Creating a custom control from scratch - AWS Audit Manager

Creating a custom control from scratch

You can use the control library in AWS Audit Manager to create a new custom control from scratch by performing the following steps.

Step 1: Specify control details

First, you must specify the details for your custom control.

To specify control details

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the left navigation pane, choose Control library, and choose Create custom control.

  3. Under Control details, enter a name and description for your control.

  4. Under Testing information, enter the recommended testing information. This should include the steps that you would follow to determine if the control has been satisfied.

  5. Under Tags, choose Add new tag to associate a tag with your control. You can specify a key for each tag that best describes the compliance framework that this control will support.

    The tag key is mandatory and can be used as a search criterion when you search for this control in the control library. For more information about tags in AWS Audit Manager, see Tagging AWS Audit Manager resources.

  6. Choose Next.

Step 2: Configure data sources for this control

You can specify a data source to determine from where you want AWS Audit Manager to collect evidence for this control. You can add up to 10 data sources to a new custom control in Audit Manager.

To configure data sources for this control

  1. In the data source box under Select evidence collection method, select one of the following options.

    • Automated evidence – Select this option for system evidence that you want Audit Manager to automatically collect for you.

    • Manual evidence – Select this option for evidence that Audit Manager can't collect automatically.

      For example, if the control is a procedural control that covers team organization, you can choose Manual evidence. When this control is active in an assessment, you can then upload a copy of your organization chart manually as evidence to support the control.

  2. (For automated evidence) Under Select an evidence type by mapping to a data source, select one of the following data sources for your custom control.

    For each data source, the entries below give its description, its evidence collection frequency, what to do to use it, and what Audit Manager does when the control is active in an assessment.

    • User activity logs from AWS CloudTrail

      Description: Tracks a particular user activity that is needed in your audit.

      Evidence collection frequency: Continuous

      To use this data source: Choose from the dropdown list of keywords to search for in CloudTrail logs.

      When this control is active in an assessment: Audit Manager assesses your CloudTrail logs, filters the relevant logs based on your keyword, and then converts processed logs to User activity evidence.

    • Compliance checks for security findings from AWS Security Hub

      Description: Captures snapshots of your resource security posture in addition to configuration changes checked by Security Hub.

      Evidence collection frequency: Based on the schedule of the Security Hub check

      To use this data source: Choose from the dropdown list of Security Hub checks supported by Audit Manager. Custom checks aren't currently supported.

      When this control is active in an assessment: Audit Manager assesses the Security Hub findings that are associated with this Security Hub check, and then converts the processed data to Compliance check evidence.

    • Compliance checks for resource configurations from AWS Config

      Description: Captures snapshots of your resource security posture in addition to configuration changes evaluated by AWS Config.

      Evidence collection frequency: Based on the triggers defined in the AWS Config rule

      To use this data source: Choose from the dropdown list of AWS Config rules supported by Audit Manager. Custom rules aren't currently supported.

      When this control is active in an assessment: Audit Manager assesses the CloudTrail logs that are associated with this AWS Config rule evaluation, and then converts the processed data to Compliance check evidence.

    • Configuration snapshots from AWS API calls

      Description: Takes a snapshot of your resource configuration directly via an API call to the specified AWS service.

      Evidence collection frequency: Daily, weekly, or monthly

      To use this data source: Choose from the dropdown list of APIs supported by Audit Manager, and specify your preferred frequency.

      When this control is active in an assessment: Audit Manager makes the API call based on the defined frequency, assesses the results from the API call, and then converts the results to Configuration data evidence.

  3. (Optional) Under Troubleshooting description, enter the suggested actions to take if no evidence is collected from the control data source.

  4. To add another data source to the control, choose Add data source at the bottom of the page and repeat steps 1-3.

  5. To remove an unwanted data source from the control, choose Remove at the top of the data source box.

  6. When you are finished, choose Next.

Tip

If you aren't sure how to configure the control and you want to ask a subject matter expert for help, we suggest that you choose Manual evidence for now. You can save the control and add it to a framework at this time, and then edit the control at a later date. To learn more about how to edit a control, see Editing a custom control.

Step 3 (Optional): Define an action plan

Specify the actions to take if this control is not fulfilled.

To define an action plan

  1. Under Title, enter a descriptive title for the action plan.

  2. Under Action plan instructions, enter detailed instructions for your action plan.

  3. Choose Next.

Step 4: Review and create the control

Review the information for your control. To change the information for a step, choose Edit.

When you are finished, choose Create custom control.
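The four console steps above map onto a single CreateControl API request. The following added example (not part of this page, and not AWS's own code) builds that request in Python, enforcing the limits the page states (at most 10 data sources, a key on every tag, a daily/weekly/monthly frequency for API call snapshots) and only then hands it to boto3. The parameter and enum names (controlMappingSources, sourceType values such as AWS_Cloudtrail and MANUAL, sourceSetUpOption, sourceFrequency, troubleshootingText) are those of the Audit Manager CreateControl API; the keyword values, control name and tag values are constructed placeholders, and the submit() helper assumes boto3 and AWS credentials are available.

```python
"""Assemble a CreateControl request that mirrors the console walkthrough:
control details, data sources, an optional action plan, and tags."""

# Console data-source choices -> CreateControl sourceType values.
DATA_SOURCE_TYPES = {
    "cloudtrail": "AWS_Cloudtrail",     # User activity logs from AWS CloudTrail
    "securityhub": "AWS_Security_Hub",  # Compliance checks from Security Hub
    "config": "AWS_Config",             # Compliance checks from AWS Config
    "apicall": "AWS_API_Call",          # Configuration snapshots from API calls
    "manual": "MANUAL",                 # Manual evidence uploaded by a person
}
API_CALL_FREQUENCIES = {"DAILY", "WEEKLY", "MONTHLY"}
MAX_DATA_SOURCES = 10  # limit stated on the page for a new custom control


def data_source(name, kind, keyword=None, frequency=None, troubleshooting=None):
    """Build one controlMappingSources entry. `kind` is a key of DATA_SOURCE_TYPES."""
    if kind not in DATA_SOURCE_TYPES:
        raise ValueError(f"unknown data source kind {kind!r}")
    src = {
        "sourceName": name,
        "sourceType": DATA_SOURCE_TYPES[kind],
        # Manual evidence is a procedural mapping; automated evidence is a system mapping.
        "sourceSetUpOption": "Procedural_Controls_Mapping" if kind == "manual"
        else "System_Controls_Mapping",
    }
    if kind != "manual":
        # Automated evidence needs the keyword picked from the console dropdown
        # (CloudTrail event name, Config rule, Security Hub check, or API name).
        if not keyword:
            raise ValueError("automated evidence requires a keyword value")
        src["sourceKeyword"] = {"keywordInputType": "SELECT_FROM_LIST",
                                "keywordValue": keyword}
    if kind == "apicall":
        if frequency not in API_CALL_FREQUENCIES:
            raise ValueError("API call snapshots need DAILY, WEEKLY or MONTHLY")
        src["sourceFrequency"] = frequency
    if troubleshooting:  # optional "Troubleshooting description" from step 3
        src["troubleshootingText"] = troubleshooting
    return src


def build_create_control_request(name, description, testing_information, sources,
                                 tags=None, action_plan_title=None,
                                 action_plan_instructions=None):
    """Validate the pieces and return the keyword arguments for create_control()."""
    if not sources:
        raise ValueError("at least one data source is required")
    if len(sources) > MAX_DATA_SOURCES:
        raise ValueError(f"at most {MAX_DATA_SOURCES} data sources per custom control")
    tags = dict(tags or {})
    if any(not key for key in tags):
        raise ValueError("every tag needs a key; the key is what the control library searches on")
    req = {
        "name": name,
        "description": description,
        "testingInformation": testing_information,
        "controlMappingSources": list(sources),
    }
    if tags:
        req["tags"] = tags
    if action_plan_title and action_plan_instructions:  # optional step 3
        req["actionPlanTitle"] = action_plan_title
        req["actionPlanInstructions"] = action_plan_instructions
    return req


def example_request():
    """Constructed sample: one source of each automated kind plus a manual one."""
    sources = [
        data_source("Console sign-ins", "cloudtrail", keyword="ConsoleLogin",  # placeholder keyword
                    troubleshooting="Confirm a CloudTrail trail is logging management events."),
        data_source("Root MFA check", "securityhub", keyword="PLACEHOLDER_SECURITYHUB_CHECK_ID"),
        data_source("Bucket policy rule", "config", keyword="PLACEHOLDER_CONFIG_RULE_NAME"),
        data_source("Instance inventory", "apicall", keyword="PLACEHOLDER_API_NAME", frequency="WEEKLY"),
        data_source("Org chart upload", "manual"),
    ]
    return build_create_control_request(
        name="Example access-review control",
        description="Demonstrates mapping console choices to CreateControl fields.",
        testing_information="Confirm evidence exists for each data source in the assessment.",
        sources=sources,
        tags={"framework": "example"},
        action_plan_title="Collect missing evidence",
        action_plan_instructions="Enable the missing service and re-run the assessment.",
    )


def exceeds_limit_rejected():
    """True if eleven data sources are rejected, as the page's limit requires."""
    too_many = [data_source(f"src{i}", "manual") for i in range(MAX_DATA_SOURCES + 1)]
    try:
        build_create_control_request("n", "d", "t", too_many)
    except ValueError:
        return True
    return False


def submit(request, region_name=None):
    """Send the request with boto3 (needs credentials with auditmanager:CreateControl)."""
    import boto3  # imported lazily so the builder runs without boto3 installed
    client = boto3.client("auditmanager", region_name=region_name)
    return client.create_control(**request)


if __name__ == "__main__":
    import json
    print(json.dumps(example_request(), indent=2))  # inspect before calling submit()
```

Printing the request before calling submit() is the programmatic equivalent of the Review page in step 4: the dictionary shows exactly which sources, keyword and frequency the control will carry, so a reviewer can check it against the control's intent before anything is created.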

What can I do next?

After you create your new custom control, you can add it to a custom framework. To learn more, see Creating a custom framework or Editing a custom framework.

After you've added your custom control to a custom framework, you can create an assessment from that custom framework and begin collecting evidence. To learn more, see Creating an assessment.