control.
type
— (String
)Specifies whether the control is a standard control or a custom control.
Possible values include:"Standard"
"Custom"
"Core"
name
— (String
)The name of the control.
description
— (String
)The description of the control.
testingInformation
— (String
)The steps that you should follow to determine if the control has been satisfied.
actionPlanTitle
— (String
)The title of the action plan for remediating the control.
actionPlanInstructions
— (String
)The recommended actions to carry out if the control isn't fulfilled.
controlSources
— (String
)The data source types that determine where Audit Manager collects evidence from for the control.
controlMappingSources
— (Array<map>
)The data mapping sources for the control.
sourceId
— (String
)The unique identifier for the source.
sourceName
— (String
)The name of the source.
sourceDescription
— (String
)The description of the source.
sourceSetUpOption
— (String
)The setup option for the data source. This option reflects if the evidence collection method is automated or manual. If you don’t provide a value for
Possible values include:sourceSetUpOption
, Audit Manager automatically infers and populates the correct value based on thesourceType
that you specify."System_Controls_Mapping"
"Procedural_Controls_Mapping"
sourceType
— (String
)Specifies which type of data source is used to collect evidence.
-
The source can be an individual data source type, such as
AWS_Cloudtrail
,AWS_Config
,AWS_Security_Hub
,AWS_API_Call
, orMANUAL
. -
The source can also be a managed grouping of data sources, such as a
Core_Control
or aCommon_Control
.
"AWS_Cloudtrail"
"AWS_Config"
"AWS_Security_Hub"
"AWS_API_Call"
"MANUAL"
"Common_Control"
"Core_Control"
-
sourceKeyword
— (map
)A keyword that relates to the control data source.
For manual evidence, this keyword indicates if the manual evidence is a file or text.
For automated evidence, this keyword identifies a specific CloudTrail event, Config rule, Security Hub control, or Amazon Web Services API name.
To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide:
keywordInputType
— (String
)The input method for the keyword.
-
SELECT_FROM_LIST
is used when mapping a data source for automated evidence.-
When
keywordInputType
isSELECT_FROM_LIST
, a keyword must be selected to collect automated evidence. For example, this keyword can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
-
-
UPLOAD_FILE
andINPUT_TEXT
are only used when mapping a data source for manual evidence.-
When
keywordInputType
isUPLOAD_FILE
, a file must be uploaded as manual evidence. -
When
keywordInputType
isINPUT_TEXT
, text must be entered as manual evidence.
-
"SELECT_FROM_LIST"
"UPLOAD_FILE"
"INPUT_TEXT"
-
keywordValue
— (String
)The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
If you’re mapping a data source to a rule in Config, the
keywordValue
that you specify depends on the type of rule:-
For managed rules, you can use the rule identifier as the
keywordValue
. You can find the rule identifier from the list of Config managed rules. For some rules, the rule identifier is different from the rule name. For example, the rule namerestricted-ssh
has the following rule identifier:INCOMING_SSH_DISABLED
. Make sure to use the rule identifier, not the rule name.Keyword example for managed rules:
-
Managed rule name: s3-bucket-acl-prohibited
keywordValue
:S3_BUCKET_ACL_PROHIBITED
-
-
For custom rules, you form the
keywordValue
by adding theCustom_
prefix to the rule name. This prefix distinguishes the custom rule from a managed rule.Keyword example for custom rules:
-
Custom rule name: my-custom-config-rule
keywordValue
:Custom_my-custom-config-rule
-
-
For service-linked rules, you form the
keywordValue
by adding theCustom_
prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name.Keyword examples for service-linked rules:
-
Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w
keywordValue
:Custom_CustomRuleForAccount-conformance-pack
-
Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba
keywordValue
:Custom_OrgConfigRule-s3-bucket-versioning-enabled
-
The
keywordValue
is case sensitive. If you enter a value incorrectly, Audit Manager might not recognize the data source mapping. As a result, you might not successfully collect evidence from that data source as intended.Keep in mind the following requirements, depending on the data source type that you're using.
-
For Config:
-
For managed rules, make sure that the
keywordValue
is the rule identifier inALL_CAPS_WITH_UNDERSCORES
. For example,CLOUDWATCH_LOG_GROUP_ENCRYPTED
. For accuracy, we recommend that you reference the list of supported Config managed rules. -
For custom rules, make sure that the
keywordValue
has theCustom_
prefix followed by the custom rule name. The format of the custom rule name itself may vary. For accuracy, we recommend that you visit the Config console to verify your custom rule name.
-
-
For Security Hub: The format varies for Security Hub control names. For accuracy, we recommend that you reference the list of supported Security Hub controls.
-
For Amazon Web Services API calls: Make sure that the
keywordValue
is written asserviceprefix_ActionName
. For example,iam_ListGroups
. For accuracy, we recommend that you reference the list of supported API calls. -
For CloudTrail: Make sure that the
keywordValue
is written asserviceprefix_ActionName
. For example,cloudtrail_StartLogging
. For accuracy, we recommend that you review the Amazon Web Service prefix and action names in the Service Authorization Reference.
-
sourceFrequency
— (String
)Specifies how often evidence is collected from the control mapping source.
Possible values include:"DAILY"
"WEEKLY"
"MONTHLY"
troubleshootingText
— (String
)The instructions for troubleshooting the control.
createdAt
— (Date
)The time when the control was created.
lastUpdatedAt
— (Date
)The time when the control was most recently updated.
createdBy
— (String
)The user or role that created the control.
lastUpdatedBy
— (String
)The user or role that most recently updated the control.
tags
— (map<String>
)The tags associated with the control.
state
— (String
)The state of the control. The
Possible values include:END_OF_SUPPORT
state is applicable to standard controls only. This state indicates that the standard control can still be used to collect evidence, but Audit Manager is no longer updating or maintaining that control."ACTIVE"
"END_OF_SUPPORT"
createdAt
— (Date
)The time when the framework was created.
lastUpdatedAt
— (Date
)The time when the framework was most recently updated.
createdBy
— (String
)The user or role that created the framework.
lastUpdatedBy
— (String
)The user or role that most recently updated the framework.
tags
— (map<String>
)The tags that are associated with the framework.
-
(AWS.Response)
—
Returns:
createAssessmentReport(params = {}, callback) ⇒ AWS.Request
Creates an assessment report for the specified assessment.
Service Reference:
Examples:
Calling the createAssessmentReport operation
var params = { assessmentId: 'STRING_VALUE', /* required */ name: 'STRING_VALUE', /* required */ description: 'STRING_VALUE', queryStatement: 'STRING_VALUE' }; auditmanager.createAssessmentReport(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
name
— (String
)The name of the new assessment report.
description
— (String
)The description of the assessment report.
assessmentId
— (String
)The identifier for the assessment.
queryStatement
— (String
)A SQL statement that represents an evidence finder query.
Provide this parameter when you want to generate an assessment report from the results of an evidence finder search query. When you use this parameter, Audit Manager generates a one-time report using only the evidence from the query output. This report does not include any assessment evidence that was manually added to a report using the console, or associated with a report using the API.
To use this parameter, the enablementStatus of evidence finder must be
ENABLED
.For examples and help resolving
queryStatement
validation exceptions, see Troubleshooting evidence finder issues in the Audit Manager User Guide.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:assessmentReport
— (map
)The new assessment report that the
CreateAssessmentReport
API returned.id
— (String
)The unique identifier for the assessment report.
name
— (String
)The name that's given to the assessment report.
description
— (String
)The description of the specified assessment report.
awsAccountId
— (String
)The identifier for the specified Amazon Web Services account.
assessmentId
— (String
)The identifier for the specified assessment.
assessmentName
— (String
)The name of the associated assessment.
author
— (String
)The name of the user who created the assessment report.
status
— (String
)The current status of the specified assessment report.
Possible values include:"COMPLETE"
"IN_PROGRESS"
"FAILED"
creationTime
— (Date
)Specifies when the assessment report was created.
-
(AWS.Response)
—
Returns:
createControl(params = {}, callback) ⇒ AWS.Request
Creates a new custom control in Audit Manager.
Service Reference:
Examples:
Calling the createControl operation
var params = { controlMappingSources: [ /* required */ { sourceDescription: 'STRING_VALUE', sourceFrequency: DAILY | WEEKLY | MONTHLY, sourceKeyword: { keywordInputType: SELECT_FROM_LIST | UPLOAD_FILE | INPUT_TEXT, keywordValue: 'STRING_VALUE' }, sourceName: 'STRING_VALUE', sourceSetUpOption: System_Controls_Mapping | Procedural_Controls_Mapping, sourceType: AWS_Cloudtrail | AWS_Config | AWS_Security_Hub | AWS_API_Call | MANUAL | Common_Control | Core_Control, troubleshootingText: 'STRING_VALUE' }, /* more items */ ], name: 'STRING_VALUE', /* required */ actionPlanInstructions: 'STRING_VALUE', actionPlanTitle: 'STRING_VALUE', description: 'STRING_VALUE', tags: { '<TagKey>': 'STRING_VALUE', /* '<TagKey>': ... */ }, testingInformation: 'STRING_VALUE' }; auditmanager.createControl(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
name
— (String
)The name of the control.
description
— (String
)The description of the control.
testingInformation
— (String
)The steps to follow to determine if the control is satisfied.
actionPlanTitle
— (String
)The title of the action plan for remediating the control.
actionPlanInstructions
— (String
)The recommended actions to carry out if the control isn't fulfilled.
controlMappingSources
— (Array<map>
)The data mapping sources for the control.
sourceName
— (String
)The name of the control mapping data source.
sourceDescription
— (String
)The description of the data source that determines where Audit Manager collects evidence from for the control.
sourceSetUpOption
— (String
)The setup option for the data source. This option reflects if the evidence collection method is automated or manual. If you don’t provide a value for
Possible values include:sourceSetUpOption
, Audit Manager automatically infers and populates the correct value based on thesourceType
that you specify."System_Controls_Mapping"
"Procedural_Controls_Mapping"
sourceType
— (String
)Specifies which type of data source is used to collect evidence.
-
The source can be an individual data source type, such as
AWS_Cloudtrail
,AWS_Config
,AWS_Security_Hub
,AWS_API_Call
, orMANUAL
. -
The source can also be a managed grouping of data sources, such as a
Core_Control
or aCommon_Control
.
"AWS_Cloudtrail"
"AWS_Config"
"AWS_Security_Hub"
"AWS_API_Call"
"MANUAL"
"Common_Control"
"Core_Control"
-
sourceKeyword
— (map
)A keyword that relates to the control data source.
For manual evidence, this keyword indicates if the manual evidence is a file or text.
For automated evidence, this keyword identifies a specific CloudTrail event, Config rule, Security Hub control, or Amazon Web Services API name.
To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide:
keywordInputType
— (String
)The input method for the keyword.
-
SELECT_FROM_LIST
is used when mapping a data source for automated evidence.-
When
keywordInputType
isSELECT_FROM_LIST
, a keyword must be selected to collect automated evidence. For example, this keyword can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
-
-
UPLOAD_FILE
andINPUT_TEXT
are only used when mapping a data source for manual evidence.-
When
keywordInputType
isUPLOAD_FILE
, a file must be uploaded as manual evidence. -
When
keywordInputType
isINPUT_TEXT
, text must be entered as manual evidence.
-
"SELECT_FROM_LIST"
"UPLOAD_FILE"
"INPUT_TEXT"
-
keywordValue
— (String
)The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
If you’re mapping a data source to a rule in Config, the
keywordValue
that you specify depends on the type of rule:-
For managed rules, you can use the rule identifier as the
keywordValue
. You can find the rule identifier from the list of Config managed rules. For some rules, the rule identifier is different from the rule name. For example, the rule namerestricted-ssh
has the following rule identifier:INCOMING_SSH_DISABLED
. Make sure to use the rule identifier, not the rule name.Keyword example for managed rules:
-
Managed rule name: s3-bucket-acl-prohibited
keywordValue
:S3_BUCKET_ACL_PROHIBITED
-
-
For custom rules, you form the
keywordValue
by adding theCustom_
prefix to the rule name. This prefix distinguishes the custom rule from a managed rule.Keyword example for custom rules:
-
Custom rule name: my-custom-config-rule
keywordValue
:Custom_my-custom-config-rule
-
-
For service-linked rules, you form the
keywordValue
by adding theCustom_
prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name.Keyword examples for service-linked rules:
-
Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w
keywordValue
:Custom_CustomRuleForAccount-conformance-pack
-
Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba
keywordValue
:Custom_OrgConfigRule-s3-bucket-versioning-enabled
-
The
keywordValue
is case sensitive. If you enter a value incorrectly, Audit Manager might not recognize the data source mapping. As a result, you might not successfully collect evidence from that data source as intended.Keep in mind the following requirements, depending on the data source type that you're using.
-
For Config:
-
For managed rules, make sure that the
keywordValue
is the rule identifier inALL_CAPS_WITH_UNDERSCORES
. For example,CLOUDWATCH_LOG_GROUP_ENCRYPTED
. For accuracy, we recommend that you reference the list of supported Config managed rules. -
For custom rules, make sure that the
keywordValue
has theCustom_
prefix followed by the custom rule name. The format of the custom rule name itself may vary. For accuracy, we recommend that you visit the Config console to verify your custom rule name.
-
-
For Security Hub: The format varies for Security Hub control names. For accuracy, we recommend that you reference the list of supported Security Hub controls.
-
For Amazon Web Services API calls: Make sure that the
keywordValue
is written asserviceprefix_ActionName
. For example,iam_ListGroups
. For accuracy, we recommend that you reference the list of supported API calls. -
For CloudTrail: Make sure that the
keywordValue
is written asserviceprefix_ActionName
. For example,cloudtrail_StartLogging
. For accuracy, we recommend that you review the Amazon Web Service prefix and action names in the Service Authorization Reference.
-
sourceFrequency
— (String
)Specifies how often evidence is collected from the control mapping source.
Possible values include:"DAILY"
"WEEKLY"
"MONTHLY"
troubleshootingText
— (String
)The instructions for troubleshooting the control.
tags
— (map<String>
)The tags that are associated with the control.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:control
— (map
)The new control that the
CreateControl
API returned.arn
— (String
)The Amazon Resource Name (ARN) of the control.
id
— (String
)The unique identifier for the control.
type
— (String
)Specifies whether the control is a standard control or a custom control.
Possible values include:"Standard"
"Custom"
"Core"
name
— (String
)The name of the control.
description
— (String
)The description of the control.
testingInformation
— (String
)The steps that you should follow to determine if the control has been satisfied.
actionPlanTitle
— (String
)The title of the action plan for remediating the control.
actionPlanInstructions
— (String
)The recommended actions to carry out if the control isn't fulfilled.
controlSources
— (String
)The data source types that determine where Audit Manager collects evidence from for the control.
controlMappingSources
— (Array<map>
)The data mapping sources for the control.
sourceId
— (String
)The unique identifier for the source.
sourceName
— (String
)The name of the source.
sourceDescription
— (String
)The description of the source.
sourceSetUpOption
— (String
)The setup option for the data source. This option reflects if the evidence collection method is automated or manual. If you don’t provide a value for
Possible values include:sourceSetUpOption
, Audit Manager automatically infers and populates the correct value based on thesourceType
that you specify."System_Controls_Mapping"
"Procedural_Controls_Mapping"
sourceType
— (String
)Specifies which type of data source is used to collect evidence.
-
The source can be an individual data source type, such as
AWS_Cloudtrail
,AWS_Config
,AWS_Security_Hub
,AWS_API_Call
, orMANUAL
. -
The source can also be a managed grouping of data sources, such as a
Core_Control
or aCommon_Control
.
"AWS_Cloudtrail"
"AWS_Config"
"AWS_Security_Hub"
"AWS_API_Call"
"MANUAL"
"Common_Control"
"Core_Control"
-
sourceKeyword
— (map
)A keyword that relates to the control data source.
For manual evidence, this keyword indicates if the manual evidence is a file or text.
For automated evidence, this keyword identifies a specific CloudTrail event, Config rule, Security Hub control, or Amazon Web Services API name.
To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide:
keywordInputType
— (String
)The input method for the keyword.
-
SELECT_FROM_LIST
is used when mapping a data source for automated evidence.-
When
keywordInputType
isSELECT_FROM_LIST
, a keyword must be selected to collect automated evidence. For example, this keyword can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
-
-
UPLOAD_FILE
andINPUT_TEXT
are only used when mapping a data source for manual evidence.-
When
keywordInputType
isUPLOAD_FILE
, a file must be uploaded as manual evidence. -
When
keywordInputType
isINPUT_TEXT
, text must be entered as manual evidence.
-
"SELECT_FROM_LIST"
"UPLOAD_FILE"
"INPUT_TEXT"
-
keywordValue
— (String
)The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
If you’re mapping a data source to a rule in Config, the
keywordValue
that you specify depends on the type of rule:-
For managed rules, you can use the rule identifier as the
keywordValue
. You can find the rule identifier from the list of Config managed rules. For some rules, the rule identifier is different from the rule name. For example, the rule namerestricted-ssh
has the following rule identifier:INCOMING_SSH_DISABLED
. Make sure to use the rule identifier, not the rule name.Keyword example for managed rules:
-
Managed rule name: s3-bucket-acl-prohibited
keywordValue
:S3_BUCKET_ACL_PROHIBITED
-
-
For custom rules, you form the
keywordValue
by adding theCustom_
prefix to the rule name. This prefix distinguishes the custom rule from a managed rule.Keyword example for custom rules:
-
Custom rule name: my-custom-config-rule
keywordValue
:Custom_my-custom-config-rule
-
-
For service-linked rules, you form the
keywordValue
by adding theCustom_
prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name.Keyword examples for service-linked rules:
-
Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w
keywordValue
:Custom_CustomRuleForAccount-conformance-pack
-
Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba
keywordValue
:Custom_OrgConfigRule-s3-bucket-versioning-enabled
-
The
keywordValue
is case sensitive. If you enter a value incorrectly, Audit Manager might not recognize the data source mapping. As a result, you might not successfully collect evidence from that data source as intended.Keep in mind the following requirements, depending on the data source type that you're using.
-
For Config:
-
For managed rules, make sure that the
keywordValue
is the rule identifier inALL_CAPS_WITH_UNDERSCORES
. For example,CLOUDWATCH_LOG_GROUP_ENCRYPTED
. For accuracy, we recommend that you reference the list of supported Config managed rules. -
For custom rules, make sure that the
keywordValue
has theCustom_
prefix followed by the custom rule name. The format of the custom rule name itself may vary. For accuracy, we recommend that you visit the Config console to verify your custom rule name.
-
-
For Security Hub: The format varies for Security Hub control names. For accuracy, we recommend that you reference the list of supported Security Hub controls.
