Assessment reports
An assessment report summarizes the selected evidence that was collected for an assessment. It also contains links to PDF files with details about each piece of evidence. The specific contents, organization, and naming convention of an assessment report depend on the parameters that you choose when you generate the report.
Assessment reports help you to select and compile the evidence that's relevant for your audit. However, they don't assess the compliance of the evidence itself. Instead, Audit Manager simply provides the selected evidence details as an output that you can share with your auditor.
Contents
Understanding the assessment report folder structure
When you download an assessment report, Audit Manager produces a zip folder. This contains your assessment report and related evidence files in nested subfolders.
The zip folder is structured as follows:
-
Assessment folder (example:
myAssessmentName-a1b2c3d4
) – The root folder.-
Assessment report folder (example:
reportName-a1b2c3d4e5f6g7
) – A subfolder where you can find the AssessmentReportSummary.pdf, digest.txt, and README.txt files.-
Evidence by control folder (example:
controlName-a1b2c3d4e5f6g
) – A subfolder that groups evidence files by the related control.-
Evidence by data source folder (example:
CloudTrail
,Security Hub
) – A subfolder that groups evidence files by the data source type.-
Evidence by date folder (example:
2022-07-01
) – A subfolder that groups evidence files by the evidence collection date.-
Evidence files – The files that contain details about individual pieces of evidence.
-
-
-
-
-
Navigating an assessment report
Start by opening the zip folder and navigating one level down to the assessment report folder. Here, you can find the assessment report PDF and the README.txt file.
You can review the README.txt file to understand the structure and the contents of the zip folder. It also provides reference information about the naming conventions for each file. This information can help you navigate directly to a subfolder or evidence file if you’re looking for a specific item.
Otherwise, to browse evidence and locate the information that you need, open the assessment report PDF. This gives you a high-level overview of the report, and a summary of the assessment that the report was created from.
Next, use the table of contents (TOC) to explore the report. You can choose any hyperlinked control in the TOC to jump directly to a summary of that control.
When you're ready to review evidence details for a control, you can do so by choosing the hyperlinked evidence name. For automated evidence, the hyperlink opens a new PDF file with details about that evidence. For manual evidence, the hyperlink takes you to the S3 bucket that contains the evidence.
Tip
The breadcrumb navigation at the top of each page shows your current location in the assessment report as you browse controls and evidence. Select the hyperlinked TOC to navigate back to the TOC at any time.
Reviewing the sections of an assessment report
Use the following information to learn more about each section of an assessment report.
Note
When you see a hyphen (-) next to any of the attributes in the following sections, this indicates that the value of that attribute is null, or a value doesn't exist.
Cover page
The cover page includes the name of the assessment report. It also displays the date and time that the report was generated, along with the account ID of the user who generated the report.
The cover page is formatted as follows. Audit Manager replaces the
placeholders
with the information that's relevant to your
report.
Assessment report name
Report generated onMM/DD/YYYY
atHH:MM:SS AM/PM UCT
byAccountID
Overview page
The overview page has two parts: a summary of the report itself, and a summary of the assessment that's being reported on.
Report summary
This section summarizes the assessment report.
Name | Description |
---|---|
Report name |
The name of the report. |
Description |
The description that's entered by the audit owner when they generate the report. |
Date generated |
The date when the report was generated. The time is represented in Coordinated Universal Time (UTC). |
Total controls included |
The number of controls that are included in the report and have collected evidence. This is a subset of the total number of controls in the assessment. |
AWS accounts included |
The number of AWS accounts that are included in the report and have collected evidence. This is a subset of the total number of AWS accounts in the assessment. |
Assessment report selection |
The number of evidence items that are selected for inclusion in the report. This includes the total number of compliance check issues that are found in the report. |
Assessment summary
This section summarizes the assessment that the report relates to.
Name | Description |
---|---|
Assessment name |
The name of the assessment that the report was generated from. |
Status |
The status of the assessment at the time when the report was generated. |
Assessnent Region |
The AWS Region that the assessment was created in. |
AWS accounts in scope |
The list of AWS accounts that are in the scope of the assessment. |
Framework name |
The name of the framework that the assessment was created from. |
Audit owners |
The user or role of the assessment's audit owners. |
Last updated |
The date when the assessment was last updated. The time is represented in UTC. |
Table of contents page
The TOC displays the full contents of the assessment report. The contents are grouped and organized based on the control sets that are included in the assessment. Controls are listed underneath their respective control set.
Choose any item in the table of contents to navigate directly to that section of the report. You can either choose a control set or go directly to a control.
Control page
The control page has two parts: a summary of the control itself, and a summary of the evidence that was collected for the control.
Control summary
This section includes the following information.
Name | Description |
---|---|
Control name |
The name of the control. |
Description |
The description of the control. |
Control set |
The name of the control set that the control belongs to. |
Testing information |
The recommended testing procedures for this control. |
Action plan |
The recommended actions to perform if the control isn't fulfilled. |
Assessment report selection |
The number of evidence items related to this control that were included in the assessment report. This includes the number of compliance check issues that were found for this control's evidence. |
Collected evidence
This section shows the evidence that was collected for the control. The evidence is grouped by folders, which are organized and named by the evidence collection date. Next to each evidence folder name is the total number of compliance check issues for that folder.
Underneath each evidence folder name is a list of hyperlinked evidence names.
-
Automated evidence names start with an evidence collection timestamp, followed by the service code, event name (up to 20 characters), account ID, and a unique 12-character unique ID.
For example:
21-30-24_IAM_CreateUser_111122223333_a1b2c3d4e5f6
For automated evidence, the hyperlinked name opens a new PDF file with a summary and further details.
-
Manual evidence names start with an evidence upload timestamp, followed by the
manual
label, account ID, and a 12-character unique ID. They also include the first 10 characters of the file name, and the file extension (up to 10 characters).For example:
00-00-00_manual_111122223333_a1b2c3d4e5f6_myimage.png
For manual evidence, the hyperlinked name takes you to the S3 bucket that contains that evidence.
Next to each evidence name is the result of the compliance check for that item.
-
For automated evidence that's collected from AWS Security Hub or AWS Config, a Compliant, Non-compliant, or Inconclusive result is reported.
-
For automated evidence that's collected from AWS CloudTrail and API calls, and for all manual evidence, an Inconclusive result is shown.
Evidence summary page
The evidence summary page includes the following information.
Name | Description |
---|---|
ID |
The unique identifier for the evidence. |
Date collected |
The date when the evidence was created or uploaded. |
Description |
A description of the evidence, including the account ID and the data source type. |
Assessment name |
The name of the assessment that the report was generated from. |
Framework name |
The name of the framework that the assessment was created from. |
Control name |
The name of the control that the evidence supports. |
Control set name |
The name of the control set that the related control belongs to. |
Control description |
The description of the control that the evidence supports. |
Testing information |
The recommended testing procedures for the control. |
Action plan |
The recommended actions to perform if the control is not fulfilled. |
AWS Region |
The name of the Region that's associated with the evidence. |
IAM ID |
The ARN of the user or role that's associated with the evidence. |
AWS account |
The AWS account ID that's associated with the evidence. |
AWS service |
The name of the AWS service that's associated with the evidence. |
Event name |
The name of the evidence event. |
Event time |
The time when the evidence event occurred. |
Data source |
Where the evidence was collected or uploaded from. The data source type can be either AWS Config, Security Hub, AWS API calls, CloudTrail, or Manual. |
Evidence by type |
The category of the evidence
|
Compliance check status |
The evaluation status for evidence that falls under the compliance check category.
|
Evidence detail page
The evidence detail page shows the name of the evidence and an evidence detail table. This table provides a detailed breakdown of each element of the evidence so that you can understand the data and validate that it's correct. Depending on the data source of the evidence, the contents of the evidence detail page vary.
Tip
The breadcrumb navigation at the top of each page shows your current location as you browse evidence details. Select Evidence summary to navigate back to the evidence summary at any time.
Validating an assessment report
When you generate an assessment report, Audit Manager produces a report file checksum called
digest.txt
. You can use this file to validate the integrity of the report and
ensure that no evidence was modified after the report was created. It contains a JSON object
with signatures and hashes that are invalidated if any part of the report archive is altered.
To validate the integrity of an assessment report, use the ValidateAssessmentReportIntegrity API that's provided by Audit Manager.
Additional resources
To find answers to common questions and issues, see Troubleshooting assessment report issues in the Troubleshooting section of this guide.