AWS API calls supported by AWS Audit Manager
You can use Audit Manager to capture snapshots of your AWS environment as evidence for audits. When you create or edit a custom control, you can specify one or more AWS API calls as a data source mapping for evidence collection. Audit Manager then makes API calls to the relevant AWS services, and collects a snapshot of the configuration details for your AWS resources.
For every resource that's in the scope of an API call, Audit Manager captures a configuration snapshot and converts it into evidence. This results in one piece of evidence per resource, as opposed to one piece of evidence per API call.
For example, if the ec2_DescribeRouteTables API call captures configuration snapshots from five route tables, then you'll get five pieces of evidence in total for the single API call. Each piece of evidence is a snapshot of the configuration of an individual route table.
Key points
Paginated API calls
Many AWS services collect and store a large amount of data. As a result, when a list, describe, or get API call attempts to return your data, there can be a lot of results. If the amount of data is too large to return in a single response, the results can be broken into more manageable pieces through the use of pagination. This divides the results into "pages" of data, making the responses easier to handle.
Some of the Supported API calls for custom control data sources are paginated. This means that they return partial results at first, and require subsequent requests to return the entire result set. For example, the Amazon RDS DescribeDBInstances operation returns up to 100 instances at a time, and subsequent requests are needed to return the next page of results.
As of March 08, 2023, Audit Manager supports paginated API calls as a data source for evidence collection. Previously, if a paginated API call was used as a data source, only a subset of your resources was returned in the API response (up to 100 results). Now, Audit Manager calls the paginated API operation multiple times, and gets each page of results until all resources are returned. For each resource, Audit Manager then captures a configuration snapshot and saves it as evidence. Because your complete set of resources is now captured in the API response, it’s likely that you’ll notice an increase in the amount of evidence that’s collected after March 08, 2023.
Audit Manager handles API call pagination for you automatically. If you create a custom control that uses a paginated API call as a data source, you don’t need to specify any pagination parameters.
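The following is an added example, not AWS's own code: a stdlib-only Python sketch of how a paginated describe call is walked to its last page and converted into one evidence item per resource (the behaviour described in the two sections above), alongside the pre-March-2023 single-request behaviour that stopped after the first page. The fake client standing in for rds_DescribeDBInstances, its 100-item page size, the instance records and the evidence record shape are all constructed assumptions for this demo.

```python
from typing import Callable, Dict, List, Optional

PAGE_SIZE = 100  # constructed: one DescribeDBInstances response holds up to 100 items

# Constructed inventory of 237 instances, which spans three pages at PAGE_SIZE
INVENTORY = [{"DBInstanceIdentifier": f"db-{i:03d}",
              "DBInstanceArn": f"arn:aws:rds:us-east-1:111122223333:db:db-{i:03d}",
              "StorageEncrypted": i % 2 == 0} for i in range(237)]


def fake_describe_db_instances(Marker: Optional[str] = None) -> Dict:
    """Stand-in for rds:DescribeDBInstances: returns one page of results and a
    Marker for the next page only while more results remain (constructed)."""
    start = int(Marker) if Marker else 0
    result = {"DBInstances": INVENTORY[start:start + PAGE_SIZE]}
    if start + PAGE_SIZE < len(INVENTORY):
        result["Marker"] = str(start + PAGE_SIZE)
    return result


def collect_all_pages(call: Callable[..., Dict], items_key: str,
                      token_key: str = "Marker") -> List[Dict]:
    """Keep requesting pages until the service stops returning a token.
    A token seen twice is treated as an error so a misbehaving API cannot
    trap the collector in an endless loop."""
    resources, token, seen = [], None, set()
    while True:
        response = call(**({token_key: token} if token else {}))
        resources.extend(response.get(items_key, []))
        token = response.get(token_key)
        if not token:
            return resources
        if token in seen:
            raise RuntimeError(f"pagination token repeated: {token}")
        seen.add(token)


def to_evidence(api_call: str, resources: List[Dict], arn_key: str) -> List[Dict]:
    """One evidence item per resource; each item is that resource's snapshot."""
    return [{"dataSource": api_call, "resourceArn": r[arn_key], "snapshot": dict(r)}
            for r in resources]


def first_page_only(call: Callable[..., Dict], items_key: str) -> List[Dict]:
    """Single request with no follow-up: at most one page of resources."""
    return call().get(items_key, [])


if __name__ == "__main__":
    rows = collect_all_pages(fake_describe_db_instances, "DBInstances")
    evidence = to_evidence("rds_DescribeDBInstances", rows, "DBInstanceArn")
    print(len(first_page_only(fake_describe_db_instances, "DBInstances")), "vs", len(evidence))
```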
Supported API calls for custom control data sources
In your custom controls, you can use any of the following API calls as a data source. Audit Manager can then use these API calls to collect evidence about your AWS usage.
Supported API call | How Audit Manager uses this API to collect evidence |
---|---|
acm_GetAccountConfiguration | Collect a snapshot of the account configuration options associated with your AWS account. |
acm_ListCertificates | Retrieve a list of certificate ARNs and domain names. |
autoscaling_DescribeAutoScalingGroups | Collect a snapshot about the Auto Scaling groups in your AWS account. |
backup_ListBackupPlans | Retrieve a list of all active backup plans in your AWS account. |
bedrock_GetModelInvocationLoggingConfiguration | Collect a snapshot of the current configuration values for model invocation logging for models in your AWS account. |
cloudfront_ListDistributions | Retrieve a list of all distributions in your AWS account. |
(API name missing) | Collect a snapshot of the settings for one or more trails associated with the current Region for your AWS account. |
cloudtrail_ListTrails | Retrieve a list of the trails that are in your AWS account. |
(API name missing) | Collect a configuration snapshot of the alarms that are used for your AWS account. |
config_DescribeConfigRules | Retrieve details about your AWS Config rules. |
config_DescribeDeliveryChannels | Collect a configuration snapshot for the delivery channels in your AWS account. |
directconnect_DescribeDirectConnectGateways | Retrieve a list of all your AWS Direct Connect gateways. |
directconnect_DescribeVirtualGateways | Retrieve a list of the virtual private gateways owned by your AWS account. |
docdb_DescribeCertificates | Collect a list of certificates for your AWS account. |
docdb_DescribeDBClusterParameterGroups | Collect a list of DBClusterParameterGroup descriptions for your AWS account. |
docdb_DescribeDBInstances | Collect information about provisioned Amazon DynamoDB instances for your AWS account. |
(API name missing) | Collect information about the alarms in your AWS account. |
(API name missing) | Collect a snapshot of the settings for one or more trails associated with your AWS account. |
(API name missing) | Collect configuration snapshots for the DynamoDB tables in your AWS account. When you use this API as a data source, you don't need to provide the name of a specific DynamoDB table. Instead, Audit Manager uses the |
dynamodb_ListBackups | Retrieve a list of the DynamoDB backups that are associated with your AWS account. |
(API name missing) | Retrieve a list of all of the table names that are associated with your AWS account and your current endpoint. |
ec2_DescribeAddresses | Collect a snapshot of your Elastic IP addresses. |
ec2_DescribeCustomerGateways | Collect a snapshot of your VPN customer gateways. |
ec2_DescribeEgressOnlyInternetGateways | Collect a snapshot of your egress-only internet gateways. |
(API name missing) | Collect a snapshot of your flow logs. |
(API name missing) | Collect a snapshot of your instances. |
ec2_DescribeInternetGateways | Collect a snapshot of your internet gateways. |
ec2_DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations | Collect a description of the associations between the virtual interface groups and the local gateway route tables in your AWS account. |
ec2_DescribeLocalGateways | Collect a snapshot of your local gateways. |
ec2_DescribeLocalGatewayVirtualInterfaces | Collect a snapshot of your local gateway virtual interfaces. |
ec2_DescribeNatGateways | Collect a snapshot of your NAT gateways. |
(API name missing) | Collect a snapshot of your network ACLs. |
(API name missing) | Collect a snapshot of your route tables. |
(API name missing) | Collect a snapshot of your security groups. |
ec2_DescribeSecurityGroupRules | Collect a snapshot of one or more of your security group rules. |
ec2_DescribeTransitGateways | Collect a snapshot of your transit gateways. |
(API name missing) | Collect a snapshot of your VPC endpoints. |
(API name missing) | Collect a snapshot of your VPCs. |
(API name missing) | Collect a snapshot of your VPC endpoints. |
ec2_DescribeVpcEndpointConnections | Collect a snapshot of the VPC endpoint connections to your VPC endpoint services, including any endpoints that are pending your acceptance. |
ec2_DescribeVpcEndpointServiceConfigurations | Collect a snapshot of the VPC endpoint service configurations in your AWS account. |
ec2_DescribeVpcPeeringConnections | Collect a snapshot of your VPN connections. |
ec2_DescribeVpnConnections | Collect a snapshot of your VPN connections. |
ec2_DescribeVpnGateways | Collect a snapshot of your virtual private gateways. |
ec2_GetEbsDefaultKmsKeyId | Collect a snapshot of the default AWS KMS key for EBS encryption for your AWS account in the current Region. |
ec2_GetEbsEncryptionByDefault | Describe whether EBS encryption by default is enabled for your AWS account in the current Region. |
ecs_DescribeClusters | Collect a snapshot of your ECS clusters. |
eks_DescribeAddonVersions | Collect a snapshot of your add-on versions. |
elasticache_DescribeCacheClusters | Collect a snapshot of your provisioned clusters. |
elasticache_DescribeServiceUpdates | Collect a snapshot of service updates for Amazon ElastiCache. |
elasticfilesystem_DescribeAccessPoints | Collect a snapshot of the Amazon EFS access points in your AWS account. |
(API name missing) | Collect a snapshot of your Amazon EFS file systems. |
elasticloadbalancingv2_DescribeLoadBalancers | Collect a snapshot of the load balancers in your AWS account. |
elasticloadbalancingv2_DescribeSSLPolicies | Collect a snapshot of the policies that you use for SSL negotiation. |
elasticloadbalancingv2_DescribeTargetGroups | Collect a snapshot of your ELB target groups. |
elasticmapreduce_ListSecurityConfigurations | Retrieve a list of the security configurations that are visible to your AWS account, along with their creation dates and times, and their names. |
events_ListConnections | Retrieve a list of the Amazon EventBridge connections in your AWS account. |
events_ListEventBuses | Retrieve a list of the Amazon EventBridge event buses in your AWS account, including the default event bus, custom event buses, and partner event buses. |
events_ListEventSources | Retrieve a list of the partner event sources that have been shared with your AWS account. |
events_ListRules | Retrieve a list of your Amazon EventBridge rules. |
firehose_ListDeliveryStreams | Retrieve a list of your delivery streams. |
fsx_DescribeFileSystems | Collect a snapshot of the file systems that are owned by your AWS account. |
guardduty_ListDetectors | Retrieve a list of the |
(API name missing) | Generate a credential report for your AWS account. |
(API name missing) | Collect a snapshot of the password policy for your AWS account. |
(API name missing) | Collect a snapshot of the IAM entity usage and IAM quotas in your AWS account. |
(API name missing) | Retrieve a list of the IAM groups that are associated with a path prefix that's available in your AWS account. |
iam_ListOpenIDConnectProviders | Retrieve a list of the IAM OpenID Connect (OIDC) provider resource objects that are defined in your AWS account. |
(API name missing) | Retrieve a list of all the managed policies that are available in your AWS account, including your own customer-defined managed policies and all AWS managed policies. |
(API name missing) | Retrieve a list of the IAM roles that are associated with a path prefix that's available in your AWS account. |
iam_ListSAMLProviders | Retrieve a list of the SAML provider resource objects defined in IAM in your AWS account. |
(API name missing) | Retrieve a list of the IAM users in your AWS account. |
iam_ListVirtualMFADevices | Retrieve a list of the virtual MFA devices that are defined in your AWS account. |
kafka_ListClusters | Retrieve a list of the Amazon MSK clusters in your AWS account. |
kafka_ListKafkaVersions | Retrieve a list of the Apache Kafka version objects in your AWS account. |
kinesis_ListStreams | Retrieve a list of your Kinesis data streams. |
(API name missing) | Audit Manager uses this API to collect a snapshot of the key policies for the AWS KMS keys in your AWS account. When you use this API as a data source, you don't need to provide the name of a specific AWS KMS key. Instead, Audit Manager uses the |
(API name missing) | Audit Manager uses this API to collect a snapshot of whether automatic rotation is enabled for the AWS KMS keys in your AWS account. When you use this API as a data source, you don't need to provide the name of a specific AWS KMS key. Instead, Audit Manager uses the |
kms_ListKeys | Retrieve a list of the AWS KMS keys in your AWS account. |
lambda_ListFunctions | Retrieve a list of Lambda functions in your AWS account, with the version-specific configuration of each. |
rds_DescribeDBClusters | Collect a snapshot of the existing Amazon Aurora DB clusters and Multi-AZ DB clusters in your AWS account. |
(API name missing) | Collect a snapshot of the provisioned RDS instances in your AWS account. |
rds_DescribeDbInstanceAutomatedBackups | Collect a snapshot of the backups for both current and deleted instances in your AWS account. |
rds_DescribeDbSecurityGroups | Collect a snapshot of the DBSecurityGroups in your AWS account. |
(API name missing) | Collect a snapshot of the provisioned Amazon Redshift clusters in your AWS account. |
(API name missing) | Collect a snapshot that shows the default encryption configuration for your S3 buckets. When you use this API as a data source, you don't need to provide the name of a specific S3 bucket. Instead, Audit Manager uses the Audit Manager can only provide the encryption status for buckets that were created in the same AWS Region as your assessment. If you need to see the encryption status of all your S3 buckets across multiple AWS Regions, we recommend that you create an assessment in each AWS Region where you have an S3 bucket. |
(API name missing) | Retrieve a list of the S3 buckets in your AWS account. |
sagemaker_ListAlgorithms | Retrieve a list of the machine learning algorithms in your AWS account. |
sagemaker_ListDomains | Retrieve a list of the domains in your AWS account. |
sagemaker_ListEndpoints | Retrieve a list of the endpoints in your AWS account. |
sagemaker_ListEndpointConfigs | Retrieve a list of the endpoint configurations in your AWS account. |
sagemaker_ListFlowDefinitions | Retrieve a list of the flow definitions in your AWS account. |
sagemaker_ListHumanTaskUis | Retrieve a list of the human task interfaces in your AWS account. |
sagemaker_ListLabelingJobs | Retrieve a list of the labeling jobs in your AWS account. |
sagemaker_ListModels | Retrieve a list of the models in your AWS account. |
sagemaker_ListModelBiasJobDefinitions | Retrieve a list of the model bias job definitions in your AWS account. |
sagemaker_ListModelCards | Retrieve a list of the model cards in your AWS account. |
sagemaker_ListModelQualityJobDefinitions | Retrieve a list of the model quality monitoring job definitions in your AWS account. |
sagemaker_ListMonitoringAlerts | Retrieve a list of the alerts for a given monitoring schedule. |
sagemaker_ListMonitoringSchedules | Retrieve a list of all monitoring schedules in your AWS account. |
sagemaker_ListTrainingJobs | Retrieve a list of training jobs in your AWS account. |
sagemaker_ListUserProfiles | Retrieve a list of user profiles in your AWS account. |
secretsmanager_ListSecrets | Retrieve a list of the secrets that are stored in your AWS account, not including secrets that are marked for deletion. |
sns_ListTopics | Retrieve a list of the SNS topics in your AWS account. |
sqs_ListQueues | Retrieve a list of the SQS queues in your AWS account. |
waf-regional_ListWebAcls | Retrieve a list of the WebACLSummary objects for your AWS account. |
waf-regional_ListRules | Retrieve a list of the RuleSummary objects for your AWS account. |
waf_ListRuleGroups | Retrieve a list of the RuleGroupSummary objects for the rule groups in your AWS account. |
waf_ListRules | Retrieve a list of the RuleSummary objects for your AWS account. |
waf_ListWebAcls | Retrieve a list of the WebACLSummary objects for your AWS account. |
API calls used in the AWS License Manager standard framework
In the AWS License Manager standard framework, Audit Manager uses a custom activity called GetLicenseManagerSummary to collect evidence. This activity calls the following three License Manager APIs:
The data that’s returned is then converted into evidence and attached to the relevant controls in your assessment.
Example
Let's say that you use two licensed products (SQL Server 2017 and Oracle Database Enterprise Edition). First, the GetLicenseManagerSummary activity calls the ListLicenseConfigurations API, which provides details of license configurations in your account. Next, it adds additional contextual data for each license configuration by calling ListUsageForLicenseConfiguration and ListAssociationsForLicenseConfiguration. Finally, it converts the license configuration data into evidence and attaches it to the respective controls in the framework (4.5 - Customer managed license for SQL Server 2017 and 3.0.4 - Customer managed license for Oracle Database Enterprise Edition).
If you’re using a licensed product that isn’t covered by any of the controls in the framework, that license configuration data is attached as evidence to the following control: 5.0 - Customer managed license for other licenses.
Additional resources
- To find help with evidence collection issues for this data source type, see My assessment isn’t collecting configuration data evidence for an AWS API call.
- To create a custom control using this data source type, see Creating a custom control in AWS Audit Manager.
- To create a custom framework that uses your custom control, see Creating a custom framework in AWS Audit Manager.
- To add your custom control to an existing custom framework, see Editing a custom framework in AWS Audit Manager.