-
For Amazon Web Services API calls: Make sure that the
keywordValue
is written asserviceprefix_ActionName
. For example,iam_ListGroups
. For accuracy, we recommend that you reference the list of supported API calls. -
For CloudTrail: Make sure that the
keywordValue
is written asserviceprefix_ActionName
. For example,cloudtrail_StartLogging
. For accuracy, we recommend that you review the Amazon Web Service prefix and action names in the Service Authorization Reference.
-
sourceFrequency
— (String
)Specifies how often evidence is collected from the control mapping source.
Possible values include:"DAILY"
"WEEKLY"
"MONTHLY"
troubleshootingText
— (String
)The instructions for troubleshooting the control.
createdAt
— (Date
)The time when the control was created.
lastUpdatedAt
— (Date
)The time when the control was most recently updated.
createdBy
— (String
)The user or role that created the control.
lastUpdatedBy
— (String
)The user or role that most recently updated the control.
tags
— (map<String>
)The tags associated with the control.
state
— (String
)The state of the control. The
Possible values include:END_OF_SUPPORT
state is applicable to standard controls only. This state indicates that the standard control can still be used to collect evidence, but Audit Manager is no longer updating or maintaining that control."ACTIVE"
"END_OF_SUPPORT"
-
(AWS.Response)
—
Returns:
deleteAssessment(params = {}, callback) ⇒ AWS.Request
Deletes an assessment in Audit Manager.
Service Reference:
Examples:
Calling the deleteAssessment operation
var params = { assessmentId: 'STRING_VALUE' /* required */ }; auditmanager.deleteAssessment(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The identifier for the assessment.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs.
-
(AWS.Response)
—
Returns:
deleteAssessmentFramework(params = {}, callback) ⇒ AWS.Request
Deletes a custom framework in Audit Manager.
Service Reference:
Examples:
Calling the deleteAssessmentFramework operation
var params = { frameworkId: 'STRING_VALUE' /* required */ }; auditmanager.deleteAssessmentFramework(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
frameworkId
— (String
)The identifier for the custom framework.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs.
-
(AWS.Response)
—
Returns:
deleteAssessmentFrameworkShare(params = {}, callback) ⇒ AWS.Request
Deletes a share request for a custom framework in Audit Manager.
Service Reference:
Examples:
Calling the deleteAssessmentFrameworkShare operation
var params = { requestId: 'STRING_VALUE', /* required */ requestType: SENT | RECEIVED /* required */ }; auditmanager.deleteAssessmentFrameworkShare(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
requestId
— (String
)The unique identifier for the share request to be deleted.
requestType
— (String
)Specifies whether the share request is a sent request or a received request.
Possible values include:"SENT"
"RECEIVED"
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs.
-
(AWS.Response)
—
Returns:
deleteAssessmentReport(params = {}, callback) ⇒ AWS.Request
Deletes an assessment report in Audit Manager.
When you run the
DeleteAssessmentReport
operation, Audit Manager attempts to delete the following data:-
The specified assessment report that’s stored in your S3 bucket
-
The associated metadata that’s stored in Audit Manager
If Audit Manager can’t access the assessment report in your S3 bucket, the report isn’t deleted. In this event, the
DeleteAssessmentReport
operation doesn’t fail. Instead, it proceeds to delete the associated metadata only. You must then delete the assessment report from the S3 bucket yourself.This scenario happens when Audit Manager receives a
403 (Forbidden)
or404 (Not Found)
error from Amazon S3. To avoid this, make sure that your S3 bucket is available, and that you configured the correct permissions for Audit Manager to delete resources in your S3 bucket. For an example permissions policy that you can use, see Assessment report destination permissions in the Audit Manager User Guide. For information about the issues that could cause a403 (Forbidden)
or404 (Not Found
) error from Amazon S3, see List of Error Codes in the Amazon Simple Storage Service API Reference.Service Reference:
Examples:
Calling the deleteAssessmentReport operation
var params = { assessmentId: 'STRING_VALUE', /* required */ assessmentReportId: 'STRING_VALUE' /* required */ }; auditmanager.deleteAssessmentReport(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The unique identifier for the assessment.
assessmentReportId
— (String
)The unique identifier for the assessment report.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs.
-
(AWS.Response)
—
Returns:
deleteControl(params = {}, callback) ⇒ AWS.Request
Deletes a custom control in Audit Manager.
When you invoke this operation, the custom control is deleted from any frameworks or assessments that it’s currently part of. As a result, Audit Manager will stop collecting evidence for that custom control in all of your assessments. This includes assessments that you previously created before you deleted the custom control.
Service Reference:
Examples:
Calling the deleteControl operation
var params = { controlId: 'STRING_VALUE' /* required */ }; auditmanager.deleteControl(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
controlId
— (String
)The unique identifier for the control.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs.
-
(AWS.Response)
—
Returns:
deregisterAccount(params = {}, callback) ⇒ AWS.Request
Deregisters an account in Audit Manager.
Note: Before you deregister, you can use the UpdateSettings API operation to set your preferred data retention policy. By default, Audit Manager retains your data. If you want to delete your data, you can use theDeregistrationPolicy
attribute to request the deletion of your data. For more information about data retention, see Data Protection in the Audit Manager User Guide.Service Reference:
Examples:
Calling the deregisterAccount operation
var params = { }; auditmanager.deregisterAccount(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
- params (Object) (defaults to: {})
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:status
— (String
)The registration status of the account.
Possible values include:"ACTIVE"
"INACTIVE"
"PENDING_ACTIVATION"
-
(AWS.Response)
—
Returns:
deregisterOrganizationAdminAccount(params = {}, callback) ⇒ AWS.Request
Removes the specified Amazon Web Services account as a delegated administrator for Audit Manager.
When you remove a delegated administrator from your Audit Manager settings, you continue to have access to the evidence that you previously collected under that account. This is also the case when you deregister a delegated administrator from Organizations. However, Audit Manager stops collecting and attaching evidence to that delegated administrator account moving forward.
Keep in mind the following cleanup task if you use evidence finder:
Before you use your management account to remove a delegated administrator, make sure that the current delegated administrator account signs in to Audit Manager and disables evidence finder first. Disabling evidence finder automatically deletes the event data store that was created in their account when they enabled evidence finder. If this task isn’t completed, the event data store remains in their account. In this case, we recommend that the original delegated administrator goes to CloudTrail Lake and manually deletes the event data store.
This cleanup task is necessary to ensure that you don't end up with multiple event data stores. Audit Manager ignores an unused event data store after you remove or change a delegated administrator account. However, the unused event data store continues to incur storage costs from CloudTrail Lake if you don't delete it.
When you deregister a delegated administrator account for Audit Manager, the data for that account isn’t deleted. If you want to delete resource data for a delegated administrator account, you must perform that task separately before you deregister the account. Either, you can do this in the Audit Manager console. Or, you can use one of the delete API operations that are provided by Audit Manager.
To delete your Audit Manager resource data, see the following instructions:
-
DeleteAssessment (see also: Deleting an assessment in the Audit Manager User Guide)
-
DeleteAssessmentFramework (see also: Deleting a custom framework in the Audit Manager User Guide)
-
DeleteAssessmentFrameworkShare (see also: Deleting a share request in the Audit Manager User Guide)
-
DeleteAssessmentReport (see also: Deleting an assessment report in the Audit Manager User Guide)
-
DeleteControl (see also: Deleting a custom control in the Audit Manager User Guide)
At this time, Audit Manager doesn't provide an option to delete evidence for a specific delegated administrator. Instead, when your management account deregisters Audit Manager, we perform a cleanup for the current delegated administrator account at the time of deregistration.
Service Reference:
Examples:
Calling the deregisterOrganizationAdminAccount operation
var params = { adminAccountId: 'STRING_VALUE' }; auditmanager.deregisterOrganizationAdminAccount(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
adminAccountId
— (String
)The identifier for the administrator account.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs.
-
(AWS.Response)
—
Returns:
disassociateAssessmentReportEvidenceFolder(params = {}, callback) ⇒ AWS.Request
Disassociates an evidence folder from the specified assessment report in Audit Manager.
Service Reference:
Examples:
Calling the disassociateAssessmentReportEvidenceFolder operation
var params = { assessmentId: 'STRING_VALUE', /* required */ evidenceFolderId: 'STRING_VALUE' /* required */ }; auditmanager.disassociateAssessmentReportEvidenceFolder(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The unique identifier for the assessment.
evidenceFolderId
— (String
)The unique identifier for the folder that the evidence is stored in.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs.
-
(AWS.Response)
—
Returns:
getAccountStatus(params = {}, callback) ⇒ AWS.Request
Gets the registration status of an account in Audit Manager.
Service Reference:
Examples:
Calling the getAccountStatus operation
var params = { }; auditmanager.getAccountStatus(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
- params (Object) (defaults to: {})
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:status
— (String
)The status of the Amazon Web Services account.
Possible values include:"ACTIVE"
"INACTIVE"
"PENDING_ACTIVATION"
-
(AWS.Response)
—
Returns:
getAssessment(params = {}, callback) ⇒ AWS.Request
Gets information about a specified assessment.
Service Reference:
Examples:
Calling the getAssessment operation
var params = { assessmentId: 'STRING_VALUE' /* required */ }; auditmanager.getAssessment(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The unique identifier for the assessment.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:assessment
— (map
)An entity that defines the scope of audit evidence collected by Audit Manager. An Audit Manager assessment is an implementation of an Audit Manager framework.
arn
— (String
)The Amazon Resource Name (ARN) of the assessment.
awsAccount
— (map
)The Amazon Web Services account that's associated with the assessment.
id
— (String
)The identifier for the Amazon Web Services account.
emailAddress
— (String
)The email address that's associated with the Amazon Web Services account.
name
— (String
)The name of the Amazon Web Services account.
metadata
— (map
)The metadata for the assessment.
name
— (String
)The name of the assessment.
id
— (String
)The unique identifier for the assessment.
description
— (String
)The description of the assessment.
complianceType
— (String
)The name of the compliance standard that's related to the assessment, such as PCI-DSS.
status
— (String
)The overall status of the assessment.
Possible values include:"ACTIVE"
"INACTIVE"
assessmentReportsDestination
— (map
)The destination that evidence reports are stored in for the assessment.
destinationType
— (String
)The destination type, such as Amazon S3.
Possible values include:"S3"
destination
— (String
)The destination bucket where Audit Manager stores assessment reports.
scope
— (map
)The wrapper of Amazon Web Services accounts and services that are in scope for the assessment.
awsAccounts
— (Array<map>
)The Amazon Web Services accounts that are included in the scope of the assessment.
id
— (String
)The identifier for the Amazon Web Services account.
emailAddress
— (String
)The email address that's associated with the Amazon Web Services account.
name
— (String
)The name of the Amazon Web Services account.
awsServices
— (Array<map>
)The Amazon Web Services services that are included in the scope of the assessment.
This API parameter is no longer supported. If you use this parameter to specify one or more Amazon Web Services, Audit Manager ignores this input. Instead, the value for
awsServices
will show as empty.serviceName
— (String
)The name of the Amazon Web Service.
roles
— (Array<map>
)The roles that are associated with the assessment.
roleType
— required — (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
roleArn
— required — (String
)The Amazon Resource Name (ARN) of the IAM role.
delegations
— (Array<map>
)The delegations that are associated with the assessment.
id
— (String
)The unique identifier for the delegation.
assessmentName
— (String
)The name of the assessment that's associated with the delegation.
assessmentId
— (String
)The identifier for the assessment that's associated with the delegation.
status
— (String
)The status of the delegation.
Possible values include:"IN_PROGRESS"
"UNDER_REVIEW"
"COMPLETE"
roleArn
— (String
)The Amazon Resource Name (ARN) of the IAM role.
roleType
— (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
creationTime
— (Date
)Specifies when the delegation was created.
lastUpdated
— (Date
)Specifies when the delegation was last updated.
controlSetId
— (String
)The identifier for the control set that's associated with the delegation.
comment
— (String
)The comment that's related to the delegation.
createdBy
— (String
)The user or role that created the delegation.
creationTime
— (Date
)Specifies when the assessment was created.
lastUpdated
— (Date
)The time of the most recent update.
framework
— (map
)The framework that the assessment was created from.
id
— (String
)The unique identifier for the framework.
arn
— (String
)The Amazon Resource Name (ARN) of the framework.
metadata
— (map
)The metadata of a framework, such as the name, ID, or description.
name
— (String
)The name of the framework.
description
— (String
)The description of the framework.
logo
— (String
)The logo that's associated with the framework.
complianceType
— (String
)The compliance standard that's associated with the framework. For example, this could be PCI DSS or HIPAA.
controlSets
— (Array<map>
)The control sets that are associated with the framework.
id
— (String
)The identifier of the control set in the assessment. This is the control set name in a plain string format.
description
— (String
)The description for the control set.
status
— (String
)The current status of the control set.
Possible values include:"ACTIVE"
"UNDER_REVIEW"
"REVIEWED"
roles
— (Array<map>
)The roles that are associated with the control set.
roleType
— required — (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
roleArn
— required — (String
)The Amazon Resource Name (ARN) of the IAM role.
controls
— (Array<map>
)The list of controls that's contained with the control set.
id
— (String
)The identifier for the control.
name
— (String
)The name of the control.
description
— (String
)The description of the control.
status
— (String
)The status of the control.
Possible values include:"UNDER_REVIEW"
"REVIEWED"
"INACTIVE"
response
— (String
)The response of the control.
Possible values include:"MANUAL"
"AUTOMATE"
"DEFER"
"IGNORE"
comments
— (Array<map>
)The list of comments that's attached to the control.
authorName
— (String
)The name of the user who authored the comment.
commentBody
— (String
)The body text of a control comment.
postedDate
— (Date
)The time when the comment was posted.
evidenceSources
— (Array<String>
)The list of data sources for the evidence.
evidenceCount
— (Integer
)The amount of evidence that's collected for the control.
assessmentReportEvidenceCount
— (Integer
)The amount of evidence in the assessment report.
delegations
— (Array<map>
)The delegations that are associated with the control set.
id
— (String
)The unique identifier for the delegation.
assessmentName
— (String
)The name of the assessment that's associated with the delegation.
assessmentId
— (String
)The identifier for the assessment that's associated with the delegation.
status
— (String
)The status of the delegation.
Possible values include:"IN_PROGRESS"
"UNDER_REVIEW"
"COMPLETE"
roleArn
— (String
)The Amazon Resource Name (ARN) of the IAM role.
roleType
— (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
creationTime
— (Date
)Specifies when the delegation was created.
lastUpdated
— (Date
)Specifies when the delegation was last updated.
controlSetId
— (String
)The identifier for the control set that's associated with the delegation.
comment
— (String
)The comment that's related to the delegation.
createdBy
— (String
)The user or role that created the delegation.
systemEvidenceCount
— (Integer
)The total number of evidence objects that are retrieved automatically for the control set.
manualEvidenceCount
— (Integer
)The total number of evidence objects that are uploaded manually to the control set.
tags
— (map<String>
)The tags that are associated with the assessment.
userRole
— (map
)The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).
roleType
— required — (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
roleArn
— required — (String
)The Amazon Resource Name (ARN) of the IAM role.
-
(AWS.Response)
—
Returns:
getAssessmentFramework(params = {}, callback) ⇒ AWS.Request
Gets information about a specified framework.
Service Reference:
Examples:
Calling the getAssessmentFramework operation
var params = { frameworkId: 'STRING_VALUE' /* required */ }; auditmanager.getAssessmentFramework(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
frameworkId
— (String
)The identifier for the framework.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:framework
— (map
)The framework that the
GetAssessmentFramework
API returned.arn
— (String
)The Amazon Resource Name (ARN) of the framework.
id
— (String
)The unique identifier for the framework.
name
— (String
)The name of the framework.
type
— (String
)Specifies whether the framework is a standard framework or a custom framework.
Possible values include:"Standard"
"Custom"
complianceType
— (String
)The compliance type that the framework supports, such as CIS or HIPAA.
description
— (String
)The description of the framework.
logo
— (String
)The logo that's associated with the framework.
controlSources
— (String
)The control data sources where Audit Manager collects evidence from.
controlSets
— (Array<map>
)The control sets that are associated with the framework.
id
— (String
)The identifier of the control set in the assessment. This is the control set name in a plain string format.
name
— (String
)The name of the control set.
controls
— (Array<map>
)The list of controls within the control set.
arn
— (String
)The Amazon Resource Name (ARN) of the control.
id
— (String
)The unique identifier for the control.
type
— (String
)Specifies whether the control is a standard control or a custom control.
Possible values include:"Standard"
"Custom"
"Core"
name
— (String
)The name of the control.
description
— (String
)The description of the control.
testingInformation
— (String
)The steps that you should follow to determine if the control has been satisfied.
actionPlanTitle
— (String
)The title of the action plan for remediating the control.
actionPlanInstructions
— (String
)The recommended actions to carry out if the control isn't fulfilled.
controlSources
— (String
)The data source types that determine where Audit Manager collects evidence from for the control.
controlMappingSources
— (Array<map>
)The data mapping sources for the control.
sourceId
— (String
)The unique identifier for the source.
sourceName
— (String
)The name of the source.
sourceDescription
— (String
)The description of the source.
sourceSetUpOption
— (String
)The setup option for the data source. This option reflects if the evidence collection method is automated or manual. If you don’t provide a value for
Possible values include:sourceSetUpOption
, Audit Manager automatically infers and populates the correct value based on thesourceType
that you specify."System_Controls_Mapping"
"Procedural_Controls_Mapping"
sourceType
— (String
)Specifies which type of data source is used to collect evidence.
-
The source can be an individual data source type, such as
AWS_Cloudtrail
,AWS_Config
,AWS_Security_Hub
,AWS_API_Call
, orMANUAL
. -
The source can also be a managed grouping of data sources, such as a
Core_Control
or aCommon_Control
.
"AWS_Cloudtrail"
"AWS_Config"
"AWS_Security_Hub"
"AWS_API_Call"
"MANUAL"
"Common_Control"
"Core_Control"
-
sourceKeyword
— (map
)A keyword that relates to the control data source.
For manual evidence, this keyword indicates if the manual evidence is a file or text.
For automated evidence, this keyword identifies a specific CloudTrail event, Config rule, Security Hub control, or Amazon Web Services API name.
To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide:
keywordInputType
— (String
)The input method for the keyword.
-
SELECT_FROM_LIST
is used when mapping a data source for automated evidence.-
When
keywordInputType
isSELECT_FROM_LIST
, a keyword must be selected to collect automated evidence. For example, this keyword can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
-
-
UPLOAD_FILE
andINPUT_TEXT
are only used when mapping a data source for manual evidence.-
When
keywordInputType
isUPLOAD_FILE
, a file must be uploaded as manual evidence. -
When
keywordInputType
isINPUT_TEXT
, text must be entered as manual evidence.
