AWS Audit Manager concepts and terminology

To help you get started, this page defines terms and explains some of the key concepts of AWS Audit Manager.

Assessment

You can use an Audit Manager assessment to automatically collect evidence that’s relevant for an audit.

An assessment is based on a framework, which is a grouping of controls that are related to your audit. Depending on your business requirements, you can create an assessment from a standard framework or a custom framework. Standard frameworks contain prebuilt control sets that support a specific compliance standard or regulation. In contrast, custom frameworks contain controls that you can customize and group according to your internal audit requirements. Using the framework of your choice as a starting point, you can create an assessment that specifies the AWS accounts and services that you want to include in the scope of your audit.

When you create an assessment, Audit Manager automatically starts to assess resources in your AWS accounts and services based on the controls that are defined in the framework. Next, it collects the relevant evidence and converts it into an auditor-friendly format. After doing this, it then attaches the evidence to the controls in your assessment. When it's time for an audit, you—or a delegate of your choice—can review the collected evidence and then add it to an assessment report. This assessment report helps you to demonstrate that your controls are working as intended.

Evidence collection is an ongoing process that starts when you create your assessment. You can stop evidence collection by changing the assessment status to inactive. Alternatively, you can stop evidence collection at the control level. You can do this by changing the status of a specific control within your assessment to inactive.

For instructions on how to create and manage assessments, see Assessments in AWS Audit Manager.

Assessment report

An assessment report is a finalized document that's generated from an AWS Audit Manager assessment. These reports summarize the relevant evidence that's collected for your audit. They link to the relevant evidence folders. The folders are named and organized according to the controls that are specified in your assessment. For each assessment, you can review the evidence that Audit Manager collects, and decide which evidence you want to include in the assessment report.

To learn more about assessment reports, see Assessment reports. To learn how to generate an assessment report, see Generating an assessment report.

Audit

An audit is an independent examination of the assets, operations, or business integrity of your organization. An information technology (IT) audit specifically examines the controls within the information systems of your organization. The goal of an IT audit is to determine if information systems safeguard assets, operate effectively, and maintain data integrity. All of these are important to meeting the regulatory requirements that are mandated by a compliance standard or regulation.

Audit owner

The term audit owner has two different meanings depending on the context.

In the context of Audit Manager, an audit owner is an IAM user or role that manages an assessment and its related resources. The responsibilities of this Audit Manager persona include creating assessments, reviewing evidence, and generating assessment reports. Audit Manager is a collaborative service, and audit owners benefit when other stakeholders participate in their assessments. For example, you can add other audit owners to your assessment to share management tasks. Or, if you’re an audit owner and you need help interpreting the evidence that was collected for a control, you can delegate that control set to a stakeholder who has subject matter expertise in that area. Such a person is known as a delegate persona.

In business terms, an audit owner is someone who coordinates and oversees the audit readiness efforts of their company, and presents evidence to an auditor. Typically, this is a governance, risk, and compliance (GRC) professional, such as a Compliance Officer or a GDPR Data Protection Officer. GRC professionals have the expertise and authority to manage audit preparation. More specifically, they understand compliance requirements, and can analyze, interpret, and prepare reporting data. However, other business roles can also assume the Audit Manager persona of an audit owner—not only GRC professionals take on this role. For example, you might choose to have your Audit Manager assessments set up and managed by a technical expert from one of the following teams:

  • SecOps

  • IT/DevOps

  • Security Operations Center/Incident Response

  • Similar teams that own, develop, remediate, and deploy cloud assets, and understand the cloud infrastructure of your organization

Who you choose to assign as an audit owner in your Audit Manager assessment depends greatly on your organization. It also depends on how you structure your security operations and the specifics of the audit. In Audit Manager, the same individual can assume the audit owner persona in one assessment, and the delegate persona in another.

No matter how you choose to use Audit Manager, you can enforce separation of duties across your organization by using the audit owner and delegate personas and by granting a specific IAM policy to each user. Through this two-step approach, Audit Manager ensures that you have full control over all of the specifics of an individual assessment. For more information, see Recommended policies for user personas in AWS Audit Manager.

