Evidence finder settings - AWS Audit Manager

Evidence finder settings

Use this tab to review and update your evidence finder settings.

Evidence finder (optional)

We strongly recommend that you enable evidence finder. Enabling this feature is necessary if you want to run search queries on your evidence.

Follow these steps to enable, disable, or check the status of evidence finder.

You must enable evidence finder in each AWS Region where you want to search for evidence. If you're a delegated administrator for Audit Manager, enable evidence finder to search for evidence for all member accounts in your organization.

Required permissions to enable evidence finder

To enable evidence finder, you need permissions to create and manage an event data store in CloudTrail Lake. To use the feature, you need permissions to perform CloudTrail Lake queries. For an example permission policy that you can use, see Allow full administrator access.

If you need help with permissions, contact your AWS administrator. If you’re an AWS administrator, you can copy the required permission statement and attach it to an IAM policy.

Requesting to enable evidence finder

You can complete this task using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

Audit Manager console
To request to enable evidence finder (console)
  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. From the Evidence finder settings tab, go to the Evidence finder section.

  3. Choose Required permission policy, then View CloudTrail Lake permissions to view the required evidence finder permissions. If you don't already have these permissions, you can copy this policy statement and attach it to an IAM policy.

  4. Choose Enable.

  5. In the pop-up window, choose Request to enable.

AWS CLI
To request to enable evidence finder (AWS CLI)

Run the update-settings command with the --evidence-finder-enabled parameter.

aws auditmanager update-settings --evidence-finder-enabled
Audit Manager API
To request to enable evidence finder (API)

Call the UpdateSettings operation and use the evidenceFinderEnabled parameter.

For more information, choose the previous links to read more in the Audit Manager API Reference. This includes information about how to use this operation and parameter in one of the language-specific AWS SDKs.

After you submit your request, it takes up to 10 minutes to enable evidence finder and to create an event data store. As soon as the event data store is created, all new evidence is ingested into the event data store moving forward.

When evidence finder is enabled and the event data store is created, we backfill the newly created event data store with up to two years’ worth of your past evidence. This process happens automatically and takes up to seven days to complete.

You can check the current status of evidence finder using the Audit Manager console, the AWS CLI, or the Audit Manager API.

Audit Manager console
To see the current status of evidence finder (console)
  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the left navigation pane, choose Settings.

  3. Under Enable evidence finder – optional, review the current status.

    Each status is defined as follows:

    • Evidence finder isn't enabled – You haven't successfully enabled evidence finder yet.

    • You have requested to enable evidence finder – Your request is pending the event data store being created.

    • Evidence finder is enabled – The event data store was created. You can now use evidence finder.

      Depending how much evidence you have, it takes up to seven days to backfill the new event data store with your past evidence data. A blue information panel indicates that the data backfill is in progress. Feel free to start exploring evidence finder in the meantime. However, keep in mind that not all data is available until the backfill is complete.

    • You have requested to disable evidence finder – Your request is pending the event data store being deleted.

    • Evidence finder has been disabled – Evidence finder has been permanently disabled and the event data store is deleted.

AWS CLI
To see the current status of evidence finder (AWS CLI)

Run the get-settings command with the --attribute parameter set to EVIDENCE_FINDER_ENABLEMENT.

aws auditmanager get-settings --attribute EVIDENCE_FINDER_ENABLEMENT

This returns the following information:

enablementStatus

This attribute shows the current status of evidence finder.

  • ENABLE_IN_PROGRESS – You requested to enable evidence finder. An event data store is currently being created to support evidence finder queries.

  • ENABLED – An event data store was created and evidence finder is enabled. We recommend waiting seven days until the event data store is backfilled with your past evidence data. You can use evidence finder in the meantime, but not all data is available until the backfill is complete.

  • DISABLE_IN_PROGRESS – You requested to disable evidence finder, and your request is pending the event data store being deleted.

  • DISABLED – You permanently disabled evidence finder and the event data store is deleted. You can't re-enable evidence finder after this point.

backfillStatus

This attribute shows the current status of the evidence data backfill.

  • NOT_STARTED – The backfill hasn’t started yet.

  • IN_PROGRESS – The backfill is in progress. This takes up to seven days to complete, depending on the amount of evidence data.

  • COMPLETED – The backfill is complete. All of your past evidence is now queryable.

Audit Manager API
To see the current status of evidence finder (API)

Call the GetSettings operation with the attribute parameter set to EVIDENCE_FINDER_ENABLEMENT. This returns the following information:

enablementStatus

This attribute shows the current status of evidence finder.

  • ENABLE_IN_PROGRESS - You requested to enable evidence finder. An event data store is currently being created to support evidence finder queries.

  • ENABLED - An event data store was created and evidence finder is enabled. We recommend waiting seven days until the event data store is backfilled with your past evidence data. You can use evidence finder in the meantime, but not all data is available until the backfill is complete.

  • DISABLE_IN_PROGRESS - You requested to disable evidence finder, and your request is pending the deletion of the event data store.

  • DISABLED - You permanently disabled evidence finder and the event data store is deleted. You can't re-enable evidence finder after this point.

backfillStatus

This attribute shows the current status of the evidence data backfill.

  • NOT_STARTED means that the backfill hasn’t started yet.

  • IN_PROGRESS means that the backfill is in progress. This takes up to seven days to complete, depending on the amount of evidence data.

  • COMPLETED means that the backfill is complete. All of your past evidence is now queryable.