-
"SELECT_FROM_LIST"
"UPLOAD_FILE"
"INPUT_TEXT"
-
keywordValue
— (String
)The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
If you’re mapping a data source to a rule in Config, the
keywordValue
that you specify depends on the type of rule:-
For managed rules, you can use the rule identifier as the
keywordValue
. You can find the rule identifier from the list of Config managed rules. For some rules, the rule identifier is different from the rule name. For example, the rule namerestricted-ssh
has the following rule identifier:INCOMING_SSH_DISABLED
. Make sure to use the rule identifier, not the rule name.Keyword example for managed rules:
-
Managed rule name: s3-bucket-acl-prohibited
keywordValue
:S3_BUCKET_ACL_PROHIBITED
-
-
For custom rules, you form the
keywordValue
by adding theCustom_
prefix to the rule name. This prefix distinguishes the custom rule from a managed rule.Keyword example for custom rules:
-
Custom rule name: my-custom-config-rule
keywordValue
:Custom_my-custom-config-rule
-
-
For service-linked rules, you form the
keywordValue
by adding theCustom_
prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name.Keyword examples for service-linked rules:
-
Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w
keywordValue
:Custom_CustomRuleForAccount-conformance-pack
-
Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba
keywordValue
:Custom_OrgConfigRule-s3-bucket-versioning-enabled
-
The
keywordValue
is case sensitive. If you enter a value incorrectly, Audit Manager might not recognize the data source mapping. As a result, you might not successfully collect evidence from that data source as intended.Keep in mind the following requirements, depending on the data source type that you're using.
-
For Config:
-
For managed rules, make sure that the
keywordValue
is the rule identifier inALL_CAPS_WITH_UNDERSCORES
. For example,CLOUDWATCH_LOG_GROUP_ENCRYPTED
. For accuracy, we recommend that you reference the list of supported Config managed rules. -
For custom rules, make sure that the
keywordValue
has theCustom_
prefix followed by the custom rule name. The format of the custom rule name itself may vary. For accuracy, we recommend that you visit the Config console to verify your custom rule name.
-
-
For Security Hub: The format varies for Security Hub control names. For accuracy, we recommend that you reference the list of supported Security Hub controls.
-
For Amazon Web Services API calls: Make sure that the
keywordValue
is written asserviceprefix_ActionName
. For example,iam_ListGroups
. For accuracy, we recommend that you reference the list of supported API calls. -
For CloudTrail: Make sure that the
keywordValue
is written asserviceprefix_ActionName
. For example,cloudtrail_StartLogging
. For accuracy, we recommend that you review the Amazon Web Service prefix and action names in the Service Authorization Reference.
-
sourceFrequency
— (String
)Specifies how often evidence is collected from the control mapping source.
Possible values include:"DAILY"
"WEEKLY"
"MONTHLY"
troubleshootingText
— (String
)The instructions for troubleshooting the control.
createdAt
— (Date
)The time when the control was created.
lastUpdatedAt
— (Date
)The time when the control was most recently updated.
createdBy
— (String
)The user or role that created the control.
lastUpdatedBy
— (String
)The user or role that most recently updated the control.
tags
— (map<String>
)The tags associated with the control.
state
— (String
)The state of the control. The
Possible values include:END_OF_SUPPORT
state is applicable to standard controls only. This state indicates that the standard control can still be used to collect evidence, but Audit Manager is no longer updating or maintaining that control."ACTIVE"
"END_OF_SUPPORT"
createdAt
— (Date
)The time when the framework was created.
lastUpdatedAt
— (Date
)The time when the framework was most recently updated.
createdBy
— (String
)The user or role that created the framework.
lastUpdatedBy
— (String
)The user or role that most recently updated the framework.
tags
— (map<String>
)The tags that are associated with the framework.
-
(AWS.Response)
—
Returns:
getAssessmentReportUrl(params = {}, callback) ⇒ AWS.Request
Gets the URL of an assessment report in Audit Manager.
Service Reference:
Examples:
Calling the getAssessmentReportUrl operation
var params = { assessmentId: 'STRING_VALUE', /* required */ assessmentReportId: 'STRING_VALUE' /* required */ }; auditmanager.getAssessmentReportUrl(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentReportId
— (String
)The unique identifier for the assessment report.
assessmentId
— (String
)The unique identifier for the assessment.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:preSignedUrl
— (map
)Short for uniform resource locator. A URL is used as a unique identifier to locate a resource on the internet.
hyperlinkName
— (String
)The name or word that's used as a hyperlink to the URL.
link
— (String
)The unique identifier for the internet resource.
-
(AWS.Response)
—
Returns:
getChangeLogs(params = {}, callback) ⇒ AWS.Request
Gets a list of changelogs from Audit Manager.
Service Reference:
Examples:
Calling the getChangeLogs operation
var params = { assessmentId: 'STRING_VALUE', /* required */ controlId: 'STRING_VALUE', controlSetId: 'STRING_VALUE', maxResults: 'NUMBER_VALUE', nextToken: 'STRING_VALUE' }; auditmanager.getChangeLogs(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The unique identifier for the assessment.
controlSetId
— (String
)The unique identifier for the control set.
controlId
— (String
)The unique identifier for the control.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
maxResults
— (Integer
)Represents the maximum number of results on a page or for an API request call.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:changeLogs
— (Array<map>
)The list of user activity for the control.
objectType
— (String
)The object that was changed, such as an assessment, control, or control set.
Possible values include:"ASSESSMENT"
"CONTROL_SET"
"CONTROL"
"DELEGATION"
"ASSESSMENT_REPORT"
objectName
— (String
)The name of the object that changed. This could be the name of an assessment, control, or control set.
action
— (String
)The action that was performed.
Possible values include:"CREATE"
"UPDATE_METADATA"
"ACTIVE"
"INACTIVE"
"DELETE"
"UNDER_REVIEW"
"REVIEWED"
"IMPORT_EVIDENCE"
createdAt
— (Date
)The time when the action was performed and the changelog record was created.
createdBy
— (String
)The user or role that performed the action.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
-
(AWS.Response)
—
Returns:
getControl(params = {}, callback) ⇒ AWS.Request
Gets information about a specified control.
Service Reference:
Examples:
Calling the getControl operation
var params = { controlId: 'STRING_VALUE' /* required */ }; auditmanager.getControl(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
controlId
— (String
)The identifier for the control.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:control
— (map
)The details of the control that the
GetControl
API returned.arn
— (String
)The Amazon Resource Name (ARN) of the control.
id
— (String
)The unique identifier for the control.
type
— (String
)Specifies whether the control is a standard control or a custom control.
Possible values include:"Standard"
"Custom"
"Core"
name
— (String
)The name of the control.
description
— (String
)The description of the control.
testingInformation
— (String
)The steps that you should follow to determine if the control has been satisfied.
actionPlanTitle
— (String
)The title of the action plan for remediating the control.
actionPlanInstructions
— (String
)The recommended actions to carry out if the control isn't fulfilled.
controlSources
— (String
)The data source types that determine where Audit Manager collects evidence from for the control.
controlMappingSources
— (Array<map>
)The data mapping sources for the control.
sourceId
— (String
)The unique identifier for the source.
sourceName
— (String
)The name of the source.
sourceDescription
— (String
)The description of the source.
sourceSetUpOption
— (String
)The setup option for the data source. This option reflects if the evidence collection method is automated or manual. If you don’t provide a value for
Possible values include:sourceSetUpOption
, Audit Manager automatically infers and populates the correct value based on thesourceType
that you specify."System_Controls_Mapping"
"Procedural_Controls_Mapping"
sourceType
— (String
)Specifies which type of data source is used to collect evidence.
-
The source can be an individual data source type, such as
AWS_Cloudtrail
,AWS_Config
,AWS_Security_Hub
,AWS_API_Call
, orMANUAL
. -
The source can also be a managed grouping of data sources, such as a
Core_Control
or aCommon_Control
.
"AWS_Cloudtrail"
"AWS_Config"
"AWS_Security_Hub"
"AWS_API_Call"
"MANUAL"
"Common_Control"
"Core_Control"
-
sourceKeyword
— (map
)A keyword that relates to the control data source.
For manual evidence, this keyword indicates if the manual evidence is a file or text.
For automated evidence, this keyword identifies a specific CloudTrail event, Config rule, Security Hub control, or Amazon Web Services API name.
To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide:
keywordInputType
— (String
)The input method for the keyword.
-
SELECT_FROM_LIST
is used when mapping a data source for automated evidence.-
When
keywordInputType
isSELECT_FROM_LIST
, a keyword must be selected to collect automated evidence. For example, this keyword can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
-
-
UPLOAD_FILE
andINPUT_TEXT
are only used when mapping a data source for manual evidence.-
When
keywordInputType
isUPLOAD_FILE
, a file must be uploaded as manual evidence. -
When
keywordInputType
isINPUT_TEXT
, text must be entered as manual evidence.
-
"SELECT_FROM_LIST"
"UPLOAD_FILE"
"INPUT_TEXT"
-
keywordValue
— (String
)The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
If you’re mapping a data source to a rule in Config, the
keywordValue
that you specify depends on the type of rule:-
For managed rules, you can use the rule identifier as the
keywordValue
. You can find the rule identifier from the list of Config managed rules. For some rules, the rule identifier is different from the rule name. For example, the rule namerestricted-ssh
has the following rule identifier:INCOMING_SSH_DISABLED
. Make sure to use the rule identifier, not the rule name.Keyword example for managed rules:
-
Managed rule name: s3-bucket-acl-prohibited
keywordValue
:S3_BUCKET_ACL_PROHIBITED
-
-
For custom rules, you form the
keywordValue
by adding theCustom_
prefix to the rule name. This prefix distinguishes the custom rule from a managed rule.Keyword example for custom rules:
-
Custom rule name: my-custom-config-rule
keywordValue
:Custom_my-custom-config-rule
-
-
For service-linked rules, you form the
keywordValue
by adding theCustom_
prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name.Keyword examples for service-linked rules:
-
Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w
keywordValue
:Custom_CustomRuleForAccount-conformance-pack
-
Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba
keywordValue
:Custom_OrgConfigRule-s3-bucket-versioning-enabled
-
The
keywordValue
is case sensitive. If you enter a value incorrectly, Audit Manager might not recognize the data source mapping. As a result, you might not successfully collect evidence from that data source as intended.Keep in mind the following requirements, depending on the data source type that you're using.
-
For Config:
-
For managed rules, make sure that the
keywordValue
is the rule identifier inALL_CAPS_WITH_UNDERSCORES
. For example,CLOUDWATCH_LOG_GROUP_ENCRYPTED
. For accuracy, we recommend that you reference the list of supported Config managed rules. -
For custom rules, make sure that the
keywordValue
has theCustom_
prefix followed by the custom rule name. The format of the custom rule name itself may vary. For accuracy, we recommend that you visit the Config console to verify your custom rule name.
-
-
For Security Hub: The format varies for Security Hub control names. For accuracy, we recommend that you reference the list of supported Security Hub controls.
-
For Amazon Web Services API calls: Make sure that the
keywordValue
is written asserviceprefix_ActionName
. For example,iam_ListGroups
. For accuracy, we recommend that you reference the list of supported API calls. -
For CloudTrail: Make sure that the
keywordValue
is written asserviceprefix_ActionName
. For example,cloudtrail_StartLogging
. For accuracy, we recommend that you review the Amazon Web Service prefix and action names in the Service Authorization Reference.
-
sourceFrequency
— (String
)Specifies how often evidence is collected from the control mapping source.
Possible values include:"DAILY"
"WEEKLY"
"MONTHLY"
troubleshootingText
— (String
)The instructions for troubleshooting the control.
createdAt
— (Date
)The time when the control was created.
lastUpdatedAt
— (Date
)The time when the control was most recently updated.
createdBy
— (String
)The user or role that created the control.
lastUpdatedBy
— (String
)The user or role that most recently updated the control.
tags
— (map<String>
)The tags associated with the control.
state
— (String
)The state of the control. The
Possible values include:END_OF_SUPPORT
state is applicable to standard controls only. This state indicates that the standard control can still be used to collect evidence, but Audit Manager is no longer updating or maintaining that control."ACTIVE"
"END_OF_SUPPORT"
-
(AWS.Response)
—
Returns:
getDelegations(params = {}, callback) ⇒ AWS.Request
Gets a list of delegations from an audit owner to a delegate.
Service Reference:
Examples:
Calling the getDelegations operation
var params = { maxResults: 'NUMBER_VALUE', nextToken: 'STRING_VALUE' }; auditmanager.getDelegations(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
maxResults
— (Integer
)Represents the maximum number of results on a page or for an API request call.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:delegations
— (Array<map>
)The list of delegations that the
GetDelegations
API returned.id
— (String
)The unique identifier for the delegation.
assessmentName
— (String
)The name of the associated assessment.
assessmentId
— (String
)The unique identifier for the assessment.
status
— (String
)The current status of the delegation.
Possible values include:"IN_PROGRESS"
"UNDER_REVIEW"
"COMPLETE"
roleArn
— (String
)The Amazon Resource Name (ARN) of the IAM role.
creationTime
— (Date
)Specifies when the delegation was created.
controlSetName
— (String
)Specifies the name of the control set that was delegated for review.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
-
(AWS.Response)
—
Returns:
getEvidence(params = {}, callback) ⇒ AWS.Request
Gets information about a specified evidence item.
Service Reference:
Examples:
Calling the getEvidence operation
var params = { assessmentId: 'STRING_VALUE', /* required */ controlSetId: 'STRING_VALUE', /* required */ evidenceFolderId: 'STRING_VALUE', /* required */ evidenceId: 'STRING_VALUE' /* required */ }; auditmanager.getEvidence(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The unique identifier for the assessment.
controlSetId
— (String
)The unique identifier for the control set.
evidenceFolderId
— (String
)The unique identifier for the folder that the evidence is stored in.
evidenceId
— (String
)The unique identifier for the evidence.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:evidence
— (map
)The evidence that the
GetEvidence
API returned.dataSource
— (String
)The data source where the evidence was collected from.
evidenceAwsAccountId
— (String
)The identifier for the Amazon Web Services account.
time
— (Date
)The timestamp that represents when the evidence was collected.
eventSource
— (String
)The Amazon Web Service that the evidence is collected from.
eventName
— (String
)The name of the evidence event.
evidenceByType
— (String
)The type of automated evidence.
resourcesIncluded
— (Array<map>
)The list of resources that are assessed to generate the evidence.
arn
— (String
)The Amazon Resource Name (ARN) for the resource.
value
— (String
)The value of the resource.
complianceCheck
— (String
)The evaluation status for a resource that was assessed when collecting compliance check evidence.
-
Audit Manager classes the resource as non-compliant if Security Hub reports a Fail result, or if Config reports a Non-compliant result.
-
Audit Manager classes the resource as compliant if Security Hub reports a Pass result, or if Config reports a Compliant result.
-
If a compliance check isn't available or applicable, then no compliance evaluation can be made for that resource. This is the case if a resource assessment uses Config or Security Hub as the underlying data source type, but those services aren't enabled. This is also the case if the resource assessment uses an underlying data source type that doesn't support compliance checks (such as manual evidence, Amazon Web Services API calls, or CloudTrail).
-
attributes
— (map<String>
)The names and values that are used by the evidence event. This includes an attribute name (such as
allowUsersToChangePassword
) and value (such astrue
orfalse
).iamId
— (String
)The unique identifier for the user or role that's associated with the evidence.
complianceCheck
— (String
)The evaluation status for automated evidence that falls under the compliance check category.
-
Audit Manager classes evidence as non-compliant if Security Hub reports a Fail result, or if Config reports a Non-compliant result.
-
Audit Manager classes evidence as compliant if Security Hub reports a Pass result, or if Config reports a Compliant result.
-
If a compliance check isn't available or applicable, then no compliance evaluation can be made for that evidence. This is the case if the evidence uses Config or Security Hub as the underlying data source type, but those services aren't enabled. This is also the case if the evidence uses an underlying data source type that doesn't support compliance checks (such as manual evidence, Amazon Web Services API calls, or CloudTrail).
-
awsOrganization
— (String
)The Amazon Web Services account that the evidence is collected from, and its organization path.
awsAccountId
— (String
)The identifier for the Amazon Web Services account.
evidenceFolderId
— (String
)The identifier for the folder that the evidence is stored in.
id
— (String
)The identifier for the evidence.
assessmentReportSelection
— (String
)Specifies whether the evidence is included in the assessment report.
-
(AWS.Response)
—
Returns:
getEvidenceByEvidenceFolder(params = {}, callback) ⇒ AWS.Request
Gets all evidence from a specified evidence folder in Audit Manager.
Service Reference:
Examples:
Calling the getEvidenceByEvidenceFolder operation
var params = { assessmentId: 'STRING_VALUE', /* required */ controlSetId: 'STRING_VALUE', /* required */ evidenceFolderId: 'STRING_VALUE', /* required */ maxResults: 'NUMBER_VALUE', nextToken: 'STRING_VALUE' }; auditmanager.getEvidenceByEvidenceFolder(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The identifier for the assessment.
controlSetId
— (String
)The identifier for the control set.
evidenceFolderId
— (String
)The unique identifier for the folder that the evidence is stored in.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
maxResults
— (Integer
)Represents the maximum number of results on a page or for an API request call.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:evidence
— (Array<map>
)The list of evidence that the
GetEvidenceByEvidenceFolder
API returned.dataSource
— (String
)The data source where the evidence was collected from.
evidenceAwsAccountId
— (String
)The identifier for the Amazon Web Services account.
time
— (Date
)The timestamp that represents when the evidence was collected.
eventSource
— (String
)The Amazon Web Service that the evidence is collected from.
eventName
— (String
)The name of the evidence event.
evidenceByType
— (String
)The type of automated evidence.
resourcesIncluded
— (Array<map>
)The list of resources that are assessed to generate the evidence.
arn
— (String
)The Amazon Resource Name (ARN) for the resource.
value
— (String
)The value of the resource.
complianceCheck
— (String
)The evaluation status for a resource that was assessed when collecting compliance check evidence.
-
Audit Manager classes the resource as non-compliant if Security Hub reports a Fail result, or if Config reports a Non-compliant result.
-
Audit Manager classes the resource as compliant if Security Hub reports a Pass result, or if Config reports a Compliant result.
-
If a compliance check isn't available or applicable, then no compliance evaluation can be made for that resource. This is the case if a resource assessment uses Config or Security Hub as the underlying data source type, but those services aren't enabled. This is also the case if the resource assessment uses an underlying data source type that doesn't support compliance checks (such as manual evidence, Amazon Web Services API calls, or CloudTrail).
-
attributes
— (map<String>
)The names and values that are used by the evidence event. This includes an attribute name (such as
allowUsersToChangePassword
) and value (such astrue
orfalse
).iamId
— (String
)The unique identifier for the user or role that's associated with the evidence.
complianceCheck
— (String
)The evaluation status for automated evidence that falls under the compliance check category.
