Assessment report destinations - AWS Audit Manager

Assessment report destinations

When you generate an assessment report, Audit Manager publishes the report to the S3 bucket of your choice. This S3 bucket is referred to as an assessment report destination. You can specify your preferred assessment report destination when you first create your assessment. For instructions on how to update your preferences, see Settings, Assessment report destination in this guide.

Configuration tips

To ensure the successful publication of your assessment report, we recommend that you verify the following configurations for your assessment report destination.

AWS Region

The AWS Region of your assessment report destination (and your customer managed key, if you provided one) must match the AWS Region of your assessment. For instructions on how to configure the assessment report destination and the KMS key used for data encryption, see AWS Audit Manager settings. For a list of supported Audit Manager Regions, see AWS Regions and Endpoints in the Amazon Web Services General Reference.

S3 bucket encryption

If your assessment report destination has a bucket policy that requires server-side encryption (SSE) using SSE-KMS, then the KMS key used in that bucket policy must match the KMS key that you configured in your Audit Manager data encryption settings. If you haven't configured a KMS key in your Audit Manager settings, and your assessment report destination bucket policy requires SSE, ensure that the bucket policy allows SSE-S3. For instructions on how to configure the assessment report destination and the KMS key used for data encryption, see AWS Audit Manager settings.

Note

If you change your Audit Manager data encryption settings, these changes apply to the new assessments that you create moving forward. This includes any assessment reports that you create from your new assessments.

The changes don't apply to existing assessments that you created before you changed your encryption settings. This includes new assessment reports that you create from existing assessments, in addition to existing assessment reports. Existing assessments—and all their assessment reports—continue to use the old KMS key. If the IAM identity that’s generating the assessment report doesn’t have permissions to use the old KMS key, you can grant permissions at the key policy level. For instructions, see Allowing users in other accounts to use a KMS key in the AWS Key Management Service Developer Guide.
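The Region and encryption tips above are easy to check before generating a report. The following script is an added example and not part of the AWS documentation: it compares a destination bucket's Region and bucket policy against the Audit Manager settings, deriving what the policy's Deny statements on s3:PutObject require (SSE-KMS, SSE-S3, or a pinned KMS key). The Region, KMS key ARN and bucket policy are constructed sample values; the script parses the policy offline with the standard library and makes no AWS calls.

```python
"""Offline check of an assessment report destination against the Audit Manager
settings (Region match, SSE requirement, KMS key match). Standard library only."""
import json

# Constructed sample values; these are placeholders, not real AWS resources.
ASSESSMENT_REGION = "us-east-1"
CONFIGURED_KMS_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

# Constructed sample bucket policy: it requires SSE-KMS and pins a specific key.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::audit-reports-bucket/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
            },
        },
        {
            "Sid": "DenyWrongKmsKey",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::audit-reports-bucket/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id":
                        "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID"
                }
            },
        },
    ],
})


def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def sse_requirements(bucket_policy_json):
    """Derive what the Deny statements on s3:PutObject require of uploads.

    Returns (allowed_algorithms, required_key_arns): allowed_algorithms is the
    set of s3:x-amz-server-side-encryption values an upload may use, or None
    when the policy does not constrain encryption; required_key_arns is the
    set of KMS key ARNs the policy pins.
    """
    allowed = None
    required_keys = set()
    for stmt in json.loads(bucket_policy_json).get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"s3:putobject", "s3:*", "*"}:
            continue
        # StringNotEquals inside a Deny means "only these values are accepted".
        for key, values in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
            key = key.lower()  # condition keys are case-insensitive
            if key == "s3:x-amz-server-side-encryption":
                values = set(_as_list(values))
                allowed = values if allowed is None else allowed & values
            elif key == "s3:x-amz-server-side-encryption-aws-kms-key-id":
                required_keys.update(_as_list(values))
    return allowed, required_keys


def check_destination(assessment_region, bucket_region, configured_kms_key, bucket_policy_json):
    """Return a list of findings; an empty list means the configuration tips are met."""
    findings = []
    if assessment_region != bucket_region:
        findings.append(f"Region mismatch: assessment is in {assessment_region}, "
                        f"bucket is in {bucket_region}")
    allowed, required_keys = sse_requirements(bucket_policy_json)
    if allowed is not None:
        if configured_kms_key is None and "AES256" not in allowed:
            findings.append("no KMS key is configured in Audit Manager, but the bucket "
                            "policy does not allow SSE-S3 (AES256)")
        if configured_kms_key is not None and "aws:kms" not in allowed:
            findings.append("a KMS key is configured in Audit Manager, but the bucket "
                            "policy does not allow SSE-KMS (aws:kms)")
    for key in sorted(required_keys):
        if key != configured_kms_key:
            findings.append(f"bucket policy requires KMS key {key}, but Audit Manager "
                            f"is configured with {configured_kms_key}")
    return findings


if __name__ == "__main__":
    for finding in check_destination(ASSESSMENT_REGION, "us-east-1",
                                     CONFIGURED_KMS_KEY, SAMPLE_BUCKET_POLICY):
        print("FINDING:", finding)
```

Run as-is, the sample reports one finding: the bucket pins a different KMS key than the one configured in Audit Manager, which is exactly the mismatch the encryption tip warns about. Passing None as the configured key adds a second finding, because the sample policy never allows AES256.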

Other issues to consider

Cross-account S3 buckets

Note

Using a cross-account S3 bucket as your assessment report destination isn’t supported in the Audit Manager console. It’s possible to specify a cross-account bucket as your assessment report destination by using the AWS CLI or one of the AWS SDKs, but for simplicity, we recommend against this. If you do choose to use a cross-account S3 bucket as your assessment report destination, consider the following points.

  • By default, S3 objects—such as assessment reports—are owned by the AWS account that uploads the object. Although it’s not a requirement, we recommend that you change this default in your cross-account bucket settings: use the S3 Object Ownership setting so that any new objects that are written by accounts with the bucket-owner-full-control canned access control list (ACL) automatically become owned by the bucket owner. Making this change ensures that the bucket owner has full control of the assessment reports that you publish to their bucket.

  • To allow Audit Manager to publish reports in a cross-account S3 bucket, you must add the following S3 bucket policy to your assessment report destination. Replace the placeholders with your own information. The Principal element in this policy is the user or role that owns the assessment and creates the assessment report. The Resource specifies the cross-account S3 bucket where the report is published.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow cross account assessment report publishing",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::AssessmentOwnerAccountId:user/AssessmentOwnerUserName"
                },
                "Action": [
                    "s3:ListBucket",
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:GetBucketLocation",
                    "s3:PutObjectAcl",
                    "s3:DeleteObject"
                ],
                "Resource": [
                    "arn:aws:s3:::cross-account-bucket",
                    "arn:aws:s3:::cross-account-bucket/*"
                ]
            }
        ]
    }
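The two cross-account points above (the Object Ownership setting and the bucket policy) can be verified offline. The following script is an added example and not part of the AWS documentation: missing_grants() reads a bucket policy and reports which of the six actions in the policy above are not granted to the assessment owner on the correct resource (bucket ARN for bucket-level actions, object ARN for the rest), and object_owner() models which account ends up owning an uploaded object under each S3 Object Ownership setting. The account ID, user name and bucket name are constructed placeholders; the setting names ObjectWriter, BucketOwnerPreferred and BucketOwnerEnforced are S3's own values for that setting. The script uses only the standard library and makes no AWS calls.

```python
"""Offline lint for a cross-account assessment report destination bucket:
checks the bucket policy grants the assessment owner every action Audit
Manager needs, and models the S3 Object Ownership behaviour. Standard library only."""
import json

# Bucket-level actions apply to the bucket ARN, object-level ones to the objects under it.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:PutObjectAcl", "s3:DeleteObject"}
REQUIRED_ACTIONS = BUCKET_ACTIONS | OBJECT_ACTIONS

# Constructed placeholders; not real accounts, users or buckets.
ASSESSMENT_OWNER_ARN = "arn:aws:iam::111122223333:user/AssessmentOwnerUserName"
BUCKET_NAME = "cross-account-bucket"

# The cross-account bucket policy from the page, with the placeholders filled in.
CROSS_ACCOUNT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow cross account assessment report publishing",
        "Effect": "Allow",
        "Principal": {"AWS": ASSESSMENT_OWNER_ARN},
        "Action": ["s3:ListBucket", "s3:PutObject", "s3:GetObject",
                   "s3:GetBucketLocation", "s3:PutObjectAcl", "s3:DeleteObject"],
        "Resource": [f"arn:aws:s3:::{BUCKET_NAME}", f"arn:aws:s3:::{BUCKET_NAME}/*"],
    }],
})


def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element ("*" or {"AWS": arn-or-list}) to a list of ARNs."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)


def missing_grants(policy_json, principal_arn, bucket_name):
    """Return the required actions that no Allow statement grants principal_arn
    on the right resource. Deny statements and the principal's own IAM policy
    are out of scope for this simple check."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    object_arn = bucket_arn + "/*"
    granted = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _principals(stmt)
        if principal_arn not in principals and "*" not in principals:
            continue
        resources = set(_as_list(stmt.get("Resource")))
        for action in _as_list(stmt.get("Action")):
            if action in BUCKET_ACTIONS and bucket_arn in resources:
                granted.add(action)
            elif action in OBJECT_ACTIONS and object_arn in resources:
                granted.add(action)
    return REQUIRED_ACTIONS - granted


def object_owner(ownership_setting, bucket_owner, uploader, canned_acl=None):
    """Account that owns an uploaded object under each S3 Object Ownership setting:
    ObjectWriter (the default the page describes) keeps the uploader as owner,
    BucketOwnerPreferred transfers ownership when the upload carries the
    bucket-owner-full-control canned ACL, BucketOwnerEnforced disables ACLs and
    always assigns the bucket owner."""
    if ownership_setting == "BucketOwnerEnforced":
        return bucket_owner
    if ownership_setting == "BucketOwnerPreferred" and canned_acl == "bucket-owner-full-control":
        return bucket_owner
    return uploader


if __name__ == "__main__":
    print("missing grants:", missing_grants(CROSS_ACCOUNT_POLICY, ASSESSMENT_OWNER_ARN, BUCKET_NAME))
    print("owner with default setting:",
          object_owner("ObjectWriter", "bucket-account", "assessment-account"))
    print("owner with recommended setting:",
          object_owner("BucketOwnerPreferred", "bucket-account", "assessment-account",
                       "bucket-owner-full-control"))
```

With the page's policy the lint reports nothing missing; dropping the bucket ARN from Resource makes it flag s3:ListBucket and s3:GetBucketLocation, and a different principal or bucket name makes every action show as missing. The ownership model shows why the recommendation matters: under the default setting the assessment owner's account keeps ownership of the report even when it uploads with bucket-owner-full-control.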