Changing the evidence collection frequency for a control - AWS Audit Manager

Changing the evidence collection frequency for a control

AWS Audit Manager collects evidence from multiple data sources at varying frequencies. The supported evidence collection frequency depends on the type of evidence that’s being collected for your control.

  • For Configuration snapshots from API calls, Audit Manager collects evidence using a describe API call to another AWS service. You can specify the evidence collection frequency directly in Audit Manager (for custom controls only).

  • For Compliance checks for resource configurations from AWS Config, Audit Manager collects evidence from AWS Config. The evidence collection frequency follows the triggers defined in your AWS Config Rules.

  • For Compliance checks for security findings from AWS Security Hub, Audit Manager collects evidence from Security Hub. The evidence collection frequency follows the schedule of your Security Hub checks.

  • For User activity logs from AWS CloudTrail, Audit Manager collects evidence continuously from CloudTrail. You can’t change the frequency for this evidence type.

The following sections provide more information about the evidence collection frequency for each control data source, and how to change it (if applicable).

Configuration snapshots from AWS API calls

Note

The following applies only to custom controls. You can't change the evidence collection frequency for a standard control that uses API calls as a data source.

If your custom control uses API calls as a data source, you can change the evidence collection frequency in AWS Audit Manager by performing the following steps.

To change the evidence collection frequency for a custom control with an API call data source

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the left navigation pane, choose Control library, and then choose the Custom controls tab.

  3. Choose the custom control that you want to edit, and then choose Edit.

  4. On the Edit control details page, choose Next.

  5. Find the data source box that you want to edit. In the data source box, ensure that you have selected Automated evidence and Configuration snapshots from AWS API calls, and verify that the name of the API call is the one that you want to change the frequency for.

  6. Under Custom control frequency, choose how often you want to collect evidence for the custom control.

  7. Repeat steps 5 and 6 as needed for any additional API call data sources that you want to edit for the custom control.

  8. Choose Next.

  9. On the Edit an action plan page, choose Next.

  10. On the Review and update the control page, review the information for your custom control. To change the information for a step, choose Edit.

  11. When you are finished, choose Save changes.

After you edit a control with Configuration snapshots from AWS API calls as the data source, the changes take effect at 00:00 UTC the following day in all active assessments that include the control.
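As an added example (not code from the AWS documentation), the same change made through the Audit Manager API instead of the console: the helper sets sourceFrequency only on API-call data sources and leaves Config, Security Hub and CloudTrail sources untouched, which is the rule the sections above describe. The boto3 get_control/update_control calls, the controlMappingSources field names and the DAILY/WEEKLY/MONTHLY values are assumed from the Audit Manager API; the sample control mapping is constructed.

```python
import copy

# Only API-call data sources take a frequency set in Audit Manager; Config,
# Security Hub and CloudTrail sources follow their own service's schedule.
EDITABLE_SOURCE_TYPE = "AWS_API_Call"
VALID_FREQUENCIES = {"DAILY", "WEEKLY", "MONTHLY"}  # assumed API enum values

def set_api_call_frequency(sources, frequency, api_names=None):
    """Return (copy of sources, number changed). Only AWS_API_Call entries
    change; api_names optionally limits the edit to those API call names."""
    if frequency not in VALID_FREQUENCIES:
        raise ValueError(f"unsupported frequency {frequency!r}")
    updated = copy.deepcopy(sources)
    changed = 0
    for src in updated:
        if src.get("sourceType") != EDITABLE_SOURCE_TYPE:
            continue  # not editable here; the owning service sets the schedule
        name = src.get("sourceKeyword", {}).get("keywordValue")
        if api_names is not None and name not in api_names:
            continue
        src["sourceFrequency"] = frequency
        changed += 1
    return updated, changed

def apply_frequency(control_id, frequency, api_names=None):
    """Fetch a custom control, rewrite its API-call sources and push it back.
    Needs AWS credentials; boto3 is imported lazily so the helper runs offline."""
    import boto3  # assumed: auditmanager client with get_control/update_control
    client = boto3.client("auditmanager")
    control = client.get_control(controlId=control_id)["control"]
    sources, changed = set_api_call_frequency(
        control["controlMappingSources"], frequency, api_names)
    if changed == 0:
        return 0  # no editable API-call source: skip the no-op write
    client.update_control(
        controlId=control_id,
        name=control["name"],
        controlMappingSources=sources,
    )
    return changed

SAMPLE_SOURCES = [  # constructed sample mapping, not from a real account
    {"sourceType": "AWS_API_Call", "sourceFrequency": "MONTHLY",
     "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                       "keywordValue": "s3_GetBucketEncryption"}},
    {"sourceType": "AWS_Config", "sourceKeyword": {
        "keywordInputType": "SELECT_FROM_LIST",
        "keywordValue": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"}},
]
```

Calling apply_frequency("<control-id>", "DAILY") performs the same edit as steps 5 and 6 above for every API call data source on the control.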

Compliance checks for resource configurations from AWS Config

Note

The following applies to both standard and custom controls that use AWS Config Rules as a data source.

If your control uses AWS Config as a data source, you can’t change the evidence collection frequency directly in AWS Audit Manager. This is because the evidence collection frequency follows the triggers defined in your AWS Config Rules.

There are two types of triggers for AWS Config Rules:

  1. Configuration changes - AWS Config runs evaluations for the rule when certain types of resources are created, changed, or deleted.

  2. Periodic - AWS Config runs evaluations for the rule at a frequency that you choose (for example, every 24 hours).

To learn more about the triggers for AWS Config Rules, see Trigger types in the AWS Config Developer Guide.

For instructions on how to manage AWS Config Rules, see Managing your AWS Config rules.

Compliance checks for security findings from Security Hub

Note

The following applies to both standard and custom controls that use Security Hub checks as a data source.

If your control uses Security Hub as a data source, you can’t change the evidence collection frequency directly in AWS Audit Manager. This is because the evidence collection frequency follows the schedule of your Security Hub checks.

  • Periodic checks run automatically within 12 hours after the most recent run. You cannot change the periodicity.

  • Change-triggered checks run when the associated resource changes state. Even if the resource does not change state, the Updated at time for change-triggered checks is refreshed every 18 hours. This indicates that the control is still enabled. In general, Security Hub uses change-triggered rules whenever possible.

To learn more, see Schedule for running security checks in the AWS Security Hub User Guide.

User activity logs from AWS CloudTrail

Note

The following applies to both standard and custom controls that use AWS CloudTrail user activity logs as a data source.

You can’t change the evidence collection frequency for controls that use activity logs from CloudTrail as a data source. AWS Audit Manager collects this evidence type from CloudTrail continuously, because user activity can happen at any time of the day.