Supported control data sources for automated evidence

When you create a custom control in AWS Audit Manager, you can set up your control to collect automated evidence from the following data source types:

AWS CloudTrail
AWS Security Hub
AWS Config
AWS API calls

The following topics summarize each of these automated data source types, and list the specific AWS Security Hub controls, AWS Config rules, and AWS API calls that are supported by Audit Manager.

Topics

Overview of automated data sources

The following table provides an overview of each automated data source type.

Data source type	Description	Evidence collection frequency	To use this data source type...	When this control is active in an assessment...	Related troubleshooting tips
AWS CloudTrail	Tracks a specific user activity.	Continuous.	Select from the list of supported event names.	Audit Manager filters your CloudTrail logs based on the keyword that you choose. The results are imported as User activity evidence.	My assessment isn’t collecting user activity evidence from AWS CloudTrail
AWS Config	Captures a snapshot of your resource security posture by reporting findings from AWS Config.	Based on the triggers defined in the AWS Config rule.	Choose a rule type, then select a rule. For managed rules, select from the list of supported managed rule keywords. For custom rules, select from the list of your available rules.	Audit Manager gets the findings for this rule directly from AWS Config. The result is imported as Compliance check evidence.	My assessment isn’t collecting compliance check evidence from AWS Config AWS Config integration issues
AWS Security Hub	Captures a snapshot of your resource security posture by reporting findings from Security Hub.	Based on the schedule of the Security Hub check.	Select from the list of supported Security Hub control IDs.	Audit Manager gets the result of the security check directly from Security Hub. The result is imported as Compliance check evidence.	My assessment isn’t collecting compliance check evidence from AWS Security Hub
AWS API calls	Takes a snapshot of your resource configuration directly through an API call to the specified AWS service.	Daily, weekly, or monthly.	Select from the list of supported API calls, then select your preferred frequency.	Audit Manager makes the API call based on the frequency that you specify. The response is imported as Configuration data evidence.	My assessment isn’t collecting configuration data evidence for an AWS API call

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Changing evidence collection frequency

AWS Config