-
Audit Manager classes evidence as non-compliant if Security Hub reports a Fail result, or if Config reports a Non-compliant result.
-
Audit Manager classes evidence as compliant if Security Hub reports a Pass result, or if Config reports a Compliant result.
-
If a compliance check isn't available or applicable, then no compliance evaluation can be made for that evidence. This is the case if the evidence uses Config or Security Hub as the underlying data source type, but those services aren't enabled. This is also the case if the evidence uses an underlying data source type that doesn't support compliance checks (such as manual evidence, Amazon Web Services API calls, or CloudTrail).
-
awsOrganization
— (String
)The Amazon Web Services account that the evidence is collected from, and its organization path.
awsAccountId
— (String
)The identifier for the Amazon Web Services account.
evidenceFolderId
— (String
)The identifier for the folder that the evidence is stored in.
id
— (String
)The identifier for the evidence.
assessmentReportSelection
— (String
)Specifies whether the evidence is included in the assessment report.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
-
(AWS.Response)
—
Returns:
getEvidenceFileUploadUrl(params = {}, callback) ⇒ AWS.Request
Creates a presigned Amazon S3 URL that can be used to upload a file as manual evidence. For instructions on how to use this operation, see Upload a file from your browser in the Audit Manager User Guide.
The following restrictions apply to this operation:
-
Maximum size of an individual evidence file: 100 MB
-
Number of daily manual evidence uploads per control: 100
-
Supported file formats: See Supported file types for manual evidence in the Audit Manager User Guide
For more information about Audit Manager service restrictions, see Quotas and restrictions for Audit Manager.
Service Reference:
Examples:
Calling the getEvidenceFileUploadUrl operation
var params = { fileName: 'STRING_VALUE' /* required */ }; auditmanager.getEvidenceFileUploadUrl(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
fileName
— (String
)The file that you want to upload. For a list of supported file formats, see Supported file types for manual evidence in the Audit Manager User Guide.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:evidenceFileName
— (String
)The name of the uploaded manual evidence file that the presigned URL was generated for.
uploadUrl
— (String
)The presigned URL that was generated.
-
(AWS.Response)
—
Returns:
getEvidenceFolder(params = {}, callback) ⇒ AWS.Request
Gets an evidence folder from a specified assessment in Audit Manager.
Service Reference:
Examples:
Calling the getEvidenceFolder operation
var params = { assessmentId: 'STRING_VALUE', /* required */ controlSetId: 'STRING_VALUE', /* required */ evidenceFolderId: 'STRING_VALUE' /* required */ }; auditmanager.getEvidenceFolder(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The unique identifier for the assessment.
controlSetId
— (String
)The unique identifier for the control set.
evidenceFolderId
— (String
)The unique identifier for the folder that the evidence is stored in.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:evidenceFolder
— (map
)The folder that the evidence is stored in.
name
— (String
)The name of the evidence folder.
date
— (Date
)The date when the first evidence was added to the evidence folder.
assessmentId
— (String
)The identifier for the assessment.
controlSetId
— (String
)The identifier for the control set.
controlId
— (String
)The unique identifier for the control.
id
— (String
)The identifier for the folder that the evidence is stored in.
dataSource
— (String
)The Amazon Web Service that the evidence was collected from.
author
— (String
)The name of the user who created the evidence folder.
totalEvidence
— (Integer
)The total amount of evidence in the evidence folder.
assessmentReportSelectionCount
— (Integer
)The total count of evidence that's included in the assessment report.
controlName
— (String
)The name of the control.
evidenceResourcesIncludedCount
— (Integer
)The amount of evidence that's included in the evidence folder.
evidenceByTypeConfigurationDataCount
— (Integer
)The number of evidence that falls under the configuration data category. This evidence is collected from configuration snapshots of other Amazon Web Services such as Amazon EC2, Amazon S3, or IAM.
evidenceByTypeManualCount
— (Integer
)The number of evidence that falls under the manual category. This evidence is imported manually.
evidenceByTypeComplianceCheckCount
— (Integer
)The number of evidence that falls under the compliance check category. This evidence is collected from Config or Security Hub.
evidenceByTypeComplianceCheckIssuesCount
— (Integer
)The total number of issues that were reported directly from Security Hub, Config, or both.
evidenceByTypeUserActivityCount
— (Integer
)The number of evidence that falls under the user activity category. This evidence is collected from CloudTrail logs.
evidenceAwsServiceSourceCount
— (Integer
)The total number of Amazon Web Services resources that were assessed to generate the evidence.
-
(AWS.Response)
—
Returns:
getEvidenceFoldersByAssessment(params = {}, callback) ⇒ AWS.Request
Gets the evidence folders from a specified assessment in Audit Manager.
Service Reference:
Examples:
Calling the getEvidenceFoldersByAssessment operation
var params = { assessmentId: 'STRING_VALUE', /* required */ maxResults: 'NUMBER_VALUE', nextToken: 'STRING_VALUE' }; auditmanager.getEvidenceFoldersByAssessment(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The unique identifier for the assessment.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
maxResults
— (Integer
)Represents the maximum number of results on a page or for an API request call.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:evidenceFolders
— (Array<map>
)The list of evidence folders that the
GetEvidenceFoldersByAssessment
API returned.name
— (String
)The name of the evidence folder.
date
— (Date
)The date when the first evidence was added to the evidence folder.
assessmentId
— (String
)The identifier for the assessment.
controlSetId
— (String
)The identifier for the control set.
controlId
— (String
)The unique identifier for the control.
id
— (String
)The identifier for the folder that the evidence is stored in.
dataSource
— (String
)The Amazon Web Service that the evidence was collected from.
author
— (String
)The name of the user who created the evidence folder.
totalEvidence
— (Integer
)The total amount of evidence in the evidence folder.
assessmentReportSelectionCount
— (Integer
)The total count of evidence that's included in the assessment report.
controlName
— (String
)The name of the control.
evidenceResourcesIncludedCount
— (Integer
)The amount of evidence that's included in the evidence folder.
evidenceByTypeConfigurationDataCount
— (Integer
)The number of evidence that falls under the configuration data category. This evidence is collected from configuration snapshots of other Amazon Web Services such as Amazon EC2, Amazon S3, or IAM.
evidenceByTypeManualCount
— (Integer
)The number of evidence that falls under the manual category. This evidence is imported manually.
evidenceByTypeComplianceCheckCount
— (Integer
)The number of evidence that falls under the compliance check category. This evidence is collected from Config or Security Hub.
evidenceByTypeComplianceCheckIssuesCount
— (Integer
)The total number of issues that were reported directly from Security Hub, Config, or both.
evidenceByTypeUserActivityCount
— (Integer
)The number of evidence that falls under the user activity category. This evidence is collected from CloudTrail logs.
evidenceAwsServiceSourceCount
— (Integer
)The total number of Amazon Web Services resources that were assessed to generate the evidence.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
-
(AWS.Response)
—
Returns:
getEvidenceFoldersByAssessmentControl(params = {}, callback) ⇒ AWS.Request
Gets a list of evidence folders that are associated with a specified control in an Audit Manager assessment.
Service Reference:
Examples:
Calling the getEvidenceFoldersByAssessmentControl operation
var params = { assessmentId: 'STRING_VALUE', /* required */ controlId: 'STRING_VALUE', /* required */ controlSetId: 'STRING_VALUE', /* required */ maxResults: 'NUMBER_VALUE', nextToken: 'STRING_VALUE' }; auditmanager.getEvidenceFoldersByAssessmentControl(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The identifier for the assessment.
controlSetId
— (String
)The identifier for the control set.
controlId
— (String
)The identifier for the control.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
maxResults
— (Integer
)Represents the maximum number of results on a page or for an API request call.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:evidenceFolders
— (Array<map>
)The list of evidence folders that the
GetEvidenceFoldersByAssessmentControl
API returned.name
— (String
)The name of the evidence folder.
date
— (Date
)The date when the first evidence was added to the evidence folder.
assessmentId
— (String
)The identifier for the assessment.
controlSetId
— (String
)The identifier for the control set.
controlId
— (String
)The unique identifier for the control.
id
— (String
)The identifier for the folder that the evidence is stored in.
dataSource
— (String
)The Amazon Web Service that the evidence was collected from.
author
— (String
)The name of the user who created the evidence folder.
totalEvidence
— (Integer
)The total amount of evidence in the evidence folder.
assessmentReportSelectionCount
— (Integer
)The total count of evidence that's included in the assessment report.
controlName
— (String
)The name of the control.
evidenceResourcesIncludedCount
— (Integer
)The amount of evidence that's included in the evidence folder.
evidenceByTypeConfigurationDataCount
— (Integer
)The number of evidence that falls under the configuration data category. This evidence is collected from configuration snapshots of other Amazon Web Services such as Amazon EC2, Amazon S3, or IAM.
evidenceByTypeManualCount
— (Integer
)The number of evidence that falls under the manual category. This evidence is imported manually.
evidenceByTypeComplianceCheckCount
— (Integer
)The number of evidence that falls under the compliance check category. This evidence is collected from Config or Security Hub.
evidenceByTypeComplianceCheckIssuesCount
— (Integer
)The total number of issues that were reported directly from Security Hub, Config, or both.
evidenceByTypeUserActivityCount
— (Integer
)The number of evidence that falls under the user activity category. This evidence is collected from CloudTrail logs.
evidenceAwsServiceSourceCount
— (Integer
)The total number of Amazon Web Services resources that were assessed to generate the evidence.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
-
(AWS.Response)
—
Returns:
getInsights(params = {}, callback) ⇒ AWS.Request
Gets the latest analytics data for all your current active assessments.
Service Reference:
Examples:
Calling the getInsights operation
var params = { }; auditmanager.getInsights(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
- params (Object) (defaults to: {})
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:insights
— (map
)The analytics data that the
GetInsights
API returned.activeAssessmentsCount
— (Integer
)The number of active assessments in Audit Manager.
noncompliantEvidenceCount
— (Integer
)The number of compliance check evidence that Audit Manager classified as non-compliant on the
lastUpdated
date. This includes evidence that was collected from Security Hub with a Fail ruling, or collected from Config with a Non-compliant ruling.compliantEvidenceCount
— (Integer
)The number of compliance check evidence that Audit Manager classified as compliant on the
lastUpdated
date. This includes evidence that was collected from Security Hub with a Pass ruling, or collected from Config with a Compliant ruling.inconclusiveEvidenceCount
— (Integer
)The number of evidence without a compliance check ruling. Evidence is inconclusive when the associated control uses Security Hub or Config as a data source but you didn't enable those services. This is also the case when a control uses a data source that doesn’t support compliance checks (for example: manual evidence, API calls, or CloudTrail).
Note: If evidence has a compliance check status of not applicable, it's classed as inconclusive inInsights
data.assessmentControlsCountByNoncompliantEvidence
— (Integer
)The number of assessment controls that collected non-compliant evidence on the
lastUpdated
date.totalAssessmentControlsCount
— (Integer
)The total number of controls across all active assessments.
lastUpdated
— (Date
)The time when the cross-assessment insights were last updated.
-
(AWS.Response)
—
Returns:
getInsightsByAssessment(params = {}, callback) ⇒ AWS.Request
Gets the latest analytics data for a specific active assessment.
Service Reference:
Examples:
Calling the getInsightsByAssessment operation
var params = { assessmentId: 'STRING_VALUE' /* required */ }; auditmanager.getInsightsByAssessment(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The unique identifier for the assessment.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:insights
— (map
)The assessment analytics data that the
GetInsightsByAssessment
API returned.noncompliantEvidenceCount
— (Integer
)The number of compliance check evidence that Audit Manager classified as non-compliant. This includes evidence that was collected from Security Hub with a Fail ruling, or collected from Config with a Non-compliant ruling.
compliantEvidenceCount
— (Integer
)The number of compliance check evidence that Audit Manager classified as compliant. This includes evidence that was collected from Security Hub with a Pass ruling, or collected from Config with a Compliant ruling.
inconclusiveEvidenceCount
— (Integer
)The amount of evidence without a compliance check ruling. Evidence is inconclusive if the associated control uses Security Hub or Config as a data source and you didn't enable those services. This is also the case if a control uses a data source that doesn’t support compliance checks (for example, manual evidence, API calls, or CloudTrail).
Note: If evidence has a compliance check status of not applicable, it's classified as inconclusive inInsightsByAssessment
data.assessmentControlsCountByNoncompliantEvidence
— (Integer
)The number of assessment controls that collected non-compliant evidence on the
lastUpdated
date.totalAssessmentControlsCount
— (Integer
)The total number of controls in the assessment.
lastUpdated
— (Date
)The time when the assessment insights were last updated.
-
(AWS.Response)
—
Returns:
getOrganizationAdminAccount(params = {}, callback) ⇒ AWS.Request
Gets the name of the delegated Amazon Web Services administrator account for a specified organization.
Service Reference:
Examples:
Calling the getOrganizationAdminAccount operation
var params = { }; auditmanager.getOrganizationAdminAccount(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
- params (Object) (defaults to: {})
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:adminAccountId
— (String
)The identifier for the administrator account.
organizationId
— (String
)The identifier for the organization.
-
(AWS.Response)
—
Returns:
getServicesInScope(params = {}, callback) ⇒ AWS.Request
Gets a list of the Amazon Web Services from which Audit Manager can collect evidence.
Audit Manager defines which Amazon Web Services are in scope for an assessment. Audit Manager infers this scope by examining the assessment’s controls and their data sources, and then mapping this information to one or more of the corresponding Amazon Web Services that are in this list.
Note: For information about why it's no longer possible to specify services in scope manually, see I can't edit the services in scope for my assessment in the Troubleshooting section of the Audit Manager user guide.Service Reference:
Examples:
Calling the getServicesInScope operation
var params = { }; auditmanager.getServicesInScope(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
- params (Object) (defaults to: {})
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:serviceMetadata
— (Array<map>
)The metadata that's associated with the Amazon Web Service.
name
— (String
)The name of the Amazon Web Service.
displayName
— (String
)The display name of the Amazon Web Service.
description
— (String
)The description of the Amazon Web Service.
category
— (String
)The category that the Amazon Web Service belongs to, such as compute, storage, or database.
-
(AWS.Response)
—
Returns:
getSettings(params = {}, callback) ⇒ AWS.Request
Gets the settings for a specified Amazon Web Services account.
Service Reference:
Examples:
Calling the getSettings operation
var params = { attribute: ALL | IS_AWS_ORG_ENABLED | SNS_TOPIC | DEFAULT_ASSESSMENT_REPORTS_DESTINATION | DEFAULT_PROCESS_OWNERS | EVIDENCE_FINDER_ENABLEMENT | DEREGISTRATION_POLICY | DEFAULT_EXPORT_DESTINATION /* required */ }; auditmanager.getSettings(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
attribute
— (String
)The list of setting attribute enum values.
Possible values include:"ALL"
"IS_AWS_ORG_ENABLED"
"SNS_TOPIC"
"DEFAULT_ASSESSMENT_REPORTS_DESTINATION"
"DEFAULT_PROCESS_OWNERS"
"EVIDENCE_FINDER_ENABLEMENT"
"DEREGISTRATION_POLICY"
"DEFAULT_EXPORT_DESTINATION"
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:settings
— (map
)The settings object that holds all supported Audit Manager settings.
isAwsOrgEnabled
— (Boolean
)Specifies whether Organizations is enabled.
snsTopic
— (String
)The designated Amazon Simple Notification Service (Amazon SNS) topic.
defaultAssessmentReportsDestination
— (map
)The default S3 destination bucket for storing assessment reports.
destinationType
— (String
)The destination type, such as Amazon S3.
Possible values include:"S3"
destination
— (String
)The destination bucket where Audit Manager stores assessment reports.
defaultProcessOwners
— (Array<map>
)The designated default audit owners.
roleType
— required — (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
roleArn
— required — (String
)The Amazon Resource Name (ARN) of the IAM role.
kmsKey
— (String
)The KMS key details.
evidenceFinderEnablement
— (map
)The current evidence finder status and event data store details.
eventDataStoreArn
— (String
)The Amazon Resource Name (ARN) of the CloudTrail Lake event data store that’s used by evidence finder. The event data store is the lake of evidence data that evidence finder runs queries against.
enablementStatus
— (String
)The current status of the evidence finder feature and the related event data store.
-
ENABLE_IN_PROGRESS
means that you requested to enable evidence finder. An event data store is currently being created to support evidence finder queries. -
ENABLED
means that an event data store was successfully created and evidence finder is enabled. We recommend that you wait 7 days until the event data store is backfilled with your past two years’ worth of evidence data. You can use evidence finder in the meantime, but not all data might be available until the backfill is complete. -
DISABLE_IN_PROGRESS
means that you requested to disable evidence finder, and your request is pending the deletion of the event data store. -
DISABLED
means that you have permanently disabled evidence finder and the event data store has been deleted. You can't re-enable evidence finder after this point.
"ENABLED"
"DISABLED"
"ENABLE_IN_PROGRESS"
"DISABLE_IN_PROGRESS"
-
backfillStatus
— (String
)The current status of the evidence data backfill process.
The backfill starts after you enable evidence finder. During this task, Audit Manager populates an event data store with your past two years’ worth of evidence data so that your evidence can be queried.
-
NOT_STARTED
means that the backfill hasn’t started yet. -
IN_PROGRESS
means that the backfill is in progress. This can take up to 7 days to complete, depending on the amount of evidence data. -
COMPLETED
means that the backfill is complete. All of your past evidence is now queryable.
"NOT_STARTED"
"IN_PROGRESS"
"COMPLETED"
-
error
— (String
)Represents any errors that occurred when enabling or disabling evidence finder.
deregistrationPolicy
— (map
)The deregistration policy for your Audit Manager data. You can use this attribute to determine how your data is handled when you deregister Audit Manager.
deleteResources
— (String
)Specifies which Audit Manager data will be deleted when you deregister Audit Manager.
-
If you set the value to
ALL
, all of your data is deleted within seven days of deregistration. -
If you set the value to
DEFAULT
, none of your data is deleted at the time of deregistration. However, keep in mind that the Audit Manager data retention policy still applies. As a result, any evidence data will be deleted two years after its creation date. Your other Audit Manager resources will continue to exist indefinitely.
"ALL"
"DEFAULT"
-
defaultExportDestination
— (map
)The default S3 destination bucket for storing evidence finder exports.
destinationType
— (String
)The destination type, such as Amazon S3.
Possible values include:"S3"
destination
— (String
)The destination bucket where Audit Manager stores exported files.
-
(AWS.Response)
—
Returns:
listAssessmentControlInsightsByControlDomain(params = {}, callback) ⇒ AWS.Request
Lists the latest analytics data for controls within a specific control domain and a specific active assessment.
