Changing the evidence collection frequency for a control - AWS Audit Manager

AWS Audit Manager collects evidence from multiple data sources at varying frequencies. The supported evidence collection frequency depends on the type of evidence that is collected for the control.

  • For AWS API calls, Audit Manager collects evidence using a describe API call to another AWS service. You can specify the evidence collection frequency directly in Audit Manager (for custom controls only).

  • For AWS Config, Audit Manager reports the result of a compliance check directly from AWS Config. The frequency follows the triggers that are defined in the AWS Config rule.

  • For AWS Security Hub, Audit Manager reports the result of a compliance check directly from Security Hub. The frequency follows the schedule of the Security Hub check.

  • For AWS CloudTrail, Audit Manager collects evidence continuously from CloudTrail. You can’t change the frequency for this evidence type.

The following sections provide more information about the evidence collection frequency for each control data source type, and how to change it (if applicable).

Configuration snapshots from AWS API calls

Note

The following applies only to custom controls. You can't change the evidence collection frequency for a standard control that uses API calls as a data source.

If a custom control uses AWS API calls as a data source type, you can change the evidence collection frequency in Audit Manager by following these steps.

To change the evidence collection frequency for a custom control with an API call data source
  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the navigation pane, choose Control library, and then choose the Custom controls tab.

  3. Choose the custom control that you want to edit, and then choose Edit.

  4. On the Edit control details page, choose Next.

  5. Find the data source box that you want to edit, and verify that the following information is correct:

    • The evidence collection method is Automated.

    • The data source type is AWS API calls.

    • The selected API call is the one that you want to change the frequency for.

  6. Under Frequency, choose how often you want to collect evidence for the custom control.

  7. Repeat steps 5-6 as needed for any additional API call data sources that you want to edit.

  8. Choose Next.

  9. On the Edit an action plan page, choose Next.

  10. On the Review and update the control page, review the information for the custom control. To change the information for a step, choose Edit.

  11. When you're finished, choose Save changes.

After you edit a control with AWS API calls as the data source type, the changes take effect at 00:00 UTC the following day in all active assessments that include the control.
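The console procedure above, as an added example that is not part of the AWS documentation and not AWS's own code: the same change made through the Audit Manager API with boto3. It uses the real `get_control` and `update_control` operations and the `ControlMappingSource` fields (`sourceType`, `sourceKeyword`, `sourceFrequency`); the control ID, the sample control mapping sources and their `sourceId` values are constructed for illustration. The frequency is rewritten only on AWS API call sources, because the other source types (AWS Config, Security Hub, CloudTrail) have no frequency that Audit Manager lets you edit, and a helper computes when the edit takes effect (00:00 UTC the following day).

```python
"""Change the evidence collection frequency on the AWS API call data sources
of a custom AWS Audit Manager control.

Added example, not code from the AWS documentation. It calls the real boto3
``auditmanager`` operations ``get_control`` and ``update_control`` and uses
the ``ControlMappingSource`` fields from the Audit Manager API. The control
ID and the SAMPLE_SOURCES below are constructed, not taken from a real account.
"""
from copy import deepcopy
from datetime import datetime, timedelta, timezone

# Frequencies the Audit Manager API accepts for an AWS_API_Call source.
VALID_FREQUENCIES = {"DAILY", "WEEKLY", "MONTHLY"}

# Constructed sample: the controlMappingSources of a custom control with one
# API call source, one AWS Config rule source and one CloudTrail source.
SAMPLE_SOURCES = [
    {
        "sourceId": "src-1",  # constructed; real IDs are UUIDs
        "sourceName": "EC2 instance configuration snapshot",
        "sourceSetUpOption": "System_Controls_Mapping",
        "sourceType": "AWS_API_Call",
        "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                          "keywordValue": "ec2_DescribeInstances"},
        "sourceFrequency": "MONTHLY",
    },
    {
        "sourceId": "src-2",
        "sourceName": "S3 public read prohibited",
        "sourceSetUpOption": "System_Controls_Mapping",
        "sourceType": "AWS_Config",  # frequency follows the rule's trigger
        "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                          "keywordValue": "S3_BUCKET_PUBLIC_READ_PROHIBITED"},
    },
    {
        "sourceId": "src-3",
        "sourceName": "IAM policy changes",
        "sourceSetUpOption": "System_Controls_Mapping",
        "sourceType": "AWS_Cloudtrail",  # collected continuously
        "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                          "keywordValue": "CreatePolicy"},
    },
]


def set_api_call_frequency(sources, frequency, api_calls=None):
    """Return (new_sources, changed_count).

    ``new_sources`` is a deep copy of ``sources`` with ``sourceFrequency`` set
    to ``frequency`` on every AWS_API_Call source, or only on the API calls
    named in ``api_calls`` when that set is given. Sources of any other type
    are copied unchanged: their frequency is not editable in Audit Manager.
    """
    if frequency not in VALID_FREQUENCIES:
        raise ValueError(f"frequency must be one of {sorted(VALID_FREQUENCIES)}")
    updated = deepcopy(sources)
    changed = 0
    for src in updated:
        if src.get("sourceType") != "AWS_API_Call":
            continue
        keyword = src.get("sourceKeyword", {}).get("keywordValue")
        if api_calls is not None and keyword not in api_calls:
            continue
        if src.get("sourceFrequency") != frequency:
            src["sourceFrequency"] = frequency
            changed += 1
    return updated, changed


def effective_from(edited_at_iso):
    """Edits to API call sources take effect at 00:00 UTC the day after the
    edit. Takes and returns ISO 8601 timestamps; the input must carry a UTC
    offset so the calendar day is computed in UTC, not local time."""
    edited_at = datetime.fromisoformat(edited_at_iso)
    if edited_at.tzinfo is None:
        raise ValueError("timestamp must include a UTC offset")
    next_day = (edited_at.astimezone(timezone.utc) + timedelta(days=1)).date()
    midnight = datetime(next_day.year, next_day.month, next_day.day,
                        tzinfo=timezone.utc)
    return midnight.isoformat()


def update_control_frequency(control_id, frequency, api_calls=None,
                             region_name=None):
    """Fetch the control, rewrite its API call sources and push the result
    back with update_control. Needs AWS credentials with
    auditmanager:GetControl and auditmanager:UpdateControl."""
    import boto3  # imported here so the pure functions above run offline

    client = boto3.client("auditmanager", region_name=region_name)
    control = client.get_control(controlId=control_id)["control"]
    new_sources, changed = set_api_call_frequency(
        control["controlMappingSources"], frequency, api_calls)
    if changed == 0:
        return control  # nothing to do; avoid a no-op write
    params = {"controlId": control_id, "name": control["name"],
              "controlMappingSources": new_sources}
    # Keep the optional fields the control already has so the update does
    # not blank them.
    for key in ("description", "testingInformation",
                "actionPlanTitle", "actionPlanInstructions"):
        if control.get(key):
            params[key] = control[key]
    return client.update_control(**params)["control"]
```

`set_api_call_frequency` and `effective_from` are pure and can be exercised without credentials; `update_control_frequency("<custom-control-id>", "DAILY")` performs the real change and is the API equivalent of steps 1 through 11. Sending the full `controlMappingSources` list back, with the non-API-call sources untouched, matters: `update_control` replaces the control's mapping sources with the list you supply.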

Compliance checks from AWS Config

Note

The following applies to both standard controls and custom controls that use AWS Config Rules as a data source.

If a control uses AWS Config as a data source type, you can’t change the evidence collection frequency directly in Audit Manager. This is because the frequency follows the triggers that are defined in the AWS Config rule.

There are two types of triggers for AWS Config Rules:

  1. Configuration changes - AWS Config runs evaluations for the rule when certain types of resources are created, changed, or deleted.

  2. Periodic - AWS Config runs evaluations for the rule at a frequency that you choose (for example, every 24 hours).

To learn more about the triggers for AWS Config Rules, see Trigger types in the AWS Config Developer Guide.

For instructions on how to manage AWS Config Rules, see Managing your AWS Config rules.

Compliance checks from Security Hub

Note

The following applies to both standard controls and custom controls that use Security Hub checks as a data source.

If a control uses Security Hub as a data source type, you can’t change the evidence collection frequency directly in Audit Manager. This is because the frequency follows the schedule of the Security Hub checks.

  • Periodic checks run automatically within 12 hours after the most recent run. You cannot change the periodicity.

  • Change-triggered checks run when the associated resource changes state. Even if the resource doesn't change state, the Updated at time for change-triggered checks is refreshed every 18 hours. This indicates that the control is still enabled. In general, Security Hub uses change-triggered rules whenever possible.

To learn more, see Schedule for running security checks in the AWS Security Hub User Guide.

User activity logs from AWS CloudTrail

Note

The following applies to both standard controls and custom controls that use AWS CloudTrail user activity logs as a data source.

You can’t change the evidence collection frequency for controls that use activity logs from CloudTrail as a data source type. Audit Manager collects this evidence type from CloudTrail in a continuous manner. The frequency is continuous because user activity can happen at any time of the day.