Sending a share request for a custom framework - AWS Audit Manager

Sending a share request for a custom framework

This tutorial describes how to share your custom frameworks across AWS accounts and AWS Regions.

When you share a custom framework, Audit Manager creates a snapshot of your framework and sends a share request to the recipient. The recipient has 120 days to accept the shared framework. When they accept, Audit Manager replicates the shared custom framework to their framework library in the specified AWS Region. If you want to replicate a custom framework to another Region under your own account, use the following tutorial and enter your own AWS account ID as the recipient account ID.

This tutorial covers the following steps:

  1. Select a framework to share – Browse the framework library to find the custom framework that you want to share.

  2. Send a share request – Specify a recipient and send them a share request for the custom framework.

  3. View sent requests – View your share request history and check the status of your sent requests.

  4. (Optional) Revoke the share request – Revoke the share request before it's due to expire.

Prerequisites

Before you start this tutorial, make sure that you first meet the following conditions:

  • You're familiar with Audit Manager framework sharing concepts and terminology.

  • The custom framework that you want to share is eligible for sharing and exists in the framework library of your AWS Audit Manager environment.

  • The recipient already enabled AWS Audit Manager in the AWS Region where you want to share the custom framework.

  • The recipient is not an AWS Organizations management account.

Tip

Before you start, make a note of the AWS account ID that you want to share your custom framework with. This can be your own account ID, if your goal is to replicate the framework to another AWS Region under your account. You need this information for step 2 of the tutorial.

Important

Don’t share custom frameworks that contain sensitive data. This includes data found within the framework itself, its control sets, and any of the custom controls that comprise the custom framework. For more information, see Framework eligibility.

Step 1: Identify the custom framework that you want to share

Start by identifying the custom framework that you want to share. You can find a list of all available custom frameworks on the Framework library page in Audit Manager.

To view your available custom frameworks

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the navigation pane, choose Framework library.

  3. Choose the Custom frameworks tab. This displays a list of your available custom frameworks. You can choose any framework name to view the details of that custom framework.

Step 2: Send a share request

Next, specify a recipient and send them a share request for the custom framework. The recipient has 120 days to respond to the share request before it expires.

To send a share request

  1. From the Custom frameworks tab of the framework library, select the framework that you want to share, choose Actions, and then choose Share custom framework.

    • Alternatively, you can choose the name of the framework to open the framework detail page. From here, choose Actions and then choose Share custom framework.

  2. Review the notice that displays in the dialog box. If you're unsure whether you can share your custom framework, review Framework eligibility for further guidance. Otherwise, choose Proceed.

  3. On the next screen, follow these steps:

    • Under AWS account, enter the recipient’s account ID. This can be your own account ID.

    • Under AWS Region, select the recipient's Region from the dropdown list.

    • (Optional) Under Message to recipient, enter an optional comment about the custom framework that you're sharing.

    • Under Custom framework details, review the details to confirm that you want to share this framework.

  4. Choose Share.

Note

Keep in mind the following points:

  • When you share a custom framework with another AWS account, the framework is replicated only to the specified AWS Region. After accepting the share request, the recipient can then replicate the framework across Regions as needed.

  • When sharing custom frameworks across AWS Regions, it can take up to 10 minutes to process share request actions. After sending a cross-Region share request, we recommend that you check back later to confirm that your share request was sent successfully.

  • When you send a share request, Audit Manager takes a snapshot of the custom framework at the time of the share request creation. If you update the custom framework after sending a share request, the request isn't automatically updated. To share the latest version of an updated framework, you can resend the share request. The expiration date of this new snapshot is 120 days from the re-share date.

Step 3: View your sent requests

You can select the Sent requests tab to see a list of all the share requests that you sent. You can filter this list as needed. For example, you can apply filters to display only requests that expire within the next 30 days.

To view and filter your sent requests

  1. From the navigation pane, choose Share requests.

  2. Choose the Sent requests tab.

  3. (Optional) Apply filters to fine-tune which sent requests are visible. You can do this by finding the All statuses dropdown list, and changing the filter to one of the following.

    • Active – This filter displays share requests that are awaiting a response from the recipient.

    • Shared – This filter displays share requests that were accepted by the recipient. The shared custom framework now exists in the recipient's framework library.

    • Inactive – This filter displays share requests that were declined, revoked, or expired before the recipient took action. Choose the word Inactive to view more details.

    • Expiring – This filter displays share requests that expire in the next 30 days.

    • Failed – This filter displays the share requests that weren't successfully sent to the recipient. Choose the word Failed to view more details.

