Troubleshooting framework sharing issues - AWS Audit Manager

Troubleshooting framework sharing issues

You can use the information on this page to resolve common framework sharing issues in Audit Manager.

My sent share request status displays as Failed

If you try to share a custom framework and the operation fails, we recommend that you check the following:

  1. Make sure that Audit Manager is enabled in the recipient's AWS account and in the specified Region. For a list of supported AWS Audit Manager Regions, see AWS Audit Manager endpoints and quotas in the Amazon Web Services General Reference.

  2. Make sure that you entered the correct AWS account ID when you specified the recipient account.

  3. Make sure that you didn't specify an AWS Organizations management account as the recipient. You can share a custom framework with a delegated administrator, but if you try to share a custom framework with a management account, the operation fails.

  4. If you use a customer managed key to encrypt your Audit Manager data, make sure that your KMS key is enabled. If your KMS key is disabled and you try to share a custom framework, the operation fails. For instructions on how to enable a disabled KMS key, see Enabling and disabling keys in the AWS Key Management Service Developer Guide.
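The four checks above can be scripted as a pre-flight run before calling StartAssessmentFrameworkShare. The following is an added example, not code from the AWS documentation: each check takes the plain response dict that boto3 returns for the named API call (GetAccountStatus in the recipient account, DescribeOrganization, GetSettings and DescribeKey in the sender account), so the logic runs offline against constructed sample responses. The account IDs and key ARN in the samples are placeholders, and treating a kmsKey value of "DEFAULT" as "no customer managed key" is an assumption.

```python
"""Pre-flight checks for sharing a custom Audit Manager framework.

Added example, not AWS documentation code. Each check takes the plain
response dict that boto3 returns for the named API call, so the logic runs
offline against the constructed sample responses below; fetch_inputs() shows
which live calls, in which account, would produce the real ones.
"""
from __future__ import annotations

import re

AUDIT_MANAGER_ENABLED = "ACTIVE"   # GetAccountStatus 'status' for an enabled account
KMS_KEY_ENABLED = "Enabled"        # DescribeKey KeyMetadata.KeyState for a usable key


def check_recipient_account_id(account_id: str) -> list[str]:
    """A typo in the 12-digit recipient account ID is the cheapest failure to catch."""
    if not re.fullmatch(r"\d{12}", account_id):
        return [f"'{account_id}' is not a 12-digit AWS account ID"]
    return []


def check_not_management_account(account_id: str, describe_org: dict) -> list[str]:
    """Sharing with the Organizations management account fails; a delegated administrator is fine."""
    management = describe_org.get("Organization", {}).get("MasterAccountId")
    if management and management == account_id:
        return [f"{account_id} is the Organizations management account; share with a delegated administrator instead"]
    return []


def check_audit_manager_enabled(account_status: dict, region: str) -> list[str]:
    """GetAccountStatus, called in the recipient account and the target Region, must report ACTIVE."""
    status = account_status.get("status")
    if status != AUDIT_MANAGER_ENABLED:
        return [f"Audit Manager in the recipient account ({region}) reports {status!r}, expected {AUDIT_MANAGER_ENABLED!r}"]
    return []


def check_kms_key_enabled(sender_settings: dict, describe_key: dict | None) -> list[str]:
    """If the sender uses a customer managed key, that key must be in the Enabled state."""
    key = sender_settings.get("settings", {}).get("kmsKey")
    if not key or key == "DEFAULT":      # assumption: no customer managed key configured
        return []
    state = (describe_key or {}).get("KeyMetadata", {}).get("KeyState")
    if state != KMS_KEY_ENABLED:
        return [f"KMS key {key} is in state {state!r}; enable it before sharing"]
    return []


def preflight(recipient_account: str, region: str, inputs: dict) -> list[str]:
    """Run every check from the troubleshooting list and return the problems found."""
    problems = check_recipient_account_id(recipient_account)
    problems += check_not_management_account(recipient_account, inputs["describe_organization"])
    problems += check_audit_manager_enabled(inputs["recipient_account_status"], region)
    problems += check_kms_key_enabled(inputs["sender_settings"], inputs.get("sender_describe_key"))
    return problems


def fetch_inputs(sender_session, recipient_session, region: str) -> dict:
    """Collect the live responses (needs one boto3 Session per account)."""
    orgs = sender_session.client("organizations")
    try:
        org = orgs.describe_organization()
    except orgs.exceptions.AWSOrganizationsNotInUseException:
        org = {}  # sender is not in an organization, so the management-account check is moot
    settings = sender_session.client("auditmanager", region_name=region).get_settings(attribute="KMS_KEY")
    key = settings["settings"].get("kmsKey")
    describe_key = None
    if key and key != "DEFAULT":
        describe_key = sender_session.client("kms", region_name=region).describe_key(KeyId=key)
    status = recipient_session.client("auditmanager", region_name=region).get_account_status()
    return {"describe_organization": org, "sender_settings": settings,
            "sender_describe_key": describe_key, "recipient_account_status": status}


# Constructed sample responses; account IDs and the key ARN are placeholders.
GOOD_INPUTS = {
    "describe_organization": {"Organization": {"MasterAccountId": "111111111111"}},
    "sender_settings": {"settings": {"kmsKey": "arn:aws:kms:us-east-1:222222222222:key/example-key-id"}},
    "sender_describe_key": {"KeyMetadata": {"KeyState": "Enabled"}},
    "recipient_account_status": {"status": "ACTIVE"},
}
BAD_INPUTS = {
    "describe_organization": {"Organization": {"MasterAccountId": "111111111111"}},
    "sender_settings": {"settings": {"kmsKey": "arn:aws:kms:us-east-1:222222222222:key/example-key-id"}},
    "sender_describe_key": {"KeyMetadata": {"KeyState": "Disabled"}},
    "recipient_account_status": {"status": "INACTIVE"},
}

if __name__ == "__main__":
    for problem in preflight("111111111111", "us-east-1", BAD_INPUTS):
        print("-", problem)
```

Run against BAD_INPUTS the script reports all three of the failure causes the list describes (management account as recipient, Audit Manager not enabled in the recipient account, disabled KMS key); against GOOD_INPUTS with a non-management recipient it reports nothing. Note that the recipient-side GetAccountStatus call needs credentials in the recipient account and the target Region, which is why fetch_inputs takes two sessions.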

My share request has a blue dot next to it. What does this mean?

A blue dot notification indicates that a share request needs your attention.

A blue notification dot appears next to sent share requests with a status of Expiring. Audit Manager displays the blue dot notification so that you can remind the recipient to take action on the share request before it expires.

For the blue notification dot to disappear, the recipient must accept or decline the request. The blue dot also disappears if you revoke the share request.

You can use the following procedure to check for any expiring share requests, and send an optional reminder to the recipient to take action.

To view notifications for sent requests

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. If you have a share request notification, Audit Manager displays a red dot next to the navigation menu icon.

     [Screenshot: the minimized navigation menu icon, with a red dot that indicates an Audit Manager notification.]
  3. Expand the navigation pane and look next to Share requests. A notification badge indicates the number of share requests that need attention.

     [Screenshot: the expanded navigation menu, with Shared framework requests highlighted and a notification badge showing 1 notification.]
  4. Choose Share requests, and then choose the Sent requests tab.

  5. Look for the blue dot to identify share requests that expire within the next 30 days. Alternatively, you can view only the expiring share requests by selecting Expiring from the All statuses filter dropdown.

     [Screenshot: a sent share request with a blue dot next to the framework name.]
  6. (Optional) Remind the recipient that they need to take action on the share request before it expires. This step is optional, as Audit Manager sends a notification in the console to inform the recipient when a share request is active or expiring. However, you can also send your own reminder to the recipient using your preferred communication channel.

A blue notification dot appears next to received share requests with a status of Active or Expiring. Audit Manager displays the blue dot notification to remind you to take action on the share request before it expires. For the blue notification dot to disappear, you must accept or decline the request. The blue dot also disappears if the sender revokes the share request.

You can use the following procedure to check for active and expiring share requests.

To view notifications for received requests

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. If you have a share request notification, Audit Manager displays a red dot next to the navigation menu icon.

     [Screenshot: the minimized navigation menu icon, with a red dot that indicates an Audit Manager notification.]
  3. Expand the navigation pane and look next to Share requests. A notification badge indicates the number of share requests that need your attention.

     [Screenshot: the expanded navigation menu, with Share requests highlighted and a notification badge showing one notification.]
  4. Choose Share requests. By default, this page opens on the Received requests tab.

  5. Identify the share requests that need your action by looking for items with a blue dot.

     [Screenshot: a received share request with a blue dot next to the framework name.]
  6. (Optional) To view only requests that expire in the next 30 days, find the All statuses dropdown list and select Expiring.
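The same triage the blue dot performs in the console can be done from the API, which is useful when several accounts send or receive frameworks and nobody is watching the console. The following is an added example, not code from the AWS documentation: it applies the rule described in both procedures above (sent requests need attention when Expiring; received requests when Active or Expiring) to records that use the field names ListAssessmentFrameworkShareRequests returns (id, frameworkName, status, sourceAccount, destinationAccount, expirationTime). The sample records, account IDs and request IDs are constructed; fetch_requests() shows the live call.

```python
"""Triage Audit Manager share requests the way the console blue dot does.

Added example, not AWS documentation code. The records use the field names
that ListAssessmentFrameworkShareRequests returns; the sample records below
are constructed, and fetch_requests() shows the live call.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Statuses that get a blue dot, per request type: sent requests that are
# expiring; received requests that are active or expiring.
NEEDS_ATTENTION = {"SENT": {"EXPIRING"}, "RECEIVED": {"ACTIVE", "EXPIRING"}}


def days_until_expiry(request: dict, now: datetime) -> int | None:
    """Whole days left before the request expires, or None if no expiry is recorded."""
    expires = request.get("expirationTime")
    return None if expires is None else (expires - now).days


def needs_attention(request: dict, request_type: str) -> bool:
    return request.get("status") in NEEDS_ATTENTION[request_type]


def triage(requests: list[dict], request_type: str, now: datetime) -> list[dict]:
    """One row per request that needs attention, soonest expiry first."""
    rows = []
    for req in requests:
        if not needs_attention(req, request_type):
            continue
        rows.append({
            "id": req["id"],
            "framework": req["frameworkName"],
            # the other party: the recipient for sent requests, the sender for received ones
            "counterparty": req["destinationAccount"] if request_type == "SENT" else req["sourceAccount"],
            "status": req["status"],
            "days_left": days_until_expiry(req, now),
        })
    rows.sort(key=lambda row: row["days_left"] if row["days_left"] is not None else 10**6)
    return rows


def fetch_requests(client, request_type: str) -> list[dict]:
    """Page through ListAssessmentFrameworkShareRequests with a boto3 auditmanager client."""
    requests, token = [], None
    while True:
        kwargs = {"requestType": request_type}
        if token:
            kwargs["nextToken"] = token
        page = client.list_assessment_framework_share_requests(**kwargs)
        requests.extend(page.get("assessmentFrameworkShareRequests", []))
        token = page.get("nextToken")
        if not token:
            return requests


# Constructed sample data; account IDs and request IDs are placeholders.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SENT_SAMPLE = [
    {"id": "req-1", "frameworkName": "PCI custom", "status": "EXPIRING",
     "sourceAccount": "111111111111", "destinationAccount": "222222222222",
     "expirationTime": NOW + timedelta(days=12)},
    {"id": "req-2", "frameworkName": "SOC 2 custom", "status": "SHARED",
     "sourceAccount": "111111111111", "destinationAccount": "333333333333",
     "expirationTime": NOW + timedelta(days=60)},
    {"id": "req-3", "frameworkName": "HIPAA custom", "status": "EXPIRING",
     "sourceAccount": "111111111111", "destinationAccount": "444444444444",
     "expirationTime": NOW + timedelta(days=3)},
]
RECEIVED_SAMPLE = [
    {"id": "req-4", "frameworkName": "ISO custom", "status": "ACTIVE",
     "sourceAccount": "555555555555", "destinationAccount": "111111111111",
     "expirationTime": NOW + timedelta(days=100)},
    {"id": "req-5", "frameworkName": "Old framework", "status": "DECLINED",
     "sourceAccount": "555555555555", "destinationAccount": "111111111111",
     "expirationTime": NOW - timedelta(days=5)},
]

if __name__ == "__main__":
    for kind, sample in (("SENT", SENT_SAMPLE), ("RECEIVED", RECEIVED_SAMPLE)):
        for row in triage(sample, kind, NOW):
            print(kind, row["id"], row["framework"], row["status"], f"{row['days_left']} days left")
```

With a real client, replace the samples with fetch_requests(client, "SENT") and fetch_requests(client, "RECEIVED") and use datetime.now(timezone.utc) for now. The counterparty column gives you the account to remind (for sent requests) or the account whose share you still have to accept or decline (for received ones).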

My shared framework has controls that use custom AWS Config rules as a data source. Can the recipient collect evidence for these controls?

Yes, your recipient can collect evidence for these controls, but a few steps are needed to achieve this.

For Audit Manager to collect evidence using an AWS Config rule as a data source mapping, the following must be true. These criteria apply to both managed rules and custom rules.

  • The rule must exist in the recipient’s AWS environment.

  • The rule must be enabled in the recipient’s AWS environment.

Remember that the AWS Config rules in your account likely don't already exist in the recipient's AWS environment. Moreover, when the recipient accepts the share request, Audit Manager doesn't recreate any of your custom rules in their account. For the recipient to collect evidence using your custom rules as a data source mapping, they must create the same custom rules in their instance of AWS Config. After the recipient creates and then enables the rules in AWS Config, Audit Manager can collect evidence from that data source.

We recommend that you communicate with the recipient to let them know if any custom AWS Config rules should be created in their instance of AWS Config.

I updated a custom rule that's used in a shared framework. Do I need to take any action?

For rule updates within your AWS environment

When you update a custom rule within your AWS environment, no action is needed in Audit Manager. Audit Manager detects and handles rule updates in the way that's described in the following table. Audit Manager doesn't notify you when a rule update is detected.

Scenario: A custom rule is updated in your instance of AWS Config.
What Audit Manager does: Audit Manager continues to report findings for that rule using the updated rule definition.
What you need to do: No action is needed.

Scenario: A custom rule is deleted in your instance of AWS Config.
What Audit Manager does: Audit Manager stops reporting findings for the deleted rule.
What you need to do: No action is needed. If you want to, you can edit the custom controls that used the deleted rule as a data source mapping and remove the deleted rule to clean up the control's data source settings. Otherwise, the deleted rule name remains as an unused data source mapping.

For rule updates outside your AWS environment

In the recipient’s AWS environment, Audit Manager doesn’t detect the rule update. This is because senders and recipients each work in separate AWS environments. The following table provides recommended actions for this scenario.

Your role: Sender
Scenario:
  • You shared a framework that uses custom rules as a data source mapping.
  • After you shared the framework, you updated or deleted one of those rules in AWS Config.
Recommended action: Contact the recipient to let them know about the update. That way, they can make the same update and stay in sync with the latest rule definition.

Your role: Recipient
Scenario:
  • You accepted a shared framework that uses custom rules as a data source mapping.
  • After you recreated the custom rules in your instance of AWS Config, the sender updated or deleted one of those rules.
Recommended action: Make the corresponding rule update in your own instance of AWS Config.
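Because Audit Manager neither recreates custom rules in the recipient's account nor detects the sender's later changes to them, the recipient is left to keep the two environments in sync by hand. The following is an added example, not code from the AWS documentation, covering both of the points above: it takes the Config rule names a shared framework's controls depend on, checks that each rule exists and is enabled (ConfigRuleState ACTIVE) in the recipient's AWS Config, and, when the sender's rule definitions are also available, flags rules whose definitions have drifted apart. Rule records use the field names that DescribeConfigRules returns; the controls, rules, account IDs and Lambda ARN are constructed samples, and stripping a "Custom_" prefix from control data-source keywords to get the rule name is an assumption.

```python
"""Reconcile the custom AWS Config rules a shared framework depends on with the
recipient's own Config rules.

Added example, not AWS documentation code. Rule records use the field names
that DescribeConfigRules returns; the sample controls and rules are constructed,
and the "Custom_" prefix on control data-source keywords is an assumption.
"""
from __future__ import annotations

import json

ENABLED_STATE = "ACTIVE"  # ConfigRuleState of a rule that is currently evaluating


def required_rules_from_controls(controls: list[dict]) -> list[str]:
    """Collect Config rule names from control data-source mappings (GetControl shape)."""
    names = []
    for control in controls:
        for src in control.get("controlMappingSources", []):
            if src.get("sourceType") != "AWS_Config":
                continue
            keyword = src.get("sourceKeyword", {}).get("keywordValue", "")
            # assumption: custom-rule keywords carry a "Custom_" prefix before the rule name
            name = keyword[len("Custom_"):] if keyword.startswith("Custom_") else keyword
            if name and name not in names:
                names.append(name)
    return names


def rule_fingerprint(rule: dict) -> tuple:
    """The parts of a rule definition that must match for sender and recipient to stay in sync.

    The Lambda ARN (SourceIdentifier) is deliberately left out: the recipient's
    copy of the rule points at a function in their own account.
    """
    params = json.loads(rule.get("InputParameters") or "{}")
    scope = rule.get("Scope", {}).get("ComplianceResourceTypes") or []
    return (rule.get("Source", {}).get("Owner"), json.dumps(params, sort_keys=True), tuple(sorted(scope)))


def reconcile(required: list[str], sender_rules: list[dict], recipient_rules: list[dict]) -> dict:
    """Sort each required rule into missing / not_enabled / drifted / ok on the recipient side."""
    sender = {r["ConfigRuleName"]: r for r in sender_rules}
    recipient = {r["ConfigRuleName"]: r for r in recipient_rules}
    report = {"missing": [], "not_enabled": [], "drifted": [], "ok": []}
    for name in required:
        rule = recipient.get(name)
        if rule is None:
            report["missing"].append(name)
        elif rule.get("ConfigRuleState") != ENABLED_STATE:
            report["not_enabled"].append(name)
        elif name in sender and rule_fingerprint(sender[name]) != rule_fingerprint(rule):
            report["drifted"].append(name)
        else:
            report["ok"].append(name)
    return report


def fetch_rules(config_client) -> list[dict]:
    """Page through DescribeConfigRules with a boto3 config client."""
    rules, token = [], None
    while True:
        page = config_client.describe_config_rules(**({"NextToken": token} if token else {}))
        rules.extend(page.get("ConfigRules", []))
        token = page.get("NextToken")
        if not token:
            return rules


# Constructed samples; the account IDs and Lambda ARN are placeholders.
def custom_rule(name: str, function_arn: str, params: str = "{}", state: str = "ACTIVE") -> dict:
    return {"ConfigRuleName": name, "ConfigRuleState": state, "InputParameters": params,
            "Source": {"Owner": "CUSTOM_LAMBDA", "SourceIdentifier": function_arn}}

SENDER_FN = "arn:aws:lambda:us-east-1:111111111111:function:example-rule"
RECIPIENT_FN = "arn:aws:lambda:us-east-1:222222222222:function:example-rule"
CONTROLS = [
    {"name": "Tagging", "controlMappingSources": [
        {"sourceType": "AWS_Config", "sourceKeyword": {"keywordValue": "Custom_s3-bucket-tagging"}},
        {"sourceType": "AWS_Config", "sourceKeyword": {"keywordValue": "Custom_ec2-approved-ami"}}]},
    {"name": "Resilience", "controlMappingSources": [
        {"sourceType": "AWS_Config", "sourceKeyword": {"keywordValue": "Custom_rds-backup-window"}},
        {"sourceType": "AWS_Config", "sourceKeyword": {"keywordValue": "Custom_iam-key-age"}},
        {"sourceType": "AWS_Cloudtrail", "sourceKeyword": {"keywordValue": "CreateTrail"}}]},
]
SENDER_RULES = [
    custom_rule("s3-bucket-tagging", SENDER_FN, '{"requiredTag": "owner"}'),
    custom_rule("ec2-approved-ami", SENDER_FN),
    custom_rule("rds-backup-window", SENDER_FN),
    custom_rule("iam-key-age", SENDER_FN, '{"maxAgeDays": "90"}'),
]
RECIPIENT_RULES = [
    custom_rule("s3-bucket-tagging", RECIPIENT_FN, '{"requiredTag": "owner"}'),   # in sync
    custom_rule("rds-backup-window", RECIPIENT_FN, state="DELETING"),             # not enabled
    custom_rule("iam-key-age", RECIPIENT_FN, '{"maxAgeDays": "60"}'),             # drifted
]                                                                                # ec2-approved-ami missing

if __name__ == "__main__":
    print(reconcile(required_rules_from_controls(CONTROLS), SENDER_RULES, RECIPIENT_RULES))
```

In a real run the recipient calls fetch_rules on their own Config client; the sender's rule list is optional and, if the sender exports it (for example when they contact you about an update), enables the drift check. Anything in missing or not_enabled means Audit Manager cannot collect evidence for the affected controls yet; anything in drifted means evidence is being collected against a rule definition the sender has since changed.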