Supported data source types for automated evidence - AWS Audit Manager

Supported data source types for automated evidence

When you create a custom control in AWS Audit Manager, you can set up your control to collect automated evidence from the following data source types:

  • AWS CloudTrail

  • AWS Security Hub

  • AWS Config

  • AWS API calls

The following topics summarize each of these automated data source types, and list the specific AWS Security Hub controls, AWS Config rules, and AWS API calls that are supported by Audit Manager.

Overview of automated data sources

The following table provides an overview of each automated data source type.

Data source type Description Evidence collection frequency To use this data source type... When this control is active in an assessment... Related troubleshooting tips

AWS CloudTrail

Tracks a specific user activity.

Continuous.

Select from the list of supported event names.

Audit Manager filters your CloudTrail logs based on the keyword that you choose. The results are imported as User activity evidence.

My assessment isn’t collecting user activity evidence from AWS CloudTrail

AWS Config

Captures a snapshot of your resource security posture by reporting findings from AWS Config.

Based on the triggers defined in the AWS Config rule.

Choose a rule type, then select a rule.

Audit Manager gets the findings for this rule directly from AWS Config. The result is imported as Compliance check evidence.

My assessment isn’t collecting compliance check evidence from AWS Config

AWS Config integration issues

AWS Security Hub

Captures a snapshot of your resource security posture by reporting findings from Security Hub.

Based on the schedule of the Security Hub check.

Select from the list of supported Security Hub control IDs.

Audit Manager gets the result of the security check directly from Security Hub. The result is imported as Compliance check evidence.

My assessment isn’t collecting compliance check evidence from AWS Security Hub
AWS API calls

Takes a snapshot of your resource configuration directly through an API call to the specified AWS service.

Daily, weekly, or monthly. Select from the list of supported API calls, then select your preferred frequency. Audit Manager makes the API call based on the frequency that you specify. The response is imported as Configuration data evidence. My assessment isn’t collecting configuration data evidence for an AWS API call