Changelog

For each control in an assessment, AWS Audit Manager captures changelogs to track user activity for that control. You can then review an audit trail of activities that are related to a specific control. For more information about which user activities are captured in changelogs, see Changelog tab.

Cloud compliance

Cloud compliance is the general principle that cloud-delivered systems must comply with the standards and regulations that apply to the customers who use them.

Compliance regulation

A compliance regulation is a law, rule, or other order that's prescribed by an authority, typically to regulate conduct. One example is GDPR.

Compliance standard

A compliance standard is a structured set of guidelines that detail the processes of an organization for maintaining accordance with established regulations, specifications, or legislation. Examples include PCI DSS, HIPAA, and HITRUST.

Control

A control is a prescriptive statement of how to conform to a given rule. It provides assurance that the resources your organization uses operate as intended, that data is reliable, and that your organization complies with applicable laws and regulations. A compliance standard or regulation contains multiple controls, which are grouped into control sets.

There are two types of control in AWS Audit Manager:

  • Standard controls — Predefined controls that are based on AWS best practices for several compliance standards and regulations. You can use these controls to assist you with audit preparation for common compliance standards and regulations.

  • Custom controls — Customized controls that you define as an AWS Audit Manager user. You can use these controls to help you meet your specific compliance requirements.

For more information, see Examples of AWS Audit Manager controls. For instructions on how to create and manage controls, see Control library.

Control data source

A control data source defines the resource from which AWS Audit Manager collects evidence to support the requirements of a control. Examples of AWS data sources include the following:

  • AWS CloudTrail log

  • AWS Config rule

  • AWS Security Hub check

  • Amazon EC2 instance

  • Amazon S3 bucket

  • AWS Identity and Access Management (IAM) user or role

  • Network component such as an Amazon Virtual Private Cloud (VPC), security group, or network access control list (network ACL)

A single control can have multiple data sources.

Control domains

You can think of a control domain as a general category of controls that isn’t specific to any one framework. Control domain groupings are one of the most powerful features of the Audit Manager dashboard. Audit Manager highlights the controls in your assessments that have non-compliant evidence, and groups them by control domain. This enables you to focus your remediation efforts on specific subject domains as you prepare for an audit.

Note

A control domain is different from a control set. A control set is a framework-specific grouping of controls that's typically defined by a regulatory body. For example, the PCI DSS framework has a control set named Requirement 8: Identify and authenticate access to system components. This control set falls under the control domain of Identity and access management.

Audit Manager categorizes controls under the following control domains.

The following list gives each control domain name, followed by a description of what the controls in that domain govern.

Business continuity and contingency planning

How you establish processes that protect critical business operations from the effects of major system and network disruptions.

Change management

How you test, approve, implement, and document changes to your cloud infrastructure.

Data security and privacy

How you secure the privacy, availability, and integrity of your data.

Development and configuration management

How you maintain your cloud infrastructure in a desired and consistent state.

Governance and oversight

How you align your use of cloud computing with your legal, regulatory, and ethical obligations.

Identity and access management

How you ensure that the right users have the appropriate access to your technology resources.

Incident management

How you establish responsibilities and procedures that ensure a quick and effective response to security incidents.

Logging and monitoring

How you review user activity for indications that unauthorized activity was attempted or performed.

Network management

How you administer and operate your data network using a network management system.

Personnel management

How you assess and manage personnel security risks at an organizational level.

Physical security

How you detect and prevent physical security issues in your facilities.

Risk management

How you evaluate potential risks and losses, and how you reduce or eliminate such threats.

Supply chain management

How you identify, assess, and mitigate the risks that are associated with IT products, vendors, and supply chains.

User device management

How you reduce the risk that your employees' IT hardware is lost, damaged, or compromised.

Vulnerability management

How you define, assess, and remediate all known vulnerabilities for assets within your cloud infrastructure.

Delegate

A delegate is an AWS Audit Manager user with limited permissions. Delegates typically have specialized business or technical expertise, for example in data retention policies, training plans, network infrastructure, or identity management. Delegates help audit owners review collected evidence for controls that are in their area of expertise. Delegates can review control sets and their related evidence, add comments, upload additional evidence, and update the status of each of the controls that you assign to them for review.

