API calls supported by AWS Audit Manager

AWS Audit Manager makes API calls to AWS services to collect a snapshot of the configuration details for your AWS resources. You can specify these API calls as a data source mapping when you configure a custom control in Audit Manager.

For every resource that's in the scope of an API call, Audit Manager captures a configuration snapshot and converts it into evidence. This results in one piece of evidence per resource, as opposed to one piece of evidence per API call.

For example, if the ec2_DescribeRouteTables API call captures configuration snapshots from five route tables, then you'll get five pieces of evidence in total for the single API call. Each piece of evidence is a snapshot of the configuration of an individual route table.

Supported API calls for custom control data sources

The following list of API calls are supported in Audit Manager.

• iam_GenerateCredentialReport

• iam_GetAccountSummary

• iam_ListPolicies

• iam_GetAccountPasswordPolicy

• iam_ListUsers

• iam_ListRoles

• iam_ListGroups

• ec2_DescribeInstances

• ec2_DescribeFlowLogs

• ec2_DescribeVpcs

• ec2_DescribeSecurityGroups

• ec2_DescribeNetworkAcls

• ec2_DescribeRouteTables

• ec2_DescribeVpcEndpoints

• cloudtrail_DescribeTrails

• config_DescribeDeliveryChannels

• config_DescribeConfigRules

• kms_ListKeys

• cloudwatch_DescribeAlarms

• elasticfilesystem_DescribeFileSystems

API calls used in the AWS License Manager standard framework

In the AWS License Manager standard framework, Audit Manager uses a custom activity called GetLicenseManagerSummary to collect evidence. This activity calls the following three License Manager APIs:

• ListLicenseConfigurations

• ListAssociationsForLicenseConfiguration

• ListUsageForLicenseConfiguration

The data that’s returned is then converted into evidence and attached to the relevant controls in your assessment.

Example

Let's say that you use two licensed products (SQL Service 2017 and Oracle Database Enterprise Edition). First, the GetLicenseManagerSummary activity calls the ListLicenseConfigurations API, which provides details of license configurations in your account. Next, it adds additional contextual data for each license configuration by calling ListUsageForLicenseConfiguration and ListAssociationsForLicenseConfiguration. Finally, it converts the license configuration data into evidence and attaches it to the respective controls in the framework (4.5 - Customer managed license for SQL Server 2017 and 3.0.4 - Customer managed license for Oracle Database Enterprise Edition).

If you’re using a licensed product that isn’t covered by any of the controls in the framework, that license configuration data is attached as evidence to the following control: 5.0 - Customer managed license for other licenses.