API calls supported by AWS Audit Manager

Audit Manager makes API calls to AWS services to collect a snapshot of the configuration details for your AWS resources. You can specify these API calls as a data source mapping when you configure a custom control in Audit Manager.

For every resource that's in the scope of an API call, Audit Manager captures a configuration snapshot and converts it into evidence. This results in one piece of evidence per resource, as opposed to one piece of evidence per API call.

For example, if the ec2_DescribeRouteTables API call captures configuration snapshots from five route tables, then you'll get five pieces of evidence in total for the single API call. Each piece of evidence is a snapshot of the configuration of an individual route table.

Supported API calls for custom control data sources

In your custom controls, you can use any of the following 29 API calls as a data source.

Supported API call / Notes (where applicable, the notes follow the call name)

config_DescribeConfigRules
config_DescribeDeliveryChannels
cloudwatch_DescribeAlarms
cloudtrail_DescribeTrails
dynamodb_DescribeTable
    Notes: When you use this API as a data source, you don't need to provide the name of a specific DynamoDB table. Instead, Audit Manager uses the ListTables operation to list all of your tables. For every table that's listed, Audit Manager then performs the DescribeTable operation to generate evidence for that resource.
dynamodb_ListTables
ec2_DescribeFlowLogs
ec2_DescribeInstances
ec2_DescribeNetworkAcls
ec2_DescribeRouteTables
ec2_DescribeSecurityGroups
ec2_DescribeVolumes
ec2_DescribeVpcs
ec2_DescribeVpcEndpoints
elasticfilesystem_DescribeFileSystems
kms_GetKeyPolicy
    Notes: When you use this API as a data source, you don't need to provide the name of a specific AWS KMS key. Instead, Audit Manager uses the ListKeys operation to list all of your KMS keys. For every KMS key that's listed, Audit Manager then performs the GetKeyPolicy operation to generate evidence for that resource.
kms_GetKeyRotationStatus
    Notes: When you use this API as a data source, you don't need to provide the name of a specific AWS KMS key. Instead, Audit Manager uses the ListKeys operation to list all of your KMS keys. For every KMS key that's listed, Audit Manager then performs the GetKeyRotationStatus operation to generate evidence for that resource.
kms_ListKeys
iam_GenerateCredentialReport
iam_GetAccountPasswordPolicy
iam_GetAccountSummary
iam_ListGroups
iam_ListPolicies
iam_ListRoles
iam_ListUsers
rds_DescribeDBInstances
redshift_DescribeClusters
s3_GetBucketEncryption
    Notes: When you use this API as a data source, you don't need to provide the name of a specific S3 bucket. Instead, Audit Manager uses the ListBuckets operation to list all of your buckets. For every bucket that's listed, Audit Manager then performs the GetBucketEncryption operation to generate evidence for that resource.
    Audit Manager can only provide the encryption status for buckets that were created in the same AWS Region as your assessment. If you need to see the encryption status of all your S3 buckets across multiple AWS Regions, we recommend that you create an assessment in each AWS Region where you have an S3 bucket.
s3_ListBuckets
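The following is an added example (not AWS or Audit Manager code) of building a CreateControl request for a custom control whose data sources are API calls from the list above. It rejects any keyword that is not one of the 29 supported calls before the request is sent, so a misspelt data source fails loudly instead of producing a control that never collects evidence. The request field names (controlMappingSources, sourceType "AWS_API_Call", sourceSetUpOption "System_Controls_Mapping", sourceKeyword with keywordInputType "SELECT_FROM_LIST") and the frequency values are my understanding of the CreateControl API and are an assumption to verify against the current API reference.

```python
"""Build a validated CreateControl request whose data sources are Audit Manager
API calls.

Added example, not AWS or Audit Manager code. The request field names and the
accepted frequency values are assumptions about the CreateControl API.
"""

# The 29 API calls listed on this page, grouped by service prefix.
SUPPORTED_API_CALLS = frozenset({
    "config_DescribeConfigRules", "config_DescribeDeliveryChannels",
    "cloudwatch_DescribeAlarms",
    "cloudtrail_DescribeTrails",
    "dynamodb_DescribeTable", "dynamodb_ListTables",
    "ec2_DescribeFlowLogs", "ec2_DescribeInstances", "ec2_DescribeNetworkAcls",
    "ec2_DescribeRouteTables", "ec2_DescribeSecurityGroups", "ec2_DescribeVolumes",
    "ec2_DescribeVpcs", "ec2_DescribeVpcEndpoints",
    "elasticfilesystem_DescribeFileSystems",
    "kms_GetKeyPolicy", "kms_GetKeyRotationStatus", "kms_ListKeys",
    "iam_GenerateCredentialReport", "iam_GetAccountPasswordPolicy",
    "iam_GetAccountSummary", "iam_ListGroups", "iam_ListPolicies",
    "iam_ListRoles", "iam_ListUsers",
    "rds_DescribeDBInstances",
    "redshift_DescribeClusters",
    "s3_GetBucketEncryption", "s3_ListBuckets",
})

# Evidence collection frequencies accepted for automated sources (assumption).
SOURCE_FREQUENCIES = ("DAILY", "WEEKLY", "MONTHLY")


class UnsupportedApiCall(ValueError):
    """Raised when a keyword is not one of the supported data-source API calls."""


def api_call_source(api_call, frequency="DAILY"):
    """Return one controlMappingSources entry for a supported API call.

    Rejecting unknown keywords up front avoids creating a control that silently
    never collects evidence because its data source is not recognised.
    """
    if api_call not in SUPPORTED_API_CALLS:
        raise UnsupportedApiCall(f"{api_call!r} is not a supported Audit Manager API call")
    if frequency not in SOURCE_FREQUENCIES:
        raise ValueError(f"frequency must be one of {SOURCE_FREQUENCIES}")
    service, operation = api_call.split("_", 1)
    return {
        "sourceName": f"{service}:{operation} configuration snapshot",
        "sourceDescription": f"One piece of evidence per resource returned by {api_call}",
        "sourceSetUpOption": "System_Controls_Mapping",
        "sourceType": "AWS_API_Call",
        "sourceKeyword": {
            "keywordInputType": "SELECT_FROM_LIST",
            "keywordValue": api_call,
        },
        "sourceFrequency": frequency,
    }


def build_create_control_request(name, api_calls, frequency="DAILY", description=""):
    """Assemble the keyword arguments for CreateControl for one custom control."""
    if not api_calls:
        raise ValueError("a custom control needs at least one data source")
    return {
        "name": name,
        "description": description,
        "controlMappingSources": [api_call_source(c, frequency) for c in api_calls],
    }


if __name__ == "__main__":
    import json
    # Constructed sample: a control that snapshots the network perimeter daily.
    request = build_create_control_request(
        "Network perimeter snapshot",
        ["ec2_DescribeSecurityGroups", "ec2_DescribeNetworkAcls", "ec2_DescribeRouteTables"],
    )
    print(json.dumps(request, indent=2))
```

The returned dictionary is intended to be passed as `boto3.client("auditmanager").create_control(**request)`; the validation runs locally, so nothing is sent to AWS until you make that call.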

Paginated API calls

Many AWS services collect and store a large amount of data. As a result, when a list, describe, or get API call attempts to return your data, there can be a lot of results. If the amount of data is too large to return in a single response, the results can be broken into more manageable pieces through the use of pagination. This divides the results into "pages" of data, making the responses easier to handle.

Some of the API calls that Audit Manager supports are paginated. This means that they return partial results at first, and require subsequent requests to return the entire result set. For example, the Amazon RDS DescribeDBInstances operation returns up to 100 instances at a time, and subsequent requests are needed to return the next page of results.

As of March 08, 2023, Audit Manager supports paginated API calls as a data source for evidence collection. Previously, if a paginated API call was used as a data source, only a subset of your resources was returned in the API response (up to 100 results). Now, Audit Manager calls the paginated API operation multiple times, and gets each page of results until all resources are returned. For each resource, Audit Manager then captures a configuration snapshot and saves it as evidence. Because your complete set of resources is now captured in the API response, it’s likely that you’ll notice an increase in the amount of evidence that’s collected.

Audit Manager handles API call pagination for you automatically. If you create a custom control that uses a paginated API call as a data source, you don’t need to specify any pagination parameters.
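To make concrete both the one-evidence-per-resource rule from the introduction and the pagination behaviour described in this section (including the list-then-describe pattern noted for the DynamoDB, KMS and S3 calls), here is an added simulation; it is not Audit Manager's implementation. It uses a constructed in-memory client whose responses imitate the pagination shapes of the real services (RDS DescribeDBInstances with a Marker, DynamoDB ListTables with LastEvaluatedTableName), which is an assumption about those response formats, and shows that 250 instances produce 250 evidence records across three requests rather than the first 100.

```python
"""Simulate how a paginated API call, or a list-then-describe pair, becomes one
piece of evidence per resource.

Added example with a constructed in-memory client; not Audit Manager code. The
response shapes (Marker, LastEvaluatedTableName) are assumptions about the
real services.
"""
import json

PAGE_SIZE = 100  # RDS DescribeDBInstances returns up to 100 records per page


class FakeAwsClient:
    """Constructed stand-in for boto3 clients; serves canned data page by page."""

    def __init__(self, db_instances, tables):
        self.db_instances = list(db_instances)  # RDS instance snapshots
        self.tables = dict(tables)              # table name -> DescribeTable payload
        self.calls = 0                          # number of API requests made

    def describe_db_instances(self, Marker=None):
        self.calls += 1
        start = int(Marker) if Marker else 0
        page = self.db_instances[start:start + PAGE_SIZE]
        response = {"DBInstances": page}
        if start + PAGE_SIZE < len(self.db_instances):
            response["Marker"] = str(start + PAGE_SIZE)  # more pages remain
        return response

    def list_tables(self, ExclusiveStartTableName=None):
        self.calls += 1
        names = sorted(self.tables)
        start = names.index(ExclusiveStartTableName) + 1 if ExclusiveStartTableName else 0
        page = names[start:start + PAGE_SIZE]
        response = {"TableNames": page}
        if start + PAGE_SIZE < len(names):
            response["LastEvaluatedTableName"] = page[-1]
        return response

    def describe_table(self, TableName):
        self.calls += 1
        return {"Table": self.tables[TableName]}


def collect_all_pages(fetch_page, result_key, token_key, token_param):
    """Keep requesting pages until the service stops returning a continuation token."""
    items, token = [], None
    while True:
        response = fetch_page(**({token_param: token} if token else {}))
        items.extend(response[result_key])
        token = response.get(token_key)
        if not token:
            return items


def evidence_from_snapshot(api_call, resource_id, snapshot):
    """One evidence record per resource: the originating call plus its snapshot."""
    return {
        "apiCall": api_call,
        "resourceId": resource_id,
        "snapshot": json.dumps(snapshot, sort_keys=True),
    }


def collect_rds_evidence(client):
    """Paginated call: fetch every page, then turn each instance into evidence."""
    instances = collect_all_pages(
        client.describe_db_instances, "DBInstances", "Marker", "Marker")
    return [evidence_from_snapshot("rds_DescribeDBInstances", i["DBInstanceIdentifier"], i)
            for i in instances]


def collect_dynamodb_evidence(client):
    """List-then-describe: ListTables enumerates, DescribeTable runs once per table."""
    names = collect_all_pages(
        client.list_tables, "TableNames", "LastEvaluatedTableName", "ExclusiveStartTableName")
    return [evidence_from_snapshot("dynamodb_DescribeTable", n,
                                   client.describe_table(TableName=n)["Table"])
            for n in names]


def build_demo_client(n_instances=250, n_tables=3):
    """Constructed sample data: 250 RDS instances (three pages) and three tables."""
    instances = [{"DBInstanceIdentifier": f"db-{i:03d}", "StorageEncrypted": i % 2 == 0}
                 for i in range(n_instances)]
    tables = {f"table-{t}": {"TableName": f"table-{t}", "TableStatus": "ACTIVE"}
              for t in range(n_tables)}
    return FakeAwsClient(instances, tables)


if __name__ == "__main__":
    client = build_demo_client()
    rds = collect_rds_evidence(client)
    ddb = collect_dynamodb_evidence(client)
    print(f"{len(rds)} RDS evidence items, {len(ddb)} DynamoDB evidence items, "
          f"{client.calls} API requests")
```

The point of the `collect_all_pages` loop is the pre-March-2023 failure mode described above: stopping after the first response would leave 150 of the 250 instances without evidence, so any resource on a later page would be invisible to the assessment.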

API calls used in the AWS License Manager standard framework

In the AWS License Manager standard framework, Audit Manager uses a custom activity called GetLicenseManagerSummary to collect evidence. This activity calls the following three License Manager APIs: ListLicenseConfigurations, ListUsageForLicenseConfiguration, and ListAssociationsForLicenseConfiguration.

The data that’s returned is then converted into evidence and attached to the relevant controls in your assessment.

Example

Let's say that you use two licensed products (SQL Server 2017 and Oracle Database Enterprise Edition). First, the GetLicenseManagerSummary activity calls the ListLicenseConfigurations API, which returns the details of the license configurations in your account. Next, it adds contextual data for each license configuration by calling ListUsageForLicenseConfiguration and ListAssociationsForLicenseConfiguration. Finally, it converts the license configuration data into evidence and attaches it to the respective controls in the framework (4.5 - Customer managed license for SQL Server 2017 and 3.0.4 - Customer managed license for Oracle Database Enterprise Edition).

If you’re using a licensed product that isn’t covered by any of the controls in the framework, that license configuration data is attached as evidence to the following control: 5.0 - Customer managed license for other licenses.