Audit owners assign specific control sets to delegates, not entire assessments. As a result, delegates have limited access to assessments. For instructions on how to delegate a control set, see Delegations in AWS Audit Manager.

Evidence

Evidence is a record that contains the information needed to demonstrate compliance with the requirements that a control specifies. Examples of evidence include a change activity invoked by a user and a system configuration snapshot.

There are two main types of evidence in AWS Audit Manager: automated and manual.

  • Automated evidence — This is the evidence that AWS Audit Manager collects automatically. This includes the following three categories of automated evidence:

    • Compliance check — The result of a compliance check is captured from AWS Security Hub, AWS Config, or both. The frequency depends on the source (for example, AWS Security Hub runs periodic checks about every 12 hours and runs change-triggered checks when a resource's state changes). Examples of compliance checks include a Security Hub security check for a PCI DSS control and an AWS Config rule evaluation for HIPAA.

    • User activity — User activity that changes a resource configuration is captured from AWS CloudTrail logs as that activity occurs. Examples of user activities include a route table update, an Amazon RDS instance backup setting change, and an Amazon S3 bucket encryption policy change.

    • Configuration data — A snapshot of the resource configuration is captured directly from an AWS service on a daily, weekly, or monthly basis. Examples of configuration snapshots include a list of routes for a VPC route table, an Amazon RDS instance backup setting, and an Amazon S3 bucket encryption policy.

  • Manual evidence — This is the evidence that you can upload to AWS Audit Manager manually as an additional support document.

Automated evidence collection starts when you create an assessment. This is an ongoing process, and Audit Manager collects evidence at different frequencies depending on the evidence type and the underlying data source. For more information about evidence collection, see How AWS Audit Manager collects evidence. For instructions on how to review evidence in an assessment, see Reviewing the evidence in an assessment.

Framework

An AWS Audit Manager framework is a file that's used to structure and automate assessments for a specific standard or risk governance principle. Frameworks help map your AWS resources to the requirements of a control. A framework is a collection of prebuilt or customer-defined controls, with a description and testing procedures for each control. The controls are organized and grouped according to the requirements of a specified compliance standard or regulation, such as PCI DSS or GDPR.

There are two types of framework in AWS Audit Manager:

  • Standard frameworks — Prebuilt frameworks that are based on AWS best practices for various compliance standards and regulations. You can use these frameworks to assist with audit preparation.

  • Custom frameworks — Customized frameworks that you define as an AWS Audit Manager user. You can use these frameworks to assist with audit preparation according to your specific compliance or risk governance requirements.

For instructions on how to create and manage frameworks, see Framework library.

Note

AWS Audit Manager assists in collecting evidence that's relevant for verifying compliance with specific compliance standards and regulations. However, it doesn't assess your compliance itself. The evidence that's collected through AWS Audit Manager therefore might not include all the information about your AWS usage that's needed for audits. AWS Audit Manager isn't a substitute for legal counsel or compliance experts.

Framework sharing

You can use the custom framework sharing feature of Audit Manager to quickly share your custom frameworks across AWS accounts and Regions. To share a custom framework, you create a share request. The recipient of the share request then has 120 days to accept or decline the request. When they accept, Audit Manager replicates the shared custom framework into their framework library. In addition to replicating the custom framework, Audit Manager also replicates any custom control sets and controls that are contained within that framework. These custom controls are added to the recipient’s control library. Audit Manager doesn’t replicate standard frameworks or controls. This is because these resources are already available by default in each account and Region.

Resource

A resource is a physical or information asset that's assessed in an audit. Examples of AWS resources include Amazon EC2 instances, Amazon RDS instances, Amazon S3 buckets, and Amazon VPC subnets.

Resource assessment

A resource assessment is the process of assessing an individual resource against the requirements of a control. While an assessment is active, AWS Audit Manager runs resource assessments for each individual resource in the scope of the assessment. A resource assessment runs the following set of tasks:

  1. Collects evidence including resource configurations, event logs, and findings

  2. Translates and maps evidence to controls

  3. Stores the evidence and tracks its lineage to preserve its integrity