Note: Control insights are listed only if the control belongs to the control domain and assessment that was specified. Moreover, the control must have collected evidence on thelastUpdated
date ofcontrolInsightsByAssessment
. If neither of these conditions are met, no data is listed for that control.Service Reference:
Examples:
Calling the listAssessmentControlInsightsByControlDomain operation
var params = { assessmentId: 'STRING_VALUE', /* required */ controlDomainId: 'STRING_VALUE', /* required */ maxResults: 'NUMBER_VALUE', nextToken: 'STRING_VALUE' }; auditmanager.listAssessmentControlInsightsByControlDomain(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
controlDomainId
— (String
)The unique identifier for the control domain.
Audit Manager supports the control domains that are provided by Amazon Web Services Control Catalog. For information about how to find a list of available control domains, see
ListDomains
in the Amazon Web Services Control Catalog API Reference.assessmentId
— (String
)The unique identifier for the active assessment.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
maxResults
— (Integer
)Represents the maximum number of results on a page or for an API request call.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:controlInsightsByAssessment
— (Array<map>
)The assessment control analytics data that the
ListAssessmentControlInsightsByControlDomain
API returned.name
— (String
)The name of the assessment control.
id
— (String
)The unique identifier for the assessment control.
evidenceInsights
— (map
)A breakdown of the compliance check status for the evidence that’s associated with the assessment control.
noncompliantEvidenceCount
— (Integer
)The number of compliance check evidence that Audit Manager classified as non-compliant. This includes evidence that was collected from Security Hub with a Fail ruling, or collected from Config with a Non-compliant ruling.
compliantEvidenceCount
— (Integer
)The number of compliance check evidence that Audit Manager classified as compliant. This includes evidence that was collected from Security Hub with a Pass ruling, or collected from Config with a Compliant ruling.
inconclusiveEvidenceCount
— (Integer
)The number of evidence that a compliance check ruling isn't available for. Evidence is inconclusive when the associated control uses Security Hub or Config as a data source but you didn't enable those services. This is also the case when a control uses a data source that doesn’t support compliance checks (for example, manual evidence, API calls, or CloudTrail).
Note: If evidence has a compliance check status of not applicable in the console, it's classified as inconclusive inEvidenceInsights
data.
controlSetName
— (String
)The name of the control set that the assessment control belongs to.
lastUpdated
— (Date
)The time when the assessment control insights were last updated.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
-
(AWS.Response)
—
Returns:
listAssessmentFrameworks(params = {}, callback) ⇒ AWS.Request
Returns a list of the frameworks that are available in the Audit Manager framework library.
Service Reference:
Examples:
Calling the listAssessmentFrameworks operation
var params = { frameworkType: Standard | Custom, /* required */ maxResults: 'NUMBER_VALUE', nextToken: 'STRING_VALUE' }; auditmanager.listAssessmentFrameworks(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
frameworkType
— (String
)The type of framework, such as a standard framework or a custom framework.
Possible values include:"Standard"
"Custom"
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
maxResults
— (Integer
)Represents the maximum number of results on a page or for an API request call.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:frameworkMetadataList
— (Array<map>
)A list of metadata that the
ListAssessmentFrameworks
API returns for each framework.arn
— (String
)The Amazon Resource Name (ARN) of the framework.
id
— (String
)The unique identifier for the framework.
type
— (String
)The framework type, such as a standard framework or a custom framework.
Possible values include:"Standard"
"Custom"
name
— (String
)The name of the framework.
description
— (String
)The description of the framework.
logo
— (String
)The logo that's associated with the framework.
complianceType
— (String
)The compliance type that the new custom framework supports, such as CIS or HIPAA.
controlsCount
— (Integer
)The number of controls that are associated with the framework.
controlSetsCount
— (Integer
)The number of control sets that are associated with the framework.
createdAt
— (Date
)The time when the framework was created.
lastUpdatedAt
— (Date
)The time when the framework was most recently updated.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
-
(AWS.Response)
—
Returns:
listAssessmentFrameworkShareRequests(params = {}, callback) ⇒ AWS.Request
Returns a list of sent or received share requests for custom frameworks in Audit Manager.
Service Reference:
Examples:
Calling the listAssessmentFrameworkShareRequests operation
var params = { requestType: SENT | RECEIVED, /* required */ maxResults: 'NUMBER_VALUE', nextToken: 'STRING_VALUE' }; auditmanager.listAssessmentFrameworkShareRequests(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
requestType
— (String
)Specifies whether the share request is a sent request or a received request.
Possible values include:"SENT"
"RECEIVED"
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
maxResults
— (Integer
)Represents the maximum number of results on a page or for an API request call.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:assessmentFrameworkShareRequests
— (Array<map>
)The list of share requests that the
ListAssessmentFrameworkShareRequests
API returned.id
— (String
)The unique identifier for the share request.
frameworkId
— (String
)The unique identifier for the shared custom framework.
frameworkName
— (String
)The name of the custom framework that the share request is for.
frameworkDescription
— (String
)The description of the shared custom framework.
status
— (String
)The status of the share request.
Possible values include:"ACTIVE"
"REPLICATING"
"SHARED"
"EXPIRING"
"FAILED"
"EXPIRED"
"DECLINED"
"REVOKED"
sourceAccount
— (String
)The Amazon Web Services account of the sender.
destinationAccount
— (String
)The Amazon Web Services account of the recipient.
destinationRegion
— (String
)The Amazon Web Services Region of the recipient.
expirationTime
— (Date
)The time when the share request expires.
creationTime
— (Date
)The time when the share request was created.
lastUpdated
— (Date
)Specifies when the share request was last updated.
comment
— (String
)An optional comment from the sender about the share request.
standardControlsCount
— (Integer
)The number of standard controls that are part of the shared custom framework.
customControlsCount
— (Integer
)The number of custom controls that are part of the shared custom framework.
complianceType
— (String
)The compliance type that the shared custom framework supports, such as CIS or HIPAA.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
-
(AWS.Response)
—
Returns:
listAssessmentReports(params = {}, callback) ⇒ AWS.Request
Returns a list of assessment reports created in Audit Manager.
Service Reference:
Examples:
Calling the listAssessmentReports operation
var params = { maxResults: 'NUMBER_VALUE', nextToken: 'STRING_VALUE' }; auditmanager.listAssessmentReports(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
maxResults
— (Integer
)Represents the maximum number of results on a page or for an API request call.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:assessmentReports
— (Array<map>
)The list of assessment reports that the
ListAssessmentReports
API returned.id
— (String
)The unique identifier for the assessment report.
name
— (String
)The name of the assessment report.
description
— (String
)The description of the assessment report.
assessmentId
— (String
)The unique identifier for the associated assessment.
assessmentName
— (String
)The name of the associated assessment.
author
— (String
)The name of the user who created the assessment report.
status
— (String
)The current status of the assessment report.
Possible values include:"COMPLETE"
"IN_PROGRESS"
"FAILED"
creationTime
— (Date
)Specifies when the assessment report was created.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
-
(AWS.Response)
—
Returns:
listAssessments(params = {}, callback) ⇒ AWS.Request
Returns a list of current and past assessments from Audit Manager.
Service Reference:
Examples:
Calling the listAssessments operation
var params = { maxResults: 'NUMBER_VALUE', nextToken: 'STRING_VALUE', status: ACTIVE | INACTIVE }; auditmanager.listAssessments(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
status
— (String
)The current status of the assessment.
Possible values include:"ACTIVE"
"INACTIVE"
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
maxResults
— (Integer
)Represents the maximum number of results on a page or for an API request call.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:assessmentMetadata
— (Array<map>
)The metadata that the
ListAssessments
API returns for each assessment.name
— (String
)The name of the assessment.
id
— (String
)The unique identifier for the assessment.
complianceType
— (String
)The name of the compliance standard that's related to the assessment, such as PCI-DSS.
status
— (String
)The current status of the assessment.
Possible values include:"ACTIVE"
"INACTIVE"
roles
— (Array<map>
)The roles that are associated with the assessment.
roleType
— required — (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
roleArn
— required — (String
)The Amazon Resource Name (ARN) of the IAM role.
delegations
— (Array<map>
)The delegations that are associated with the assessment.
id
— (String
)The unique identifier for the delegation.
assessmentName
— (String
)The name of the assessment that's associated with the delegation.
assessmentId
— (String
)The identifier for the assessment that's associated with the delegation.
status
— (String
)The status of the delegation.
Possible values include:"IN_PROGRESS"
"UNDER_REVIEW"
"COMPLETE"
roleArn
— (String
)The Amazon Resource Name (ARN) of the IAM role.
roleType
— (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
creationTime
— (Date
)Specifies when the delegation was created.
lastUpdated
— (Date
)Specifies when the delegation was last updated.
controlSetId
— (String
)The identifier for the control set that's associated with the delegation.
comment
— (String
)The comment that's related to the delegation.
createdBy
— (String
)The user or role that created the delegation.
creationTime
— (Date
)Specifies when the assessment was created.
lastUpdated
— (Date
)The time of the most recent update.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
-
(AWS.Response)
—
Returns:
listControlDomainInsights(params = {}, callback) ⇒ AWS.Request
Lists the latest analytics data for control domains across all of your active assessments.
Audit Manager supports the control domains that are provided by Amazon Web Services Control Catalog. For information about how to find a list of available control domains, see
ListDomains
in the Amazon Web Services Control Catalog API Reference.Note: A control domain is listed only if at least one of the controls within that domain collected evidence on thelastUpdated
date ofcontrolDomainInsights
. If this condition isn’t met, no data is listed for that control domain.Service Reference:
Examples:
Calling the listControlDomainInsights operation
var params = { maxResults: 'NUMBER_VALUE', nextToken: 'STRING_VALUE' }; auditmanager.listControlDomainInsights(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
maxResults
— (Integer
)Represents the maximum number of results on a page or for an API request call.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:controlDomainInsights
— (Array<map>
)The control domain analytics data that the
ListControlDomainInsights
API returned.name
— (String
)The name of the control domain.
id
— (String
)The unique identifier for the control domain. Audit Manager supports the control domains that are provided by Amazon Web Services Control Catalog. For information about how to find a list of available control domains, see
ListDomains
in the Amazon Web Services Control Catalog API Reference.controlsCountByNoncompliantEvidence
— (Integer
)The number of controls in the control domain that collected non-compliant evidence on the
lastUpdated
date.totalControlsCount
— (Integer
)The total number of controls in the control domain.
evidenceInsights
— (map
)A breakdown of the compliance check status for the evidence that’s associated with the control domain.
noncompliantEvidenceCount
— (Integer
)The number of compliance check evidence that Audit Manager classified as non-compliant. This includes evidence that was collected from Security Hub with a Fail ruling, or collected from Config with a Non-compliant ruling.
compliantEvidenceCount
— (Integer
)The number of compliance check evidence that Audit Manager classified as compliant. This includes evidence that was collected from Security Hub with a Pass ruling, or collected from Config with a Compliant ruling.
inconclusiveEvidenceCount
— (Integer
)The number of evidence that a compliance check ruling isn't available for. Evidence is inconclusive when the associated control uses Security Hub or Config as a data source but you didn't enable those services. This is also the case when a control uses a data source that doesn’t support compliance checks (for example, manual evidence, API calls, or CloudTrail).
Note: If evidence has a compliance check status of not applicable in the console, it's classified as inconclusive inEvidenceInsights
data.
lastUpdated
— (Date
)The time when the control domain insights were last updated.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
-
(AWS.Response)
—
Returns:
listControlDomainInsightsByAssessment(params = {}, callback) ⇒ AWS.Request
Lists analytics data for control domains within a specified active assessment.
Audit Manager supports the control domains that are provided by Amazon Web Services Control Catalog. For information about how to find a list of available control domains, see
ListDomains
in the Amazon Web Services Control Catalog API Reference.Note: A control domain is listed only if at least one of the controls within that domain collected evidence on thelastUpdated
date ofcontrolDomainInsights
. If this condition isn’t met, no data is listed for that domain.Service Reference:
Examples:
Calling the listControlDomainInsightsByAssessment operation
var params = { assessmentId: 'STRING_VALUE', /* required */ maxResults: 'NUMBER_VALUE', nextToken: 'STRING_VALUE' }; auditmanager.listControlDomainInsightsByAssessment(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The unique identifier for the active assessment.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
maxResults
— (Integer
)Represents the maximum number of results on a page or for an API request call.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:controlDomainInsights
— (Array<map>
)The control domain analytics data that the
ListControlDomainInsightsByAssessment
API returned.name
— (String
)The name of the control domain.
id
— (String
)The unique identifier for the control domain. Audit Manager supports the control domains that are provided by Amazon Web Services Control Catalog. For information about how to find a list of available control domains, see
ListDomains
in the Amazon Web Services Control Catalog API Reference.controlsCountByNoncompliantEvidence
— (Integer
)The number of controls in the control domain that collected non-compliant evidence on the
lastUpdated
date.totalControlsCount
— (Integer
)The total number of controls in the control domain.
evidenceInsights
— (map
)A breakdown of the compliance check status for the evidence that’s associated with the control domain.
noncompliantEvidenceCount
— (Integer
)The number of compliance check evidence that Audit Manager classified as non-compliant. This includes evidence that was collected from Security Hub with a Fail ruling, or collected from Config with a Non-compliant ruling.
compliantEvidenceCount
— (Integer
)The number of compliance check evidence that Audit Manager classified as compliant. This includes evidence that was collected from Security Hub with a Pass ruling, or collected from Config with a Compliant ruling.
inconclusiveEvidenceCount
— (Integer
)The number of evidence that a compliance check ruling isn't available for. Evidence is inconclusive when the associated control uses Security Hub or Config as a data source but you didn't enable those services. This is also the case when a control uses a data source that doesn’t support compliance checks (for example, manual evidence, API calls, or CloudTrail).
Note: If evidence has a compliance check status of not applicable in the console, it's classified as inconclusive inEvidenceInsights
data.
lastUpdated
— (Date
)The time when the control domain insights were last updated.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
-
(AWS.Response)
—
Returns:
listControlInsightsByControlDomain(params = {}, callback) ⇒ AWS.Request
Lists the latest analytics data for controls within a specific control domain across all active assessments.
Note: Control insights are listed only if the control belongs to the control domain that was specified and the control collected evidence on thelastUpdated
date ofcontrolInsightsMetadata
. If neither of these conditions are met, no data is listed for that control.Service Reference:
Examples:
Calling the listControlInsightsByControlDomain operation
var params = { controlDomainId: 'STRING_VALUE', /* required */ maxResults: 'NUMBER_VALUE', nextToken: 'STRING_VALUE' }; auditmanager.listControlInsightsByControlDomain(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
controlDomainId
— (String
)The unique identifier for the control domain.
Audit Manager supports the control domains that are provided by Amazon Web Services Control Catalog. For information about how to find a list of available control domains, see
ListDomains
in the Amazon Web Services Control Catalog API Reference.nextToken
— (String
)The pagination token that's used to fetch the next set of results.
maxResults
— (Integer
)Represents the maximum number of results on a page or for an API request call.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:controlInsightsMetadata
— (Array<map>
)The control analytics data that the
ListControlInsightsByControlDomain
API returned.name
— (String
)The name of the control.
id
— (String
)The unique identifier for the control.
evidenceInsights
— (map
)A breakdown of the compliance check status for the evidence that’s associated with the control.
noncompliantEvidenceCount
— (Integer
)The number of compliance check evidence that Audit Manager classified as non-compliant. This includes evidence that was collected from Security Hub with a Fail ruling, or collected from Config with a Non-compliant ruling.
compliantEvidenceCount
— (Integer
)The number of compliance check evidence that Audit Manager classified as compliant. This includes evidence that was collected from Security Hub with a Pass ruling, or collected from Config with a Compliant ruling.
inconclusiveEvidenceCount
— (Integer
)The number of evidence that a compliance check ruling isn't available for. Evidence is inconclusive when the associated control uses Security Hub or Config as a data source but you didn't enable those services. This is also the case when a control uses a data source that doesn’t support compliance checks (for example, manual evidence, API calls, or CloudTrail).
Note: If evidence has a compliance check status of not applicable in the console, it's classified as inconclusive inEvidenceInsights
data.
lastUpdated
— (Date
)The time when the control insights were last updated.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
-
(AWS.Response)
—
Returns:
listControls(params = {}, callback) ⇒ AWS.Request
Returns a list of controls from Audit Manager.
Service Reference:
Examples:
Calling the listControls operation
var params = { controlType: Standard | Custom | Core, /* required */ controlCatalogId: 'STRING_VALUE', maxResults: 'NUMBER_VALUE', nextToken: 'STRING_VALUE' }; auditmanager.listControls(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
controlType
— (String
)A filter that narrows the list of controls to a specific type.
Possible values include:"Standard"
"Custom"
"Core"
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
maxResults
— (Integer
)The maximum number of results on a page or for an API request call.
controlCatalogId
— (String
)A filter that narrows the list of controls to a specific resource from the Amazon Web Services Control Catalog.
To use this parameter, specify the ARN of the Control Catalog resource. You can specify either a control domain, a control objective, or a common control. For information about how to find the ARNs for these resources, see
ListDomains
,ListObjectives
, andListCommonControls
.Note: You can only filter by one Control Catalog resource at a time. Specifying multiple resource ARNs isn’t currently supported. If you want to filter by more than one ARN, we recommend that you run theListControls
operation separately for each ARN.Alternatively, specify
UNCATEGORIZED
to list controls that aren't mapped to a Control Catalog resource. For example, this operation might return a list of custom controls that don't belong to any control domain or control objective.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:controlMetadataList
— (Array<map>
)A list of metadata that the
ListControls
API returns for each control.arn
— (String
)The Amazon Resource Name (ARN) of the control.
id
— (String
)The unique identifier for the control.
name
— (String
)The name of the control.
controlSources
— (String
)The data source that determines where Audit Manager collects evidence from for the control.
createdAt
— (Date
)The time when the control was created.
lastUpdatedAt
— (Date
)The time when the control was most recently updated.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
-
(AWS.Response)
—
Returns:
listKeywordsForDataSource(params = {}, callback) ⇒ AWS.Request
Returns a list of keywords that are pre-mapped to the specified control data source.
Service Reference:
Examples:
Calling the listKeywordsForDataSource operation
var params = { source: AWS_Cloudtrail | AWS_Config | AWS_Security_Hub | AWS_API_Call | MANUAL, /* required */ maxResults: 'NUMBER_VALUE', nextToken: 'STRING_VALUE' }; auditmanager.listKeywordsForDataSource(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
source
— (String
)The control mapping data source that the keywords apply to.
