AWS Audit Manager settings - AWS Audit Manager

AWS Audit Manager settings

You can review and configure your AWS Audit Manager settings at any time.

To access settings

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the left navigation pane, choose Settings.

  3. Review and update your settings as needed, and then choose Save.

Permissions

AWS Audit Manager uses a service-linked role to connect to data sources on your behalf. For more details, see Using service-linked roles for AWS Audit Manager.

To review the AWS Identity and Access Management (IAM) policies that Audit Manager uses, choose View IAM service-linked role permission.

For information about service-linked roles, see Using service-linked roles in the IAM User Guide.

Data encryption

AWS Audit Manager automatically creates a unique AWS managed key, and by default your data is encrypted with this KMS key, which AWS owns and manages on your behalf. Alternatively, you can specify a symmetric customer managed key that you created as the default key for Audit Manager encryption. Using your own KMS key gives you more flexibility, including the ability to create, rotate, and disable keys. You can choose a different KMS key if you want to customize your encryption settings.

You can review and change your encryption settings as follows.

  • To use the default KMS key that's provided by AWS Audit Manager, clear Customize encryption settings (advanced).

  • To use a customer managed key, select Customize encryption settings (advanced). You can then choose an existing KMS key, or create one.

Important

To generate assessment reports successfully, your customer managed key (if you provide one) must be in the same AWS Region as your assessment. For a list of AWS Audit Manager Regions, see AWS Regions and Endpoints in the Amazon Web Services General Reference.

Note

When you change your Audit Manager data encryption settings, these changes apply to the new assessments that you create moving forward. This includes any assessment reports that you create from your new assessments.

The changes don't apply to existing assessments that you created before you changed your encryption settings. This includes new assessment reports that you create from existing assessments, in addition to existing assessment reports. Existing assessments—and all their assessment reports—continue to use the old KMS key.

If the IAM identity that's generating the assessment report doesn't have permissions to use the old KMS key, you can grant permissions at the key policy level. For instructions, see Allowing users in other accounts to use a KMS key in the AWS Key Management Service Developer Guide.

For more information about how to create keys, see Creating keys in the AWS Key Management Service User Guide.

Default audit owners (optional)

You can specify the default audit owners who have primary access to your assessments in AWS Audit Manager. You can choose from the AWS accounts listed in the table, or use the search bar to look for other AWS accounts.

You can review and change your default audit owners as follows.

  • To add a default audit owner, select the check box next to the account name under Audit owner.

  • To remove a default audit owner, clear the check box next to the account name under Audit owner.

For more information about audit owners, see AWS Audit Manager concepts and terminology.

Assessment report destination (optional)

You can choose an Amazon S3 bucket in which AWS Audit Manager stores the assessment reports from your assessments.

You can review and change where Audit Manager stores your assessment reports as follows.

  • To use an existing S3 bucket, choose the S3 bucket name in the dropdown list.

  • To create a new S3 bucket, choose Create new bucket.

Important

To generate assessment reports successfully, your S3 bucket must be in the same AWS Region as your assessment. For a list of AWS Audit Manager Regions, see AWS Regions and Endpoints in the Amazon Web Services General Reference.

For more information about how to create an S3 bucket, see Creating a bucket in the Amazon S3 User Guide.

Notifications (optional)

AWS Audit Manager can send notifications to the SNS topic that you specify in this setting. If you are subscribed to that SNS topic, you will receive notifications when you sign in to Audit Manager.

You can review and change where AWS Audit Manager sends notifications as follows.

  • To use an existing Amazon SNS topic, select the topic name from the dropdown menu.

  • To create a new Amazon SNS topic, choose Create new topic.

To learn more about the list of actions that invoke notifications in AWS Audit Manager, see Notifications in AWS Audit Manager.

For information about how to create an Amazon SNS topic, see Creating an Amazon SNS topic in the Amazon SNS User Guide.

Delegated administrator (optional)

If you use AWS Organizations and want to enable multi-account support for AWS Audit Manager, you can designate a member account in your organization as the delegated administrator for Audit Manager.

Prerequisites

Issues to consider

  • You can't use your AWS Organizations management account as a delegated administrator in Audit Manager.

  • If you want to enable Audit Manager in more than one AWS Region, you must designate a delegated administrator account separately in each Region. In your Audit Manager settings, you should use the same delegated administrator account across all Regions.
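The Important and Warning boxes on this page (customer managed key and report bucket in the same Region as the assessment, an SNS topic set, and a delegated administrator that is not the management account) can be checked before an assessment is created. The following is an added example, not AWS's code or API: SAMPLE_SETTINGS is a constructed dict shaped like the settings object the Audit Manager GetSettings API returns, and SAMPLE_BUCKET_REGIONS is a hypothetical bucket-to-Region map standing in for an S3 GetBucketLocation lookup.

```python
# Added example (not AWS's code): pre-flight checks for the Audit Manager settings on this page.
# SAMPLE_SETTINGS mimics the `settings` object the GetSettings API returns; values are constructed.
from typing import Dict, List, Optional

SAMPLE_SETTINGS: Dict = {
    "kmsKey": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    "defaultAssessmentReportsDestination": {
        "destinationType": "S3",
        "destination": "s3://example-audit-reports/reports",
    },
    "snsTopic": "arn:aws:sns:us-east-1:111122223333:audit-manager-notifications",
}
# Hypothetical bucket -> Region map, standing in for an S3 GetBucketLocation lookup.
SAMPLE_BUCKET_REGIONS: Dict[str, str] = {"example-audit-reports": "us-east-1"}


def arn_region(arn: str) -> Optional[str]:
    """Return the Region field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    return parts[3] if len(parts) == 6 and parts[3] else None


def bucket_from_s3_uri(uri: str) -> str:
    """Return the bucket name from an s3://bucket/prefix URI."""
    if not uri.startswith("s3://"):
        raise ValueError(f"not an S3 URI: {uri}")
    return uri[5:].split("/", 1)[0]


def check_settings(settings: Dict, assessment_region: str, bucket_regions: Dict[str, str],
                   delegated_admin_id: Optional[str] = None,
                   management_account_id: Optional[str] = None) -> List[str]:
    """List settings that would break report generation or delegation (empty list = OK)."""
    findings: List[str] = []
    kms_key = settings.get("kmsKey", "")
    # Assumption: a non-ARN value means the AWS-provided default key, which needs no Region check.
    if kms_key.startswith("arn:") and arn_region(kms_key) != assessment_region:
        findings.append(f"customer managed key is in {arn_region(kms_key)}, not {assessment_region}")
    dest = settings.get("defaultAssessmentReportsDestination") or {}
    if dest.get("destinationType") != "S3":
        findings.append("no S3 assessment report destination configured")
    else:
        bucket = bucket_from_s3_uri(dest["destination"])
        if bucket_regions.get(bucket) != assessment_region:
            findings.append(f"report bucket {bucket} is not in {assessment_region}")
    if not settings.get("snsTopic"):
        findings.append("no SNS topic configured; Audit Manager notifications are not delivered")
    if delegated_admin_id and delegated_admin_id == management_account_id:
        findings.append("delegated administrator must not be the Organizations management account")
    return findings
```

Run `check_settings(SAMPLE_SETTINGS, "us-east-1", SAMPLE_BUCKET_REGIONS)` to get an empty list for the sample, and pass "eu-west-1" to see both Region findings.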

You can review and change your delegated administrator account settings as follows.

Warning

After you designate a delegated administrator in your Audit Manager settings, your management account can no longer create additional assessments in AWS Audit Manager, and evidence collection stops for any existing assessments created by the management account. Instead, Audit Manager collects and attaches evidence to the delegated administrator account, which is the main account for managing your organization's assessments.

To add a delegated administrator

  1. From the Delegated administrator section of the Audit Manager settings page, choose Add delegated administrator.

  2. Under Delegated administrator account ID, enter the ID of the delegated administrator account.

  3. Choose Delegate.

Warning

When you change the delegated administrator, you continue to have access to the evidence that you previously collected under that account. However, Audit Manager stops collecting and attaching evidence to that delegated administrator account moving forward.

To change the current delegated administrator

  1. From the Delegated administrator section of the Audit Manager settings page, choose Edit.

  2. Choose Remove to remove the current delegated administrator account.

  3. In the pop-up window that appears, choose Remove to confirm.

  4. Under Delegated administrator account ID, enter the ID of the new delegated administrator account.

  5. Choose Delegate.

Warning

When you remove a delegated administrator from your Audit Manager settings, or when you deregister a delegated administrator from AWS Organizations, you continue to have access to the evidence that you previously collected under that account. However, Audit Manager stops collecting and attaching evidence to that delegated administrator account moving forward.

To remove the current delegated administrator

  1. From the Delegated administrator section of the Audit Manager settings page, choose Edit.

  2. Choose Remove to remove the current delegated administrator account.

  3. In the pop-up window that appears, choose Remove to confirm.

AWS Config (optional)

You can allow AWS Audit Manager to collect log data from AWS Config. Audit Manager will then perform additional analysis, and annotate that data to generate evidence automatically for the AWS services that feed logs into AWS Config. We recommend that you enable AWS Config for an optimal experience in Audit Manager.

To enable AWS Config, choose Enable on AWS Config to go to the page for that service. For information on how to enable AWS Config, see Setting up AWS Config in the AWS Config Developer Guide.

Security Hub (optional)

You can allow AWS Audit Manager to import AWS Security Hub findings for supported compliance standards such as the CIS Foundations Benchmark and PCI. When AWS Security Hub is enabled, Audit Manager also analyzes user events gathered from CloudTrail, CloudWatch, and AWS Config, matches them to Security Hub findings, and uses them to generate audit evidence. We recommend that you enable AWS Security Hub for an optimal experience in Audit Manager.

To enable AWS Security Hub, choose Enable Security Hub to go to the page for that service. For information on how to enable AWS Security Hub, see Setting up AWS Security Hub in the Security Hub User Guide.

Disable AWS Audit Manager

You can disable AWS Audit Manager if you no longer want to use the service.

Warning

When you disable Audit Manager, your access is revoked and the service will no longer collect evidence for any existing assessments. You will not be able to access anything in the service unless you register again.

To disable Audit Manager, choose Disable AWS Audit Manager.

To re-enable AWS Audit Manager after you disable it, you must go to the service homepage and follow the steps to set up Audit Manager as a new user. For more information, see Setting up AWS Audit Manager.