Prerequisites Procedure Next steps Additional resources

Making an editable copy of a control in AWS Audit Manager

Instead of creating a custom control from scratch, you can use an existing standard control or custom control as a starting point and make an editable copy that meets your needs. When you do this, the existing standard control remains in the control library, and a new control is created with your custom settings.

Prerequisites

Make sure your IAM identity has appropriate permissions to create a custom framework in AWS Audit Manager. Two suggested policies that grant these permissions are AWSAuditManagerAdministratorAccess and Allow users management access to AWS Audit Manager.

To successfully collect evidence from AWS Config and Security Hub, make sure that you do the following:

Enable AWS Config, then apply the required settings for using AWS Config with Audit Manager.
Enable Security Hub, then apply the required settings for using Security Hub with Audit Manager.

Audit Manager can then collect evidence each time an evaluation occurs for a given AWS Config rule or Security Hub control.

Procedure

Tasks

Step 1: Specify control details
Step 2: Specify evidence sources
Step 3: (Optional): Define an action plan
Step 4: Review and create the control

Step 1: Specify control details

The control details are inherited from the original control. Review and modify these details as needed.

Important

We strongly recommend that you never put sensitive identifying information into free-form fields such as Control details or Testing information. If you create custom controls that contain sensitive information, you can’t share any of your custom frameworks that contain these controls.

To specify control details

Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.
In the navigation pane, choose Control library.
Select the standard control or custom control that you want to make changes to, and then choose Make a copy.
Specify the new name of the control, and choose Continue.
Under Control details, customize the control details as needed.
Under Testing information, make changes to the instructions as needed.
Under Tags, customize the tags as needed.
Choose Next.

Step 2: Specify evidence sources

Evidence sources are inherited from the original control. You can change, add, or remove evidence sources as needed.

Tip

We recommend that you start by choosing one or more common controls. If you have more fine-grained compliance requirements, you can also choose one or more specific core controls.

To specify an AWS managed source

Under AWS managed sources, review the current selections and make changes as needed.
To add a common control, follow these steps:
1. Select Use a common control that matches your compliance goal.
2. Choose a common control from the dropdown list.
3. (Optional) Repeat step 2 as needed. You can add up to five common controls.
To remove a common control, choose the X next to the control name.
To add a core control, follow these steps:
1. Select Use a core control that matches a prescriptive AWS guideline.
2. Choose a common control from the dropdown list.
3. (Optional) Repeat step 4 as needed. You can add up to 50 core controls.
To remove a core control, choose the X next to the control name.
To edit customer managed data sources, use the following procedure. Otherwise, choose Next.

To collect automated evidence from a data source, you must choose a data source type and a data source mapping. These details map to your AWS usage, and tell Audit Manager where to collect the evidence from. If you want to provide your own evidence, you’ll choose a manual data source instead.

Note

You're responsible for maintaining the data source mappings that you create in this step.

To specify a customer managed source

Under Customer managed sources, review the current data sources and make changes as needed.
To remove a data source, select a data source from the table and choose Remove.
To add a new data source, follow these steps:
1. Select Use a data source to collect manual or automated evidence.
2. Choose Add.
3. Choose one of the following options:
  - Choose AWS API calls, then choose an API call and an evidence collection frequency.
  - Choose AWS CloudTrail event, then choose an event name.
  - Choose AWS Config managed rule, then choose a rule identifier.
  - Choose AWS Config custom rule, then choose a rule identifier.
  - Choose AWS Security Hub control, then choose a Security Hub control.
  - Choose Manual data source, then choose an option:
    File upload – Use this option if the control requires documentation as evidence.
    
    Text response – Use this option if the control requires an answer to a risk assessment question.
  Tip
  For information about automated data source types and troubleshooting tips, see Supported data source types for automated evidence.
  If you need to validate your data source setup with an expert, choose Manual data source for now. That way, you can create the control and add it to a framework now, and then edit the control as needed later.
4. Under Data source name, provide a descriptive name.
5. (Optional) Under Additional details, enter a data source description and a troubleshooting description.
6. Choose Add data source.
7. (Optional) To add another data source, choose Add and repeat step 3. You can add up to 100 data sources.
When you're finished, choose Next.

Step 3: (Optional): Define an action plan

The action plan is inherited from the original control. You can edit this action plan as needed.

Important

We strongly recommend that you never put sensitive identifying information into free-form fields such as Action plan. If you create custom controls that contain sensitive information, you can’t share any of your custom frameworks that contain these controls.

To specify instructions

Under Title, review the title and make changes as needed.
Under Instructions, review the instructions and make changes as needed.
Choose Next.

Step 4: Review and create the control

Review the information for the control. To change the information for a step, choose Edit. When you're finished, choose Create custom control.

Next steps

After you create a new custom control, you can add it to a custom framework. To learn more, see Creating a custom framework in AWS Audit Manager or Editing a custom framework in AWS Audit Manager.

After you add a custom control to a custom framework, you can create an assessment and start collecting evidence. To learn more, see Creating an assessment in AWS Audit Manager.

To revisit your custom control at a later date, see Finding the available controls in AWS Audit Manager. You can follow these steps to locate your custom control so that you can view, edit, or delete it.

Additional resources

For solutions to control issues in Audit Manager, see Troubleshooting control and control set issues.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Creating from scratch

Editing a custom control