Creating an assessment - AWS Audit Manager

Creating an assessment

This topic builds on the Getting started: Creating an assessment tutorial. It contains detailed instructions on how to create an assessment from a framework. Follow these steps to create an assessment and start the ongoing collection of evidence.

Step 1: Specify assessment details

Start by selecting a framework and providing basic information for your assessment.

To specify assessment details
  1. Open the AWS Audit Manager console at

  2. In the navigation pane, choose Assessments, and then choose Create assessment.

    • Alternatively, in the navigation pane, choose Getting started, and then choose Create assessment.

  3. Under Assessment name, enter a name for your assessment.

  4. (Optional) Under Assessment description, enter a description for your assessment.

  5. Under Assessment reports destination, select an existing Amazon S3 bucket where you intend to save your assessment reports.


    The default assessment report destination is based on your Audit Manager settings. For more information, see AWS Audit Manager settings, Assessment report destination. If you prefer, you can create and use multiple S3 buckets to help you organize your assessment reports.

  6. Under Frameworks, select the framework that you want to create your assessment from. You can also use the search bar to look up a framework by name, or by compliance standard or regulation.


    To learn more about a framework, choose the framework name. This opens the framework summary page. On this page, you can review the contents of that framework. This includes the controls and data sources of the framework.

  7. Under Tags, choose Add new tag to associate a tag with your assessment. You can specify a key and a value for each tag. The tag key is mandatory and can be used as a search criteria when you search for this assessment. For more information about tags in Audit Manager, see Tagging AWS Audit Manager resources.

  8. Choose Next.


It's important to make sure that your assessment collects the correct evidence for a given framework. Before you begin evidence collection, we recommend that you review the requirements for your chosen framework. Then, validate these requirements against your current AWS Config rule parameters. To ensure that your rule parameters align with framework requirements, you can update the rule in AWS Config.

For example, suppose that you’re creating an assessment for CIS v1.2.0. This framework has a control named 1.9 – Ensure IAM password policy requires a minimum length of 14 or greater. In AWS Config, the iam-password-policy rule has a MinimumPasswordLength parameter that checks password length. The default value for this parameter is 14 characters. As a result, the rule aligns with the control requirements. If you aren’t using the default parameter value, ensure that the value you’re using is equal to or greater than the 14 character requirement from CIS v1.2.0. You can find the default parameter details for each managed rule in the AWS Config documentation.
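The validation described above can be scripted rather than done by hand in the console. The following Python is an added example, not code from the Audit Manager guide: it reads rule descriptions in the shape that the AWS Config `describe_config_rules` API returns, works out the value each rule actually evaluates with (the explicit `InputParameters` entry, or the documented default of 14 when the parameter is not set), and reports whether it meets the 14-character requirement of CIS v1.2.0 control 1.9. The two rule descriptions are constructed sample data, and the `iam-password-policy-custom` rule name is invented for the example; `fetch_live_rules` shows how the same check would be fed from a real account but is not called offline.

```python
"""Check an AWS Config managed rule's parameters against a framework control.

Added example (not from the Audit Manager guide). It mirrors the check the
page describes: confirm that the iam-password-policy rule's
MinimumPasswordLength is at least the 14 characters that CIS v1.2.0
control 1.9 requires.
"""
import json

# Documented default for the managed rule's parameter, keyed by the managed
# rule identifier that AWS Config reports in Source.SourceIdentifier.
MANAGED_RULE_DEFAULTS = {
    "IAM_PASSWORD_POLICY": {"MinimumPasswordLength": 14},
}

# Constructed sample in the shape returned by describe_config_rules():
# InputParameters is a JSON-encoded string, "{}" when the defaults are in use.
SAMPLE_RULES = [
    {
        "ConfigRuleName": "iam-password-policy",
        "Source": {"Owner": "AWS", "SourceIdentifier": "IAM_PASSWORD_POLICY"},
        "InputParameters": "{}",
    },
    {
        "ConfigRuleName": "iam-password-policy-custom",  # constructed name
        "Source": {"Owner": "AWS", "SourceIdentifier": "IAM_PASSWORD_POLICY"},
        "InputParameters": '{"MinimumPasswordLength": "8"}',
    },
]


def effective_parameter(rule, param):
    """Value the rule really evaluates with: the explicit InputParameters
    entry if set, otherwise the managed rule's documented default."""
    params = json.loads(rule.get("InputParameters") or "{}")
    if param in params:
        return int(params[param])  # Config stores parameter values as strings
    identifier = rule["Source"]["SourceIdentifier"]
    return MANAGED_RULE_DEFAULTS[identifier][param]


def check_password_length(rule, required=14):
    """Compare the effective MinimumPasswordLength with the control requirement."""
    value = effective_parameter(rule, "MinimumPasswordLength")
    return {
        "rule": rule["ConfigRuleName"],
        "effective": value,
        "required": required,
        "aligned": value >= required,
    }


def check_all(rules, required=14):
    """Run the alignment check over every rule description given."""
    return [check_password_length(rule, required) for rule in rules]


def fetch_live_rules(rule_names, region=None):
    """Pull real rule definitions with boto3; not called in the offline run."""
    import boto3  # imported lazily so the example runs without boto3 installed
    client = boto3.client("config", region_name=region)
    return client.describe_config_rules(ConfigRuleNames=rule_names)["ConfigRules"]


if __name__ == "__main__":
    for result in check_all(SAMPLE_RULES):
        status = "OK" if result["aligned"] else "MISALIGNED"
        print(f'{status}: {result["rule"]} MinimumPasswordLength={result["effective"]} '
              f'(required >= {result["required"]})')
```

Run against the sample data, the first rule is reported as aligned (it uses the default of 14) and the second as misaligned (it overrides the parameter to 8). To check a real account, pass the output of `fetch_live_rules(["iam-password-policy"])` to `check_all` instead of `SAMPLE_RULES`.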

Step 2: Specify AWS accounts in scope

You can specify multiple AWS accounts to be in the scope of an assessment. Audit Manager supports multiple accounts through integration with AWS Organizations. This means that Audit Manager assessments can be run over multiple accounts, with the evidence that's collected consolidated into a delegated administrator account. To enable Organizations in Audit Manager, see Enable AWS Organizations (optional).


Audit Manager can support up to approximately 150 accounts in the scope of an assessment. If you try to include over 150 accounts, the assessment creation might fail.

To specify AWS accounts in scope
  1. Under AWS accounts, select the AWS accounts that you want to include in the scope of your assessment.

    • If you enabled Organizations in Audit Manager, multiple accounts are displayed. You can choose one or more accounts from the list. Alternatively, you can also search for an account by the account name, ID, or email.

    • If you didn't enable Organizations in Audit Manager, only your current AWS account is listed.

  2. Choose Next.


When an in-scope account is removed from your organization, Audit Manager no longer collects evidence for that account. However, the account continues to show in your assessment under the AWS accounts tab. To remove the account from the list of accounts in scope, you can edit the assessment. The removed account no longer shows in the list during editing, and you can save your changes without that account in scope.

Step 3: Specify AWS services in scope

The framework that you selected earlier defines the AWS services that Audit Manager monitors and collects evidence for. If a listed AWS service isn't selected, or it's selected but you didn't enable it in your environment, then Audit Manager doesn't collect evidence from resources related to that service.

You can specify the AWS services in scope as follows.

When you use the Audit Manager console to create an assessment from a standard framework, the list of AWS services in scope is selected by default. This list can’t be edited. This is because Audit Manager automatically maps and selects the data sources and services for you. This selection is made according to the requirements of the standard framework. If the standard framework that you selected contains only manual controls, no AWS services are in scope for your assessment, and you can't add any services to your assessment.

To proceed, review the list and choose Next.


If you need to edit the list of services in scope, you can do so by using the CreateAssessment API that's provided by Audit Manager.

Alternatively, you can customize the standard framework and then create an assessment from the custom framework.

If you selected a custom framework in step 1, you can review and modify the list of AWS services that are in scope for your assessment. If the custom framework that you selected contains manual controls only, all AWS services are displayed but none are selected. You can select zero or more services to be in the scope of your assessment.

To specify AWS services in scope (for assessments created from custom frameworks only)
  1. Under AWS services, select the services that you want to include in your assessment. You can find additional services by using the search bar to search by service, category, or description. To add a service, select the check box next to the service name. To remove a service, clear the check box.

  2. When you're finished selecting AWS services, choose Next.
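Because the console does not let you edit the services in scope for a standard framework, the route mentioned above is the CreateAssessment API. The following Python is an added example, not code from the Audit Manager guide or the AWS SDK: it assembles the keyword arguments for the boto3 `create_assessment` call with the account and service scope, the S3 reports destination and the audit-owner role, and checks the request against the constraints this page states (at least one account, no more than roughly 150 accounts, an `s3://` destination) before anything is sent. The framework ID, role ARN, bucket name, account IDs and service names are constructed placeholders; `create_assessment` performs the real API call and is not executed offline.

```python
"""Build and sanity-check a CreateAssessment request for AWS Audit Manager.

Added example (not from the Audit Manager guide). The request shape follows
boto3's AuditManager.Client.create_assessment(); every concrete value below
is a constructed placeholder.
"""

MAX_ACCOUNTS_IN_SCOPE = 150  # approximate limit stated in the Audit Manager guide

# Constructed placeholders: replace with values from your own environment.
FRAMEWORK_ID = "00000000-0000-0000-0000-000000000000"  # placeholder framework ID
AUDIT_OWNER_ROLE_ARN = "arn:aws:iam::111122223333:role/AuditOwnerExample"  # placeholder
REPORTS_BUCKET = "s3://example-audit-reports-bucket"  # placeholder S3 destination


def validate_scope(account_ids, reports_destination):
    """Return the problems that would make creation fail or misconfigure the assessment."""
    problems = []
    if not account_ids:
        problems.append("at least one AWS account must be in scope")
    if len(set(account_ids)) != len(account_ids):
        problems.append("duplicate account IDs in scope")
    if len(account_ids) > MAX_ACCOUNTS_IN_SCOPE:
        problems.append(f"{len(account_ids)} accounts exceeds the ~{MAX_ACCOUNTS_IN_SCOPE} account limit")
    malformed = [a for a in account_ids if not (a.isdigit() and len(a) == 12)]
    if malformed:
        problems.append(f"malformed account IDs: {malformed}")
    if not reports_destination.startswith("s3://"):
        problems.append("assessment reports destination must be an s3:// URI")
    return problems


def build_create_assessment_request(name, framework_id, account_ids, service_names,
                                    owner_role_arns, reports_destination,
                                    description="", tags=None):
    """Assemble the keyword arguments for create_assessment(); raise on a bad scope."""
    problems = validate_scope(account_ids, reports_destination)
    if problems:
        raise ValueError("; ".join(problems))
    request = {
        "name": name,
        "description": description,
        "assessmentReportsDestination": {
            "destinationType": "S3",
            "destination": reports_destination,
        },
        "scope": {
            "awsAccounts": [{"id": account_id} for account_id in account_ids],
            "awsServices": [{"serviceName": service} for service in service_names],
        },
        # PROCESS_OWNER is the role type Audit Manager uses for audit owners.
        "roles": [{"roleType": "PROCESS_OWNER", "roleArn": arn} for arn in owner_role_arns],
        "frameworkId": framework_id,
    }
    if tags:
        request["tags"] = tags
    return request


def create_assessment(request, region=None):
    """Submit the request with boto3 (real API call; not executed in this offline example)."""
    import boto3  # imported lazily so the example runs without boto3 installed
    client = boto3.client("auditmanager", region_name=region)
    return client.create_assessment(**request)


if __name__ == "__main__":
    request = build_create_assessment_request(
        name="CIS v1.2.0 example assessment",
        framework_id=FRAMEWORK_ID,
        account_ids=["111122223333", "444455556666"],  # constructed account IDs
        service_names=["IAM", "S3"],                   # constructed service list
        owner_role_arns=[AUDIT_OWNER_ROLE_ARN],
        reports_destination=REPORTS_BUCKET,
        tags={"environment": "example"},
    )
    print(request)
```

Calling `validate_scope` before `create_assessment` catches the over-150-account case, which the page says may otherwise fail only at creation time, and a non-`s3://` destination, which would be rejected by the API. When the scope passes, `create_assessment(request)` submits it; the returned assessment ID is what you use for later edits to the scope.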

Step 4: Specify audit owners

In this step, you specify the audit owners for your assessment. Audit owners are the individuals in your workplace—usually from GRC, SecOps, or DevOps teams—who are responsible for managing the Audit Manager assessment. We recommend that they use the AWSAuditManagerAdministratorAccess policy.

To specify audit owners
  1. Under Audit owners, review the current list of audit owners. The Audit owner column displays the user IDs and roles. The AWS account column displays the associated AWS account of that audit owner.

  2. Audit owners that have a selected check box are included in your assessment. Clear the check box for any audit owner to remove them from the assessment. You can find additional audit owners by using the search bar to search by name or AWS account.

  3. When you're finished, choose Next.

Step 5: Review and create

Review the information for your assessment. To change the information for a step, choose Edit. When you're finished, choose Create assessment.

This action starts the ongoing collection of evidence for your assessment. After you create an assessment, evidence collection continues until you change the assessment status to inactive. Alternatively, you can stop evidence collection for a specific control by changing the control status to inactive.


Automated evidence becomes available 24 hours after your assessment is created. Audit Manager automatically collects evidence from multiple data sources, and the frequency of that evidence collection is based on the evidence type. To learn more, see Evidence collection frequency in this guide.

What can I do next?

After you create your assessment, you can learn more about the following: