Creating a new custom control from scratch - AWS Audit Manager

Creating a new custom control from scratch

You can create a new custom control from scratch by following these steps.

Important

We strongly recommend that you never put sensitive identifying information into free-form fields such as Control details, Testing information, or Action plan. If you create custom controls that contain sensitive information, you can’t share any of your custom frameworks that contain these controls.

Step 1: Specify control details

Start by specifying the details of your custom control.

To specify control details
  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the navigation pane, choose Control library, and then choose Create custom control.

  3. Under Control details, enter the following information about the control.

    • Control – Enter a friendly name, a title, or a risk assessment question. This value helps you to identify your control in the control library.

    • Description (optional) – Enter details to help others understand the control's objective. This description appears on the control details page.

  4. Under Testing information, enter the recommended steps for testing the control.

  5. Under Tags, choose Add new tag to associate a tag with the control. You can specify a key for each tag that best describes the compliance framework that this control supports. The tag key is mandatory and can be used as a search criterion when you search for this control in the control library.

  6. Choose Next.

Step 2: Set up data sources

Next, define up to 10 data sources. A data source determines where your custom control collects evidence from.

If you want to collect automated evidence, each data source must include a data source type and a data source mapping. These details map to your AWS usage, and tell Audit Manager where to collect the evidence from. If you want to provide your own evidence instead, you’ll name your data source and then choose a manual evidence option.

Important

To successfully use AWS Config and Security Hub as automated data sources, make sure that you do the following:

  • Follow the instructions to set up AWS Config and set up Security Hub for use with Audit Manager.

  • Include both AWS Config and Security Hub as services in scope in your assessment.

Audit Manager can then collect evidence each time an evaluation occurs for the AWS Config rules or the Security Hub controls that you specify in this step.

To set up data sources
  1. Under Data source name, replace the placeholder text with a descriptive name for the data source.

  2. Under Evidence collection method, choose how you want to collect evidence for this control.

    1. If you want Audit Manager to collect evidence, choose Automated and follow these steps:

      • Under Data source type, specify where Audit Manager collects automated evidence from.

        • For AWS CloudTrail, choose an event name keyword from the dropdown list.

        • For AWS Config, select a rule type and then choose a rule identifier keyword from the dropdown list.

        • For AWS Security Hub, choose a Security Hub control from the dropdown list.

        • For AWS API calls, choose an API call and then select an evidence collection frequency.

        Tip

        For an overview of each data source type and related troubleshooting tips, see Overview of automated data sources.

        If you need to validate your data source configuration with a domain expert, set the evidence collection method as Manual for now. That way, you can create the control and add it to a framework now, and then edit the control as needed later.

    2. If you want to provide your own evidence, choose Manual and select a Manual evidence option.

      • File upload – Select this option if the control requires documentation as evidence.

      • Text response – Select this option if the control requires an answer to a risk assessment question.

  3. (Optional) Under Additional details, enter a data source description and a troubleshooting description.

  4. (Optional) To add another data source, choose Add data source and repeat steps 1-3.

  5. (Optional) To remove a data source, choose Remove at the top of the data source configuration box.

  6. When you're finished, choose Next.

Step 3 (Optional): Define an action plan

Next, specify the actions to take if this control needs to be remediated.

To define an action plan
  1. Under Title, enter a descriptive title for the action plan.

  2. Under Action plan instructions, enter detailed instructions for the action plan.

  3. Choose Next.

Step 4: Review and create the control

Review the information for the control. To change the information for a step, choose Edit.

When you're finished, choose Create custom control.
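The same control expressed as an API request rather than a console click-through, as an added example that is not part of this page or of AWS's own documentation. It assumes the field names of the Audit Manager CreateControl API (controlMappingSources, sourceType, sourceKeyword, sourceFrequency) and enforces the rules stated above: at most 10 data sources, every automated source carries a mapping keyword, AWS API call sources carry a collection frequency, and manual sources use either File upload or Text response. The sample control and its data sources are constructed.

```python
"""Build and validate a CreateControl request that mirrors Steps 1-3 above."""
MAX_DATA_SOURCES = 10  # page limit: a custom control may define up to 10 data sources
AUTOMATED_TYPES = {"AWS_Cloudtrail", "AWS_Config", "AWS_Security_Hub", "AWS_API_Call"}
FREQUENCIES = {"DAILY", "WEEKLY", "MONTHLY"}
MANUAL_OPTIONS = {"File upload": "UPLOAD_FILE", "Text response": "INPUT_TEXT"}

def automated_source(name, source_type, keyword, frequency=None, troubleshooting=""):
    """Step 2, Automated: a data source type plus the keyword that maps it to AWS usage."""
    if source_type not in AUTOMATED_TYPES or not keyword:
        raise ValueError("automated sources need a supported type and a mapping keyword")
    if source_type == "AWS_API_Call" and frequency not in FREQUENCIES:
        raise ValueError("AWS API call sources need an evidence collection frequency")
    src = {"sourceName": name, "sourceSetUpOption": "System_Controls_Mapping",
           "sourceType": source_type, "troubleshootingText": troubleshooting,
           "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST", "keywordValue": keyword}}
    if frequency:  # only meaningful for AWS API call sources
        src["sourceFrequency"] = frequency
    return src

def manual_source(name, option):
    """Step 2, Manual: evidence is either an uploaded file or a text response."""
    if option not in MANUAL_OPTIONS:
        raise ValueError(f"manual evidence option must be one of {sorted(MANUAL_OPTIONS)}")
    return {"sourceName": name, "sourceSetUpOption": "Procedural_Controls_Mapping",
            "sourceType": "MANUAL",
            "sourceKeyword": {"keywordInputType": MANUAL_OPTIONS[option]}}

def build_control(name, sources, description="", testing="", action_title="",
                  action_instructions="", tags=None):
    """Steps 1-3 as one request body; rejects an empty name or too many data sources."""
    if not name:
        raise ValueError("Control name is required")
    if not 1 <= len(sources) <= MAX_DATA_SOURCES:
        raise ValueError(f"a control needs between 1 and {MAX_DATA_SOURCES} data sources")
    return {"name": name, "description": description, "testingInformation": testing,
            "actionPlanTitle": action_title, "actionPlanInstructions": action_instructions,
            "controlMappingSources": sources, "tags": tags or {}}

# Constructed sample: one Config rule, one CloudTrail event, one manual file upload.
SAMPLE = build_control("S3 buckets block public access", [
    automated_source("Config rule", "AWS_Config", "S3_BUCKET_PUBLIC_READ_PROHIBITED"),
    automated_source("Bucket policy changes", "AWS_Cloudtrail", "PutBucketPolicy"),
    manual_source("Exception approvals", "File upload")],
    testing="Confirm the Config rule reports COMPLIANT for every bucket in scope",
    tags={"framework": "internal-s3-baseline"})
```

The returned dictionary is shaped to be passed as keyword arguments to boto3's `auditmanager` client `create_control` call (Step 4), which this example leaves to the reader so that the builder runs offline.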

What can I do next?

After you create a new custom control, you can add it to a custom framework. To learn more, see Creating a custom framework or Editing a custom framework.

After you add the custom control to a custom framework, you can create an assessment from that custom framework and start collecting evidence. To learn more, see Creating an assessment.

For troubleshooting tips, see Troubleshooting control and control set issues.