AWS Audit Manager settings

You can review and configure your AWS Audit Manager settings at any time.

To access settings

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the left navigation pane, choose Settings.

  3. Review and update your settings as needed, and then choose Save.

Permissions

AWS Audit Manager uses a service-linked role to connect to data sources on your behalf. For more details, see Using service-linked roles for AWS Audit Manager.

To review the details of the service-linked role that Audit Manager uses, choose View IAM service-linked role permission.

For more information about service-linked roles, see Using service-linked roles in the IAM User Guide.

Data encryption

AWS Audit Manager automatically creates a unique AWS managed key. By default, your data is encrypted with this KMS key, which AWS owns and manages on your behalf. Alternatively, you can specify a symmetric encryption customer managed key that you created as the default key for Audit Manager encryption. Using your own KMS key gives you more flexibility, including the ability to create, rotate, and disable keys, and lets you customize your encryption settings.

You can review and change your encryption settings as follows.

  • To use the default KMS key that's provided by AWS Audit Manager, clear Customize encryption settings (advanced).

  • To use a customer managed key, select Customize encryption settings (advanced). You can then choose an existing KMS key, or create one.

Important

To generate assessment reports successfully, your customer managed key (if you provide one) must be in the same AWS Region as your assessment. For a list of AWS Audit Manager Regions, see AWS Audit Manager endpoints and quotas in the Amazon Web Services General Reference.

Note

When you change your Audit Manager data encryption settings, these changes apply to the new assessments that you create moving forward. This includes any assessment reports that you create from your new assessments.

The changes don't apply to existing assessments that you created before you changed your encryption settings. This includes new assessment reports that you create from existing assessments, in addition to existing assessment reports. Existing assessments—and all their assessment reports—continue to use the old KMS key.

If the IAM identity that's generating the assessment report doesn't have permissions to use the old KMS key, you can grant permissions at the key policy level. For instructions, see Allowing users in other accounts to use a KMS key in the AWS Key Management Service Developer Guide.

For instructions on how to create keys, see Creating keys in the AWS Key Management Service User Guide.

Default audit owners (optional)

You can specify the default audit owners who have primary access to your assessments in AWS Audit Manager. You can choose from the AWS accounts listed in the table, or use the search bar to look for other AWS accounts.

You can review and change your default audit owners as follows.

  • To add a default audit owner, select the check box next to the account name under Audit owner.

  • To remove a default audit owner, clear the check box next to the account name under Audit owner.

For more information about audit owners, see Audit owners in the Concepts and terminology section of this guide.

Assessment report destination (optional)

You can choose the Amazon S3 bucket that AWS Audit Manager stores your assessment reports in. As a best practice, we recommend that you use an S3 bucket that's in the same AWS Region as your assessment.

You can review and change where Audit Manager stores your assessment reports as follows.

  • To use an existing S3 bucket, choose a bucket name from the dropdown list.

  • To create a new S3 bucket, choose Create new bucket.

For instructions on how to create an S3 bucket, see Creating a bucket in the Amazon S3 User Guide.

Notifications (optional)

AWS Audit Manager can send notifications to the SNS topic that you specify in this setting. If you're subscribed to that SNS topic, you'll receive notifications when you sign in to Audit Manager.

You can review and change where AWS Audit Manager sends notifications as follows.

  • To use an existing Amazon SNS topic, select the topic name from the dropdown menu.

  • To create a new Amazon SNS topic, choose Create new topic.

Notes
  • You can use either a standard SNS topic or a FIFO (first-in-first-out) SNS topic. Although Audit Manager supports sending notifications to FIFO topics, the order in which messages are sent isn't guaranteed.

  • If you want to use an Amazon SNS topic that you don't own, you must configure your AWS Identity and Access Management (IAM) policy for this. More specifically, you must configure it to allow publishing from the Amazon Resource Name (ARN) of the topic. For more information about IAM, see Identity and access management for AWS Audit Manager.

To learn more about the list of actions that invoke notifications in AWS Audit Manager, see Notifications in AWS Audit Manager.

For instructions on how to create an Amazon SNS topic, see Creating an Amazon SNS topic in the Amazon SNS User Guide.
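The following script is an added example, not AWS code: it applies the checks described in the Data encryption, Default audit owners, Assessment report destination, and Notifications sections above to a settings record shaped like the auditmanager GetSettings response (kmsKey, snsTopic, defaultAssessmentReportsDestination, defaultProcessOwners). It assumes a kmsKey value of "DEFAULT" denotes the service-provided key, and the sample account IDs and key ID are constructed.

```python
import re

# Added example (not AWS code): offline checks of an Audit Manager settings record
# in the shape of the GetSettings response. A kmsKey of "DEFAULT" is assumed to
# denote the service-provided key.
ARN_RE = re.compile(
    r"^arn:aws[\w-]*:(?P<service>[^:]+):(?P<region>[^:]*):(?P<account>\d{12}):(?P<resource>.+)$"
)

def check_settings(settings, assessment_region, account_id):
    """Return findings for one assessment Region; an empty list means nothing to flag."""
    findings = []
    # Data encryption: a customer managed key must be in the assessment's Region,
    # otherwise assessment report generation fails.
    kms = settings.get("kmsKey") or "DEFAULT"
    if kms == "DEFAULT":
        findings.append("INFO kmsKey: using the Audit Manager default KMS key")
    else:
        m = ARN_RE.match(kms)
        if not m or m["service"] != "kms" or not m["resource"].startswith("key/"):
            findings.append(f"FAIL kmsKey: not a KMS key ARN: {kms}")
        elif m["region"] != assessment_region:
            findings.append(f"FAIL kmsKey: key Region {m['region']} differs from "
                            f"assessment Region {assessment_region}; reports will not generate")
    # Report destination: expect an S3 URI (the bucket's Region cannot be read from the URI).
    dest = settings.get("defaultAssessmentReportsDestination") or {}
    if dest.get("destinationType") != "S3" or not str(dest.get("destination", "")).startswith("s3://"):
        findings.append("WARN reportsDestination: no default S3 bucket configured")
    # Default audit owners: someone should hold primary access to assessments.
    if not settings.get("defaultProcessOwners"):
        findings.append("WARN auditOwners: no default audit owners configured")
    # Notifications: a topic in another account needs a topic policy that lets
    # Audit Manager publish to it.
    topic = settings.get("snsTopic")
    if topic:
        m = ARN_RE.match(topic)
        if not m or m["service"] != "sns":
            findings.append(f"FAIL snsTopic: not an SNS topic ARN: {topic}")
        elif m["account"] != account_id:
            findings.append(f"WARN snsTopic: topic owned by account {m['account']}; "
                            "its access policy must allow publishing from Audit Manager")
    return findings

# Constructed sample (fictional account IDs and key ID), in the GetSettings shape.
SAMPLE_SETTINGS = {
    "kmsKey": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "snsTopic": "arn:aws:sns:us-east-1:444455556666:audit-manager-events",
    "defaultAssessmentReportsDestination": {"destinationType": "S3", "destination": "s3://example-reports"},
    "defaultProcessOwners": [],
}
```

Running `check_settings(SAMPLE_SETTINGS, "us-east-1", "111122223333")` flags the key in the wrong Region, the missing audit owners, and the topic owned by another account.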

Delegated administrator (optional)

If you use AWS Organizations and want to enable multi-account support for AWS Audit Manager, you can designate a member account in your organization as the delegated administrator for Audit Manager.

Prerequisites

Issues to consider

  • You can't use your AWS Organizations management account as a delegated administrator in Audit Manager.

  • If you want to enable Audit Manager in more than one AWS Region, you must designate a delegated administrator account separately in each Region. In your Audit Manager settings, you should use the same delegated administrator account across all Regions.

  • For solutions to common Organizations and delegated administrator issues in AWS Audit Manager, see Troubleshooting delegated administrator and AWS Organizations issues.

You can review and change your delegated administrator account settings as follows.

Warning

After you designate a delegated administrator in your Audit Manager settings, your management account can no longer create additional assessments in AWS Audit Manager, and evidence collection stops for any existing assessments created by the management account. Instead, Audit Manager collects and attaches evidence to the delegated administrator account, which is the main account for managing your organization's assessments.

To add a delegated administrator

  1. From the Delegated administrator section of the Audit Manager settings page, choose Add delegated administrator.

  2. Under Delegated administrator account ID, enter the ID of the delegated administrator account.

  3. Choose Delegate.

Warning

When you change the delegated administrator, you continue to have access to the evidence that you previously collected under that account. However, Audit Manager stops collecting and attaching evidence to that delegated administrator account moving forward.

Note

When you remove a delegated administrator account for Audit Manager, the data for that account isn't deleted. If you want to delete resource data for a delegated administrator account, you must perform that task separately before you remove the account. You can do this in the Audit Manager console, or you can use one of the delete API operations that Audit Manager provides. At this time, Audit Manager doesn't provide an option to delete evidence. All available delete operations are listed below.

To delete data before changing a delegated administrator (optional)

To delete your Audit Manager resource data, see the following instructions:

To change the current delegated administrator

  1. From the Delegated administrator section of the Audit Manager settings page, choose Edit.

  2. Choose Remove to remove the current delegated administrator account.

  3. In the pop-up window that appears, choose Remove to confirm.

  4. Under Delegated administrator account ID, enter the ID of the new delegated administrator account.

  5. Choose Delegate.

Warning

When you remove a delegated administrator from your Audit Manager settings, or when you deregister a delegated administrator from AWS Organizations, you continue to have access to the evidence that you previously collected under that account. However, Audit Manager stops collecting and attaching evidence to that delegated administrator account moving forward.

Note

When you remove a delegated administrator account for Audit Manager, the data for that account isn't deleted. If you want to delete resource data for a delegated administrator account, you must perform that task separately before you remove the account. You can do this in the Audit Manager console, or you can use one of the delete API operations that Audit Manager provides. At this time, Audit Manager doesn't provide an option to delete evidence. All available delete operations are listed below.

To delete data before removing a delegated administrator (optional)

To delete your Audit Manager resource data, see the following instructions:

To remove the current delegated administrator

  1. From the Delegated administrator section of the Audit Manager settings page, choose Edit.

  2. Choose Remove to remove the current delegated administrator account.

  3. In the pop-up window that appears, choose Remove to confirm.

AWS Config (optional)

You can allow AWS Audit Manager to collect findings from AWS Config. When AWS Config is enabled, Audit Manager can capture snapshots of your resource security posture by reporting the results of rule checks directly from AWS Config. We recommend that you enable AWS Config for an optimal experience in Audit Manager.

To enable AWS Config, choose Enable on AWS Config to go to the page for that service. For information on how to enable AWS Config, see Setting up AWS Config in the AWS Config Developer Guide.

Security Hub (optional)

You can allow AWS Audit Manager to import AWS Security Hub findings for supported compliance standards. When Security Hub is enabled, Audit Manager can capture snapshots of your resource security posture by reporting the results of security checks directly from Security Hub. We recommend that you enable Security Hub for an optimal experience in Audit Manager.

To enable Security Hub, choose Enable Security Hub to go to the page for that service. For information on how to enable Security Hub, see Setting up AWS Security Hub in the Security Hub User Guide.

Disable AWS Audit Manager

You can disable AWS Audit Manager if you no longer want to use the service.

Warning

When you disable Audit Manager, your access is revoked and the service will no longer collect evidence for any existing assessments. You will not be able to access anything in the service unless you re-enable AWS Audit Manager.

Note

When you disable Audit Manager, your data isn't deleted. If you want to delete your resource data, you must perform that task separately before you disable Audit Manager. You can do this in the Audit Manager console, or you can use one of the delete API operations that Audit Manager provides. At this time, Audit Manager doesn't provide an option to delete evidence. All available delete operations are listed below.

To delete data before disabling Audit Manager (optional)

To delete your Audit Manager resource data, see the following instructions:

To disable Audit Manager

Choose Disable AWS Audit Manager.

To re-enable AWS Audit Manager after you disable it

Go to the Audit Manager service homepage and follow the steps to set up Audit Manager as a new user. For more information, see Setting up AWS Audit Manager.