Creating an assessment

You can use a framework in AWS Audit Manager to create an assessment and define the accounts and services that you want to include in your audit. This topic builds on the Creating an assessment tutorial. It contains detailed instructions on how to create an assessment using the framework and settings of your choice.

Step 1: Specify assessment details

Start by selecting a framework and providing basic information for your assessment.

To specify assessment details

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the navigation pane, choose Assessments, and then choose Create assessment.

    • Alternatively, in the navigation pane, choose Getting started, and then choose Create assessment.

  3. Under Assessment name, enter a name for your assessment.

  4. (Optional) Under Assessment description, enter a description for your assessment.

  5. Under Assessment reports destination, select an existing Amazon S3 bucket where you intend to save your assessment reports.

  6. Under Frameworks, select the framework that you want to create your assessment from. You can also use the search bar to look up a framework by name, or by compliance standard or regulation.

  7. Under Tags, choose Add new tag to associate a tag with your assessment. You can specify a key and a value for each tag. The tag key is mandatory and can be used as a search criterion when you search for this assessment. For more information about tags in AWS Audit Manager, see Tagging AWS Audit Manager resources.

  8. Choose Next.

Tip
  • To learn more about a framework before selecting one, choose the framework name. This opens the framework summary page. On this page, you can review the contents of that framework, such as all of its controls and data sources.

  • The default assessment report destination is based on your AWS Audit Manager settings. For more information, see AWS Audit Manager settings, Assessment report destination. If you'd prefer, you can create and use multiple S3 buckets to help you organize your assessment reports.

Step 2: Specify AWS accounts in scope

Specify the accounts to include in the scope of your assessment.

You can specify multiple AWS accounts to be in the scope of an assessment. AWS Audit Manager supports multiple accounts through integration with AWS Organizations. This means that Audit Manager assessments can be run over multiple accounts, with the evidence that's collected consolidated into a delegated administrator account. To enable Organizations in AWS Audit Manager, see Step 3: Enable AWS Organizations (optional).

To specify AWS accounts in scope

  1. Under AWS accounts, select the AWS accounts that you want to include in the scope of your assessment.

    • If you enabled Organizations in AWS Audit Manager, multiple accounts are displayed. You can choose one or more accounts from the list. You can also search for an account by the account name, ID, or email.

    • If you didn't enable Organizations in Audit Manager, only your current AWS account is listed.

  2. Choose Next.

Note

When an in-scope account is removed from your organization, AWS Audit Manager no longer collects evidence for that account. However, the account continues to show in your assessment under the AWS accounts tab. To remove the account from the list of accounts in scope, you can edit the assessment. The removed account no longer shows in the list during editing, and you can save your changes without that account in scope.

Step 3: Specify AWS services in scope

The framework that you selected earlier defines the AWS services that Audit Manager monitors and collects evidence for. If a listed AWS service isn't selected, or it's selected but you haven't subscribed to it in your environment, then Audit Manager doesn't collect evidence from resources related to that service.

You can specify the AWS services in scope as follows.

If you selected a standard framework in step 1, the list of AWS services in scope is selected by default and can’t be edited. This is because when you create an assessment from a standard framework, Audit Manager automatically maps and selects the data sources and services for you. This selection is made according to the requirements of the standard framework. If the standard framework that you selected contains only manual controls, no AWS services are in scope for your assessment, and you can't add any services.

To proceed, review the list and choose Next.

Tip

If you’ve selected a standard framework and you want to be able to edit the services in scope, we recommend that you customize the framework and then use the custom framework to create your assessment.

If you selected a custom framework in step 1, you can review and modify the list of AWS services that are in scope for your assessment. If the custom framework that you selected contains manual controls only, all AWS services are displayed but none are selected. You can select zero or more services to be in the scope of your assessment.

To specify AWS services in scope (for assessments created from custom frameworks only)

  1. Under AWS services, select the services that you want to include in your assessment. You can find additional services by using the search bar to search by service, category, or description. To add a service, select the check box next to the service name. To remove a service, clear the check box.

  2. When you're finished selecting AWS services, choose Next.

Step 4: Specify audit owners

In this step, you specify the audit owners for your assessment. Audit owners are the individuals who drive audit preparation across your organization. Audit owners must have the necessary permissions to manage the assessment. We recommend that you use the AWSAuditManagerAdministratorAccess policy.

To specify audit owners

  1. Under Audit owners, review the current list of audit owners. The Audit owner column displays the IAM user IDs and roles. The AWS account column displays the associated AWS account of that audit owner.

  2. Audit owners that have a selected check box are included in your assessment. Clear the check box for any audit owner to remove them from the assessment. You can find additional audit owners by using the search bar to search by name or AWS account.

    • If you're an administrator and you need to create a new IAM identity for an audit owner, see I'm an administrator and want to allow others to access AWS Audit Manager.

    • If you want to create a new IAM identity for an audit owner and you don't have the permissions to do so, contact your administrator for assistance. Your administrator is the person who provided you with your user name and password.

  3. When you're finished, choose Next.

Step 5: Review and create

Review the information for your assessment. To change the information for a step, choose Edit. When you're finished, choose Create assessment.

Note

Automated evidence becomes available 24 hours after your assessment is created. AWS Audit Manager automatically collects evidence from multiple data sources, and the frequency of that evidence collection is based on the evidence type. To learn more, see Evidence collection frequency in this guide.
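The five console steps above map one-to-one onto the parameters of the `CreateAssessment` API. The following is an added example, not code from this guide or from AWS, that builds and sanity-checks the keyword arguments for the boto3 `auditmanager.create_assessment` call so the same assessment can be created from a script or pipeline. The framework ID, account IDs, role ARN, bucket name and tags are constructed placeholders; the parameter names follow the public boto3 `create_assessment` signature, in which audit owners are supplied as roles with the `PROCESS_OWNER` role type.

```python
"""Build and validate an Audit Manager CreateAssessment request (added example)."""
import json
import re

# Constructed sample values standing in for the choices made in the console.
SAMPLE_FRAMEWORK_ID = "11111111-2222-3333-4444-555555555555"   # placeholder
SAMPLE_ACCOUNTS = [                                             # placeholder accounts
    {"id": "111122223333", "emailAddress": "audit@example.com", "name": "prod"},
    {"id": "444455556666", "emailAddress": "audit@example.com", "name": "dev"},
]
SAMPLE_SERVICES = ["cloudtrail", "iam", "s3"]                   # placeholder services
SAMPLE_AUDIT_OWNER_ARN = "arn:aws:iam::111122223333:role/AuditOwner"  # placeholder
SAMPLE_REPORT_DESTINATION = "s3://example-audit-reports"        # placeholder bucket

_ACCOUNT_ID = re.compile(r"^\d{12}$")
_IAM_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:(role|user)/.+$")


def build_create_assessment_request(name, framework_id, report_destination,
                                    accounts, services, audit_owner_arns,
                                    description=None, tags=None):
    """Return keyword arguments for boto3 ``auditmanager.create_assessment``.

    Step 1 -> name, description, assessmentReportsDestination, frameworkId, tags
    Step 2 -> scope.awsAccounts
    Step 3 -> scope.awsServices
    Step 4 -> roles (audit owners use the PROCESS_OWNER role type)
    The checks below catch the mistakes the console would refuse interactively.
    """
    if not name:
        raise ValueError("assessment name is required")
    if not framework_id:
        raise ValueError("frameworkId is required")
    if not report_destination.startswith("s3://"):
        raise ValueError("report destination must be an s3:// URI")
    if not accounts:
        raise ValueError("at least one AWS account must be in scope")
    for acct in accounts:
        if not _ACCOUNT_ID.match(acct.get("id", "")):
            raise ValueError(f"invalid account id {acct.get('id')!r}")
    if not audit_owner_arns:
        raise ValueError("at least one audit owner is required")
    for arn in audit_owner_arns:
        if not _IAM_ARN.match(arn):
            raise ValueError(f"invalid IAM ARN {arn!r}")
    for key in (tags or {}):
        if not key:
            raise ValueError("tag keys are mandatory")

    request = {
        "name": name,
        "assessmentReportsDestination": {
            "destinationType": "S3",
            "destination": report_destination,
        },
        "scope": {
            "awsAccounts": [dict(a) for a in accounts],
            "awsServices": [{"serviceName": s} for s in services],
        },
        "roles": [{"roleType": "PROCESS_OWNER", "roleArn": arn}
                  for arn in audit_owner_arns],
        "frameworkId": framework_id,
    }
    if description:
        request["description"] = description
    if tags:
        request["tags"] = dict(tags)
    return request


def create_assessment(client, **kwargs):
    """Submit the request; ``client`` is a ``boto3.client('auditmanager')``."""
    return client.create_assessment(**build_create_assessment_request(**kwargs))


if __name__ == "__main__":
    req = build_create_assessment_request(
        name="example-assessment",
        framework_id=SAMPLE_FRAMEWORK_ID,
        report_destination=SAMPLE_REPORT_DESTINATION,
        accounts=SAMPLE_ACCOUNTS,
        services=SAMPLE_SERVICES,
        audit_owner_arns=[SAMPLE_AUDIT_OWNER_ARN],
        description="Quarterly review",
        tags={"Environment": "prod"},
    )
    print(json.dumps(req, indent=2))
    # With credentials configured:  create_assessment(boto3.client("auditmanager"), ...)
```

Running the block prints the request as JSON without calling AWS; pass a real client to `create_assessment` to submit it. For an assessment created from a standard framework, the service list is fixed by the framework (see step 3), so leave `services` as the framework defines it or customize the framework first.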

What can I do next?

After you create your assessment, you can learn more about the following: