AWS Audit Manager concepts and terminology

Assessment

You can use an Audit Manager assessment to automatically collect evidence that’s relevant for an audit.

An assessment is based on a framework, which is a grouping of controls that are related to your audit. Depending on your business requirements, you can create an assessment from a standard framework or a custom framework. Standard frameworks contain prebuilt control sets that support a specific compliance standard or regulation. In contrast, custom frameworks contain controls that you can customize and group according to your internal audit requirements. Using a framework as a starting point, you can create an assessment that specifies the AWS accounts and services that you want to include in the scope of your audit.

When you create an assessment, Audit Manager automatically starts to assess resources in your AWS accounts and services based on the controls that are defined in the framework. Next, it collects the relevant evidence and converts it into an auditor-friendly format. After doing this, it then attaches the evidence to the controls in your assessment. When it's time for an audit, you—or a delegate of your choice—can review the collected evidence and then add it to an assessment report. This assessment report helps you to demonstrate that your controls are working as intended.

Evidence collection is an ongoing process that starts when you create your assessment. You can stop evidence collection by changing the assessment status to inactive. Alternatively, you can stop evidence collection at the control level. You can do this by changing the status of a specific control within your assessment to inactive.

For instructions on how to create and manage assessments, see Assessments in AWS Audit Manager.

Assessment report

An assessment report is a finalized document that's generated from an Audit Manager assessment. These reports summarize the relevant evidence that's collected for your audit. They link to the relevant evidence folders. The folders are named and organized according to the controls that are specified in your assessment. For each assessment, you can review the evidence that Audit Manager collects, and decide which evidence you want to include in the assessment report.

To learn more about assessment reports, see Assessment reports. To learn how to generate an assessment report, see Generating an assessment report.

Assessment report destination

An assessment report destination is the default S3 bucket where Audit Manager saves your assessment reports. To learn more, see Assessment report destination (optional).

Audit

An audit is an independent examination of the assets, operations, or business integrity of your organization. An information technology (IT) audit specifically examines the controls within the information systems of your organization. The goal of an IT audit is to determine if information systems safeguard assets, operate effectively, and maintain data integrity. All of these are important to meeting the regulatory requirements that are mandated by a compliance standard or regulation.

Audit owner

The term audit owner has two different meanings depending on the context.

In the context of Audit Manager, an audit owner is a user or role that manages an assessment and its related resources. The responsibilities of this Audit Manager persona include creating assessments, reviewing evidence, and generating assessment reports. Audit Manager is a collaborative service, and audit owners benefit when other stakeholders participate in their assessments. For example, you can add other audit owners to your assessment to share management tasks. Or, if you’re an audit owner and you need help interpreting the evidence that was collected for a control, you can delegate that control set to a stakeholder who has subject matter expertise in that area. Such a person is known as a delegate persona.

In business terms, an audit owner is someone who coordinates and oversees the audit readiness efforts of their company, and presents evidence to an auditor. Typically, this is a governance, risk, and compliance (GRC) professional, such as a Compliance Officer or a GDPR Data Protection Officer. GRC professionals have the expertise and authority to manage audit preparation. More specifically, they understand compliance requirements, and can analyze, interpret, and prepare reporting data. However, other business roles can also assume the Audit Manager persona of an audit owner—not only GRC professionals take on this role. For example, you might choose to have your Audit Manager assessments set up and managed by a technical expert from one of the following teams:

SecOps
IT/DevOps
Security Operations Center/Incident Response
Similar teams that own, develop, remediate, and deploy cloud assets, and understand the cloud infrastructure of your organization

Who you choose to assign as an audit owner in your Audit Manager assessment depends greatly on your organization. It also depends on how you structure your security operations and the specifics of the audit. In Audit Manager, the same individual can assume the audit owner persona in one assessment, and the delegate persona in another.

No matter how you choose to use Audit Manager, you can manage the separation of duties across your organization using the audit owner/delegate persona and granting specific IAM policies to each user. Through this two-step approach, Audit Manager ensures that you have full control over all of the specifics of an individual assessment. For more information, see Recommended policies for user personas in AWS Audit Manager.

Changelog

For each control in an assessment, Audit Manager captures changelogs to track user activity for that control. You can then review an audit trail of activities that are related to a specific control. For more information about which user activities are captured in changelogs, see Changelog tab.

Cloud compliance

Cloud compliance is the general principle that cloud-delivered systems must be compliant with the standards that are faced by cloud customers.

Compliance regulation

A compliance regulation is a law, rule, or other order that's prescribed by an authority, typically to regulate conduct. One example is GDPR.

Compliance standard

A compliance standard is a structured set of guidelines that detail the processes of an organization for maintaining accordance with established regulations, specifications, or legislation. Examples include PCI DSS and HIPAA.

Control

A control is a safeguard or countermeasure that’s prescribed for an information system or an organization. Controls are designed to protect the confidentiality, integrity, and availability of your information, and to meet a set of defined security requirements. They provide an assurance that your resources are operating as intended, your data is reliable, and your organization is in compliance with applicable laws and regulations.

In Audit Manager, a control can also represent a question in a vendor risk assessment questionnaire. In this case, a control is a specific question that asks information about an organization’s security and compliance posture.

Controls collect evidence continually when they’re active in your Audit Manager assessments. You can also manually add evidence to any control. Each piece of evidence becomes a record that helps you to demonstrate compliance with the control’s requirements.

There are two types of control in Audit Manager:

Standard controls — These are prebuilt controls that are associated with a specific framework in Audit Manager. Use standard controls to assist you with audit preparation for various compliance standards and regulations.
Custom controls — These are customized controls that you define as an Audit Manager user. Use custom controls to help you meet specific compliance requirements for internal audits or vendor risk assessments.

For more information, see Examples of AWS Audit Manager controls. For instructions on how to create and manage controls, see Control library.

Control domains

You can think of a control domain as a general category of controls that isn’t specific to any one framework. Control domain groupings are one of the most powerful features of the Audit Manager dashboard. Audit Manager highlights the controls in your assessments that have non-compliant evidence, and groups them by control domain. This enables you to focus your remediation efforts on specific subject domains as you prepare for an audit.

Note

A control domain is different to a control set. A control set is a framework-specific grouping of controls that’s typically defined by a regulatory body. For example, the PCI DSS framework has a control set named Requirement 8: Identify and authenticate access to system components. This control set falls under the control domain of Identity and access management.

Audit Manager categorizes controls under the following control domains.

Control domain name	Description of what these controls govern
Business continuity and contingency planning	How you establish processes that protect critical business operations from the effects of major system and network disruptions.
Change management	How you test, approve, implement, and document changes to your cloud infrastructure.
Data security and privacy	How you secure the privacy, availability, and integrity of your data.
Development and configuration management	How you maintain your cloud infrastructure in a desired and consistent state.
Governance and oversight	How you align your use of cloud computing with your legal, regulatory, and ethical obligations.
Identity and access management	How you ensure that the right users have the appropriate access to your technology resources.
Incident management	How you establish responsibilities and procedures that ensure a quick and effective response to security incidents.
Logging and monitoring	How you review user activity for indications that unauthorized activity was attempted or performed.
Network management	How you administer and operate your data network using a network management system.
Personnel management	How you assess and manage personnel security risks at an organizational level.
Physical security	How you detect and prevent physical security issues in your facilities.
Risk management	How you evaluate potential risks and losses, and how you reduce or eliminate such threats.
Supply chain management	How you identify, assess, and mitigate the risks that are associated with IT products, vendors, and supply chains.
User device management	How you reduce the risk that your employees' IT hardware is lost, damaged, or compromised.
Vulnerability management	How you define, assess, and remediate all known vulnerabilities for assets within your cloud infrastructure.

Data source

Audit Manager uses a data source to collect evidence for a control. The following terminology describes what a data source is and how it works.

A Data source type defines where Audit Manager collects evidence from for a control. If you upload your own evidence, the data source type is Manual. If Audit Manager collects the evidence on your behalf, the data source type is one of the following: AWS Security Hub, AWS Config, AWS CloudTrail, or AWS API calls. The Audit Manager API refers to a data source type as a sourceType (singular) or controlSources (plural).
A Mapping is a specific keyword that relates to a data source type. For example, this might be a CloudTrail event name or an AWS Config name. The Audit Manager API refers to this as a sourceKeyword (singular) or controlMappingSources (plural).
A Data source name is a name that's given to a data source. In other words, a data source name labels the combination of a data source type and mapping. For standard controls, Audit Manager provides a default data source name (such as Data source 1 and Data source 2). For custom controls, you can provide your own data source name. This might help you to distinguish between multiple mappings that fall under the same data source type. The Audit Manager API refers to a data source name as a sourceName.

A single control can have multiple data source types and multiple mappings. For example, one control might collect evidence from a mixture of data source types (such as AWS Config and Security Hub). Another control might have AWS Config as its only data source type, with multiple AWS Config rules as mappings.

The following table lists the automated data source types and shows examples of some corresponding mappings.

