AWS API calls supported by AWS Audit Manager - AWS Audit Manager

AWS API calls supported by AWS Audit Manager

You can use Audit Manager to capture snapshots of your AWS environment as evidence for audits. When you create or edit a custom control, you can specify one or more AWS API calls as a data source mapping for evidence collection. Audit Manager then makes API calls to the relevant AWS services, and collects a snapshot of the configuration details for your AWS resources.

For every resource that's in the scope of an API call, Audit Manager captures a configuration snapshot and converts it into evidence. This results in one piece of evidence per resource, as opposed to one piece of evidence per API call.

For example, if the ec2_DescribeRouteTables API call captures configuration snapshots from five route tables, then you'll get five pieces of evidence in total for the single API call. Each piece of evidence is a snapshot of the configuration of an individual route table.

Key points

Paginated API calls

Many AWS services collect and store a large amount of data. As a result, when a list, describe, or get API call attempts to return your data, there can be a lot of results. If the amount of data is too large to return in a single response, the results can be broken into more manageable pieces through the use of pagination. This divides the results into "pages" of data, making the responses easier to handle.

Some of the Supported API calls for custom control data sources are paginated. This means that they return partial results at first, and require subsequent requests to return the entire result set. For example, the Amazon RDS DescribeDBInstances operation returns up to 100 instances at a time, and subsequent requests are needed to return the next page of results.

As of March 08, 2023, Audit Manager supports paginated API calls as a data source for evidence collection. Previously, if a paginated API call was used as a data source, only a subset of your resources was returned in the API response (up to 100 results). Now, Audit Manager calls the paginated API operation multiple times, and gets each page of results until all resources are returned. For each resource, Audit Manager then captures a configuration snapshot and saves it as evidence. Because your complete set of resources is now captured in the API response, it’s likely that you’ll notice an increase in the amount of evidence that’s collected after March 08, 2023.

Audit Manager handles API call pagination for you automatically. If you create a custom control that uses a paginated API call as a data source, you don’t need to specify any pagination parameters.
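The following is an added illustration, not Audit Manager's own code, of the two behaviours described above: following a paginated call to its last page, and turning each returned resource into its own piece of evidence. FakeRds is a constructed stand-in for a boto3 RDS client that answers rds_DescribeDBInstances in the real API's Marker/MaxRecords shape; the 250 instances and their StorageEncrypted flags are made up. The pre-2023 single-page behaviour is included beside the full collection to show how many unencrypted instances a first-page-only snapshot would have missed.

```python
"""Added example (not Audit Manager's own code): a paginated
data-source call such as rds_DescribeDBInstances becomes one piece
of evidence per resource, and stopping after the first page hides
findings. FakeRds is a constructed stand-in for a boto3 RDS client."""
from dataclasses import dataclass

PAGE_SIZE = 100  # DescribeDBInstances returns at most 100 records per call


class FakeRds:
    """Constructed stand-in for boto3's RDS client. It serves the
    instance list in pages using the real API's Marker/MaxRecords
    shape: a Marker in the response means more pages remain."""

    def __init__(self, count: int):
        self._instances = [
            {
                "DBInstanceIdentifier": f"db-{i:03d}",
                "StorageEncrypted": i % 7 != 0,  # constructed: every 7th instance is unencrypted
                "PubliclyAccessible": False,
            }
            for i in range(count)
        ]
        self.calls = 0  # number of API requests made so far

    def describe_db_instances(self, **kwargs):
        self.calls += 1
        start = int(kwargs.get("Marker", 0))
        size = kwargs.get("MaxRecords", PAGE_SIZE)
        page = self._instances[start:start + size]
        response = {"DBInstances": page}
        if start + size < len(self._instances):
            response["Marker"] = str(start + size)  # more pages remain
        return response


@dataclass
class Evidence:
    """One configuration snapshot of one resource."""
    api_call: str
    resource_id: str
    snapshot: dict


def to_evidence(db: dict) -> Evidence:
    return Evidence("rds_DescribeDBInstances", db["DBInstanceIdentifier"], db)


def collect_first_page_only(client) -> list[Evidence]:
    """Behaviour before 2023-03-08: a single request, so at most
    PAGE_SIZE resources become evidence."""
    response = client.describe_db_instances()
    return [to_evidence(db) for db in response["DBInstances"]]


def collect_all_pages(client) -> list[Evidence]:
    """Current behaviour: keep requesting with the returned Marker
    until the service stops returning one, then emit one Evidence
    per resource rather than one per API call."""
    evidence: list[Evidence] = []
    kwargs: dict = {}
    while True:
        response = client.describe_db_instances(**kwargs)
        evidence.extend(to_evidence(db) for db in response["DBInstances"])
        marker = response.get("Marker")
        if not marker:
            return evidence
        kwargs = {"Marker": marker}


def unencrypted(evidence: list[Evidence]) -> list[str]:
    """Resource IDs whose snapshot shows storage encryption disabled."""
    return [e.resource_id for e in evidence if not e.snapshot["StorageEncrypted"]]


if __name__ == "__main__":
    rds = FakeRds(250)
    full = collect_all_pages(rds)
    print(f"{len(full)} evidence items from {rds.calls} requests; "
          f"{len(unencrypted(full))} unencrypted instances")
    partial = collect_first_page_only(FakeRds(250))
    print(f"first page only: {len(partial)} evidence items; "
          f"{len(unencrypted(partial))} unencrypted instances")
```

With 250 constructed instances, the full collection takes three requests and yields 250 evidence items (36 of them flagged unencrypted), while the first page alone yields 100 items and only 15 of those findings. That gap is why the evidence count in existing assessments rose after the change.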

Supported API calls for custom control data sources

In your custom controls, you can use any of the following API calls as a data source. Audit Manager can then use these API calls to collect evidence about your AWS usage.

Supported API call How Audit Manager uses this API to collect evidence
acm_GetAccountConfiguration Collect a snapshot of the account configuration options associated with your AWS account.
acm_ListCertificates Retrieve a list of certificate ARNs and domain names.
autoscaling_DescribeAutoScalingGroups Collect a snapshot of the Auto Scaling groups in your AWS account.
backup_ListBackupPlans Retrieve a list of all active backup plans in your AWS account.
bedrock_GetModelInvocationLoggingConfiguration Collect a snapshot of the current configuration values for model invocation logging for models in your AWS account.
cloudfront_ListDistributions Retrieve a list of all distributions in your AWS account.
cloudtrail_DescribeTrails Collect a snapshot of the settings for one or more trails associated with the current Region for your AWS account.
cloudtrail_ListTrails Retrieve a list of the trails that are in your AWS account.
cloudwatch_DescribeAlarms Collect a configuration snapshot of the alarms that are used for your AWS account.
config_DescribeConfigRules Retrieve details about your AWS Config rules.
config_DescribeDeliveryChannels Collect a configuration snapshot of the delivery channels in your AWS account.
directconnect_DescribeDirectConnectGateways Retrieve a list of all your AWS Direct Connect gateways.
directconnect_DescribeVirtualGateways Retrieve a list of the virtual private gateways owned by your AWS account.
docdb_DescribeCertificates Collect a list of certificates for your AWS account.
docdb_DescribeDBClusterParameterGroups Collect a list of DBClusterParameterGroup descriptions for your AWS account.
docdb_DescribeDBInstances Collect information about the provisioned Amazon DocumentDB instances in your AWS account.
dynamodb_DescribeTable Collect configuration snapshots for the DynamoDB tables in your AWS account.

When you use this API as a data source, you don't need to provide the name of a specific DynamoDB table. Instead, Audit Manager uses the ListTables operation to list all of your tables. For every table that's listed, Audit Manager then performs the DescribeTable operation to generate evidence for that resource.

dynamodb_ListBackups Retrieve a list of the DynamoDB backups that are associated with your AWS account.
dynamodb_ListTables Retrieve a list of all of the table names that are associated with your AWS account and your current endpoint.
ec2_DescribeAddresses Collect a snapshot of your Elastic IP addresses.
ec2_DescribeCustomerGateways Collect a snapshot of your VPN customer gateways.
ec2_DescribeEgressOnlyInternetGateways Collect a snapshot of your egress-only internet gateways.
ec2_DescribeFlowLogs Collect a snapshot of your flow logs.
ec2_DescribeInstances Collect a snapshot of your instances.
ec2_DescribeInternetGateways Collect a snapshot of your internet gateways.
ec2_DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations Collect a description of the associations between the virtual interface groups and the local gateway route tables in your AWS account.
ec2_DescribeLocalGateways Collect a snapshot of your local gateways.
ec2_DescribeLocalGatewayVirtualInterfaces Collect a snapshot of your local gateway virtual interfaces.
ec2_DescribeNatGateways Collect a snapshot of your NAT gateways.
ec2_DescribeNetworkAcls Collect a snapshot of your network ACLs.
ec2_DescribeRouteTables Collect a snapshot of your route tables.
ec2_DescribeSecurityGroups Collect a snapshot of your security groups.
ec2_DescribeSecurityGroupRules Collect a snapshot of one or more of your security group rules.
ec2_DescribeTransitGateways Collect a snapshot of your transit gateways.
ec2_DescribeVolumes Collect a snapshot of your EBS volumes.
ec2_DescribeVpcs Collect a snapshot of your VPCs.
ec2_DescribeVpcEndpoints Collect a snapshot of your VPC endpoints.
ec2_DescribeVpcEndpointConnections Collect a snapshot of the VPC endpoint connections to your VPC endpoint services, including any endpoints that are pending your acceptance.
ec2_DescribeVpcEndpointServiceConfigurations Collect a snapshot of the VPC endpoint service configurations in your AWS account.
ec2_DescribeVpcPeeringConnections Collect a snapshot of your VPC peering connections.
ec2_DescribeVpnConnections Collect a snapshot of your VPN connections.
ec2_DescribeVpnGateways Collect a snapshot of your virtual private gateways.
ec2_GetEbsDefaultKmsKeyId Collect a snapshot of the default AWS KMS key for EBS encryption for your AWS account in the current Region.
ec2_GetEbsEncryptionByDefault Describe whether EBS encryption by default is enabled for your AWS account in the current Region.
ecs_DescribeClusters Collect a snapshot of your ECS clusters.
eks_DescribeAddonVersions Collect a snapshot of your Amazon EKS add-on versions.
elasticache_DescribeCacheClusters Collect a snapshot of your provisioned ElastiCache clusters.
elasticache_DescribeServiceUpdates Collect a snapshot of service updates for Amazon ElastiCache.
elasticfilesystem_DescribeAccessPoints Collect a snapshot of the Amazon EFS access points in your AWS account.
elasticfilesystem_DescribeFileSystems Collect a snapshot of your Amazon EFS file systems.
elasticloadbalancingv2_DescribeLoadBalancers Collect a snapshot of the load balancers in your AWS account.
elasticloadbalancingv2_DescribeSSLPolicies Collect a snapshot of the policies that you use for SSL negotiation.
elasticloadbalancingv2_DescribeTargetGroups Collect a snapshot of your ELB target groups.
elasticmapreduce_ListSecurityConfigurations Retrieve a list of the security configurations that are visible to your AWS account, along with their names and creation dates and times.
events_ListConnections Retrieve a list of the Amazon EventBridge connections in your AWS account.
events_ListEventBuses Retrieve a list of the Amazon EventBridge event buses in your AWS account, including the default event bus, custom event buses, and partner event buses.
events_ListEventSources Retrieve a list of the partner event sources that have been shared with your AWS account.
events_ListRules Retrieve a list of your Amazon EventBridge rules.
firehose_ListDeliveryStreams Retrieve a list of your delivery streams.
fsx_DescribeFileSystems Collect a snapshot of the file systems that are owned by your AWS account.
guardduty_ListDetectors Retrieve a list of the detectorIds for your Amazon GuardDuty detector resources.
iam_GenerateCredentialReport Generate a credential report for your AWS account.
iam_GetAccountPasswordPolicy Collect a snapshot of the password policy for your AWS account.
iam_GetAccountSummary Collect a snapshot of the IAM entity usage and IAM quotas in your AWS account.
iam_ListGroups Retrieve a list of the IAM groups that are associated with a path prefix that's available in your AWS account.
iam_ListOpenIDConnectProviders Retrieve a list of the IAM OpenID Connect (OIDC) provider resource objects that are defined in your AWS account.
iam_ListPolicies Retrieve a list of all the managed policies that are available in your AWS account, including your own customer managed policies and all AWS managed policies.
iam_ListRoles Retrieve a list of the IAM roles that are associated with a path prefix that's available in your AWS account.
iam_ListSAMLProviders Retrieve a list of the SAML provider resource objects defined in IAM in your AWS account.
iam_ListUsers Retrieve a list of the IAM users in your AWS account.
iam_ListVirtualMFADevices Retrieve a list of the virtual MFA devices that are defined in your AWS account.
kafka_ListClusters Retrieve a list of the Amazon MSK clusters in your AWS account.
kafka_ListKafkaVersions Retrieve a list of the Apache Kafka version objects in your AWS account.
kinesis_ListStreams Retrieve a list of your Kinesis data streams.
kms_GetKeyPolicy Collect a snapshot of the key policies for the AWS KMS keys in your AWS account.

When you use this API as a data source, you don't need to provide the name of a specific AWS KMS key. Instead, Audit Manager uses the ListKeys operation to list all of your KMS keys. For every KMS key that's listed, Audit Manager then performs the GetKeyPolicy operation to generate evidence for that resource.

kms_GetKeyRotationStatus Collect a snapshot of whether automatic rotation is enabled for the AWS KMS keys in your AWS account.

When you use this API as a data source, you don't need to provide the name of a specific AWS KMS key. Instead, Audit Manager uses the ListKeys operation to list all of your KMS keys. For every KMS key that's listed, Audit Manager then performs the GetKeyRotationStatus operation to generate evidence for that resource.

kms_ListKeys Retrieve a list of the AWS KMS keys in your AWS account.
lambda_ListFunctions Retrieve a list of Lambda functions in your AWS account, with the version-specific configuration of each.
rds_DescribeDBClusters Collect a snapshot of the existing Amazon Aurora DB clusters and Multi-AZ DB clusters in your AWS account.
rds_DescribeDBInstances Collect a snapshot of the provisioned RDS instances in your AWS account.
rds_DescribeDbInstanceAutomatedBackups Collect a snapshot of the automated backups for both current and deleted instances in your AWS account.
rds_DescribeDbSecurityGroups Collect a snapshot of the DBSecurityGroups in your AWS account.
redshift_DescribeClusters Collect a snapshot of the provisioned Amazon Redshift clusters in your AWS account.
s3_GetBucketEncryption Collect a snapshot that shows the default encryption configuration for your S3 buckets.

When you use this API as a data source, you don't need to provide the name of a specific S3 bucket. Instead, Audit Manager uses the ListBuckets operation to list all of your buckets. For every bucket that's listed, Audit Manager then performs the GetBucketEncryption operation to generate evidence for that resource.

Audit Manager can only provide the encryption status for buckets that were created in the same AWS Region as your assessment. If you need to see the encryption status of all your S3 buckets across multiple AWS Regions, create an assessment in each AWS Region where you have an S3 bucket.

s3_ListBuckets Retrieve a list of the S3 buckets in your AWS account.
sagemaker_ListAlgorithms Retrieve a list of the machine learning algorithms in your AWS account.
sagemaker_ListDomains Retrieve a list of the domains in your AWS account.
sagemaker_ListEndpoints Retrieve a list of the endpoints in your AWS account.
sagemaker_ListEndpointConfigs Retrieve a list of the endpoint configurations in your AWS account.
sagemaker_ListFlowDefinitions Retrieve a list of the flow definitions in your AWS account.
sagemaker_ListHumanTaskUis Retrieve a list of the human task user interfaces in your AWS account.
sagemaker_ListLabelingJobs Retrieve a list of the labeling jobs in your AWS account.
sagemaker_ListModels Retrieve a list of the models in your AWS account.
sagemaker_ListModelBiasJobDefinitions Retrieve a list of the model bias job definitions in your AWS account.
sagemaker_ListModelCards Retrieve a list of the model cards in your AWS account.
sagemaker_ListModelQualityJobDefinitions Retrieve a list of the model quality monitoring job definitions in your AWS account.
sagemaker_ListMonitoringAlerts Retrieve a list of the alerts for a given monitoring schedule.
sagemaker_ListMonitoringSchedules Retrieve a list of all monitoring schedules in your AWS account.
sagemaker_ListTrainingJobs Retrieve a list of the training jobs in your AWS account.
sagemaker_ListUserProfiles Retrieve a list of the user profiles in your AWS account.
secretsmanager_ListSecrets Retrieve a list of the secrets that are stored in your AWS account, not including secrets that are marked for deletion.
sns_ListTopics Retrieve a list of the SNS topics in your AWS account.
sqs_ListQueues Retrieve a list of the SQS queues in your AWS account.
waf-regional_ListWebAcls Retrieve a list of the WebACLSummary objects for your AWS account.
waf-regional_ListRules Retrieve a list of the RuleSummary objects for your AWS account.
waf_ListRuleGroups Retrieve a list of the RuleGroupSummary objects for the rule groups in your AWS account.
waf_ListRules Retrieve a list of the RuleSummary objects for your AWS account.
waf_ListWebAcls Retrieve a list of the WebACLSummary objects for your AWS account.
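To use one of the API calls above as a custom control data source programmatically, the CreateControl request carries a controlMappingSources entry of type AWS_API_Call whose keyword value is the API call name in the serviceName_ApiCallName form shown in the table. The following is an added example, not Audit Manager's own code, that builds such a request and rejects keywords that are not on the supported list. SUPPORTED_API_CALLS holds only a subset of the table (an assumption; extend it from the rows above), and the control name and description are made up.

```python
"""Added example (not Audit Manager's own code): build the kwargs for
boto3's auditmanager.create_control from API-call data sources,
validating each keyword against the supported list. SUPPORTED_API_CALLS
is a subset of the table on this page (assumption: extend as needed)."""
import json

# Subset of the supported keywords from the table (assumption; extend from the page).
SUPPORTED_API_CALLS = frozenset({
    "cloudtrail_DescribeTrails", "ec2_DescribeSecurityGroups", "ec2_DescribeSecurityGroupRules",
    "ec2_GetEbsEncryptionByDefault", "iam_GetAccountPasswordPolicy", "iam_ListVirtualMFADevices",
    "kms_GetKeyRotationStatus", "rds_DescribeDBInstances", "s3_GetBucketEncryption",
})
FREQUENCIES = frozenset({"DAILY", "WEEKLY", "MONTHLY"})


def api_call_source(api_call: str, frequency: str = "DAILY", description: str = "") -> dict:
    """One controlMappingSources entry of type AWS_API_Call, in the
    shape the CreateControl request expects."""
    if api_call not in SUPPORTED_API_CALLS:
        raise ValueError(f"{api_call!r} is not a supported Audit Manager API call data source")
    if frequency not in FREQUENCIES:
        raise ValueError(f"sourceFrequency must be one of {sorted(FREQUENCIES)}, got {frequency!r}")
    return {
        "sourceName": api_call,
        "sourceDescription": description or f"Configuration snapshot collected via {api_call}",
        "sourceSetUpOption": "System_Controls_Mapping",  # automated evidence collection
        "sourceType": "AWS_API_Call",
        "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST", "keywordValue": api_call},
        "sourceFrequency": frequency,
    }


def build_create_control_request(name: str, description: str,
                                 api_calls: list[str], frequency: str = "DAILY") -> dict:
    """Kwargs for boto3.client('auditmanager').create_control(**request).
    Repeated API calls are dropped: each one would only duplicate evidence."""
    if not api_calls:
        raise ValueError("a control needs at least one data source")
    unique = list(dict.fromkeys(api_calls))  # preserve order, drop repeats
    return {
        "name": name,
        "description": description,
        "controlMappingSources": [api_call_source(call, frequency) for call in unique],
    }


if __name__ == "__main__":
    request = build_create_control_request(
        name="Encryption at rest for data stores",  # hypothetical control name
        description="Evidence that RDS instances, S3 buckets and EBS volumes encrypt data at rest.",
        api_calls=["rds_DescribeDBInstances", "s3_GetBucketEncryption", "ec2_GetEbsEncryptionByDefault"],
    )
    print(json.dumps(request, indent=2))
    # To create the control for real (needs credentials and auditmanager:CreateControl):
    #   import boto3
    #   boto3.client("auditmanager").create_control(**request)
```

Because s3_GetBucketEncryption only reports on buckets in the assessment's Region, a control built this way still needs an assessment per Region to cover every bucket; the request above does not change that.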

API calls used in the AWS License Manager standard framework

In the AWS License Manager standard framework, Audit Manager uses a custom activity called GetLicenseManagerSummary to collect evidence. This activity calls three License Manager APIs: ListLicenseConfigurations, ListUsageForLicenseConfiguration, and ListAssociationsForLicenseConfiguration.

The data that’s returned is then converted into evidence and attached to the relevant controls in your assessment.

Example

Let's say that you use two licensed products (SQL Server 2017 and Oracle Database Enterprise Edition). First, the GetLicenseManagerSummary activity calls the ListLicenseConfigurations API, which provides details of the license configurations in your account. Next, it adds contextual data for each license configuration by calling ListUsageForLicenseConfiguration and ListAssociationsForLicenseConfiguration. Finally, it converts the license configuration data into evidence and attaches it to the respective controls in the framework (4.5 - Customer managed license for SQL Server 2017 and 3.0.4 - Customer managed license for Oracle Database Enterprise Edition).

If you’re using a licensed product that isn’t covered by any of the controls in the framework, that license configuration data is attached as evidence to the following control: 5.0 - Customer managed license for other licenses.