For more information, see evidenceFinderEnablement in the Audit Manager API Reference.

If you no longer want to use evidence finder, you can disable this feature at any time.

Warning

Disabling evidence finder deletes the CloudTrail Lake event data store that Audit Manager created. As a result, you can’t re-enable the feature. To re-use evidence finder after you disable it, you must disable AWS Audit Manager, and then re-enable the service completely.

Required permissions to disable evidence finder

To disable evidence finder, you need permissions to delete an event data store in CloudTrail Lake. For an example policy that you can use, see Permissions to disable evidence finder.

If you need help with permissions, contact your AWS administrator. If you’re an AWS administrator, you can attach the required permission statement to an IAM policy.

Disabling evidence finder

You can complete this task using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

Audit Manager console
To disable evidence finder (console)
  1. In the Evidence finder section of the Audit Manager settings page, choose Disable.

  2. In the pop-up window that appears, enter Yes to confirm your decision.

  3. Choose Request to disable.

AWS CLI
To disable evidence finder (AWS CLI)

Run the update-settings command with the --no-evidence-finder-enabled parameter.

aws auditmanager update-settings --no-evidence-finder-enabled
Audit Manager API
To disable evidence finder (API)

Call the UpdateSettings operation and use the evidenceFinderEnabled parameter.

For more information, choose the previous links to read more in the Audit Manager API Reference. This includes information about how to use this operation and parameter in one of the language-specific AWS SDKs.

Export destination (optional)

When you run queries in evidence finder, your can export your search results into a comma-separated values (CSV) file. Use this setting to choose the default S3 bucket where Audit Manager saves your exported files.

You can update this setting using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

Important

Your S3 bucket must have the required permissions policy to allow CloudTrail to write the export files to it. More specifically, the bucket policy must include an s3:PutObject action and the bucket ARN, and list CloudTrail as the service principal. We provide an example permission policy that you can use. For instructions on how to attach this policy to your S3 bucket, see Adding a bucket policy by using the Amazon S3 console.

For more tips, see configuration tips for your export destination on this page.

Audit Manager console
To update your export destination settings (console)
  1. From the Evidence finder settings tab, go to the Export destination section.

  2. Choose one of the following options:

    • If you want to remove the current S3 bucket, choose Remove to clear your settings.

    • If you want to save a default S3 bucket for the first time, proceed to step 3.

  3. Specify the S3 bucket that you want to store your exported files in.

    • Choose Browse S3 to choose from a list of your buckets.

    • Alternatively, you can enter the bucket URI in this format: s3://bucketname/prefix

    Tip

    To keep your destination bucket organized, you can create an optional folder for your CSV exports. To do so, append a slash (/) and a prefix to the value in the Resource URI box (for example, /evidenceFinderCSVExports). Audit Manager then includes this prefix when it adds the CSV file to the bucket, and Amazon S3 generates the path specified by the prefix. For more information about prefixes in Amazon S3, see Organizing objects in the Amazon S3 console in the Amazon Simple Storage Service User Guide.

  4. When you’re done, choose Save.

For instructions on how to create an S3 bucket, see Creating a bucket in the Amazon S3 User Guide.

AWS CLI
To update your export destination settings (AWS CLI)

Run the update-settings command and use the --default-export-destination parameter to specify an S3 bucket.

In the following example, replace the placeholder text with your own information:

aws auditmanager update-settings --default-export-destination destinationType=S3,destination=s3://doc-example-destination-bucket

For instructions on how to create an S3 bucket, see create-bucket in the AWS CLI Command Reference.

Audit Manager API
To update your export destination settings (API)

Call the UpdateSettings operation and use the defaultExportDestination parameter to specify an S3 bucket.

For instructions on how to create an S3 bucket, see CreateBucket in the Amazon S3 API Reference.

Configuration tips for your export destination

To ensure a successful file export, we recommend that you verify the following configurations for your export destination.

AWS Region

The AWS Region of your customer managed key (if you provided one) must match the Region of your assessment. For instructions on how to change your KMS key, see Audit Manager data encryption settings.

Cross-account S3 buckets

Using a cross-account S3 bucket as your export destination isn’t supported in the Audit Manager console. It’s possible to specify a cross-account bucket using the AWS CLI or one of the AWS SDKs, but for simplicity, we recommend that you not do this. If you do choose to use a cross-account S3 bucket as your export destination, consider the following points.

  • By default, S3 objects—such as CSV exports—are owned by the AWS account that uploads the object. You can use the S3 Object Ownership setting to change this default behavior, so that any new objects that are written by accounts with the bucket-owner-full-control canned access control list (ACL) automatically become owned by the bucket owner.

    Although it’s not a requirement, we recommend that you make the following changes to your cross-account bucket settings. Making these changes ensures that the bucket owner has full control of the exported files that you publish to their bucket.

  • To allow Audit Manager to export files to a cross-account S3 bucket, you must add the following S3 bucket policy to your export destination bucket. Replace the placeholder text with your own information. The Principal element in this policy is the user or role that owns the assessment and exports the file. The Resource specifies the cross-account S3 bucket where the file is exported to.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "Allow cross account file exports", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::AssessmentOwnerAccountId:user/AssessmentOwnerUserName" }, "Action": [ "s3:ListBucket", "s3:PutObject", "s3:GetObject", "s3:GetBucketLocation", "s3:PutObjectAcl", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::CROSS-ACCOUNT-BUCKET", "arn:aws:s3:::CROSS-ACCOUNT-BUCKET/*" ] } ] }