Data source type	Description	Mapping example
AWS Security Hub	Use this data source type to capture a snapshot of your resource security posture. Audit Manager uses the name of a Security Hub control as the mapping keyword, and reports the result of that security check directly from Security Hub.	`1.1 – Avoid the use of the "root" account`
AWS Config	Use this data source type to capture a snapshot of your resource security posture. Audit Manager uses the name of an AWS Config rule as the mapping keyword, and reports the result of that rule check directly from AWS Config.	`EC2_INSTANCE_MANAGED_BY_SSM`
AWS CloudTrail	Use this data source type to track a specific user activity that's needed in your audit. Audit Manager uses the name of a CloudTrail event as the mapping keyword, and collects the related user activity from your CloudTrail logs.	`CreateAccessKey`
AWS API calls	Use this data source type to take a snapshot of your resource configuration through an API call to a specific AWS service. Audit Manager uses the name of API call as the mapping keyword, and collects the API response.	`ec2_DescribeSecurityGroups`

The following image shows examples of different data sources as seen in the Audit Manager console.

Screenshot of multiple data sources in the Audit Manager console with different
mappings for a single data source type.

Note

Although some data source types are AWS services, a data source type is different to a service in scope. For more information, see What's the difference between a service in scope and a data source type? in the Troubleshooting section of this guide.

Delegate

A delegate is an AWS Audit Manager user with limited permissions. Delegates typically have specialized business or technical expertise. For example, these expertise might be in data retention policies, training plans, network infrastructure, or identity management. Delegates help audit owners review collected evidence for controls that are in their area of expertise. Delegates can review control sets and their related evidence, add comments, upload additional evidence, and update the status of each of the controls that you assign to them for review.

Audit owners assign specific control sets to delegates, not entire assessments. As a result, delegates have limited access to assessments. For instructions on how to delegate a control set, see Delegations in AWS Audit Manager.

Evidence

Evidence is a record that contains the information that's needed to demonstrate compliance with a control's requirements. Examples of evidence include a change activity invoked by a user, and a system configuration snapshot.

There are two main types of evidence in Audit Manager: automated evidence and manual evidence.

Automated evidence — This is the evidence that Audit Manager collects automatically. This includes the following three categories of automated evidence:
- Compliance check — The result of a compliance check is captured from AWS Security Hub, AWS Config, or both. Examples of compliance checks include a security check result from Security Hub for a PCI DSS control, and an AWS Config rule evaluation for a HIPAA control. For more information, see AWS Config Rules supported by AWS Audit Manager and AWS Security Hub controls supported by AWS Audit Manager.
- User activity — User activity that changes a resource configuration is captured from CloudTrail logs as that activity occurs. Examples of user activities include a route table update, an Amazon RDS instance backup setting change, and an S3 bucket encryption policy change. For more information, see AWS CloudTrail event names supported by AWS Audit Manager.
- Configuration data — A snapshot of the resource configuration is captured directly from an AWS service on a daily, weekly, or monthly basis. Examples of configuration snapshots include a list of routes for a VPC route table, an Amazon RDS instance backup setting, and an S3 bucket encryption policy. For more information, see API calls supported by AWS Audit Manager.
Manual evidence — This is the evidence that you add to Audit Manager yourself. There are three ways to add your own evidence:
- Import a file from Amazon S3
- Upload a file from your browser
- Enter a text response to a risk assessment question
For more information, see Adding manual evidence in AWS Audit Manager.

Automated evidence collection starts when you create an assessment. This is an ongoing process, and Audit Manager collects evidence at different frequencies depending on the evidence type and the underlying data source. For more information about evidence collection, see How AWS Audit Manager collects evidence. For instructions on how to review evidence in an assessment, see Reviewing the evidence in an assessment.

Evidence collection method

There are two ways that a control can collect evidence.

Automated controls automatically collect evidence from AWS data sources. This automated evidence can help you to demonstrate full or partial compliance with the control.
Manual controls require you to upload your own evidence to demonstrate compliance with the control.

Note

You can attach manual evidence to any automated control. In many cases, a combination of automated and manual evidence is needed to demonstrate full compliance with a control. Although Audit Manager can provide automated evidence that’s helpful and relevant, some automated evidence might only demonstrate partial compliance. In this case, you can supplement the automated evidence that Audit Manager provides with your own evidence.

For example:

The AWS generative AI best practices framework contains a control called Error analysis. This control requires you to identify when inaccuracies are detected in your model usage. It also requires you to conduct a thorough error analysis to understand the root causes and take corrective action.
To support this control, Audit Manager collects automated evidence that shows if CloudWatch alarms are enabled for the AWS account where your assessment is running. You can use this evidence to demonstrate partial compliance with the control by proving that your alarms and checks are configured correctly.
To demonstrate full compliance, you can supplement the automated evidence with manual evidence. For example, you can upload a policy or a procedure that shows your error analysis process, your thresholds for escalations and reporting, and the results of your root cause analysis. You can use this manual evidence to demonstrate that established policies are in place, and that corrective action was taken when prompted.

