Creating a new custom control from scratch
You can create a new custom control from scratch by following these steps.
Important
We strongly recommend that you never put sensitive identifying information into free-form fields such as Control details, Testing information, or Action plan. If you create custom controls that contain sensitive information, you can’t share any of your custom frameworks that contain these controls.
Step 1: Specify control details
Start by specifying the details of your custom control.
To specify control details
1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.
2. In the navigation pane, choose Control library, and choose Create custom control.
3. Under Control details, enter a name and description for the control.
4. Under Testing information, enter the recommended testing information. This should include the steps that you'd follow to determine if the control has been satisfied.
5. Under Tags, choose Add new tag to associate a tag with the control. You can specify a key for each tag that best describes the compliance framework that this control supports. The tag key is mandatory and can be used as a search criterion when you search for this control in the control library.
6. Choose Next.
Step 2: Set up data sources
Next, specify a data source to determine where you want to collect evidence from for this control. You can define up to 10 data sources for each custom control.
To set up data sources
1. Under Data source name, enter a descriptive name for the data source configuration.
2. Under Evidence collection method, choose how you want to collect evidence for this control.
   - If you want Audit Manager to collect evidence, choose Automated. Then, proceed to the next step to specify the data source type.
   - If you want to upload your own evidence, choose Manual. Then, proceed to the step after next to provide additional details.

   Tip
   You might need to validate your data source configuration with a domain expert. If you do, we recommend that you choose Manual for now. That way, you can create the control and add it to a framework now, and then edit the control to your specific requirements later on.
3. Under Data source type, specify where Audit Manager collects automated evidence from.
   - For AWS CloudTrail, choose an event name keyword from the dropdown list.
   - For AWS Config, select a rule type and then choose a rule identifier keyword from the dropdown list. For instructions on how to find the identifier for a rule, see the Troubleshooting section of this user guide.
   - For AWS Security Hub, choose a Security Hub control from the dropdown list.
   - For AWS API calls, choose an API call and then select an evidence collection frequency.

   Note
   The table at the end of this procedure provides a detailed overview of each of these options. For troubleshooting tips, see Troubleshooting controls and control set issues.
4. (Optional) Under Additional details, enter the following information.
   - A data source description
   - A troubleshooting description with the suggested actions to take if no evidence is collected from the data source
5. (Optional) To add another data source, choose Add data source and repeat steps 1-4.
6. (Optional) To remove an unwanted data source, choose Remove at the top of the data source configuration box.
7. When you're finished, choose Next.
Automated data sources
The following table provides an overview of each automated data source type.
| Data source type | Description | Evidence collection frequency | To use this data source type... | When this control is active in an assessment... |
|---|---|---|---|---|
| AWS CloudTrail | Tracks a specific user activity that's needed in your audit. | Continuous. | Choose from the dropdown list of event name keywords. | Audit Manager filters your CloudTrail logs based on the keyword that you choose. The processed logs are imported as User activity evidence. |
| AWS Config | Captures a snapshot of your resource security posture by reporting findings from AWS Config. | Based on the triggers that are defined in the AWS Config rule. | Select a rule type, and then choose a rule identifier keyword. If you choose Managed rule, you can choose from the dropdown list of supported AWS Config rule keywords. If you choose Custom rule, you can choose from a list of your available custom rules. | Audit Manager retrieves the findings for this rule directly from AWS Config. The result is imported as Compliance check evidence. |
| AWS Security Hub | Captures a snapshot of your resource security posture by reporting the result of a security check from Security Hub. | Based on the schedule of the Security Hub check. | Choose from the dropdown list of supported Security Hub controls. | Audit Manager retrieves the result of the security check directly from Security Hub. The result is imported as Compliance check evidence. |
| AWS API calls | Takes a snapshot of your resource configuration directly through an API call to the specified AWS service. | Daily, weekly, or monthly. | Choose from the dropdown list of supported API calls, and select your preferred frequency. | Audit Manager makes the API call based on the frequency that you specify. The response is imported as Configuration data evidence. |
Step 3 (Optional): Define an action plan
Next, specify the actions to take if this control needs to be remediated.
To define an action plan
1. Under Title, enter a descriptive title for the action plan.
2. Under Action plan instructions, enter detailed instructions for the action plan.
3. Choose Next.
Step 4: Review and create the control
Review the information for the control. To change the information for a step, choose Edit.
When you're finished, choose Create custom control.
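The four console steps above (control details, data sources, action plan, create) can also be driven from code. The following script is an added example, not part of this guide or of Audit Manager itself: it builds and validates a CreateControl request with the same structure the console produces, enforcing the limit of 10 data sources, the rule that only AWS API calls take a collection frequency, the mandatory tag key, and a rejection of free-form text that looks like identifying data (the point of the Important note at the top of the page). The request field names (`name`, `description`, `testingInformation`, `controlMappingSources`, `sourceType`, `sourceKeyword`, `sourceFrequency`, `tags`) follow the CreateControl API as I know it and should be checked against the API reference for your SDK version; the keyword values, sample text and sensitive-text heuristics are constructed for this example.

```python
"""Build and validate an Audit Manager CreateControl request that mirrors the
console steps: control details, data sources, action plan. Added example;
field names follow the CreateControl API, check them against the API reference."""
import re

MAX_DATA_SOURCES = 10  # limit stated in Step 2
AUTOMATED_TYPES = {"AWS_Cloudtrail", "AWS_Config", "AWS_Security_Hub", "AWS_API_Call"}
API_CALL_FREQUENCIES = {"DAILY", "WEEKLY", "MONTHLY"}

# Free-form fields the Important note says must not carry identifying data.
FREE_FORM_FIELDS = ("description", "testingInformation",
                    "actionPlanTitle", "actionPlanInstructions")
# Assumed heuristics: a bare 12-digit account ID or an IAM access key ID.
SENSITIVE_PATTERNS = (re.compile(r"\b\d{12}\b"), re.compile(r"\bAKIA[0-9A-Z]{16}\b"))


def automated_source(name, source_type, keyword, frequency=None,
                     description=None, troubleshooting=None):
    """One 'Automated' data source: CloudTrail, Config, Security Hub or API call."""
    if source_type not in AUTOMATED_TYPES:
        raise ValueError(f"unknown automated source type: {source_type}")
    # The console asks for a frequency only for AWS API calls (daily/weekly/monthly);
    # the other three types collect on their own schedule (see the table above).
    if source_type == "AWS_API_Call":
        if frequency not in API_CALL_FREQUENCIES:
            raise ValueError("AWS_API_Call needs frequency DAILY, WEEKLY or MONTHLY")
    elif frequency is not None:
        raise ValueError(f"{source_type} collects on its own schedule; no frequency")
    source = {
        "sourceName": name,
        "sourceSetUpOption": "System_Controls_Mapping",
        "sourceType": source_type,
        "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST", "keywordValue": keyword},
    }
    if frequency:
        source["sourceFrequency"] = frequency
    if description:          # the optional 'Additional details' fields of step 4
        source["sourceDescription"] = description
    if troubleshooting:
        source["troubleshootingText"] = troubleshooting
    return source


def manual_source(name, description=None, troubleshooting=None):
    """One 'Manual' data source: the evidence is uploaded by the user."""
    source = {"sourceName": name, "sourceSetUpOption": "Procedural_Controls_Mapping",
              "sourceType": "MANUAL"}
    if description:
        source["sourceDescription"] = description
    if troubleshooting:
        source["troubleshootingText"] = troubleshooting
    return source


def find_sensitive_text(request):
    """Names of free-form fields whose text matches one of the heuristics."""
    return [f for f in FREE_FORM_FIELDS
            if any(p.search(request.get(f) or "") for p in SENSITIVE_PATTERNS)]


def build_create_control_request(name, description, testing_information, sources,
                                 tags=None, action_plan_title=None,
                                 action_plan_instructions=None):
    """Assemble the request and apply the checks the console enforces."""
    if not 1 <= len(sources) <= MAX_DATA_SOURCES:
        raise ValueError(f"a control needs 1 to {MAX_DATA_SOURCES} data sources")
    if any(not key for key in (tags or {})):
        raise ValueError("tag keys are mandatory")
    request = {"name": name, "description": description,
               "testingInformation": testing_information,
               "controlMappingSources": list(sources)}
    if tags:
        request["tags"] = dict(tags)
    if action_plan_title:
        request["actionPlanTitle"] = action_plan_title
    if action_plan_instructions:
        request["actionPlanInstructions"] = action_plan_instructions
    flagged = find_sensitive_text(request)
    if flagged:
        raise ValueError(f"possible identifying data in free-form fields: {flagged}")
    return request


def create_control(request, region_name="us-east-1"):
    """Submit the request with boto3 (needs credentials; not exercised here)."""
    import boto3  # imported lazily so the builder above runs without the SDK
    return boto3.client("auditmanager", region_name=region_name).create_control(**request)


def example_request():
    """Constructed sample covering an automated, an API-call and a manual source.
    The keyword values are assumptions about the dropdown identifiers."""
    return build_create_control_request(
        name="Security group ingress is reviewed",
        description="Checks that security groups do not allow unrestricted SSH ingress.",
        testing_information="Confirm no security group allows 0.0.0.0/0 on port 22.",
        sources=[
            automated_source("Config rule", "AWS_Config", "RESTRICTED_INCOMING_TRAFFIC"),
            automated_source("SG snapshot", "AWS_API_Call", "ec2_DescribeSecurityGroups",
                             frequency="DAILY"),
            manual_source("Review sign-off",
                          troubleshooting="Upload the reviewer's sign-off if none is attached."),
        ],
        tags={"framework": "cis"},
        action_plan_title="Remove open SSH ingress",
        action_plan_instructions="Restrict port 22 to the bastion CIDR and re-run the rule.",
    )
```

Call `create_control(example_request())` from an environment with Audit Manager permissions to create the control; until then the builder can be used to lint control definitions before they leave a review pipeline.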
What can I do next?
After you create a new custom control, you can add it to a custom framework. To learn more, see Creating a custom framework or Editing a custom framework.
After you add the custom control to a custom framework, you can create an assessment from that custom framework and start collecting evidence. To learn more, see Creating an assessment.
For troubleshooting tips, see Troubleshooting control and control set issues.