Possible values include:"AWS_Cloudtrail"
"AWS_Config"
"AWS_Security_Hub"
"AWS_API_Call"
"MANUAL"
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
maxResults
— (Integer
)Represents the maximum number of results on a page or for an API request call.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:keywords
— (Array<String>
)The list of keywords for the control mapping source.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
-
(AWS.Response)
—
Returns:
listNotifications(params = {}, callback) ⇒ AWS.Request
Returns a list of all Audit Manager notifications.
Service Reference:
Examples:
Calling the listNotifications operation
var params = { maxResults: 'NUMBER_VALUE', nextToken: 'STRING_VALUE' }; auditmanager.listNotifications(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
maxResults
— (Integer
)Represents the maximum number of results on a page or for an API request call.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:notifications
— (Array<map>
)The returned list of notifications.
id
— (String
)The unique identifier for the notification.
assessmentId
— (String
)The identifier for the assessment.
assessmentName
— (String
)The name of the related assessment.
controlSetId
— (String
)The identifier for the control set.
controlSetName
— (String
)Specifies the name of the control set that the notification is about.
description
— (String
)The description of the notification.
eventTime
— (Date
)The time when the notification was sent.
source
— (String
)The sender of the notification.
nextToken
— (String
)The pagination token that's used to fetch the next set of results.
-
(AWS.Response)
—
Returns:
listTagsForResource(params = {}, callback) ⇒ AWS.Request
Returns a list of tags for the specified resource in Audit Manager.
Service Reference:
Examples:
Calling the listTagsForResource operation
var params = { resourceArn: 'STRING_VALUE' /* required */ }; auditmanager.listTagsForResource(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
resourceArn
— (String
)The Amazon Resource Name (ARN) of the resource.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:tags
— (map<String>
)The list of tags that the
ListTagsForResource
API returned.
-
(AWS.Response)
—
Returns:
registerAccount(params = {}, callback) ⇒ AWS.Request
Enables Audit Manager for the specified Amazon Web Services account.
Service Reference:
Examples:
Calling the registerAccount operation
var params = { delegatedAdminAccount: 'STRING_VALUE', kmsKey: 'STRING_VALUE' }; auditmanager.registerAccount(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
kmsKey
— (String
)The KMS key details.
delegatedAdminAccount
— (String
)The delegated administrator account for Audit Manager.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:status
— (String
)The status of the account registration request.
Possible values include:"ACTIVE"
"INACTIVE"
"PENDING_ACTIVATION"
-
(AWS.Response)
—
Returns:
registerOrganizationAdminAccount(params = {}, callback) ⇒ AWS.Request
Enables an Amazon Web Services account within the organization as the delegated administrator for Audit Manager.
Service Reference:
Examples:
Calling the registerOrganizationAdminAccount operation
var params = { adminAccountId: 'STRING_VALUE' /* required */ }; auditmanager.registerOrganizationAdminAccount(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
adminAccountId
— (String
)The identifier for the delegated administrator account.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:adminAccountId
— (String
)The identifier for the delegated administrator account.
organizationId
— (String
)The identifier for the organization.
-
(AWS.Response)
—
Returns:
startAssessmentFrameworkShare(params = {}, callback) ⇒ AWS.Request
Creates a share request for a custom framework in Audit Manager.
The share request specifies a recipient and notifies them that a custom framework is available. Recipients have 120 days to accept or decline the request. If no action is taken, the share request expires.
When you create a share request, Audit Manager stores a snapshot of your custom framework in the US East (N. Virginia) Amazon Web Services Region. Audit Manager also stores a backup of the same snapshot in the US West (Oregon) Amazon Web Services Region.
Audit Manager deletes the snapshot and the backup snapshot when one of the following events occurs:
-
The sender revokes the share request.
-
The recipient declines the share request.
-
The recipient encounters an error and doesn't successfully accept the share request.
-
The share request expires before the recipient responds to the request.
When a sender resends a share request, the snapshot is replaced with an updated version that corresponds with the latest version of the custom framework.
When a recipient accepts a share request, the snapshot is replicated into their Amazon Web Services account under the Amazon Web Services Region that was specified in the share request.
When you invoke the
StartAssessmentFrameworkShare
API, you are about to share a custom framework with another Amazon Web Services account. You may not share a custom framework that is derived from a standard framework if the standard framework is designated as not eligible for sharing by Amazon Web Services, unless you have obtained permission to do so from the owner of the standard framework. To learn more about which standard frameworks are eligible for sharing, see Framework sharing eligibility in the Audit Manager User Guide.Service Reference:
Examples:
Calling the startAssessmentFrameworkShare operation
var params = { destinationAccount: 'STRING_VALUE', /* required */ destinationRegion: 'STRING_VALUE', /* required */ frameworkId: 'STRING_VALUE', /* required */ comment: 'STRING_VALUE' }; auditmanager.startAssessmentFrameworkShare(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
frameworkId
— (String
)The unique identifier for the custom framework to be shared.
destinationAccount
— (String
)The Amazon Web Services account of the recipient.
destinationRegion
— (String
)The Amazon Web Services Region of the recipient.
comment
— (String
)An optional comment from the sender about the share request.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:assessmentFrameworkShareRequest
— (map
)The share request that's created by the
StartAssessmentFrameworkShare
API.id
— (String
)The unique identifier for the share request.
frameworkId
— (String
)The unique identifier for the shared custom framework.
frameworkName
— (String
)The name of the custom framework that the share request is for.
frameworkDescription
— (String
)The description of the shared custom framework.
status
— (String
)The status of the share request.
Possible values include:"ACTIVE"
"REPLICATING"
"SHARED"
"EXPIRING"
"FAILED"
"EXPIRED"
"DECLINED"
"REVOKED"
sourceAccount
— (String
)The Amazon Web Services account of the sender.
destinationAccount
— (String
)The Amazon Web Services account of the recipient.
destinationRegion
— (String
)The Amazon Web Services Region of the recipient.
expirationTime
— (Date
)The time when the share request expires.
creationTime
— (Date
)The time when the share request was created.
lastUpdated
— (Date
)Specifies when the share request was last updated.
comment
— (String
)An optional comment from the sender about the share request.
standardControlsCount
— (Integer
)The number of standard controls that are part of the shared custom framework.
customControlsCount
— (Integer
)The number of custom controls that are part of the shared custom framework.
complianceType
— (String
)The compliance type that the shared custom framework supports, such as CIS or HIPAA.
-
(AWS.Response)
—
Returns:
tagResource(params = {}, callback) ⇒ AWS.Request
Tags the specified resource in Audit Manager.
Service Reference:
Examples:
Calling the tagResource operation
var params = { resourceArn: 'STRING_VALUE', /* required */ tags: { /* required */ '<TagKey>': 'STRING_VALUE', /* '<TagKey>': ... */ } }; auditmanager.tagResource(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
resourceArn
— (String
)The Amazon Resource Name (ARN) of the resource.
tags
— (map<String>
)The tags that are associated with the resource.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs.
-
(AWS.Response)
—
Returns:
untagResource(params = {}, callback) ⇒ AWS.Request
Removes a tag from a resource in Audit Manager.
Service Reference:
Examples:
Calling the untagResource operation
var params = { resourceArn: 'STRING_VALUE', /* required */ tagKeys: [ /* required */ 'STRING_VALUE', /* more items */ ] }; auditmanager.untagResource(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
resourceArn
— (String
)The Amazon Resource Name (ARN) of the specified resource.
tagKeys
— (Array<String>
)The name or key of the tag.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs.
-
(AWS.Response)
—
Returns:
updateAssessment(params = {}, callback) ⇒ AWS.Request
Edits an Audit Manager assessment.
Service Reference:
Examples:
Calling the updateAssessment operation
var params = { assessmentId: 'STRING_VALUE', /* required */ scope: { /* required */ awsAccounts: [ { emailAddress: 'STRING_VALUE', id: 'STRING_VALUE', name: 'STRING_VALUE' }, /* more items */ ], awsServices: [ { serviceName: 'STRING_VALUE' }, /* more items */ ] }, assessmentDescription: 'STRING_VALUE', assessmentName: 'STRING_VALUE', assessmentReportsDestination: { destination: 'STRING_VALUE', destinationType: S3 }, roles: [ { roleArn: 'STRING_VALUE', /* required */ roleType: PROCESS_OWNER | RESOURCE_OWNER /* required */ }, /* more items */ ] }; auditmanager.updateAssessment(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The unique identifier for the assessment.
assessmentName
— (String
)The name of the assessment to be updated.
assessmentDescription
— (String
)The description of the assessment.
scope
— (map
)The scope of the assessment.
awsAccounts
— (Array<map>
)The Amazon Web Services accounts that are included in the scope of the assessment.
id
— (String
)The identifier for the Amazon Web Services account.
emailAddress
— (String
)The email address that's associated with the Amazon Web Services account.
name
— (String
)The name of the Amazon Web Services account.
awsServices
— (Array<map>
)The Amazon Web Services services that are included in the scope of the assessment.
This API parameter is no longer supported. If you use this parameter to specify one or more Amazon Web Services, Audit Manager ignores this input. Instead, the value for
awsServices
will show as empty.serviceName
— (String
)The name of the Amazon Web Service.
assessmentReportsDestination
— (map
)The assessment report storage destination for the assessment that's being updated.
destinationType
— (String
)The destination type, such as Amazon S3.
Possible values include:"S3"
destination
— (String
)The destination bucket where Audit Manager stores assessment reports.
roles
— (Array<map>
)The list of roles for the assessment.
roleType
— required — (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
roleArn
— required — (String
)The Amazon Resource Name (ARN) of the IAM role.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:assessment
— (map
)The response object for the
UpdateAssessment
API. This is the name of the updated assessment.arn
— (String
)The Amazon Resource Name (ARN) of the assessment.
awsAccount
— (map
)The Amazon Web Services account that's associated with the assessment.
id
— (String
)The identifier for the Amazon Web Services account.
emailAddress
— (String
)The email address that's associated with the Amazon Web Services account.
name
— (String
)The name of the Amazon Web Services account.
metadata
— (map
)The metadata for the assessment.
name
— (String
)The name of the assessment.
id
— (String
)The unique identifier for the assessment.
description
— (String
)The description of the assessment.
complianceType
— (String
)The name of the compliance standard that's related to the assessment, such as PCI-DSS.
status
— (String
)The overall status of the assessment.
Possible values include:"ACTIVE"
"INACTIVE"
assessmentReportsDestination
— (map
)The destination that evidence reports are stored in for the assessment.
destinationType
— (String
)The destination type, such as Amazon S3.
Possible values include:"S3"
destination
— (String
)The destination bucket where Audit Manager stores assessment reports.
scope
— (map
)The wrapper of Amazon Web Services accounts and services that are in scope for the assessment.
awsAccounts
— (Array<map>
)The Amazon Web Services accounts that are included in the scope of the assessment.
id
— (String
)The identifier for the Amazon Web Services account.
emailAddress
— (String
)The email address that's associated with the Amazon Web Services account.
name
— (String
)The name of the Amazon Web Services account.
awsServices
— (Array<map>
)The Amazon Web Services services that are included in the scope of the assessment.
This API parameter is no longer supported. If you use this parameter to specify one or more Amazon Web Services, Audit Manager ignores this input. Instead, the value for
awsServices
will show as empty.serviceName
— (String
)The name of the Amazon Web Service.
roles
— (Array<map>
)The roles that are associated with the assessment.
roleType
— required — (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
roleArn
— required — (String
)The Amazon Resource Name (ARN) of the IAM role.
delegations
— (Array<map>
)The delegations that are associated with the assessment.
id
— (String
)The unique identifier for the delegation.
assessmentName
— (String
)The name of the assessment that's associated with the delegation.
assessmentId
— (String
)The identifier for the assessment that's associated with the delegation.
status
— (String
)The status of the delegation.
Possible values include:"IN_PROGRESS"
"UNDER_REVIEW"
"COMPLETE"
roleArn
— (String
)The Amazon Resource Name (ARN) of the IAM role.
roleType
— (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
creationTime
— (Date
)Specifies when the delegation was created.
lastUpdated
— (Date
)Specifies when the delegation was last updated.
controlSetId
— (String
)The identifier for the control set that's associated with the delegation.
comment
— (String
)The comment that's related to the delegation.
createdBy
— (String
)The user or role that created the delegation.
creationTime
— (Date
)Specifies when the assessment was created.
lastUpdated
— (Date
)The time of the most recent update.
framework
— (map
)The framework that the assessment was created from.
id
— (String
)The unique identifier for the framework.
arn
— (String
)The Amazon Resource Name (ARN) of the framework.
metadata
— (map
)The metadata of a framework, such as the name, ID, or description.
name
— (String
)The name of the framework.
description
— (String
)The description of the framework.
logo
— (String
)The logo that's associated with the framework.
complianceType
— (String
)The compliance standard that's associated with the framework. For example, this could be PCI DSS or HIPAA.
controlSets
— (Array<map>
)The control sets that are associated with the framework.
id
— (String
)The identifier of the control set in the assessment. This is the control set name in a plain string format.
description
— (String
)The description for the control set.
status
— (String
)The current status of the control set.
Possible values include:"ACTIVE"
"UNDER_REVIEW"
"REVIEWED"
roles
— (Array<map>
)The roles that are associated with the control set.
roleType
— required — (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
roleArn
— required — (String
)The Amazon Resource Name (ARN) of the IAM role.
controls
— (Array<map>
)The list of controls that's contained with the control set.
id
— (String
)The identifier for the control.
name
— (String
)The name of the control.
description
— (String
)The description of the control.
status
— (String
)The status of the control.
Possible values include:"UNDER_REVIEW"
"REVIEWED"
"INACTIVE"
response
— (String
)The response of the control.
Possible values include:"MANUAL"
"AUTOMATE"
"DEFER"
"IGNORE"
comments
— (Array<map>
)The list of comments that's attached to the control.
authorName
— (String
)The name of the user who authored the comment.
commentBody
— (String
)The body text of a control comment.
postedDate
— (Date
)The time when the comment was posted.
evidenceSources
— (Array<String>
)The list of data sources for the evidence.
evidenceCount
— (Integer
)The amount of evidence that's collected for the control.
assessmentReportEvidenceCount
— (Integer
)The amount of evidence in the assessment report.
delegations
— (Array<map>
)The delegations that are associated with the control set.
id
— (String
)The unique identifier for the delegation.
assessmentName
— (String
)The name of the assessment that's associated with the delegation.
assessmentId
— (String
)The identifier for the assessment that's associated with the delegation.
status
— (String
)The status of the delegation.
Possible values include:"IN_PROGRESS"
"UNDER_REVIEW"
"COMPLETE"
roleArn
— (String
)The Amazon Resource Name (ARN) of the IAM role.
roleType
— (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
creationTime
— (Date
)Specifies when the delegation was created.
lastUpdated
— (Date
)Specifies when the delegation was last updated.
controlSetId
— (String
)The identifier for the control set that's associated with the delegation.
comment
— (String
)The comment that's related to the delegation.
createdBy
— (String
)The user or role that created the delegation.
systemEvidenceCount
— (Integer
)The total number of evidence objects that are retrieved automatically for the control set.
manualEvidenceCount
— (Integer
)The total number of evidence objects that are uploaded manually to the control set.
tags
— (map<String>
)The tags that are associated with the assessment.
-
(AWS.Response)
—
Returns:
updateAssessmentControl(params = {}, callback) ⇒ AWS.Request
Updates a control within an assessment in Audit Manager.
Service Reference:
Examples:
Calling the updateAssessmentControl operation
var params = { assessmentId: 'STRING_VALUE', /* required */ controlId: 'STRING_VALUE', /* required */ controlSetId: 'STRING_VALUE', /* required */ commentBody: 'STRING_VALUE', controlStatus: UNDER_REVIEW | REVIEWED | INACTIVE }; auditmanager.updateAssessmentControl(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The unique identifier for the assessment.
controlSetId
— (String
)The unique identifier for the control set.
controlId
— (String
)The unique identifier for the control.
controlStatus
— (String
)The status of the control.
Possible values include:"UNDER_REVIEW"
"REVIEWED"
"INACTIVE"
commentBody
— (String
)The comment body text for the control.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:control
— (map
)The name of the updated control set that the
UpdateAssessmentControl
API returned.id
— (String
)The identifier for the control.
name
— (String
)The name of the control.
description
— (String
)The description of the control.
status
— (String
)The status of the control.
Possible values include:"UNDER_REVIEW"
"REVIEWED"
"INACTIVE"
response
— (String
)The response of the control.
Possible values include:"MANUAL"
"AUTOMATE"
"DEFER"
"IGNORE"
comments
— (Array<map>
)The list of comments that's attached to the control.
authorName
— (String
)The name of the user who authored the comment.
commentBody
— (String
)The body text of a control comment.
postedDate
— (Date
)The time when the comment was posted.
evidenceSources
— (Array<String>
)The list of data sources for the evidence.
evidenceCount
— (Integer
)The amount of evidence that's collected for the control.
assessmentReportEvidenceCount
— (Integer
)The amount of evidence in the assessment report.
-
(AWS.Response)
—
Returns:
updateAssessmentControlSetStatus(params = {}, callback) ⇒ AWS.Request
Updates the status of a control set in an Audit Manager assessment.
Service Reference:
Examples:
Calling the updateAssessmentControlSetStatus operation
var params = { assessmentId: 'STRING_VALUE', /* required */ comment: 'STRING_VALUE', /* required */ controlSetId: 'STRING_VALUE', /* required */ status: ACTIVE | UNDER_REVIEW | REVIEWED /* required */ }; auditmanager.updateAssessmentControlSetStatus(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The unique identifier for the assessment.
controlSetId
— (String
)The unique identifier for the control set.
status
— (String
)The status of the control set that's being updated.
Possible values include:"ACTIVE"
"UNDER_REVIEW"
"REVIEWED"
comment
— (String
)The comment that's related to the status update.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:controlSet
— (map
)The name of the updated control set that the
UpdateAssessmentControlSetStatus
API returned.id
— (String
)The identifier of the control set in the assessment. This is the control set name in a plain string format.
description
— (String
)The description for the control set.
status
— (String
)The current status of the control set.
Possible values include:"ACTIVE"
"UNDER_REVIEW"
"REVIEWED"
roles
— (Array<map>
)The roles that are associated with the control set.
roleType
— required — (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
roleArn
— required — (String
)The Amazon Resource Name (ARN) of the IAM role.
controls
— (Array<map>
)The list of controls that's contained with the control set.
id
— (String
)The identifier for the control.
name
— (String
)The name of the control.
description
— (String
)The description of the control.
status
— (String
)The status of the control.
Possible values include:"UNDER_REVIEW"
"REVIEWED"
"INACTIVE"
response
— (String
)The response of the control.
