Creating an assessment in AWS Audit Manager

This topic builds on the Tutorial for Audit Owners: Creating an assessment. You'll find detailed instructions on this page that show you how to create an assessment from a framework. Follow these steps to create an assessment and start the ongoing collection of evidence.

Prerequisites

Before you start this tutorial, make sure that you meet the following conditions:

• You completed all the prerequisites that are described in Setting up AWS Audit Manager with the recommended settings. You must use your AWS account and the Audit Manager console to complete this tutorial.

• Your IAM identity has appropriate permissions to create and manage an assessment in Audit Manager. Two suggested policies that grant these permissions are AWSAuditManagerAdministratorAccess and Allow users management access to AWS Audit Manager.

Procedure

Tasks

• Step 1: Specify assessment details
• Step 2: Specify AWS accounts in scope
• Step 3: Specify audit owners
• Step 4: Review and create

Step 1: Specify assessment details

Start by selecting a framework and providing basic information for your assessment.

To specify assessment details

1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

2. In the navigation pane, choose Assessments, and then choose Create assessment.

3. Under Name, enter a name for your assessment.

4. (Optional) Under Description, enter a description for your assessment.

5. Under Assessment reports destination, select the S3 bucket where you want to save your assessment reports.

   Tip

   The default assessment report destination is based on your assessment settings. If you prefer, you can create and use multiple S3 buckets to help you organize your assessment reports for different assessments.

6. Under Select framework, select the framework that you want to create your assessment from. You can also use the search bar to look up a framework by name, or by compliance standard or regulation.

   Tip

   To learn more about a framework, choose the framework name to see the framework details page.

7. (Optional) Under Tags, choose Add new tag to associate a tag with your assessment. You can specify a key and a value for each tag. The tag key is mandatory and can be used as a search criteria when you search for this assessment.

8. Choose Next.

Note

It's important to make sure that your assessment collects the correct evidence for a given framework. Before you start evidence collection, we recommend that you review the requirements for your chosen framework. Then, validate these requirements against your current AWS Config rule parameters. To ensure that your rule parameters align with framework requirements, you can update the rule in AWS Config.

For example, suppose that you’re creating an assessment for CIS v1.2.0. This framework has a control named 1.9 – Ensure IAM password policy requires a minimum length of 14 or greater. In AWS Config, the iam-password-policy rule has a MinimumPasswordLength parameter that checks password length. The default value for this parameter is 14 characters. As a result, the rule aligns with the control requirements. If you aren’t using the default parameter value, ensure that the value you’re using is equal to or greater than the 14 character requirement from CIS v1.2.0. You can find the default parameter details for each managed rule in the AWS Config documentation.

Step 2: Specify AWS accounts in scope

You can specify multiple AWS accounts to be in the scope of an assessment. Audit Manager supports multiple accounts through integration with AWS Organizations. This means that Audit Manager assessments can be run over multiple accounts, and the evidence that's collected is consolidated into a delegated administrator account. To enable Organizations in Audit Manager, see Enable and set up AWS Organizations (optional).

Note

Audit Manager can support up to 200 accounts in the scope of an assessment. If you try to include over 200 accounts, the assessment creation might fail.

To specify AWS accounts in scope

1. Under AWS accounts, select the AWS accounts that you want to include in the scope of your assessment.

   • If you enabled Organizations in Audit Manager, multiple accounts are displayed. You can choose one or more accounts from the list. Alternatively, you can also search for an account by the account name, ID, or email.

   • If you didn't enable Organizations in Audit Manager, only your current AWS account is listed.

2. Choose Next.

Note

When an in-scope account is removed from your organization, Audit Manager no longer collects evidence for that account. However, the account continues to show in your assessment under the AWS accounts tab. To remove the account from the list of accounts in scope, edit the assessment. The removed account no longer shows in the list during editing, and you can save your changes without that account in scope.

Step 3: Specify audit owners

In this step, you specify the audit owners for your assessment. Audit owners are the individuals in your workplace—usually from GRC, SecOps, or DevOps teams—who are responsible for managing the Audit Manager assessment. We recommend that they use the AWSAuditManagerAdministratorAccess policy.

To specify audit owners

1. Under Audit owners, review the current list of audit owners. The Audit owner column displays the user IDs and roles. The AWS account column displays the AWS account of that audit owner.

2. Audit owners that have a selected check box are included in your assessment. Clear the check box for any audit owner to remove them from the assessment. You can find additional audit owners by using the search bar to search by name or AWS account.

3. When you're finished, choose Next.

Step 4: Review and create

Review the information for your assessment. To change the information for a step, choose Edit. When you're finished, choose Create assessment.

This action starts the ongoing collection of evidence for your assessment. After you create an assessment, evidence collection continues until you change the assessment status to inactive. Alternatively, you can stop evidence collection for a specific control by change the control status to inactive.

Note

Automated evidence becomes available 24 hours after your assessment is created. Audit Manager automatically collects evidence from multiple data sources, and the frequency of that evidence collection is based on the evidence type. To learn more, see Evidence collection frequency in this guide.

Next steps

To revisit your assessment at a later date, see Finding your assessments in AWS Audit Manager. You can follow these steps to locate your assessment so that you can view, edit, or continue working on it.

Additional resources

For solutions to assessment issues in Audit Manager, see Troubleshooting assessment and evidence collection issues.