Assessment settings - AWS Audit Manager

Assessment settings

Use this tab to review and update your assessment settings.

Default audit owners (optional)

You can specify the default audit owners who have primary access to your assessments in Audit Manager.

You can update this setting using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

Audit Manager console

You can choose from the AWS accounts listed in the table, or use the search bar to look for other AWS accounts.

To update your default audit owner settings (console)
  1. From the Assessment settings tab, go to the Default audit owners section and choose Edit.

  2. To add a default audit owner, select the check box next to the account name under Audit owner.

  3. To remove a default audit owner, clear the check box next to the account name under Audit owner.

  4. When you’re done, choose Save.

AWS CLI
To update your default audit owner settings (AWS CLI)

Run the update-settings command and use the --default-process-owners parameter to specify an audit owner.

In the following example, replace the placeholder text with your own information. Note that roleType can only be PROCESS_OWNER.

aws auditmanager update-settings --default-process-owners roleType=PROCESS_OWNER,roleArn=arn:aws:iam::111122223333:role/Administrator

Audit Manager API
To update your default audit owner settings (API)

Call the UpdateSettings operation and use the defaultProcessOwners parameter to specify default audit owners. Note that roleType can only be PROCESS_OWNER.

For more information about audit owners, see Audit owners in the Concepts and terminology section of this guide.

Assessment report destination (optional)

When you generate an assessment report, Audit Manager publishes the report to the Amazon S3 bucket of your choice. This bucket is referred to as the assessment report destination, and this setting is where you choose it.

You can update this setting using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

Audit Manager console
To update your assessment report destination settings (console)
  1. From the Assessment settings tab, go to the Assessment report destination section.

  2. To use an existing Amazon S3 bucket, select a bucket name from the dropdown menu.

  3. To create a new Amazon S3 bucket, choose Create new bucket.

  4. When you’re done, choose Save.

AWS CLI
To update your assessment report destination settings (AWS CLI)

Run the update-settings command and use the --default-assessment-reports-destination parameter to specify an S3 bucket.

In the following example, replace the placeholder text with your own information:

aws auditmanager update-settings --default-assessment-reports-destination destinationType=S3,destination=s3://doc-example-destination-bucket

Audit Manager API
To update your assessment report destination settings (API)

Call the UpdateSettings operation and use the defaultAssessmentReportsDestination parameter to specify an S3 bucket.

For instructions on how to create an S3 bucket, see Creating a bucket in the Amazon S3 User Guide.

Configuration tips for your assessment report destination

To ensure the successful generation of your assessment report, we recommend that you verify the following configurations for your assessment report destination.

Same-Region buckets

We recommend that you use an S3 bucket that's in the same AWS Region as your assessment. When you use a same-Region bucket and assessment, your assessment report can include up to 22,000 evidence items. Conversely, when you use a cross-Region bucket and assessment, only 3,500 evidence items can be included.

AWS Region

The AWS Region of your customer managed key (if you provided one) must match the Region of your assessment and your assessment report destination S3 bucket. For instructions on how to change the KMS key, see AWS Audit Manager settings, Data encryption. For instructions on how to change the S3 bucket, see AWS Audit Manager settings, Assessment report destination. For a list of supported Audit Manager Regions, see AWS Audit Manager endpoints and quotas in the Amazon Web Services General Reference.

S3 bucket encryption

If your assessment report destination has a bucket policy that requires server-side encryption (SSE) using SSE-KMS, then the KMS key used in that bucket policy must match the KMS key that you configured in your Audit Manager data encryption settings. If you haven't configured a KMS key in your Audit Manager settings, and your assessment report destination bucket policy requires SSE, ensure that the bucket policy allows SSE-S3. For instructions on how to configure the KMS key that's used for data encryption, see Data encryption settings.

Cross-account S3 buckets

Using a cross-account S3 bucket as your assessment report destination isn’t supported in the Audit Manager console. It’s possible to specify a cross-account bucket as your assessment report destination by using the AWS CLI or one of the AWS SDKs, but for simplicity, we recommend that you not do this. If you do choose to use a cross-account S3 bucket as your assessment report destination, consider the following points.

  • By default, S3 objects—such as assessment reports—are owned by the AWS account that uploads the object. You can use the S3 Object Ownership setting to change this default behavior so that any new objects that are written by accounts with the bucket-owner-full-control canned access control list (ACL) automatically become owned by the bucket owner.

    Although it’s not a requirement, we recommend that you make the following changes to your cross-account bucket settings. Making these changes ensures that the bucket owner has full control of the assessment reports that you publish to their bucket.

  • To allow Audit Manager to publish reports in a cross-account S3 bucket, you must add the following S3 bucket policy to your assessment report destination. Replace the placeholder text with your own information. The Principal element in this policy is the user or role that owns the assessment and creates the assessment report. The Resource specifies the cross-account S3 bucket where the report is published.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Allow cross account assessment report publishing",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::AssessmentOwnerAccountId:user/AssessmentOwnerUserName"
          },
          "Action": [
            "s3:ListBucket",
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetBucketLocation",
            "s3:PutObjectAcl",
            "s3:DeleteObject"
          ],
          "Resource": [
            "arn:aws:s3:::CROSS-ACCOUNT-BUCKET",
            "arn:aws:s3:::CROSS-ACCOUNT-BUCKET/*"
          ]
        }
      ]
    }
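The configuration tips above (same-Region bucket, matching KMS key, SSE requirement in the bucket policy, cross-account grants) can be checked before a report is generated. The following Python script is an added example and not part of the AWS documentation or the Audit Manager service. It works over dicts shaped like the responses of aws auditmanager get-settings --attribute ALL, aws s3api get-bucket-location and aws s3api get-bucket-policy; the account IDs, bucket name, key ARN, principal and both sample policies are constructed for the example, and the deny-unless-encrypted statement is one common way of writing a bucket policy that requires SSE-KMS, assumed here rather than taken from the page.

```python
"""Preflight checks for an Audit Manager assessment report destination (added example)."""

# Actions the cross-account bucket policy must grant to the assessment owner,
# split by the resource they apply to (the bucket itself vs. the objects in it).
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:PutObjectAcl", "s3:DeleteObject"}
REQUIRED_ACTIONS = BUCKET_ACTIONS | OBJECT_ACTIONS


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _key_id(kms_ref):
    """Reduce a KMS key ARN or bare key ID to the key ID so both forms compare equal."""
    return kms_ref.rsplit("key/", 1)[-1] if kms_ref else None


def required_sse(policy):
    """(algorithm, key_id) enforced by Deny-unless-encrypted statements, or (None, None)."""
    algo, key = None, None
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if stmt.get("Effect") != "Deny" or not cond:
            continue
        if "s3:x-amz-server-side-encryption" in cond:
            algo = _as_list(cond["s3:x-amz-server-side-encryption"])[0]
        if "s3:x-amz-server-side-encryption-aws-kms-key-id" in cond:
            key = _key_id(_as_list(cond["s3:x-amz-server-side-encryption-aws-kms-key-id"])[0])
    return algo, key


def check_destination(settings, assessment_region, assessment_owner_arn,
                      bucket_region, bucket_owner_account, bucket_policy):
    """Apply the configuration tips; returns a list of (severity, message), empty when all pass."""
    findings = []
    am = settings["settings"]
    bucket = am["defaultAssessmentReportsDestination"]["destination"].removeprefix("s3://").split("/", 1)[0]
    am_key_arn = am.get("kmsKey")  # absent when no customer managed key is configured
    am_key = _key_id(am_key_arn)

    # Same-Region bucket: up to 22,000 evidence items; cross-Region: only 3,500.
    if bucket_region != assessment_region:
        findings.append(("WARN", f"{bucket} is in {bucket_region} but the assessment is in "
                                 f"{assessment_region}: report capped at 3,500 evidence items"))
    if am_key_arn and am_key_arn.split(":")[3] != assessment_region:
        findings.append(("ERROR", "customer managed KMS key is not in the assessment Region"))

    # An SSE requirement in the bucket policy must match the Audit Manager data encryption key.
    algo, key = required_sse(bucket_policy)
    if algo == "aws:kms" and key and key != am_key:
        findings.append(("ERROR", f"bucket policy requires SSE-KMS key {key}, Audit Manager uses "
                                  f"{am_key or 'no customer managed key'}"))
    if algo and am_key is None and algo != "AES256":
        findings.append(("ERROR", "no KMS key in Audit Manager settings: bucket policy must allow SSE-S3"))

    # A cross-account bucket must grant the assessment owner all six actions.
    if bucket_owner_account != assessment_owner_arn.split(":")[4]:
        on_bucket, on_objects = set(), set()
        for stmt in bucket_policy.get("Statement", []):
            principal = stmt.get("Principal", {})
            grantees = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
            if stmt.get("Effect") != "Allow" or assessment_owner_arn not in grantees:
                continue
            actions = set(_as_list(stmt.get("Action", [])))
            resources = set(_as_list(stmt.get("Resource", [])))
            if f"arn:aws:s3:::{bucket}" in resources:
                on_bucket |= actions
            if f"arn:aws:s3:::{bucket}/*" in resources:
                on_objects |= actions
        missing = (BUCKET_ACTIONS - on_bucket) | (OBJECT_ACTIONS - on_objects)
        if missing:
            findings.append(("ERROR", f"cross-account policy lacks {sorted(missing)} for {assessment_owner_arn}"))
    return findings


# Constructed sample inputs: account IDs, bucket, key ARN and principal are placeholders.
ASSESSMENT_OWNER = "arn:aws:iam::111122223333:role/AuditOwner"
AM_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
BUCKET = "doc-example-destination-bucket"
SETTINGS = {"settings": {"kmsKey": AM_KEY_ARN, "defaultAssessmentReportsDestination": {
    "destinationType": "S3", "destination": f"s3://{BUCKET}"}}}


def allow_stmt(actions):
    return {"Sid": "Allow cross account assessment report publishing", "Effect": "Allow",
            "Principal": {"AWS": ASSESSMENT_OWNER}, "Action": sorted(actions),
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}


def deny_unless_kms(key_arn):
    # Assumed form of a bucket policy that requires SSE-KMS with one specific key.
    return {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms",
                                              "s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}}


GOOD_POLICY = {"Version": "2012-10-17", "Statement": [allow_stmt(REQUIRED_ACTIONS), deny_unless_kms(AM_KEY_ARN)]}
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    allow_stmt(REQUIRED_ACTIONS - {"s3:PutObjectAcl"}),
    deny_unless_kms("arn:aws:kms:us-east-1:444455556666:key/00000000-0000-0000-0000-000000000000")]}

if __name__ == "__main__":
    for label, region, policy in (("same-Region, good policy", "us-east-1", GOOD_POLICY),
                                  ("cross-Region, bad policy", "us-west-2", BAD_POLICY)):
        print(label, check_destination(SETTINGS, "us-east-1", ASSESSMENT_OWNER, region, "444455556666", policy))
```

Run against the good policy in the same Region the script reports nothing; against the bad policy in another Region it reports the 3,500-item cap, the KMS key mismatch and the missing s3:PutObjectAcl grant. When the bucket belongs to the assessment owner's own account, the cross-account grant check is skipped, because that case relies on the caller's IAM permissions rather than a bucket policy.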

Notifications (optional)

Audit Manager can send notifications to the Amazon SNS topic that you specify in this setting. If you're subscribed to that SNS topic, you receive notifications when you sign in to Audit Manager.

You can update this setting using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

Audit Manager console
To update your notification settings (console)
  1. From the Assessment settings tab, go to the Notifications section.

  2. To use an existing SNS topic, select the topic name from the dropdown menu.

  3. To create a new SNS topic, choose Create new topic.

  4. When you’re done, choose Save.

AWS CLI
To update your notification settings (AWS CLI)

Run the update-settings command and use the --sns-topic parameter to specify an SNS topic.

In the following example, replace the placeholder text with your own information:

aws auditmanager update-settings --sns-topic arn:aws:sns:us-east-1:111122223333:my-assessment-topic

Audit Manager API
To update your notification settings (API)

Call the UpdateSettings operation and use the snsTopic parameter to specify an SNS topic.

Note

You can use either a standard SNS topic or a FIFO (first-in-first-out) SNS topic. Although Audit Manager supports sending notifications to FIFO topics, the order that messages are sent in isn't guaranteed.

If you want to use an Amazon SNS topic that you don't own, you must configure your AWS Identity and Access Management (IAM) policy to allow the sns:Publish action on that topic's Amazon Resource Name (ARN). For more information about IAM, see Identity and access management for AWS Audit Manager.

To learn more about the list of actions that invoke notifications in Audit Manager, see Notifications in AWS Audit Manager.

For instructions on how to create an Amazon SNS topic, see Creating an Amazon SNS topic in the Amazon SNS User Guide.