Possible values include:"MANUAL"
"AUTOMATE"
"DEFER"
"IGNORE"
comments
— (Array<map>
)The list of comments that's attached to the control.
authorName
— (String
)The name of the user who authored the comment.
commentBody
— (String
)The body text of a control comment.
postedDate
— (Date
)The time when the comment was posted.
evidenceSources
— (Array<String>
)The list of data sources for the evidence.
evidenceCount
— (Integer
)The amount of evidence that's collected for the control.
assessmentReportEvidenceCount
— (Integer
)The amount of evidence in the assessment report.
delegations
— (Array<map>
)The delegations that are associated with the control set.
id
— (String
)The unique identifier for the delegation.
assessmentName
— (String
)The name of the assessment that's associated with the delegation.
assessmentId
— (String
)The identifier for the assessment that's associated with the delegation.
status
— (String
)The status of the delegation.
Possible values include:"IN_PROGRESS"
"UNDER_REVIEW"
"COMPLETE"
roleArn
— (String
)The Amazon Resource Name (ARN) of the IAM role.
roleType
— (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
creationTime
— (Date
)Specifies when the delegation was created.
lastUpdated
— (Date
)Specifies when the delegation was last updated.
controlSetId
— (String
)The identifier for the control set that's associated with the delegation.
comment
— (String
)The comment that's related to the delegation.
createdBy
— (String
)The user or role that created the delegation.
systemEvidenceCount
— (Integer
)The total number of evidence objects that are retrieved automatically for the control set.
manualEvidenceCount
— (Integer
)The total number of evidence objects that are uploaded manually to the control set.
-
(AWS.Response)
—
Returns:
updateAssessmentFramework(params = {}, callback) ⇒ AWS.Request
Updates a custom framework in Audit Manager.
Service Reference:
Examples:
Calling the updateAssessmentFramework operation
var params = { controlSets: [ /* required */ { controls: [ /* required */ { id: 'STRING_VALUE' /* required */ }, /* more items */ ], name: 'STRING_VALUE', /* required */ id: 'STRING_VALUE' }, /* more items */ ], frameworkId: 'STRING_VALUE', /* required */ name: 'STRING_VALUE', /* required */ complianceType: 'STRING_VALUE', description: 'STRING_VALUE' }; auditmanager.updateAssessmentFramework(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
frameworkId
— (String
)The unique identifier for the framework.
name
— (String
)The name of the framework to be updated.
description
— (String
)The description of the updated framework.
complianceType
— (String
)The compliance type that the new custom framework supports, such as CIS or HIPAA.
controlSets
— (Array<map>
)The control sets that are associated with the framework.
id
— (String
)The unique identifier for the control set.
name
— required — (String
)The name of the control set.
controls
— required — (Array<map>
)The list of controls that are contained within the control set.
id
— required — (String
)The unique identifier of the control.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:framework
— (map
)The name of the framework.
arn
— (String
)The Amazon Resource Name (ARN) of the framework.
id
— (String
)The unique identifier for the framework.
name
— (String
)The name of the framework.
type
— (String
)Specifies whether the framework is a standard framework or a custom framework.
Possible values include:"Standard"
"Custom"
complianceType
— (String
)The compliance type that the framework supports, such as CIS or HIPAA.
description
— (String
)The description of the framework.
logo
— (String
)The logo that's associated with the framework.
controlSources
— (String
)The control data sources where Audit Manager collects evidence from.
controlSets
— (Array<map>
)The control sets that are associated with the framework.
id
— (String
)The identifier of the control set in the assessment. This is the control set name in a plain string format.
name
— (String
)The name of the control set.
controls
— (Array<map>
)The list of controls within the control set.
arn
— (String
)The Amazon Resource Name (ARN) of the control.
id
— (String
)The unique identifier for the control.
type
— (String
)Specifies whether the control is a standard control or a custom control.
Possible values include:"Standard"
"Custom"
"Core"
name
— (String
)The name of the control.
description
— (String
)The description of the control.
testingInformation
— (String
)The steps that you should follow to determine if the control has been satisfied.
actionPlanTitle
— (String
)The title of the action plan for remediating the control.
actionPlanInstructions
— (String
)The recommended actions to carry out if the control isn't fulfilled.
controlSources
— (String
)The data source types that determine where Audit Manager collects evidence from for the control.
controlMappingSources
— (Array<map>
)The data mapping sources for the control.
sourceId
— (String
)The unique identifier for the source.
sourceName
— (String
)The name of the source.
sourceDescription
— (String
)The description of the source.
sourceSetUpOption
— (String
)The setup option for the data source. This option reflects if the evidence collection method is automated or manual. If you don’t provide a value for
Possible values include:sourceSetUpOption
, Audit Manager automatically infers and populates the correct value based on thesourceType
that you specify."System_Controls_Mapping"
"Procedural_Controls_Mapping"
sourceType
— (String
)Specifies which type of data source is used to collect evidence.
-
The source can be an individual data source type, such as
AWS_Cloudtrail
,AWS_Config
,AWS_Security_Hub
,AWS_API_Call
, orMANUAL
. -
The source can also be a managed grouping of data sources, such as a
Core_Control
or aCommon_Control
.
"AWS_Cloudtrail"
"AWS_Config"
"AWS_Security_Hub"
"AWS_API_Call"
"MANUAL"
"Common_Control"
"Core_Control"
-
sourceKeyword
— (map
)A keyword that relates to the control data source.
For manual evidence, this keyword indicates if the manual evidence is a file or text.
For automated evidence, this keyword identifies a specific CloudTrail event, Config rule, Security Hub control, or Amazon Web Services API name.
To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide:
keywordInputType
— (String
)The input method for the keyword.
-
SELECT_FROM_LIST
is used when mapping a data source for automated evidence.-
When
keywordInputType
isSELECT_FROM_LIST
, a keyword must be selected to collect automated evidence. For example, this keyword can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
-
-
UPLOAD_FILE
andINPUT_TEXT
are only used when mapping a data source for manual evidence.-
When
keywordInputType
isUPLOAD_FILE
, a file must be uploaded as manual evidence. -
When
keywordInputType
isINPUT_TEXT
, text must be entered as manual evidence.
-
"SELECT_FROM_LIST"
"UPLOAD_FILE"
"INPUT_TEXT"
-
keywordValue
— (String
)The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
If you’re mapping a data source to a rule in Config, the
keywordValue
that you specify depends on the type of rule:-
For managed rules, you can use the rule identifier as the
keywordValue
. You can find the rule identifier from the list of Config managed rules. For some rules, the rule identifier is different from the rule name. For example, the rule namerestricted-ssh
has the following rule identifier:INCOMING_SSH_DISABLED
. Make sure to use the rule identifier, not the rule name.Keyword example for managed rules:
-
Managed rule name: s3-bucket-acl-prohibited
keywordValue
:S3_BUCKET_ACL_PROHIBITED
-
-
For custom rules, you form the
keywordValue
by adding theCustom_
prefix to the rule name. This prefix distinguishes the custom rule from a managed rule.Keyword example for custom rules:
-
Custom rule name: my-custom-config-rule
keywordValue
:Custom_my-custom-config-rule
-
-
For service-linked rules, you form the
keywordValue
by adding theCustom_
prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name.Keyword examples for service-linked rules:
-
Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w
keywordValue
:Custom_CustomRuleForAccount-conformance-pack
-
Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba
keywordValue
:Custom_OrgConfigRule-s3-bucket-versioning-enabled
-
The
keywordValue
is case sensitive. If you enter a value incorrectly, Audit Manager might not recognize the data source mapping. As a result, you might not successfully collect evidence from that data source as intended.Keep in mind the following requirements, depending on the data source type that you're using.
-
For Config:
-
For managed rules, make sure that the
keywordValue
is the rule identifier inALL_CAPS_WITH_UNDERSCORES
. For example,CLOUDWATCH_LOG_GROUP_ENCRYPTED
. For accuracy, we recommend that you reference the list of supported Config managed rules. -
For custom rules, make sure that the
keywordValue
has theCustom_
prefix followed by the custom rule name. The format of the custom rule name itself may vary. For accuracy, we recommend that you visit the Config console to verify your custom rule name.
-
-
For Security Hub: The format varies for Security Hub control names. For accuracy, we recommend that you reference the list of supported Security Hub controls.
-
For Amazon Web Services API calls: Make sure that the
keywordValue
is written asserviceprefix_ActionName
. For example,iam_ListGroups
. For accuracy, we recommend that you reference the list of supported API calls. -
For CloudTrail: Make sure that the
keywordValue
is written asserviceprefix_ActionName
. For example,cloudtrail_StartLogging
. For accuracy, we recommend that you review the Amazon Web Service prefix and action names in the Service Authorization Reference.
-
sourceFrequency
— (String
)Specifies how often evidence is collected from the control mapping source.
Possible values include:"DAILY"
"WEEKLY"
"MONTHLY"
troubleshootingText
— (String
)The instructions for troubleshooting the control.
createdAt
— (Date
)The time when the control was created.
lastUpdatedAt
— (Date
)The time when the control was most recently updated.
createdBy
— (String
)The user or role that created the control.
lastUpdatedBy
— (String
)The user or role that most recently updated the control.
tags
— (map<String>
)The tags associated with the control.
state
— (String
)The state of the control. The
Possible values include:END_OF_SUPPORT
state is applicable to standard controls only. This state indicates that the standard control can still be used to collect evidence, but Audit Manager is no longer updating or maintaining that control."ACTIVE"
"END_OF_SUPPORT"
createdAt
— (Date
)The time when the framework was created.
lastUpdatedAt
— (Date
)The time when the framework was most recently updated.
createdBy
— (String
)The user or role that created the framework.
lastUpdatedBy
— (String
)The user or role that most recently updated the framework.
tags
— (map<String>
)The tags that are associated with the framework.
-
(AWS.Response)
—
Returns:
updateAssessmentFrameworkShare(params = {}, callback) ⇒ AWS.Request
Updates a share request for a custom framework in Audit Manager.
Service Reference:
Examples:
Calling the updateAssessmentFrameworkShare operation
var params = { action: ACCEPT | DECLINE | REVOKE, /* required */ requestId: 'STRING_VALUE', /* required */ requestType: SENT | RECEIVED /* required */ }; auditmanager.updateAssessmentFrameworkShare(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
requestId
— (String
)The unique identifier for the share request.
requestType
— (String
)Specifies whether the share request is a sent request or a received request.
Possible values include:"SENT"
"RECEIVED"
action
— (String
)Specifies the update action for the share request.
Possible values include:"ACCEPT"
"DECLINE"
"REVOKE"
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:assessmentFrameworkShareRequest
— (map
)The updated share request that's returned by the
UpdateAssessmentFrameworkShare
operation.id
— (String
)The unique identifier for the share request.
frameworkId
— (String
)The unique identifier for the shared custom framework.
frameworkName
— (String
)The name of the custom framework that the share request is for.
frameworkDescription
— (String
)The description of the shared custom framework.
status
— (String
)The status of the share request.
Possible values include:"ACTIVE"
"REPLICATING"
"SHARED"
"EXPIRING"
"FAILED"
"EXPIRED"
"DECLINED"
"REVOKED"
sourceAccount
— (String
)The Amazon Web Services account of the sender.
destinationAccount
— (String
)The Amazon Web Services account of the recipient.
destinationRegion
— (String
)The Amazon Web Services Region of the recipient.
expirationTime
— (Date
)The time when the share request expires.
creationTime
— (Date
)The time when the share request was created.
lastUpdated
— (Date
)Specifies when the share request was last updated.
comment
— (String
)An optional comment from the sender about the share request.
standardControlsCount
— (Integer
)The number of standard controls that are part of the shared custom framework.
customControlsCount
— (Integer
)The number of custom controls that are part of the shared custom framework.
complianceType
— (String
)The compliance type that the shared custom framework supports, such as CIS or HIPAA.
-
(AWS.Response)
—
Returns:
updateAssessmentStatus(params = {}, callback) ⇒ AWS.Request
Updates the status of an assessment in Audit Manager.
Service Reference:
Examples:
Calling the updateAssessmentStatus operation
var params = { assessmentId: 'STRING_VALUE', /* required */ status: ACTIVE | INACTIVE /* required */ }; auditmanager.updateAssessmentStatus(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
assessmentId
— (String
)The unique identifier for the assessment.
status
— (String
)The current status of the assessment.
Possible values include:"ACTIVE"
"INACTIVE"
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:assessment
— (map
)The name of the updated assessment that the
UpdateAssessmentStatus
API returned.arn
— (String
)The Amazon Resource Name (ARN) of the assessment.
awsAccount
— (map
)The Amazon Web Services account that's associated with the assessment.
id
— (String
)The identifier for the Amazon Web Services account.
emailAddress
— (String
)The email address that's associated with the Amazon Web Services account.
name
— (String
)The name of the Amazon Web Services account.
metadata
— (map
)The metadata for the assessment.
name
— (String
)The name of the assessment.
id
— (String
)The unique identifier for the assessment.
description
— (String
)The description of the assessment.
complianceType
— (String
)The name of the compliance standard that's related to the assessment, such as PCI-DSS.
status
— (String
)The overall status of the assessment.
Possible values include:"ACTIVE"
"INACTIVE"
assessmentReportsDestination
— (map
)The destination that evidence reports are stored in for the assessment.
destinationType
— (String
)The destination type, such as Amazon S3.
Possible values include:"S3"
destination
— (String
)The destination bucket where Audit Manager stores assessment reports.
scope
— (map
)The wrapper of Amazon Web Services accounts and services that are in scope for the assessment.
awsAccounts
— (Array<map>
)The Amazon Web Services accounts that are included in the scope of the assessment.
id
— (String
)The identifier for the Amazon Web Services account.
emailAddress
— (String
)The email address that's associated with the Amazon Web Services account.
name
— (String
)The name of the Amazon Web Services account.
awsServices
— (Array<map>
)The Amazon Web Services services that are included in the scope of the assessment.
This API parameter is no longer supported. If you use this parameter to specify one or more Amazon Web Services, Audit Manager ignores this input. Instead, the value for
awsServices
will show as empty.serviceName
— (String
)The name of the Amazon Web Service.
roles
— (Array<map>
)The roles that are associated with the assessment.
roleType
— required — (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
roleArn
— required — (String
)The Amazon Resource Name (ARN) of the IAM role.
delegations
— (Array<map>
)The delegations that are associated with the assessment.
id
— (String
)The unique identifier for the delegation.
assessmentName
— (String
)The name of the assessment that's associated with the delegation.
assessmentId
— (String
)The identifier for the assessment that's associated with the delegation.
status
— (String
)The status of the delegation.
Possible values include:"IN_PROGRESS"
"UNDER_REVIEW"
"COMPLETE"
roleArn
— (String
)The Amazon Resource Name (ARN) of the IAM role.
roleType
— (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
creationTime
— (Date
)Specifies when the delegation was created.
lastUpdated
— (Date
)Specifies when the delegation was last updated.
controlSetId
— (String
)The identifier for the control set that's associated with the delegation.
comment
— (String
)The comment that's related to the delegation.
createdBy
— (String
)The user or role that created the delegation.
creationTime
— (Date
)Specifies when the assessment was created.
lastUpdated
— (Date
)The time of the most recent update.
framework
— (map
)The framework that the assessment was created from.
id
— (String
)The unique identifier for the framework.
arn
— (String
)The Amazon Resource Name (ARN) of the framework.
metadata
— (map
)The metadata of a framework, such as the name, ID, or description.
name
— (String
)The name of the framework.
description
— (String
)The description of the framework.
logo
— (String
)The logo that's associated with the framework.
complianceType
— (String
)The compliance standard that's associated with the framework. For example, this could be PCI DSS or HIPAA.
controlSets
— (Array<map>
)The control sets that are associated with the framework.
id
— (String
)The identifier of the control set in the assessment. This is the control set name in a plain string format.
description
— (String
)The description for the control set.
status
— (String
)The current status of the control set.
Possible values include:"ACTIVE"
"UNDER_REVIEW"
"REVIEWED"
roles
— (Array<map>
)The roles that are associated with the control set.
roleType
— required — (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
roleArn
— required — (String
)The Amazon Resource Name (ARN) of the IAM role.
controls
— (Array<map>
)The list of controls that's contained with the control set.
id
— (String
)The identifier for the control.
name
— (String
)The name of the control.
description
— (String
)The description of the control.
status
— (String
)The status of the control.
Possible values include:"UNDER_REVIEW"
"REVIEWED"
"INACTIVE"
response
— (String
)The response of the control.
Possible values include:"MANUAL"
"AUTOMATE"
"DEFER"
"IGNORE"
comments
— (Array<map>
)The list of comments that's attached to the control.
authorName
— (String
)The name of the user who authored the comment.
commentBody
— (String
)The body text of a control comment.
postedDate
— (Date
)The time when the comment was posted.
evidenceSources
— (Array<String>
)The list of data sources for the evidence.
evidenceCount
— (Integer
)The amount of evidence that's collected for the control.
assessmentReportEvidenceCount
— (Integer
)The amount of evidence in the assessment report.
delegations
— (Array<map>
)The delegations that are associated with the control set.
id
— (String
)The unique identifier for the delegation.
assessmentName
— (String
)The name of the assessment that's associated with the delegation.
assessmentId
— (String
)The identifier for the assessment that's associated with the delegation.
status
— (String
)The status of the delegation.
Possible values include:"IN_PROGRESS"
"UNDER_REVIEW"
"COMPLETE"
roleArn
— (String
)The Amazon Resource Name (ARN) of the IAM role.
roleType
— (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
creationTime
— (Date
)Specifies when the delegation was created.
lastUpdated
— (Date
)Specifies when the delegation was last updated.
controlSetId
— (String
)The identifier for the control set that's associated with the delegation.
comment
— (String
)The comment that's related to the delegation.
createdBy
— (String
)The user or role that created the delegation.
systemEvidenceCount
— (Integer
)The total number of evidence objects that are retrieved automatically for the control set.
manualEvidenceCount
— (Integer
)The total number of evidence objects that are uploaded manually to the control set.
tags
— (map<String>
)The tags that are associated with the assessment.
-
(AWS.Response)
—
Returns:
updateControl(params = {}, callback) ⇒ AWS.Request
Updates a custom control in Audit Manager.
