
AWS Audit Manager settings

You can review and configure your AWS Audit Manager settings at any time.

To access settings

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the left navigation pane, choose Settings.

  3. Review and update your settings as needed, and then choose Save.

Permissions

AWS Audit Manager uses a service-linked role to connect to data sources on your behalf. For more information, see Using service-linked roles for AWS Audit Manager.

To review the details of the service-linked role that Audit Manager uses, choose View IAM service-linked role permission.

For more information about service-linked roles, see Using service-linked roles in the IAM User Guide.

Data encryption

AWS Audit Manager automatically creates a unique AWS managed key for the secure storage of your data. By default, your Audit Manager data is encrypted with this KMS key. Alternatively, if you want to customize your data encryption settings, you can specify your own symmetric encryption customer managed key. Using your own KMS key gives you more flexibility, including the ability to create, rotate, and disable keys.

You can review and change your encryption settings as follows:

  • To use the default KMS key that's provided by Audit Manager, clear Customize encryption settings (advanced).

  • To use a customer managed key, select Customize encryption settings (advanced). You can then choose an existing KMS key, or create one.

Important

To generate assessment reports successfully, your customer managed key (if you provide one) must be in the same AWS Region as your assessment. For a list of Audit Manager Regions, see AWS Audit Manager endpoints and quotas in the Amazon Web Services General Reference.

Note

When you change your Audit Manager data encryption settings, these changes apply to any new assessments that you create. This includes any assessment reports that you create from your new assessments.

The changes don't apply to existing assessments that you created before you changed your encryption settings. This includes new assessment reports that you create from existing assessments in addition to existing assessment reports. Existing assessments and all their assessment reports continue to use the old KMS key.

If the IAM identity that generates the assessment report can't use the old KMS key, grant permissions at the key policy level. For instructions, see Allowing users in other accounts to use a KMS key in the AWS Key Management Service Developer Guide.

For instructions on how to create keys, see Creating keys in the AWS Key Management Service User Guide.

Default audit owners (optional)

You can specify the default audit owners who have primary access to your assessments in Audit Manager. You can choose from the AWS accounts listed in the table, or use the search bar to look for other AWS accounts.

You can review and change your default audit owners as follows:

  • To add a default audit owner, select the check box next to the account name under Audit owner.

  • To remove a default audit owner, clear the check box next to the account name under Audit owner.

For more information about audit owners, see Audit owners in the Concepts and terminology section of this guide.

Assessment report destination (optional)

You can choose the Amazon S3 bucket that AWS Audit Manager stores your assessment reports in. As a best practice, we recommend that you use an S3 bucket that's in the same AWS Region as your assessment.

You can review and change where Audit Manager stores your assessment reports as follows:

  • To use an existing S3 bucket, choose a bucket name from the dropdown list.

  • To create a new S3 bucket, choose Create new bucket.

For instructions on how to create an S3 bucket, see Creating a bucket in the Amazon S3 User Guide.

Notifications (optional)

AWS Audit Manager can send notifications to the SNS topic that you specify in this setting. If you're subscribed to that SNS topic, you receive notifications when you sign in to Audit Manager.

You can review and change where Audit Manager sends notifications as follows:

  • To use an existing Amazon SNS topic, select the topic name from the dropdown menu.

  • To create a new Amazon SNS topic, choose Create new topic.

Note

You can use either a standard SNS topic or a FIFO (first-in-first-out) SNS topic. Although Audit Manager supports sending notifications to FIFO topics, the order that messages are sent in isn't guaranteed.

If you want to use an Amazon SNS topic that you don't own, configure your AWS Identity and Access Management (IAM) policy to allow publishing from the Amazon Resource Name (ARN) of the topic. For more information about IAM, see Identity and access management for AWS Audit Manager.

To learn more about the list of actions that invoke notifications in Audit Manager, see Notifications in AWS Audit Manager.

For instructions on how to create an Amazon SNS topic, see Creating an Amazon SNS topic in the Amazon SNS User Guide.
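The Data encryption, Assessment report destination, and Notifications sections above each carry a Region or ownership rule: the customer managed KMS key must be in the assessment's Region or reports fail to generate, the report bucket should be in that Region, and a topic owned by another account needs a policy that allows publishing to its ARN. The following Python script is an added example, not AWS code or part of this guide; it applies those three rules as a pre-flight check before you save the settings. It assumes the standard six-field ARN layout, takes the S3 bucket's Region as an explicit argument because S3 ARNs carry no Region, and uses constructed placeholder account IDs and key IDs in the sample call.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Arn:
    """The fields of arn:partition:service:region:account:resource."""
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its fields; the resource part may itself contain colons."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])


def check_region_alignment(assessment_region: str, caller_account: str,
                           kms_key_arn: Optional[str] = None,
                           sns_topic_arn: Optional[str] = None,
                           report_bucket_region: Optional[str] = None) -> dict:
    """Compare the settings against the assessment's Region and owning account.

    Returns {"errors": [...], "warnings": [...]}. An error is a condition the
    guide says breaks assessment report generation; a warning is a deviation
    from a stated best practice or a reminder that policy work is needed.
    """
    errors, warnings = [], []

    if kms_key_arn is not None:
        key = parse_arn(kms_key_arn)
        if key.service != "kms":
            errors.append(f"{kms_key_arn} is not a KMS key ARN")
        elif key.region != assessment_region:
            # Hard requirement: the customer managed key must be in the
            # same Region as the assessment, or reports fail to generate.
            errors.append(f"KMS key is in {key.region} but the assessment is in "
                          f"{assessment_region}; assessment reports will not generate")

    if report_bucket_region is not None and report_bucket_region != assessment_region:
        # Best practice only: the guide recommends a same-Region bucket.
        warnings.append(f"report bucket is in {report_bucket_region}, not "
                        f"{assessment_region}; a same-Region bucket is recommended")

    if sns_topic_arn is not None:
        topic = parse_arn(sns_topic_arn)
        if topic.service != "sns":
            errors.append(f"{sns_topic_arn} is not an SNS topic ARN")
        elif topic.account != caller_account:
            # Topic you don't own: a policy must allow publishing to its ARN.
            warnings.append(f"SNS topic {topic.resource} is owned by account "
                            f"{topic.account}; configure a policy that allows "
                            "publishing to this topic ARN")

    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample values: placeholder account IDs and key ID.
    report = check_region_alignment(
        assessment_region="us-east-1",
        caller_account="111122223333",
        kms_key_arn="arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        sns_topic_arn="arn:aws:sns:us-east-1:444455556666:audit-manager-alerts",
        report_bucket_region="eu-west-1",
    )
    for level in ("errors", "warnings"):
        for message in report[level]:
            print(f"{level[:-1].upper()}: {message}")
```

Run it from the account that owns the assessment, passing the values you are about to enter on the settings page; an empty errors list means the KMS key will work for report generation, and each warning points at a setting the guide recommends revisiting.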

Delegated administrator (optional)

If you use AWS Organizations and want to enable multi-account support for AWS Audit Manager, you can designate a member account in your organization as the delegated administrator for Audit Manager.

Prerequisites

Important considerations for delegated administrators in Audit Manager

Take note of the following factors that define how the delegated administrator operates in Audit Manager:

Management account usage

You can't use your AWS Organizations management account as a delegated administrator in Audit Manager.

Using delegated administrators across multiple AWS Regions

If you want to enable Audit Manager in more than one AWS Region, you must designate a delegated administrator account separately in each Region. In your Audit Manager settings, you should use the same delegated administrator account across all Regions.

Evidence finder cleanup task

Before you use your management account to remove or change a delegated administrator, make sure that the current delegated administrator account signs in to Audit Manager and disables evidence finder. Disabling evidence finder automatically deletes the event data store that was created in the account when evidence finder was enabled.

If this task isn’t completed, the event data store remains in their account. In this case, we recommend that the original delegated administrator uses CloudTrail Lake to manually delete the event data store.

This cleanup task is necessary to ensure that you don't end up with multiple event data stores. Audit Manager ignores an unused event data store after you remove or change a delegated administrator account. However, if you don't delete the unused event data store, the event data store continues to incur storage costs from CloudTrail Lake.

Data deletion

When you remove a delegated administrator account for Audit Manager, the data for that account isn't deleted. If you want to delete resource data for a delegated administrator account, you must perform that task separately before you remove the account. You can do this in the Audit Manager console, or by using one of the delete API operations that Audit Manager provides. At this time, Audit Manager doesn't provide an option to delete evidence. For a list of available delete operations, see Deleting Audit Manager resource data.

Managing your delegated administrator account for Audit Manager

You can review and change your delegated administrator account settings as follows.

Note

After you add a delegated administrator in your Audit Manager settings, your management account can no longer create additional assessments in Audit Manager. Additionally, evidence collection stops for any existing assessments created by the management account. Audit Manager collects and attaches evidence to the delegated administrator account, which is the main account for managing your organization's assessments.

To add a delegated administrator

  1. From the Delegated administrator section of the Audit Manager settings page, choose Add delegated administrator.

  2. Under Delegated administrator account ID, enter the account ID of the delegated administrator.

  3. Choose Delegate.

Warning

When you remove a delegated administrator, you continue to have access to the evidence that you previously collected under that delegated administrator account. However, Audit Manager stops collecting and attaching evidence to the old delegated administrator account.

To change the current delegated administrator

  1. (Optional) If the current delegated administrator (account A) enabled evidence finder, perform the following cleanup task:

    1. Before assigning account B as the new delegated administrator, make sure that account A signs in to Audit Manager and disables evidence finder.

      Disabling evidence finder automatically deletes the event data store that was created when account A enabled evidence finder. If you don't complete this step, then account A must go to CloudTrail Lake and manually delete the event data store. Otherwise, the event data store remains in account A and continues to incur CloudTrail Lake storage charges.

  2. Return to the Audit Manager settings page, and under the Delegated administrator section, choose Edit.

  3. Choose Remove to remove the current delegated administrator account.

  4. In the pop-up window that appears, choose Remove to confirm.

  5. Under Delegated administrator account ID, enter the ID of the new delegated administrator account.

  6. Choose Delegate.

Warning

When you remove a delegated administrator, you continue to have access to the evidence that you previously collected under that delegated administrator account. However, Audit Manager stops collecting and attaching evidence to the old delegated administrator account.

To remove the current delegated administrator

  1. (Optional) If the current delegated administrator enabled evidence finder, perform the following cleanup task:

    1. Make sure that the current delegated administrator account signs in to Audit Manager and disables evidence finder.

      Disabling evidence finder automatically deletes the event data store that was created in their account when they enabled evidence finder. If this step isn't completed, the delegated administrator account must use CloudTrail Lake to manually delete the event data store. Otherwise, the event data store remains in their account and continues to incur CloudTrail Lake storage charges.

  2. Return to the Audit Manager settings page, and under the Delegated administrator section, choose Edit.

  3. Choose Remove to remove the current delegated administrator account.

  4. In the pop-up window that appears, choose Remove to confirm.

For solutions to common Organizations and delegated administrator issues in Audit Manager, see Troubleshooting delegated administrator and AWS Organizations issues.

Evidence finder (optional)

We strongly recommend that you enable evidence finder. Enabling this feature is necessary if you want to run search queries on your evidence.

Follow these steps to enable or disable evidence finder.

Enable evidence finder

You must enable evidence finder in each AWS Region where you want to search for evidence. If you're a delegated administrator for Audit Manager, enable evidence finder to search for evidence for all member accounts in your organization.

To enable evidence finder, you need permissions to create and manage an event data store in CloudTrail Lake. To use the feature, you need permissions to perform CloudTrail Lake queries. For an example permission policy that you can use, see Allow full administrator access.

If you need help with permissions, contact your AWS administrator. If you’re an AWS administrator, you can copy the required permission statement and attach it to an IAM policy.

You can complete this task using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

Audit Manager console

To request to enable evidence finder

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the left navigation pane, choose Settings.

  3. Go to Evidence finder - optional.

  4. Choose Required permission policy, then View CloudTrail Lake permissions to view the required evidence finder permissions. If you don't already have these permissions, you can copy this policy statement and attach it to an IAM policy.

  5. Choose Enable.

  6. In the pop-up window, choose Request to enable.

  7. Choose Save.

AWS CLI

Run the update-settings command with the --evidence-finder-enabled parameter set to TRUE.

aws auditmanager update-settings --evidence-finder-enabled TRUE

Audit Manager API

Call the UpdateSettings operation with the evidenceFinderEnabled parameter set to TRUE.

For more information, choose the previous links to read more in the Audit Manager API Reference. This includes information about how to use this operation and parameter in one of the language-specific AWS SDKs.

After you submit your request, it takes up to 10 minutes to enable evidence finder and to create an event data store. As soon as the event data store is created, all new evidence is ingested into the event data store moving forward.

When evidence finder is enabled and the event data store is created, we backfill the newly created event data store with up to two years’ worth of your past evidence. This process happens automatically and takes up to 7 days to complete.

You can check the current status of evidence finder using the Audit Manager console, the AWS CLI, or the Audit Manager API.

Audit Manager console

To see the current status of evidence finder

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the left navigation pane, choose Settings.

  3. Under Enable evidence finder – optional, review the current status.

    Each status is defined as follows:

    • Evidence finder isn't enabled – You haven't successfully enabled evidence finder yet.

    • You have requested to enable evidence finder – Your request is pending the event data store being created.

    • Evidence finder is enabled – The event data store was created. You can now use evidence finder.

      Depending on how much evidence you have, it takes up to 7 days to backfill the new event data store with your past evidence data. A blue information panel indicates that the data backfill is in progress. Feel free to start exploring evidence finder in the meantime. However, keep in mind that not all data is available until the backfill is complete.

    • You have requested to disable evidence finder – Your request is pending the event data store being deleted.

    • Evidence finder has been disabled – Evidence finder has been permanently disabled and the event data store is deleted.

AWS CLI

Run the get-settings command with the --attribute parameter set to EVIDENCE_FINDER_ENABLEMENT.

aws auditmanager get-settings --attribute EVIDENCE_FINDER_ENABLEMENT

Audit Manager API

Call the GetSettings operation with the attribute parameter set to EVIDENCE_FINDER_ENABLEMENT.

Both the command and the operation return the following information:

enablementStatus

This attribute shows the current status of evidence finder.

  • ENABLE_IN_PROGRESS – You requested to enable evidence finder. An event data store is currently being created to support evidence finder queries.

  • ENABLED – An event data store was created and evidence finder is enabled. We recommend waiting 7 days until the event data store is backfilled with your past evidence data. You can use evidence finder in the meantime, but not all data is available until the backfill is complete.

  • DISABLE_IN_PROGRESS – You requested to disable evidence finder, and your request is pending the deletion of the event data store.

  • DISABLED – You permanently disabled evidence finder and the event data store is deleted. You can't re-enable evidence finder after this point.

backfillStatus

This attribute shows the current status of the evidence data backfill.

  • NOT_STARTED – The backfill hasn't started yet.

  • IN_PROGRESS – The backfill is in progress. This takes up to 7 days to complete, depending on the amount of evidence data.

  • COMPLETED – The backfill is complete. All of your past evidence is now queryable.

For more information, see evidenceFinderEnablement in the Audit Manager API Reference.
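The following Python helper is an added example, not code from this guide or from AWS. It turns the enablementStatus and backfillStatus values listed above into a single answer a practitioner needs (is every query trustworthy yet, or is the backfill still running?) and also answers the cleanup question raised in the Delegated administrator section: whether the current delegated administrator's event data store is gone before the management account removes or changes that account. The nesting of the response under settings and evidenceFinderEnablement, the absence of that attribute before evidence finder is first enabled, and the event data store ARN in the sample are assumptions; the boto3 call in fetch_evidence_finder_settings is the live lookup and is not exercised by the constructed sample.

```python
from enum import Enum


class FinderState(Enum):
    """What the enablementStatus/backfillStatus pair means for a practitioner."""
    NEVER_ENABLED = "evidence finder has never been enabled in this Region"
    ENABLING = "request pending: the event data store is being created"
    READY_PARTIAL = "enabled, but past evidence is still being backfilled"
    READY = "enabled and the backfill is complete; all past evidence is queryable"
    DISABLING = "request pending: the event data store is being deleted"
    DISABLED = "permanently disabled; only re-enabling Audit Manager itself brings it back"


def finder_state(get_settings_response: dict) -> FinderState:
    """Map a GetSettings response to a FinderState."""
    settings = get_settings_response.get("settings", {})
    enablement = settings.get("evidenceFinderEnablement")
    if not enablement:
        # Assumption: the attribute is absent before the first enable request.
        return FinderState.NEVER_ENABLED
    status = enablement.get("enablementStatus")
    if status == "ENABLE_IN_PROGRESS":
        return FinderState.ENABLING
    if status == "ENABLED":
        backfill = enablement.get("backfillStatus")
        return FinderState.READY if backfill == "COMPLETED" else FinderState.READY_PARTIAL
    if status == "DISABLE_IN_PROGRESS":
        return FinderState.DISABLING
    if status == "DISABLED":
        return FinderState.DISABLED
    raise ValueError(f"unexpected enablementStatus: {status!r}")


def all_past_evidence_queryable(get_settings_response: dict) -> bool:
    """True only once the backfill has completed; before that a query may miss evidence."""
    return finder_state(get_settings_response) is FinderState.READY


def event_data_store_cleaned_up(get_settings_response: dict) -> bool:
    """True when no Audit Manager event data store remains in this account.

    Run in the current delegated administrator account before the management
    account removes or changes the delegated administrator. False means the
    store still exists (or is still being deleted) and would keep incurring
    CloudTrail Lake storage costs after the change.
    """
    return finder_state(get_settings_response) in (FinderState.NEVER_ENABLED,
                                                    FinderState.DISABLED)


def fetch_evidence_finder_settings(region_name: str) -> dict:
    """Live lookup; needs boto3 and credentials, so the sample below does not call it."""
    import boto3  # imported lazily so the rest of the module runs offline
    client = boto3.client("auditmanager", region_name=region_name)
    return client.get_settings(attribute="EVIDENCE_FINDER_ENABLEMENT")


# Constructed sample response (placeholder account ID and event data store ID).
SAMPLE_RESPONSE = {
    "settings": {
        "evidenceFinderEnablement": {
            "eventDataStoreArn": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLE-ID",
            "enablementStatus": "ENABLED",
            "backfillStatus": "IN_PROGRESS",
        }
    }
}

if __name__ == "__main__":
    state = finder_state(SAMPLE_RESPONSE)
    print(f"{state.name}: {state.value}")
    print("all past evidence queryable:", all_past_evidence_queryable(SAMPLE_RESPONSE))
    print("safe to change delegated administrator:", event_data_store_cleaned_up(SAMPLE_RESPONSE))
```

The DISABLED state is deliberately terminal in the mapping, matching the guide's note that evidence finder can't be re-enabled after the event data store is deleted; a DISABLE_IN_PROGRESS result still counts as not cleaned up, so a delegated administrator change should wait until the status reaches DISABLED.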

Disable evidence finder

If you no longer want to use evidence finder, you can disable this feature at any time.

Warning

Disabling evidence finder deletes the CloudTrail Lake event data store that Audit Manager created. As a result, you can't re-enable the feature. To use evidence finder again after you disable it, you must disable AWS Audit Manager and then re-enable the service completely.

To disable evidence finder, you need permissions to delete an event data store in CloudTrail Lake. For an example policy that you can use, see Permissions to disable evidence finder.

If you need help with permissions, contact your AWS administrator. If you’re an AWS administrator, you can attach the required permission statement to an IAM policy.

You can complete this task using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

Audit Manager console

To disable evidence finder

  1. In the Evidence finder section of the Audit Manager settings page, choose Disable.

  2. In the pop-up window that appears, enter Yes to confirm your decision.

  3. Choose Request to disable.

AWS CLI

Run the update-settings command with the --evidence-finder-enabled parameter set to FALSE.

aws auditmanager update-settings --evidence-finder-enabled FALSE

Audit Manager API

Call the UpdateSettings operation with the evidenceFinderEnabled parameter set to FALSE.

For more information, choose the previous links to read more in the Audit Manager API Reference. This includes information about how to use this operation and parameter in one of the language-specific AWS SDKs.

AWS Config (optional)

You can allow Audit Manager to collect findings from AWS Config. When AWS Config is enabled, Audit Manager can capture snapshots of your resource security posture by reporting the results of rule checks directly from AWS Config. We recommend that you enable AWS Config for an optimal experience in Audit Manager.

To enable AWS Config, choose Enable on AWS Config to go to the page for that service. For instructions on how to enable AWS Config, see Setting up AWS Config in the AWS Config Developer Guide.

Security Hub (optional)

You can allow Audit Manager to import AWS Security Hub findings for supported compliance standards. When Security Hub is enabled, Audit Manager can capture snapshots of your resource security posture by reporting the results of security checks directly from Security Hub. We recommend that you enable Security Hub for an optimal experience in Audit Manager.

To enable Security Hub, choose Enable Security Hub to go to the page for that service. For instructions on how to enable Security Hub, see Setting up AWS Security Hub in the Security Hub User Guide.

Disable AWS Audit Manager

You can disable Audit Manager if you no longer want to use the service.

Warning

When you disable Audit Manager, your access is revoked and the service no longer collects evidence for any existing assessments. You can't access anything in the service unless you re-enable Audit Manager.

Note

When you disable Audit Manager, your data isn't deleted. If you want to delete your resource data, you must perform that task separately before you disable Audit Manager. You can do this in the Audit Manager console, or by using one of the delete API operations that Audit Manager provides. At this time, Audit Manager doesn't provide an option to delete evidence. For a list of available delete operations, see Deleting Audit Manager resource data.

To disable Audit Manager

Choose Disable AWS Audit Manager.

To re-enable Audit Manager after you disable it

Go to the Audit Manager service homepage and follow the steps to set up Audit Manager as a new user. For more information, see Setting up AWS Audit Manager.

Deleting Audit Manager resource data

For instructions on how to delete your Audit Manager resource data, see the following:

To delete other resource data that you might have created when using Audit Manager, see the following: