Examples of AWS Audit Manager controls

You can review the examples on this page to learn more about how controls work in AWS Audit Manager. These examples describe what a control looks like, how Audit Manager generates evidence for that control, and the next steps that you can take to demonstrate compliance.

Tip

We recommend that you enable AWS Config and AWS Security Hub for an optimal experience in Audit Manager. When you enable these services, they can be used as a data source type for the controls in your Audit Manager assessments. In other words, Audit Manager can use Security Hub findings and AWS Config Rules to generate automated evidence.

Examples are available for each of the following types of controls:

  • Automated controls that use AWS Security Hub as a data source type

  • Automated controls that use AWS Config as a data source type

  • Automated controls that use AWS API calls as a data source type

  • Automated controls that use AWS CloudTrail as a data source type

  • Manual controls

  • Controls with mixed data source types (automated and manual)

Automated controls that use AWS Security Hub as a data source type

This example shows a control that uses AWS Security Hub as its data source type. This is a standard control taken from the AWS Foundational Security Best Practices (FSBP) framework. Audit Manager uses this control to generate evidence that can help to bring your AWS environment in line with FSBP requirements.

Example control details
  • Control name – IAM policies should not allow full "*" administrative privileges

  • Control set – This control belongs to the IAM control set. This is a grouping of controls that relate to identity and access management.

  • Data source type – AWS Security Hub

  • Evidence type – Compliance check

In the following example, this control is within an Audit Manager assessment that was created from the FSBP framework.

[Screenshot: the automated Security Hub control shown within an Audit Manager assessment, with the control name highlighted]

The assessment shows the control status. It also shows how much evidence was collected for this control so far and how much of that evidence is included in your assessment report. From here, you can delegate the control set for review or complete the review yourself. Choosing the control name opens a detail page with more information, including the evidence for that control.

What this control does

Audit Manager can use this control to check whether your IAM policies are too broad to meet FSBP requirements. More specifically, it checks whether the default version of any of your customer managed IAM policies contains a statement that grants full administrative access: "Effect": "Allow" with "Action": "*" over "Resource": "*". The check covers customer managed policies only. It doesn't evaluate inline policies or AWS managed policies such as AdministratorAccess, so a principal can still hold full administrative access through those paths while this control passes.
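The following Python script, added here as an illustration and not part of the Audit Manager documentation, applies the same test to policy documents offline: it flags an Allow statement whose Action contains the bare "*" and whose Resource contains "*", and deliberately does not flag service-scoped wildcards such as s3:* or Deny statements, because those are not what this check tests for. The policy documents are constructed samples and the function names are my own.

```python
"""Flag IAM policy statements that grant full administrative access.

Added example: mirrors the condition the page describes for the IAM.1 check
("Effect": "Allow", "Action": "*", "Resource": "*"). The policy documents
below are constructed samples, not output from any real account.
"""
import json


def _as_list(value):
    """IAM accepts a single string where a list is allowed; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def admin_statements(policy_document):
    """Return the statements in a policy document that allow full admin access.

    A statement is flagged when it is an Allow, its Action element contains
    the bare wildcard "*", and its Resource element contains "*". Statements
    that use Deny, NotAction/NotResource, or service-scoped wildcards such as
    "s3:*" are not flagged, matching the scope of the check on the page.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    flagged = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            flagged.append(stmt)
    return flagged


def evaluate_policies(policies):
    """Map policy name -> COMPLIANT / NON_COMPLIANT, in the style of an AWS Config rule result."""
    return {
        name: ("NON_COMPLIANT" if admin_statements(doc) else "COMPLIANT")
        for name, doc in policies.items()
    }


# Constructed sample policies (not from a real account).
SAMPLE_POLICIES = {
    # Full admin: flagged.
    "AdminEverything": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    # The same grant hidden inside lists: still flagged.
    "AdminViaLists": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "*"], "Resource": ["*"]}],
    },
    # Service-scoped wildcard: very broad, but outside what IAM.1 checks.
    "S3Everything": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
    },
    # Statement given as a single object rather than a list; Deny is never flagged.
    "DenyAll": {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Deny", "Action": "*", "Resource": "*"},
    },
    # A least-privilege replacement for the admin policy.
    "ReadOwnBucket": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                       "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}],
    },
}

if __name__ == "__main__":
    for name, status in evaluate_policies(SAMPLE_POLICIES).items():
        print(f"{name}: {status}")
```

Fed the default version of each customer managed policy (for example, the Document field from `aws iam get-policy-version`), this gives you the same pass or fail result before Security Hub reports it. The scope caveat still applies: inline policies and AWS managed policies are not seen by this check.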

How Audit Manager collects evidence for this control

Audit Manager takes the following steps to collect evidence for this control:

  1. For each control, Audit Manager assesses your in-scope resources. It does this using the data source that’s specified in the control settings. In this example, your IAM policies are the resource and Security Hub is the data source type. Audit Manager looks for the result of a specific Security Hub check ([IAM.1]), which in turn uses an AWS Config rule (iam-policy-no-statements-with-admin-access) to evaluate your customer managed IAM policies.

  2. The result of the resource assessment is saved and converted into auditor-friendly evidence. Audit Manager generates compliance check evidence for controls that use Security Hub as a data source type. This evidence contains the result of the compliance check reported directly from Security Hub.

  3. Audit Manager attaches the saved evidence to the control in your assessment that’s named IAM policies should not allow full "*" administrative privileges.

How you can use Audit Manager to demonstrate compliance with this control

After the evidence is attached to the control, you—or a delegate of your choice—can review the evidence to see if any remediation is necessary.

In this example, Audit Manager might display a Fail ruling from Security Hub. This happens if one of your customer managed policies contains an Allow statement with "Action": "*" on "Resource": "*". In this case, you can update your IAM policies so that they don’t allow full administrative privileges. To achieve this, determine what tasks users need to do, and then craft policies that let the users perform only those tasks. This corrective action helps to bring your AWS environment in line with FSBP requirements.

When your IAM policies are in line with the control, mark the control as Reviewed and add the evidence to your assessment report. You can then share this report with auditors to demonstrate that the control is working as intended.

Automated controls that use AWS Config as a data source type

This example shows a control that uses AWS Config as its data source type. This is a standard control taken from the AWS Control Tower Guardrails framework. Audit Manager uses this control to generate evidence that helps bring your AWS environment in line with AWS Control Tower Guardrails.

Example control details
  • Control name – 4.1.2 - Disallow public write access to S3 buckets

  • Control set – This control belongs to the Disallow public access control set. This is a grouping of controls that relate to access management.

  • Data source type – AWS Config

  • Evidence type – Compliance check

In the following example, this control is within an Audit Manager assessment that was created from the AWS Control Tower Guardrails framework.

[Screenshot: the automated AWS Config control shown within an Audit Manager assessment, with the control name highlighted]

The assessment shows the control status, how much evidence was collected for this control so far, and how much of that evidence is included in your assessment report. From here, you can delegate the control set for review or complete the review yourself. Choosing the control name opens a detail page with more information, including the evidence for that control.

What this control does

Audit Manager can use this control to check if the access levels of your S3 bucket policies are too lenient to meet AWS Control Tower requirements. More specifically, it can check the Block Public Access settings, the bucket policies, and the bucket access control lists (ACL) to confirm that your buckets don’t allow public write access.

How Audit Manager collects evidence for this control

Audit Manager takes the following steps to collect evidence for this control:

  1. For each control, Audit Manager assesses your in-scope resources using the data source that’s specified in the control settings. In this case, your S3 buckets are the resource, and AWS Config is the data source type. Audit Manager looks for the result of a specific AWS Config Rule (s3-bucket-public-write-prohibited) to evaluate the settings, policy, and ACL of each of the S3 buckets that are in scope of your assessment.

  2. The result of the resource assessment is saved and converted into auditor-friendly evidence. Audit Manager generates compliance check evidence for controls that use AWS Config as a data source type. This evidence contains the result of the compliance check reported directly from AWS Config.

  3. Audit Manager attaches the saved evidence to the control in your assessment that’s named 4.1.2 - Disallow public write access to S3 buckets.

How you can use Audit Manager to demonstrate compliance with this control

After the evidence is attached to the control, you—or a delegate of your choice—can review the evidence to see if any remediation is necessary.

In this example, Audit Manager might display a ruling from AWS Config stating that an S3 bucket is noncompliant. This could happen if one of your S3 buckets has a Block Public Access setting that doesn’t restrict public policies, and the policy that’s in use allows public write access. To remediate this, you can update the Block Public Access setting to restrict public policies. Or, you can use a different bucket policy that doesn’t allow public write access. This corrective action helps to bring your AWS environment in line with AWS Control Tower requirements.
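The decision described above, as an added example that is not part of the Audit Manager documentation, written in Python over constructed bucket records: a bucket passes when Block Public Access restricts public policies or the policy grants no public write, and when Block Public Access ignores public ACLs or the ACL grants no public write. It shows the two edge cases that trip people up: a condition such as aws:SecureTransport does not make a "*" principal non-public, and a public read-only policy is not a finding for this control. The write-action list and the set of condition keys that count as scoping a "*" principal are assumptions, noted in the code.

```python
"""Decide whether an S3 bucket allows public write access.

Added example (not part of the Audit Manager documentation). It follows the
decision the page describes: the bucket passes when (Block Public Access
restricts public policies OR the policy grants no public write) AND (Block
Public Access ignores public ACLs OR the ACL grants no public write). All
bucket configurations below are constructed samples.
"""
import fnmatch

# Assumption: the object-level write actions this check treats as "write".
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl")

# ACL grantee groups that S3 counts as public. AuthenticatedUsers means any
# AWS account anywhere, not just accounts you own.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Condition keys that narrow a "*" principal to specific callers. This is an
# approximation (assumption) of the keys S3 honours when deciding whether a
# policy is "public"; a condition on anything else (for example
# aws:SecureTransport) does NOT make a public statement non-public.
SCOPING_CONDITION_KEYS = {
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
    "aws:sourceaccount", "aws:sourcearn", "aws:sourceip",
    "aws:sourcevpc", "aws:sourcevpce",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _condition_scopes_principal(condition):
    return any(key.lower() in SCOPING_CONDITION_KEYS
               for block in (condition or {}).values() for key in block)


def policy_allows_public_write(policy):
    """True if an Allow statement lets an unscoped public principal perform a write action."""
    for stmt in _as_list((policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if _condition_scopes_principal(stmt.get("Condition")):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase(w.lower(), p) for w in WRITE_ACTIONS for p in patterns):
            return True
    return False


def acl_allows_public_write(grants):
    """True if a public group holds WRITE or FULL_CONTROL on the bucket ACL."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES
               and g.get("Permission") in ("WRITE", "FULL_CONTROL") for g in grants)


def evaluate_bucket(bucket):
    """Return COMPLIANT or NON_COMPLIANT for one constructed bucket record."""
    bpa = bucket.get("block_public_access", {})
    # RestrictPublicBuckets neutralises an existing public policy; IgnorePublicAcls
    # neutralises existing public ACL grants. The Block* settings only stop new ones.
    policy_ok = bpa.get("RestrictPublicBuckets", False) or not policy_allows_public_write(bucket.get("policy"))
    acl_ok = bpa.get("IgnorePublicAcls", False) or not acl_allows_public_write(bucket.get("acl_grants", []))
    return "COMPLIANT" if policy_ok and acl_ok else "NON_COMPLIANT"


def _public_put(condition=None, action="s3:PutObject"):
    stmt = {"Effect": "Allow", "Principal": "*", "Action": action,
            "Resource": "arn:aws:s3:::example-bucket/*"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

# Constructed sample buckets (not from a real account).
SAMPLE_BUCKETS = {
    "public-write-policy":       {"policy": _public_put()},
    "policy-neutralised-by-bpa": {"policy": _public_put(), "block_public_access": {"RestrictPublicBuckets": True}},
    "org-scoped-star-principal": {"policy": _public_put({"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}})},
    "tls-only-but-still-public": {"policy": _public_put({"Bool": {"aws:SecureTransport": "true"}})},
    "public-put-wildcard":       {"policy": _public_put(action="s3:Put*")},
    "public-read-only":          {"policy": _public_put(action="s3:GetObject")},
    "public-acl-write":          {"acl_grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]},
    "acl-ignored-by-bpa":        {"acl_grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}],
                                  "block_public_access": {"IgnorePublicAcls": True}},
}

if __name__ == "__main__":
    for name, bucket in SAMPLE_BUCKETS.items():
        print(f"{name}: {evaluate_bucket(bucket)}")
```

The "policy-neutralised-by-bpa" and "acl-ignored-by-bpa" records are the two remediation paths the paragraph above describes: turning on the relevant Block Public Access setting makes the bucket compliant without touching the policy or ACL, which is usually the faster fix; replacing the policy is the cleaner one.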

When you’re satisfied that your S3 bucket access levels are in line with the control, you can mark the control as Reviewed and add the evidence to your assessment report. You can then share this report with auditors to demonstrate that the control is working as intended.

Automated controls that use AWS API calls as a data source type

This example shows a custom control that uses AWS API calls as its data source type. Audit Manager uses this control to generate evidence that can help to bring your AWS environment in line with your specific requirements.

Example control details
  • Control name – Password Use

  • Control set – This control belongs to a control set that's called Access Control. This is a grouping of controls that relate to identity and access management.

  • Data source type – AWS API calls

  • Evidence type – Configuration data

In the following example, this control is within an Audit Manager assessment that was created from a custom framework.

[Screenshot: the automated API control shown within an Audit Manager assessment, with the control name highlighted]

The assessment shows the control status. It also shows how much evidence was collected for this control so far and how much of that evidence is included in your assessment report. From here, you can delegate the control set for review or complete the review yourself. Choosing the control name opens a detail page with more information, including the evidence for that control.

What this control does

Audit Manager can use this custom control to help you ensure that you have sufficient access control policies in place. This control requires that you follow good security practices in the selection and use of passwords. Audit Manager can help you to validate this by retrieving the IAM account password policy for each AWS account that's in the scope of your assessment.

How Audit Manager collects evidence for this control

Audit Manager takes the following steps to collect evidence for this custom control:

  1. For each control, Audit Manager assesses your in-scope resources using the data source that’s specified in the control settings. In this case, the AWS accounts in scope are the resources, and AWS API calls is the data source type. Audit Manager calls a specific IAM API (GetAccountPasswordPolicy) and records the account password policy that's returned for each AWS account that's in scope of your assessment.

  2. The result of the resource assessment is saved and converted into auditor-friendly evidence. Audit Manager generates configuration data evidence for controls that use API calls as a data source. This evidence contains the original data that's captured from the API responses, and additional metadata that indicates which control the data supports.

  3. Audit Manager attaches the saved evidence to the custom control in your assessment that’s named Password Use.

How you can use Audit Manager to demonstrate compliance with this control

After the evidence is attached to the control, you—or a delegate of your choice—can review the evidence to see if it’s sufficient or if any remediation is necessary.

In this example, you can review the evidence to see the responses from the API call. The GetAccountPasswordPolicy response describes the complexity requirements, reuse prevention, and mandatory rotation period for the IAM user passwords in your account. You can use this API response as evidence to show that you have sufficient password access control policies in place for the AWS accounts that are in the scope of your assessment. Two points are worth checking when you review it: the account password policy governs IAM user console passwords only, so it says nothing about the root user password, access keys, or identities that sign in through federation; and if no custom policy has been set, the API returns a NoSuchEntity error rather than a policy, which means that account is running on the IAM default policy and should be treated as a finding rather than as missing data. If you want, you can also provide additional commentary about these policies by adding a comment to the control.
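As an added example, not part of the Audit Manager documentation, the following Python checks a GetAccountPasswordPolicy response against a baseline. The responses are constructed in the shape that boto3's get_account_password_policy() returns, and the baseline values are an assumption for illustration; the control on the page doesn't prescribe them. It handles the two response shapes a reviewer has to know about: fields such as PasswordReusePrevention and MaxPasswordAge are simply absent when those features are off, and a missing policy (NoSuchEntity) is reported as a finding.

```python
"""Check a GetAccountPasswordPolicy response against a hardening baseline.

Added example (not part of the Audit Manager documentation). The responses
are constructed in the shape boto3's iam.get_account_password_policy()
returns. The BASELINE thresholds are an assumption for illustration; the
custom control on the page does not prescribe specific values.
"""

# Assumed baseline. Mandatory rotation is included because the page's control
# talks about rotation periods; note that NIST SP 800-63B advises against
# forced periodic rotation, so treat MaxPasswordAge as an organisational choice.
BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "PasswordReusePrevention": 24,  # number of previous passwords remembered
    "MaxPasswordAge": 90,           # days
}


def evaluate_password_policy(response):
    """Return a list of findings; an empty list means the policy meets BASELINE.

    `response` is the dict from get_account_password_policy(), or None when the
    call raised NoSuchEntityException, meaning no custom policy is set and the
    account is running on the IAM default policy.
    """
    if response is None:
        return ["no account password policy is set; the IAM default policy is in effect"]
    policy = response["PasswordPolicy"]
    findings = []

    min_len = policy.get("MinimumPasswordLength", 0)
    if min_len < BASELINE["MinimumPasswordLength"]:
        findings.append(f"MinimumPasswordLength is {min_len}, baseline requires {BASELINE['MinimumPasswordLength']}")

    for flag in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                 "RequireNumbers", "RequireSymbols"):
        if BASELINE[flag] and not policy.get(flag, False):
            findings.append(f"{flag} is not enforced")

    # PasswordReusePrevention is absent from the response when reuse is not prevented.
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < BASELINE["PasswordReusePrevention"]:
        findings.append(f"PasswordReusePrevention is {reuse}, baseline requires {BASELINE['PasswordReusePrevention']}")

    # MaxPasswordAge is only present when ExpirePasswords is true.
    if not policy.get("ExpirePasswords", False):
        findings.append("passwords never expire (ExpirePasswords is false)")
    elif policy.get("MaxPasswordAge", 0) > BASELINE["MaxPasswordAge"]:
        findings.append(f"MaxPasswordAge is {policy['MaxPasswordAge']} days, "
                        f"baseline allows at most {BASELINE['MaxPasswordAge']}")

    return findings


# Constructed sample responses (not from a real account).
STRONG_POLICY = {"PasswordPolicy": {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True, "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24, "HardExpiry": False}}

WEAK_POLICY = {"PasswordPolicy": {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False}}

if __name__ == "__main__":
    for label, resp in (("strong", STRONG_POLICY), ("weak", WEAK_POLICY), ("none", None)):
        print(label, evaluate_password_policy(resp) or ["meets baseline"])
```

Running this over the evidence for every account in scope turns a folder of raw API responses into a list of concrete gaps you can attach as a comment on the control, which is more useful to an auditor than the JSON alone.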

When you’re satisfied that the account password policies of the AWS accounts in scope are in line with the custom control, you can mark the control as Reviewed and add the evidence to your assessment report. You can then share this report with auditors to demonstrate that the control is working as intended.

Automated controls that use AWS CloudTrail as a data source type

This example shows a control that uses AWS CloudTrail as its data source type. This is a standard control taken from the HIPAA framework. Audit Manager uses this control to generate evidence that can help to bring your AWS environment in line with HIPAA requirements.

Example control details
  • Control name – 164.308(a)(5)(ii)(C)

  • Control set – This control belongs to the control set that's called 164.308 Administrative Safeguards.

  • Data source type – AWS CloudTrail

  • Evidence type – User activity

Here’s this control shown within an Audit Manager assessment that was created from the HIPAA framework:

[Screenshot: the automated CloudTrail control shown within an Audit Manager assessment, with the control name highlighted]

The assessment shows the control status. It also shows how much evidence was collected for this control so far and how much of that evidence is included in your assessment report. From here, you can delegate the control set for review or complete the review yourself. Choosing the control name opens a detail page with more information, including the evidence for that control.

What this control does

This control requires a monitoring procedure for detecting inappropriate sign-ins. An example of an inappropriate sign-in is when someone enters multiple combinations of user names or passwords to attempt to access an information system. Audit Manager helps you to validate this control by providing a list of all detected sign-in attempts for the resources that are in the scope of your assessment.

How Audit Manager collects evidence for this control

Audit Manager takes the following steps to collect evidence for this control:

  1. For each control, Audit Manager assesses your in-scope resources using the data source that’s specified in the control settings. In this case, your users are the resource, and CloudTrail is the data source type. Audit Manager looks for the result of all AWS Management Console sign-in events that are logged by CloudTrail. It then returns a log of the relevant events that are within the scope of your assessment.

  2. The result of the resource assessment is saved and converted into auditor-friendly evidence. Audit Manager generates user activity evidence for controls that use CloudTrail as a data source type. This evidence contains the original event data that's captured from CloudTrail, and additional metadata that indicates which control the data supports.

  3. Audit Manager attaches the saved evidence to the control in your assessment that’s named 164.308(a)(5)(ii)(C).

How you can use Audit Manager to demonstrate compliance with this control

After the evidence is attached to the control, you—or a delegate of your choice—can review the evidence to see if any remediation is necessary.

In this example, you can review the evidence to see the sign-in events that were logged by CloudTrail. This log describes the console sign-in activity for your users, which includes the following information:

  • Every successful sign-in

  • Every unsuccessful sign-in attempt

  • Whether multi-factor authentication (MFA) was used for each sign-in

  • The IP address of every sign-in event

You can use this log as evidence to show that you have sufficient monitoring procedures in place for the AWS accounts that are in the scope of your assessment. If you like, you can also provide additional commentary by adding a comment to the control. For example, if the log shows anomalies such as a run of unsuccessful sign-in attempts from one source address, or a successful sign-in without MFA, you can add a comment that describes how you investigated and remediated the issue. Regular monitoring of console sign-ins helps you to detect and respond to credential-guessing and other inappropriate sign-in attempts before they turn into a compromise. In turn, this practice helps to bring your AWS environment in line with HIPAA requirements.
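Detection logic of the kind this control asks for, as an added example that is not part of the Audit Manager documentation: Python run over constructed CloudTrail ConsoleLogin records. The field names (eventName, responseElements.ConsoleLogin, additionalEventData.MFAUsed, sourceIPAddress, userIdentity) follow CloudTrail's record format; the threshold and window values are assumptions. It reports bursts of failed sign-ins from one source IP using a sliding window, and successful sign-ins recorded without MFA, including for the root user, which has no userName field.

```python
"""Detect inappropriate console sign-ins in CloudTrail ConsoleLogin events.

Added example (not part of the Audit Manager documentation). The events below
are constructed in the CloudTrail record format for signin.amazonaws.com
ConsoleLogin events; the burst threshold and window are assumptions.
"""
import datetime as dt
from collections import defaultdict

FAILURE_THRESHOLD = 5             # assumption: this many failures from one IP ...
WINDOW = dt.timedelta(minutes=5)  # ... inside this span count as a burst


def _ts(event):
    return dt.datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _who(event):
    # Failed sign-ins for a user name that doesn't exist carry the literal
    # HIDDEN_DUE_TO_SECURITY_REASONS; the root user has no userName at all.
    ident = event.get("userIdentity", {})
    return ident.get("userName", ident.get("type", "unknown"))


def console_logins(events):
    """Only ConsoleLogin events, ordered by time (CloudTrail delivery is not ordered)."""
    return sorted((e for e in events if e.get("eventName") == "ConsoleLogin"), key=_ts)


def outcome(event):
    return event.get("responseElements", {}).get("ConsoleLogin")


def failed_login_bursts(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """One (ip, first_time, last_time, count) per source IP that reaches `threshold`
    failed sign-ins inside any `window`-long span (sliding window over sorted times)."""
    failures = defaultdict(list)
    for e in console_logins(events):
        if outcome(e) == "Failure":
            failures[e["sourceIPAddress"]].append(_ts(e))
    bursts = []
    for ip, times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append((ip, times[start], t, end - start + 1))
                break  # one alert per IP is enough for triage
    return bursts


def successful_logins_without_mfa(events):
    """(user, ip) for every successful sign-in where CloudTrail did not record MFAUsed == Yes."""
    return [(_who(e), e["sourceIPAddress"]) for e in console_logins(events)
            if outcome(e) == "Success" and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


def summarize(events):
    counts = defaultdict(int)
    for e in console_logins(events):
        counts[outcome(e)] += 1
    return dict(counts)


def _login(time, ip, user, result, mfa="No"):
    """Build a constructed ConsoleLogin record with the fields CloudTrail emits."""
    if user == "Root":
        identity = {"type": "Root", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"}
    else:
        identity = {"type": "IAMUser", "accountId": "123456789012", "userName": user}
    rec = {"eventVersion": "1.08", "eventTime": time, "eventSource": "signin.amazonaws.com",
           "eventName": "ConsoleLogin", "sourceIPAddress": ip, "userIdentity": identity,
           "responseElements": {"ConsoleLogin": result},
           "additionalEventData": {"MFAUsed": mfa, "LoginTo": "https://console.aws.amazon.com/"}}
    if result == "Failure":
        rec["errorMessage"] = "Failed authentication"
    return rec


# Constructed sample log (not from a real account).
SAMPLE_EVENTS = [
    _login("2024-03-01T10:00:00Z", "198.51.100.7", "alice", "Success", mfa="Yes"),
    *[_login(f"2024-03-01T10:01:{s:02d}Z", "203.0.113.5", "bob", "Failure") for s in (0, 20, 40)],
    _login("2024-03-01T10:02:00Z", "203.0.113.5", "bob", "Failure"),
    _login("2024-03-01T10:02:30Z", "203.0.113.5", "bob", "Failure"),
    _login("2024-03-01T10:03:00Z", "203.0.113.5", "bob", "Success"),   # no MFA, right after the burst
    _login("2024-03-01T10:04:00Z", "198.51.100.7", "HIDDEN_DUE_TO_SECURITY_REASONS", "Failure"),
    _login("2024-03-01T10:05:00Z", "192.0.2.10", "Root", "Success"),   # root sign-in without MFA
    {"eventName": "GetAccountPasswordPolicy", "eventTime": "2024-03-01T10:06:00Z"},  # unrelated, ignored
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    for ip, first, last, n in failed_login_bursts(SAMPLE_EVENTS):
        print(f"{n} failed sign-ins from {ip} between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for user, ip in successful_logins_without_mfa(SAMPLE_EVENTS):
        print(f"successful sign-in without MFA: {user} from {ip}")
```

On the sample, the burst from 203.0.113.5 is followed by a successful sign-in from the same address without MFA, which is the pattern worth a comment on the control (and an incident ticket), not just a line in the evidence folder. The same functions run unchanged over the JSON records in the user activity evidence that Audit Manager collects.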

When you’re satisfied that your monitoring procedure is in line with the control, you can mark the control as Reviewed and add the evidence to your assessment report. You can then share this report with auditors to demonstrate that the control is working as intended.

Manual controls

Some controls don’t support automated evidence collection. This includes controls that rely on the provision of physical records and signatures, in addition to observations, interviews, and other events that aren’t generated in the cloud. In these cases, you can manually upload evidence to demonstrate that you’re satisfying the requirements of the control.

This example shows a manual control that Audit Manager doesn't collect automated evidence for. This is a standard control taken from the NIST 800-53 (Rev. 5) framework. You can use Audit Manager to upload and store evidence that demonstrates compliance for this control.

Example control details
  • Control name – PS-4(1) - Post-employment Requirements

  • Control set – This control belongs to the Personnel Termination control set. This is a grouping of controls that relate to information security in the context of employment termination procedures.

  • Data source type – Manual

  • Evidence type – Manual

Here’s this control shown within an Audit Manager assessment that was created from the NIST 800-53 (Rev. 5) Low-Moderate-High framework:

[Screenshot: the manual control shown within an Audit Manager assessment, with the control name highlighted]

The assessment shows the control status. It also shows how much evidence was collected for this control so far and how much of that evidence is included in your assessment report. From here, you can delegate the control set for review or complete the review yourself. Choosing the control name opens a detail page with more information, including the evidence for that control.

What this control does

You can use this control to confirm that you’re protecting organizational information if an employee is terminated. Specifically, you can demonstrate that you consistently notify terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information. Moreover, you can demonstrate that all terminated individuals sign an acknowledgment of post-employment requirements as part of the termination process for your organization.

How you can manually upload evidence for this control

You can take the following steps to upload manual evidence that supports this control:

  1. Place the manual evidence that you want to upload in an Amazon Simple Storage Service (S3) bucket and note the S3 URI.

  2. In your Audit Manager assessment, open the control, go to the evidence folders tab, and upload evidence by entering the S3 URI. For instructions, see Uploading manual evidence in AWS Audit Manager.

  3. Audit Manager creates an evidence folder that’s named after the date when you upload the evidence. It then attaches the uploaded evidence to the control in your assessment that’s named PS-4(1) - Post-employment Requirements.

How you can use Audit Manager to demonstrate compliance with this control

If you have documentation that supports this control, you can upload it as manual evidence. For example, you can upload the latest copy of legally binding post-employment requirements that your Human Resources department issues to terminated employees. If any individuals were terminated during the audit period, you could also upload dated copies that were addressed to those terminated individuals.

Much like with automated controls, you can delegate manual controls to stakeholders who can help you to review evidence (or, in this case, supply it). For example, when you review this control, you might realize that you only partially meet its requirements. This could be the case if you don’t have an acknowledgement letter that was signed by a terminated individual. You could delegate the control to an HR stakeholder, who can then upload a copy of the signed letter. Or, if no employees were terminated during the audit period, you can leave a comment that states why no signed letters are attached to the control.

When you’re satisfied that you’re in line with the control, you can mark it as Reviewed and add the evidence to your assessment report. You can then share this report with auditors to demonstrate that the control is working as intended.

Controls with mixed data source types (automated and manual)

In many cases, a combination of automated and manual evidence is needed to satisfy a control. Although Audit Manager can provide automated evidence that’s relevant to the control, you might need to supplement this data with manual evidence that you identify and upload yourself.

This example shows a control that uses a combination of manual evidence and automated evidence that comes from AWS API calls. This is a standard control taken from the NIST 800-53 (Rev. 5) framework. Audit Manager uses this control to generate evidence that can help to bring your AWS environment in line with NIST requirements.

Example control details
  • Control name – MA-5(3) - Citizenship Requirements for Classified Systems

  • Control set – This control belongs to the Maintenance Personnel control set. This is a grouping of controls that relate to the individuals who perform hardware or software maintenance on organizational systems.

  • Data source type – AWS API calls, plus supplemental manual evidence

  • Evidence type – Configuration data

Here’s this control shown within an Audit Manager assessment that was created from the NIST 800-53 (Rev. 5) framework:

[Screenshot: the mixed data source control shown within an Audit Manager assessment, with the control name highlighted]

The assessment shows the control status. It also shows how much evidence was collected for this control so far and how much of that evidence is included in your assessment report. From here, you can delegate the control set for review or complete the review yourself. Choosing the control name opens a detail page with more information, including the evidence for that control.

What this control does

Audit Manager can use this control to help you ensure that the personnel who perform your maintenance and diagnostic activities have the required citizenship status. If your system processes, stores, or transmits classified information, you must demonstrate that your maintenance personnel are U.S. citizens. Audit Manager helps you to validate this. It does this by returning a complete list of all the IAM policies and principals that are in the scope of your assessment. You can then verify and demonstrate that this list of users has the necessary citizenship requirements. You can do this by manually uploading supplemental evidence of their citizenship status.

How Audit Manager collects evidence for this control

Audit Manager takes the following steps to collect evidence for this control:

  1. For each control, Audit Manager assesses your in-scope resources using the data source that’s specified in the control settings. In this case, your IAM policies and principals are the resources, and AWS API calls is the data source. Audit Manager looks for the result of four specific IAM API calls (ListUsers/ListRoles/ListGroups/ListPolicies) and returns a list of the IAM policies and principals that are in scope of your assessment.

  2. The result of the resource assessment is saved and converted into auditor-friendly evidence. Audit Manager generates configuration data evidence for controls that use API calls as a data source type. This evidence contains the original data that's captured from the API responses, and additional metadata that indicates which control the data supports.

  3. Audit Manager attaches the saved evidence to the control in your assessment that’s named MA-5(3) - Citizenship Requirements for Classified Systems.

How you can manually upload evidence for this control

You can take the following steps to upload manual evidence that supplements the automated evidence:

  1. Place the documentation of citizenship in an Amazon Simple Storage Service (Amazon S3) bucket and note the S3 URI.

  2. In your Audit Manager assessment, open the control, go to the evidence folders tab, and upload evidence. You do this by entering the S3 URI. For instructions, see Uploading manual evidence in AWS Audit Manager.

  3. Audit Manager attaches the uploaded evidence to the control in your assessment that’s named MA-5(3) - Citizenship Requirements for Classified Systems.

How you can use Audit Manager to demonstrate compliance with this control

After the evidence is attached to the control, you—or a delegate of your choice—can review the evidence to see if it’s sufficient or if any remediation is necessary.

In this example, you might review the evidence and see a list of 20 users. If you’re not sure how to identify which users are maintenance personnel, or the citizenship of those users, you can delegate the control to a subject matter expert for validation. The delegate can confirm the list of maintenance personnel, and upload supplemental evidence manually as documentation of their citizenship status. Confirming the citizenship of all the relevant listed users helps to bring your AWS environment in line with NIST requirements. Alternatively, if your system doesn’t process, store, or transmit classified information, you can leave a comment that states why this control isn’t applicable.

When you’re satisfied that you're in line with the control, mark the control as Reviewed and add the evidence to your assessment report. You can then share this report with auditors to demonstrate that the control is working as intended.