Service Reference:
Examples:
Calling the updateControl operation
var params = { controlId: 'STRING_VALUE', /* required */ controlMappingSources: [ /* required */ { sourceDescription: 'STRING_VALUE', sourceFrequency: DAILY | WEEKLY | MONTHLY, sourceId: 'STRING_VALUE', sourceKeyword: { keywordInputType: SELECT_FROM_LIST | UPLOAD_FILE | INPUT_TEXT, keywordValue: 'STRING_VALUE' }, sourceName: 'STRING_VALUE', sourceSetUpOption: System_Controls_Mapping | Procedural_Controls_Mapping, sourceType: AWS_Cloudtrail | AWS_Config | AWS_Security_Hub | AWS_API_Call | MANUAL | Common_Control | Core_Control, troubleshootingText: 'STRING_VALUE' }, /* more items */ ], name: 'STRING_VALUE', /* required */ actionPlanInstructions: 'STRING_VALUE', actionPlanTitle: 'STRING_VALUE', description: 'STRING_VALUE', testingInformation: 'STRING_VALUE' }; auditmanager.updateControl(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
controlId
— (String
)The identifier for the control.
name
— (String
)The name of the updated control.
description
— (String
)The optional description of the control.
testingInformation
— (String
)The steps that you should follow to determine if the control is met.
actionPlanTitle
— (String
)The title of the action plan for remediating the control.
actionPlanInstructions
— (String
)The recommended actions to carry out if the control isn't fulfilled.
controlMappingSources
— (Array<map>
)The data mapping sources for the control.
sourceId
— (String
)The unique identifier for the source.
sourceName
— (String
)The name of the source.
sourceDescription
— (String
)The description of the source.
sourceSetUpOption
— (String
)The setup option for the data source. This option reflects if the evidence collection method is automated or manual. If you don’t provide a value for
Possible values include:sourceSetUpOption
, Audit Manager automatically infers and populates the correct value based on thesourceType
that you specify."System_Controls_Mapping"
"Procedural_Controls_Mapping"
sourceType
— (String
)Specifies which type of data source is used to collect evidence.
-
The source can be an individual data source type, such as
AWS_Cloudtrail
,AWS_Config
,AWS_Security_Hub
,AWS_API_Call
, orMANUAL
. -
The source can also be a managed grouping of data sources, such as a
Core_Control
or aCommon_Control
.
"AWS_Cloudtrail"
"AWS_Config"
"AWS_Security_Hub"
"AWS_API_Call"
"MANUAL"
"Common_Control"
"Core_Control"
-
sourceKeyword
— (map
)A keyword that relates to the control data source.
For manual evidence, this keyword indicates if the manual evidence is a file or text.
For automated evidence, this keyword identifies a specific CloudTrail event, Config rule, Security Hub control, or Amazon Web Services API name.
To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide:
keywordInputType
— (String
)The input method for the keyword.
-
SELECT_FROM_LIST
is used when mapping a data source for automated evidence.-
When
keywordInputType
isSELECT_FROM_LIST
, a keyword must be selected to collect automated evidence. For example, this keyword can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
-
-
UPLOAD_FILE
andINPUT_TEXT
are only used when mapping a data source for manual evidence.-
When
keywordInputType
isUPLOAD_FILE
, a file must be uploaded as manual evidence. -
When
keywordInputType
isINPUT_TEXT
, text must be entered as manual evidence.
-
"SELECT_FROM_LIST"
"UPLOAD_FILE"
"INPUT_TEXT"
-
keywordValue
— (String
)The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
If you’re mapping a data source to a rule in Config, the
keywordValue
that you specify depends on the type of rule:-
For managed rules, you can use the rule identifier as the
keywordValue
. You can find the rule identifier from the list of Config managed rules. For some rules, the rule identifier is different from the rule name. For example, the rule namerestricted-ssh
has the following rule identifier:INCOMING_SSH_DISABLED
. Make sure to use the rule identifier, not the rule name.Keyword example for managed rules:
-
Managed rule name: s3-bucket-acl-prohibited
keywordValue
:S3_BUCKET_ACL_PROHIBITED
-
-
For custom rules, you form the
keywordValue
by adding theCustom_
prefix to the rule name. This prefix distinguishes the custom rule from a managed rule.Keyword example for custom rules:
-
Custom rule name: my-custom-config-rule
keywordValue
:Custom_my-custom-config-rule
-
-
For service-linked rules, you form the
keywordValue
by adding theCustom_
prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name.Keyword examples for service-linked rules:
-
Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w
keywordValue
:Custom_CustomRuleForAccount-conformance-pack
-
Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba
keywordValue
:Custom_OrgConfigRule-s3-bucket-versioning-enabled
-
The
keywordValue
is case sensitive. If you enter a value incorrectly, Audit Manager might not recognize the data source mapping. As a result, you might not successfully collect evidence from that data source as intended.Keep in mind the following requirements, depending on the data source type that you're using.
-
For Config:
-
For managed rules, make sure that the
keywordValue
is the rule identifier inALL_CAPS_WITH_UNDERSCORES
. For example,CLOUDWATCH_LOG_GROUP_ENCRYPTED
. For accuracy, we recommend that you reference the list of supported Config managed rules. -
For custom rules, make sure that the
keywordValue
has theCustom_
prefix followed by the custom rule name. The format of the custom rule name itself may vary. For accuracy, we recommend that you visit the Config console to verify your custom rule name.
-
-
For Security Hub: The format varies for Security Hub control names. For accuracy, we recommend that you reference the list of supported Security Hub controls.
-
For Amazon Web Services API calls: Make sure that the
keywordValue
is written asserviceprefix_ActionName
. For example,iam_ListGroups
. For accuracy, we recommend that you reference the list of supported API calls. -
For CloudTrail: Make sure that the
keywordValue
is written asserviceprefix_ActionName
. For example,cloudtrail_StartLogging
. For accuracy, we recommend that you review the Amazon Web Service prefix and action names in the Service Authorization Reference.
-
sourceFrequency
— (String
)Specifies how often evidence is collected from the control mapping source.
Possible values include:"DAILY"
"WEEKLY"
"MONTHLY"
troubleshootingText
— (String
)The instructions for troubleshooting the control.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:control
— (map
)The name of the updated control set that the
UpdateControl
API returned.arn
— (String
)The Amazon Resource Name (ARN) of the control.
id
— (String
)The unique identifier for the control.
type
— (String
)Specifies whether the control is a standard control or a custom control.
Possible values include:"Standard"
"Custom"
"Core"
name
— (String
)The name of the control.
description
— (String
)The description of the control.
testingInformation
— (String
)The steps that you should follow to determine if the control has been satisfied.
actionPlanTitle
— (String
)The title of the action plan for remediating the control.
actionPlanInstructions
— (String
)The recommended actions to carry out if the control isn't fulfilled.
controlSources
— (String
)The data source types that determine where Audit Manager collects evidence from for the control.
controlMappingSources
— (Array<map>
)The data mapping sources for the control.
sourceId
— (String
)The unique identifier for the source.
sourceName
— (String
)The name of the source.
sourceDescription
— (String
)The description of the source.
sourceSetUpOption
— (String
)The setup option for the data source. This option reflects if the evidence collection method is automated or manual. If you don’t provide a value for
Possible values include:sourceSetUpOption
, Audit Manager automatically infers and populates the correct value based on thesourceType
that you specify."System_Controls_Mapping"
"Procedural_Controls_Mapping"
sourceType
— (String
)Specifies which type of data source is used to collect evidence.
-
The source can be an individual data source type, such as
AWS_Cloudtrail
,AWS_Config
,AWS_Security_Hub
,AWS_API_Call
, orMANUAL
. -
The source can also be a managed grouping of data sources, such as a
Core_Control
or aCommon_Control
.
"AWS_Cloudtrail"
"AWS_Config"
"AWS_Security_Hub"
"AWS_API_Call"
"MANUAL"
"Common_Control"
"Core_Control"
-
sourceKeyword
— (map
)A keyword that relates to the control data source.
For manual evidence, this keyword indicates if the manual evidence is a file or text.
For automated evidence, this keyword identifies a specific CloudTrail event, Config rule, Security Hub control, or Amazon Web Services API name.
To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide:
keywordInputType
— (String
)The input method for the keyword.
-
SELECT_FROM_LIST
is used when mapping a data source for automated evidence.-
When
keywordInputType
isSELECT_FROM_LIST
, a keyword must be selected to collect automated evidence. For example, this keyword can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
-
-
UPLOAD_FILE
andINPUT_TEXT
are only used when mapping a data source for manual evidence.-
When
keywordInputType
isUPLOAD_FILE
, a file must be uploaded as manual evidence. -
When
keywordInputType
isINPUT_TEXT
, text must be entered as manual evidence.
-
"SELECT_FROM_LIST"
"UPLOAD_FILE"
"INPUT_TEXT"
-
keywordValue
— (String
)The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
If you’re mapping a data source to a rule in Config, the
keywordValue
that you specify depends on the type of rule:-
For managed rules, you can use the rule identifier as the
keywordValue
. You can find the rule identifier from the list of Config managed rules. For some rules, the rule identifier is different from the rule name. For example, the rule namerestricted-ssh
has the following rule identifier:INCOMING_SSH_DISABLED
. Make sure to use the rule identifier, not the rule name.Keyword example for managed rules:
-
Managed rule name: s3-bucket-acl-prohibited
keywordValue
:S3_BUCKET_ACL_PROHIBITED
-
-
For custom rules, you form the
keywordValue
by adding theCustom_
prefix to the rule name. This prefix distinguishes the custom rule from a managed rule.Keyword example for custom rules:
-
Custom rule name: my-custom-config-rule
keywordValue
:Custom_my-custom-config-rule
-
-
For service-linked rules, you form the
keywordValue
by adding theCustom_
prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name.Keyword examples for service-linked rules:
-
Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w
keywordValue
:Custom_CustomRuleForAccount-conformance-pack
-
Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba
keywordValue
:Custom_OrgConfigRule-s3-bucket-versioning-enabled
-
The
keywordValue
is case sensitive. If you enter a value incorrectly, Audit Manager might not recognize the data source mapping. As a result, you might not successfully collect evidence from that data source as intended.Keep in mind the following requirements, depending on the data source type that you're using.
-
For Config:
-
For managed rules, make sure that the
keywordValue
is the rule identifier inALL_CAPS_WITH_UNDERSCORES
. For example,CLOUDWATCH_LOG_GROUP_ENCRYPTED
. For accuracy, we recommend that you reference the list of supported Config managed rules. -
For custom rules, make sure that the
keywordValue
has theCustom_
prefix followed by the custom rule name. The format of the custom rule name itself may vary. For accuracy, we recommend that you visit the Config console to verify your custom rule name.
-
-
For Security Hub: The format varies for Security Hub control names. For accuracy, we recommend that you reference the list of supported Security Hub controls.
-
For Amazon Web Services API calls: Make sure that the
keywordValue
is written asserviceprefix_ActionName
. For example,iam_ListGroups
. For accuracy, we recommend that you reference the list of supported API calls. -
For CloudTrail: Make sure that the
keywordValue
is written asserviceprefix_ActionName
. For example,cloudtrail_StartLogging
. For accuracy, we recommend that you review the Amazon Web Service prefix and action names in the Service Authorization Reference.
-
sourceFrequency
— (String
)Specifies how often evidence is collected from the control mapping source.
Possible values include:"DAILY"
"WEEKLY"
"MONTHLY"
troubleshootingText
— (String
)The instructions for troubleshooting the control.
createdAt
— (Date
)The time when the control was created.
lastUpdatedAt
— (Date
)The time when the control was most recently updated.
createdBy
— (String
)The user or role that created the control.
lastUpdatedBy
— (String
)The user or role that most recently updated the control.
tags
— (map<String>
)The tags associated with the control.
state
— (String
)The state of the control. The
Possible values include:END_OF_SUPPORT
state is applicable to standard controls only. This state indicates that the standard control can still be used to collect evidence, but Audit Manager is no longer updating or maintaining that control."ACTIVE"
"END_OF_SUPPORT"
-
(AWS.Response)
—
Returns:
updateSettings(params = {}, callback) ⇒ AWS.Request
Updates Audit Manager settings for the current account.
Service Reference:
Examples:
Calling the updateSettings operation
var params = { defaultAssessmentReportsDestination: { destination: 'STRING_VALUE', destinationType: S3 }, defaultExportDestination: { destination: 'STRING_VALUE', destinationType: S3 }, defaultProcessOwners: [ { roleArn: 'STRING_VALUE', /* required */ roleType: PROCESS_OWNER | RESOURCE_OWNER /* required */ }, /* more items */ ], deregistrationPolicy: { deleteResources: ALL | DEFAULT }, evidenceFinderEnabled: true || false, kmsKey: 'STRING_VALUE', snsTopic: 'STRING_VALUE' }; auditmanager.updateSettings(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
snsTopic
— (String
)The Amazon Simple Notification Service (Amazon SNS) topic that Audit Manager sends notifications to.
defaultAssessmentReportsDestination
— (map
)The default S3 destination bucket for storing assessment reports.
destinationType
— (String
)The destination type, such as Amazon S3.
Possible values include:"S3"
destination
— (String
)The destination bucket where Audit Manager stores assessment reports.
defaultProcessOwners
— (Array<map>
)A list of the default audit owners.
roleType
— required — (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
roleArn
— required — (String
)The Amazon Resource Name (ARN) of the IAM role.
kmsKey
— (String
)The KMS key details.
evidenceFinderEnabled
— (Boolean
)Specifies whether the evidence finder feature is enabled. Change this attribute to enable or disable evidence finder.
When you use this attribute to disable evidence finder, Audit Manager deletes the event data store that’s used to query your evidence data. As a result, you can’t re-enable evidence finder and use the feature again. Your only alternative is to deregister and then re-register Audit Manager.
deregistrationPolicy
— (map
)The deregistration policy for your Audit Manager data. You can use this attribute to determine how your data is handled when you deregister Audit Manager.
deleteResources
— (String
)Specifies which Audit Manager data will be deleted when you deregister Audit Manager.
-
If you set the value to
ALL
, all of your data is deleted within seven days of deregistration. -
If you set the value to
DEFAULT
, none of your data is deleted at the time of deregistration. However, keep in mind that the Audit Manager data retention policy still applies. As a result, any evidence data will be deleted two years after its creation date. Your other Audit Manager resources will continue to exist indefinitely.
"ALL"
"DEFAULT"
-
defaultExportDestination
— (map
)The default S3 destination bucket for storing evidence finder exports.
destinationType
— (String
)The destination type, such as Amazon S3.
Possible values include:"S3"
destination
— (String
)The destination bucket where Audit Manager stores exported files.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:settings
— (map
)The current list of settings.
isAwsOrgEnabled
— (Boolean
)Specifies whether Organizations is enabled.
snsTopic
— (String
)The designated Amazon Simple Notification Service (Amazon SNS) topic.
defaultAssessmentReportsDestination
— (map
)The default S3 destination bucket for storing assessment reports.
destinationType
— (String
)The destination type, such as Amazon S3.
Possible values include:"S3"
destination
— (String
)The destination bucket where Audit Manager stores assessment reports.
defaultProcessOwners
— (Array<map>
)The designated default audit owners.
roleType
— required — (String
)The type of customer persona.
Note: InPossible values include:CreateAssessment
,roleType
can only bePROCESS_OWNER
. InUpdateSettings
,roleType
can only bePROCESS_OWNER
. InBatchCreateDelegationByAssessment
,roleType
can only beRESOURCE_OWNER
."PROCESS_OWNER"
"RESOURCE_OWNER"
roleArn
— required — (String
)The Amazon Resource Name (ARN) of the IAM role.
kmsKey
— (String
)The KMS key details.
evidenceFinderEnablement
— (map
)The current evidence finder status and event data store details.
eventDataStoreArn
— (String
)The Amazon Resource Name (ARN) of the CloudTrail Lake event data store that’s used by evidence finder. The event data store is the lake of evidence data that evidence finder runs queries against.
enablementStatus
— (String
)The current status of the evidence finder feature and the related event data store.
-
ENABLE_IN_PROGRESS
means that you requested to enable evidence finder. An event data store is currently being created to support evidence finder queries. -
ENABLED
means that an event data store was successfully created and evidence finder is enabled. We recommend that you wait 7 days until the event data store is backfilled with your past two years’ worth of evidence data. You can use evidence finder in the meantime, but not all data might be available until the backfill is complete. -
DISABLE_IN_PROGRESS
means that you requested to disable evidence finder, and your request is pending the deletion of the event data store. -
DISABLED
means that you have permanently disabled evidence finder and the event data store has been deleted. You can't re-enable evidence finder after this point.
"ENABLED"
"DISABLED"
"ENABLE_IN_PROGRESS"
"DISABLE_IN_PROGRESS"
-
backfillStatus
— (String
)The current status of the evidence data backfill process.
The backfill starts after you enable evidence finder. During this task, Audit Manager populates an event data store with your past two years’ worth of evidence data so that your evidence can be queried.
-
NOT_STARTED
means that the backfill hasn’t started yet. -
IN_PROGRESS
means that the backfill is in progress. This can take up to 7 days to complete, depending on the amount of evidence data. -
COMPLETED
means that the backfill is complete. All of your past evidence is now queryable.
"NOT_STARTED"
"IN_PROGRESS"
"COMPLETED"
-
error
— (String
)Represents any errors that occurred when enabling or disabling evidence finder.
deregistrationPolicy
— (map
)The deregistration policy for your Audit Manager data. You can use this attribute to determine how your data is handled when you deregister Audit Manager.
deleteResources
— (String
)Specifies which Audit Manager data will be deleted when you deregister Audit Manager.
-
If you set the value to
ALL
, all of your data is deleted within seven days of deregistration. -
If you set the value to
DEFAULT
, none of your data is deleted at the time of deregistration. However, keep in mind that the Audit Manager data retention policy still applies. As a result, any evidence data will be deleted two years after its creation date. Your other Audit Manager resources will continue to exist indefinitely.
"ALL"
"DEFAULT"
-
defaultExportDestination
— (map
)The default S3 destination bucket for storing evidence finder exports.
destinationType
— (String
)The destination type, such as Amazon S3.
Possible values include:"S3"
destination
— (String
)The destination bucket where Audit Manager stores exported files.
-
(AWS.Response)
—
Returns:
validateAssessmentReportIntegrity(params = {}, callback) ⇒ AWS.Request
Validates the integrity of an assessment report in Audit Manager.
Service Reference:
Examples:
Calling the validateAssessmentReportIntegrity operation
var params = { s3RelativePath: 'STRING_VALUE' /* required */ }; auditmanager.validateAssessmentReportIntegrity(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response });
Parameters:
-
params
(Object)
(defaults to: {})
—
s3RelativePath
— (String
)The relative path of the Amazon S3 bucket that the assessment report is stored in.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
null
if the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
null
if a request error occurs. Thedata
object has the following properties:signatureValid
— (Boolean
)Specifies whether the signature key is valid.
signatureAlgorithm
— (String
)The signature algorithm that's used to code sign the assessment report file.
signatureDateTime
— (String
)The date and time signature that specifies when the assessment report was created.
signatureKeyId
— (String
)The unique identifier for the validation signature key.
validationErrors
— (Array<String>
)Represents any errors that occurred when validating the assessment report.
-
(AWS.Response)
—
Returns:
Generated on Fri Sep 6 18:21:46 2024 by yard 0.9.36 (ruby-2.5.1). - listAssessmentFrameworks(params = {}, callback) ⇒ AWS.Request