For a more detailed example, see Controls with mixed data sources.

Export destination

An export destination is the default S3 bucket where Audit Manager saves the files that you export from evidence finder. To learn more, see Export destination (optional).

Framework

An Audit Manager framework is a file that's used to structure and automate assessments for a specific standard or risk governance principle. These frameworks help map your AWS resources to the requirements in a control. They include a collection of prebuilt or customer defined controls. The collection has descriptions and testing procedures for each control. These controls are organized and grouped based on the requirements of a specified compliance standard or regulation. Examples include PCI DSS, and GDPR.

There are two types of framework in Audit Manager:

Standard frameworks — Prebuilt frameworks that are based on AWS best practices for various compliance standards and regulations. You can use these frameworks to assist with audit preparation.
Custom frameworks — Customized frameworks that you define as an Audit Manager user. You can use these frameworks to assist with audit preparation according to your specific compliance or risk governance requirements.

For instructions on how to create and manage frameworks, see Framework library.

Note

AWS Audit Manager assists in collecting evidence that's relevant for verifying compliance with specific compliance standards and regulations. However, it doesn't assess your compliance itself. The evidence that's collected through AWS Audit Manager therefore might not include all the information about your AWS usage that's needed for audits. AWS Audit Manager isn't a substitute for legal counsel or compliance experts.

Framework sharing

You can use the custom framework sharing feature of Audit Manager to quickly share your custom frameworks across AWS accounts and Regions. To share a custom framework, you create a share request. The recipient of the share request then has 120 days to accept or decline the request. When they accept, Audit Manager replicates the shared custom framework into their framework library. In addition to replicating the custom framework, Audit Manager also replicates any custom control sets and controls that are contained within that framework. These custom controls are added to the recipient’s control library. Audit Manager doesn’t replicate standard frameworks or controls. This is because these resources are already available by default in each account and Region.

Resource

A resource is a physical or information asset that's assessed in an audit. Examples of AWS resources include Amazon EC2 instances, Amazon RDS instances, Amazon S3 buckets, and Amazon VPC subnets.

Resource assessment

A resource assessment is the process of assessing an individual resource. This assessment is based on the requirement of a control. While an assessment is active, Audit Manager runs resource assessments for each individual resource in the scope of the assessment. A resource assessment runs the following set of tasks:

Collects evidence including resource configurations, event logs, and findings
Translates and maps evidence to controls
Stores and tracks the lineage of evidence to enable integrity

Resource compliance

Resource compliance refers to the evaluation status of a resource that was assessed when collecting compliance check evidence.

Audit Manager collects compliance check evidence for controls that use AWS Config and Security Hub as a data source type. Multiple resources might be assessed during this evidence collection. As a result, a single piece of compliance check evidence can include one or more resources.

You can use the Resource compliance filter in evidence finder to explore compliance status at the resource level. After your search is complete, you can then preview the resources that matched your search query.

In evidence finder, there are three possible values for resource compliance:

Non-compliant – This refers to resources with compliance check issues. This happens if Security Hub reports a Fail result for the resource, or if AWS Config reports a Non-compliant result.
Compliant – This refers to resources that don’t have compliance check issues. This happens if Security Hub reports a Pass result for the resource, or if AWS Config reports a Compliant result.
Inconclusive – This refers to resources for which a compliance check isn’t available or applicable. This happens if AWS Config or Security Hub is the underlying data source type, but those services aren't enabled. This also happens if the underlying data source type doesn't support compliance checks (such as manual evidence, AWS API calls, or CloudTrail).

Service in scope

This is an AWS service that's included in the scope of your assessment. When you specify a service as being included in the scope of your assessment, Audit Manager assesses that service's resources. Audit Manager can assess a large variety of resources from a service in scope. Some example resources include the following:

An Amazon EC2 instance
An S3 bucket
A user or role
A DynamoDB table
A network component such as an Amazon Virtual Private Cloud (VPC), security group, or network access control list (ACL) table

When you use the Audit Manager console to create or update an assessment from a standard framework, the list of AWS services in scope is preselected by default. This list can’t be edited. This is because Audit Manager automatically maps and selects the data sources and services for you. This selection is made according to the requirements of the standard framework. If a standard framework that contains only manual controls, no AWS services are in scope for your assessment, and you can't add any services to your assessment.

If you need to edit the list of services in scope for a standard framework, you can do so by using the CreateAssessment or UpdateAssessment API operations. Alternatively, you can customize the standard framework and then create an assessment from the custom framework.

Note

Keep in mind that a service in scope is different to a data source type, which can also be an AWS service or something else. For more information, see What's the difference between a service in scope and a data source type? in the Troubleshooting section of this guide.