Note

It can take up to 15 minutes to process a share request. As a result, if an error occurred when sending your share request to the recipient, the Failed status might not display immediately. We recommend that you check back later to confirm that your share request was sent successfully.

For information about how to proceed if you encounter an error, see Troubleshooting share requests.

Step 4 (Optional): Revoke the share request

If you need to cancel an active share request before it’s due to expire, you can revoke the request at any time. This step is optional. If you take no action, the recipient loses the ability to accept the share request after the expiration date.

To revoke a share request

  1. From the navigation pane, choose Share requests.

  2. Choose the Sent requests tab.

  3. Select the framework that you want to revoke and choose Revoke request.

  4. In the pop-up window that appears, choose Revoke.

Note

You can only revoke access to share requests that have a status of Active or Expiring. After a recipient accepts a share request, you can no longer revoke their access to that custom framework. This is because a copy of the custom framework now exists in the recipient’s framework library.

When sharing frameworks across AWS Regions, it can take up to 10 minutes to process share request actions. After revoking a cross-Region share request, we recommend that you check back later to confirm that the share request was revoked successfully.

Resending a share request for an updated framework

You might send a share request for a custom framework and then update the same framework afterwards. If you do this, the share request isn't automatically updated to reflect the latest version of the framework. However, if its status is active, shared, or expiring, you can update an existing share request. To do this, you resend a new share request with the same set of details as the existing request. In the new share request, include the same custom framework ID, recipient account ID, and recipient AWS Region. You can also provide a new comment with the new share request.

Keep in mind the following when you resend a share request:

  • For the update to be successful, the new request must be for the same custom framework ID. It must also specify the same recipient account ID and Region as the existing request.

  • If the name of the custom framework has changed, the updated share request displays the latest name.

  • If you provide a new comment, the updated share request displays the latest comment.

  • When you resend a share request, the expiration date is extended by six months.

To resend a share request for an updated framework

  1. From the Custom frameworks tab of the framework library, select the updated framework that you want to resend the request for. Choose Actions, and then choose Share custom framework.

    • Alternatively, you can choose the name of the updated framework to open the framework detail page. From here, choose Actions and then choose Share custom framework.

  2. Review the notice that displays in the dialog box and choose Proceed.

  3. On the next screen, follow these steps:

    • Under AWS account, enter the same account ID that you specified in the existing share request.

    • Under AWS Region, select the same Region that you specified in the existing share request.

    • (Optional) Under Message to recipient, enter an optional comment about the updated custom framework.

    • Under Custom framework details, review the details to confirm that you want to resend the share request.

  4. Choose Share to resend and update the share request.

Troubleshooting share requests

Use the information here to help you troubleshoot and fix the issues that you encounter when sharing a custom framework in AWS Audit Manager.

My share request status displays as Failed

If you try to share a custom framework and the operation fails, we recommend that you check the following:

  1. Make sure that Audit Manager is enabled in the recipient's AWS account and in the specified Region. For a list of supported AWS Audit Manager Regions, see AWS Regions and Endpoints in the Amazon Web Services General Reference.

  2. Make sure that you entered the correct AWS account ID when you specified the recipient account.

  3. Make sure that you didn't specify an AWS Organizations management account as the recipient. You can share a custom framework with a delegated administrator, but if you try to share a custom framework with a management account, the operation fails.

My share request has a blue dot next to it. What does this mean?

A blue notification dot appears next to sent requests with a status of Expiring. Audit Manager displays the blue dot notification so that you can remind the recipient to take action on the share request before it expires. For the blue notification dot to disappear, the recipient must accept or decline the request. If you revoke the share request, the blue dot also disappears.

You can use the following procedure to check for any expiring share requests, and send an optional reminder to the recipient to take action.

To view notifications for sent requests

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. If you have a share request notification, Audit Manager displays a red dot next to the navigation menu icon.

    
                  Screenshot of the minimized navigation menu icon, with a red dot that indicates an Audit Manager notification.
  3. Expand the navigation pane and look next to Share requests. A notification badge indicates the number of share requests that need attention.

    
                  Screenshot of the expanded navigation menu, with Share requests
                    highlighted and a notification badge showing 1 notification.
  4. Choose Share requests, and then choose the Sent requests tab.

  5. Look for the blue dot to identify share requests that expire sometime within the next 30 days. Alternatively, you can also view expiring share requests by selecting Expiring from the All statuses filter dropdown.

    
                  Screenshot of a received request with a blue dot next to the framework
                    name.
  6. (Optional) Remind the recipient that they need to take action on the share request before it expires. This step is optional, as Audit Manager sends a notification in the console to inform the recipient when a share request is active or expiring. However, you can also send your own reminder to the recipient using your preferred communication channel.