AWS Config Rules supported by AWS Audit Manager - AWS Audit Manager


You can use AWS Audit Manager to capture AWS Config evaluations as evidence for audits. When you create or edit a custom control, you can specify one or more AWS Config rules as a data source mapping for evidence collection. AWS Config performs compliance checks based on these rules, and Audit Manager reports the results as compliance check evidence.

In addition to managed rules, you can also map your custom rules to a control data source.

Note

Audit Manager doesn’t collect evidence from service-linked AWS Config rules, with the exception of service-linked rules from Conformance Packs and from AWS Organizations. For more information, see the Troubleshooting section of this guide.

Using AWS Config managed rules with AWS Audit Manager

Audit Manager currently supports 263 AWS Config managed rules. You can use any of the following managed rule identifier keywords when you set up a data source for a custom control. For more information about any of the managed rules listed below, choose an item from the list or see AWS Config Managed Rules in the AWS Config User Guide.

Tip

When you choose a managed rule in the Audit Manager console during custom control creation, make sure that you look for one of the following rule identifier keywords, and not the rule name. For information about the difference between the rule name and rule identifier, and how to find the identifier for a managed rule, see the Troubleshooting section of this user guide.

Supported AWS Config managed rule keywords

Using AWS Config custom rules with AWS Audit Manager

You can now use AWS Config custom rules as a data source for audit reporting. When a control has a data source that's mapped to an AWS Config rule, Audit Manager adds the evaluation that was created by the AWS Config rule.

The custom rules that you can use depend on the AWS account that you sign in to Audit Manager with. If you can access a custom rule in AWS Config, you can use it as a data source mapping in Audit Manager.

  • For individual AWS accounts – You can use any of the custom rules that you created with your account.

  • For accounts that are part of an organization – You can use any of your member-level custom rules, or any of the organization-level custom rules that are available to you in AWS Config.

For instructions on how to create a control that uses custom rules as a data source, see Creating a new control from scratch and Customizing an existing control.

Tip

Keep in mind that managed rules aren't shown in the dropdown list of custom rules in Audit Manager.

To verify whether an AWS Config rule is a managed rule or a custom rule, use the AWS Config console. From the left navigation menu, choose Rules and look for the rule in the table. If it's a managed rule, the Type column shows AWS managed.

[Figure: A managed rule as shown in the AWS Config console.]

To map a managed rule as a data source, you can look for the managed rule identifier keyword in Audit Manager in the dropdown list of managed rules. For more information, see the Troubleshooting section of this guide.
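The same managed-versus-custom distinction, and the "identifier keyword, not rule name" requirement from the tip above, can be checked programmatically rather than in the console. The following is an added example and is not code from the AWS documentation or from the Audit Manager service. It classifies AWS Config rules by their Source.Owner (AWS for managed rules, CUSTOM_LAMBDA or CUSTOM_POLICY for custom rules) and builds the controlMappingSources entries that the Audit Manager CreateControl API expects. The sample rule records are constructed to match the shape of config:DescribeConfigRules output; the account ID and Lambda ARN are placeholders. The Custom_ prefix used for custom-rule keywords follows the Audit Manager API reference for SourceKeyword; treat it as an assumption to verify against the current API documentation for your region.

```python
"""Classify AWS Config rules and build Audit Manager data-source mappings.

Added example (not AWS documentation code). Runs offline on constructed data;
fetch_rules() is an optional live path that needs boto3 and credentials.
"""
from typing import Any, Dict, List

# Constructed sample, shaped like describe_config_rules()["ConfigRules"].
# Account ID and Lambda ARN are placeholders, not real resources.
SAMPLE_RULES: List[Dict[str, Any]] = [
    {
        "ConfigRuleName": "s3-bucket-public-read-prohibited",
        "Source": {"Owner": "AWS",
                   "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"},
        "ConfigRuleState": "ACTIVE",
    },
    {
        "ConfigRuleName": "my-ebs-encryption-check",
        "Source": {"Owner": "CUSTOM_LAMBDA",
                   "SourceIdentifier": "arn:aws:lambda:us-east-1:111122223333:function:PLACEHOLDER"},
        "ConfigRuleState": "ACTIVE",
    },
    {
        # Guard-policy custom rule: no SourceIdentifier, policy text lives in CustomPolicyDetails.
        "ConfigRuleName": "my-tag-policy-rule",
        "Source": {"Owner": "CUSTOM_POLICY"},
        "ConfigRuleState": "ACTIVE",
    },
]

CUSTOM_OWNERS = {"CUSTOM_LAMBDA", "CUSTOM_POLICY"}


def is_managed(rule: Dict[str, Any]) -> bool:
    """A rule is AWS managed when AWS Config reports Source.Owner == "AWS"
    (the console shows this as Type = "AWS managed")."""
    return rule.get("Source", {}).get("Owner") == "AWS"


def audit_manager_keyword(rule: Dict[str, Any]) -> str:
    """Return the keywordValue Audit Manager needs for this rule.

    Managed rules are mapped by their rule *identifier* (SourceIdentifier),
    never by the user-chosen ConfigRuleName. Custom rules are mapped by name
    with a Custom_ prefix (assumption: per the Audit Manager API reference).
    """
    owner = rule.get("Source", {}).get("Owner")
    if owner == "AWS":
        return rule["Source"]["SourceIdentifier"]
    if owner in CUSTOM_OWNERS:
        return "Custom_" + rule["ConfigRuleName"]
    raise ValueError(f"unsupported Source.Owner {owner!r} for {rule.get('ConfigRuleName')}")


def build_mapping_source(rule: Dict[str, Any], frequency: str = "DAILY") -> Dict[str, Any]:
    """One controlMappingSources entry for the CreateControl API."""
    kind = "managed" if is_managed(rule) else "custom"
    return {
        "sourceName": f"AWS Config {kind} rule: {rule['ConfigRuleName']}",
        "sourceDescription": f"Compliance evaluations from the {kind} rule {rule['ConfigRuleName']}",
        "sourceSetUpOption": "System_Controls_Mapping",
        "sourceType": "AWS_Config",
        "sourceKeyword": {
            "keywordInputType": "SELECT_FROM_LIST",
            "keywordValue": audit_manager_keyword(rule),
        },
        "sourceFrequency": frequency,
    }


def build_control_request(name: str, description: str,
                          rules: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Keyword arguments for boto3 auditmanager.create_control(**request).
    Rules that are not ACTIVE are skipped because they produce no evaluations."""
    active = [r for r in rules if r.get("ConfigRuleState", "ACTIVE") == "ACTIVE"]
    return {
        "name": name,
        "description": description,
        "controlMappingSources": [build_mapping_source(r) for r in active],
    }


def fetch_rules(region_name: str) -> List[Dict[str, Any]]:
    """Live path: page through config:DescribeConfigRules for the signed-in
    account. Imported lazily so the offline example has no boto3 dependency."""
    import boto3  # type: ignore
    client = boto3.client("config", region_name=region_name)
    rules: List[Dict[str, Any]] = []
    for page in client.get_paginator("describe_config_rules").paginate():
        rules.extend(page["ConfigRules"])
    return rules


if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(f"{r['ConfigRuleName']:35} {'managed' if is_managed(r) else 'custom':8} "
              f"keyword={audit_manager_keyword(r)}")
```

Review the generated request before sending it: a rule whose keyword is wrong (for example the name of a managed rule instead of its identifier) is accepted by the control editor but never matches an evaluation, so the control silently collects no evidence.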

After you map your custom rules as a data source for a control, you can associate that control with a custom framework in Audit Manager. For instructions on how to create a custom framework that uses your custom control, see Creating a new framework from scratch and Customizing an existing framework. For instructions on how to add your control to an existing custom framework, see Editing an existing framework.

For information about creating a custom rule in AWS Config, see Developing a custom rule for AWS Config in the AWS Config Developer Guide.

Troubleshooting AWS Config integration with AWS Audit Manager

To find answers to common questions and issues, see AWS Config integration in the Troubleshooting section of this guide.