General settings - AWS Audit Manager

General settings

The General settings tab is the default view of the settings page in the Audit Manager console. Use this tab to review and update your general Audit Manager settings.

Permissions

AWS Audit Manager uses a service-linked role to connect to data sources on your behalf. For more information, see Using service-linked roles for AWS Audit Manager.

To review the details of the service-linked role that Audit Manager uses, choose View IAM service-linked role permission.

For more information about service-linked roles, see Using service-linked roles in the IAM User Guide.

Data encryption

Audit Manager automatically creates a unique AWS managed key for the secure storage of your data. By default, your Audit Manager data is encrypted with this KMS key. Alternatively, if you want to customize your data encryption settings, you can specify your own symmetric encryption customer managed key. Using your own KMS key gives you more flexibility, including the ability to create, rotate, and disable keys.

Important

To generate assessment reports and export evidence finder search results successfully, your customer managed key (if you provide one) must be in the same AWS Region as your assessment. For a list of Audit Manager Regions, see AWS Audit Manager endpoints and quotas in the Amazon Web Services General Reference.

You can update your data encryption settings using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

Audit Manager console
To update your data encryption settings (console)
  1. From the General settings tab, go to the Data encryption section.

  2. To use the default KMS key that's provided by Audit Manager, clear the Customize encryption settings (advanced) check box.

  3. To use a customer managed key, select the Customize encryption settings (advanced) check box. You can then choose an existing KMS key, or create a new one.

AWS CLI
To update your data encryption settings (AWS CLI)

Run the update-settings command and use the --kms-key parameter to specify your own customer managed key.

In the following example, replace the placeholder text with your own information.

aws auditmanager update-settings --kms-key arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

Audit Manager API
To update your data encryption settings (API)

Call the UpdateSettings operation and use the kmsKey parameter to specify your own customer managed key.

For more information, choose the previous links to read more in the Audit Manager API Reference. This includes information about how to use this operation and parameter in one of the language-specific AWS SDKs.

Note

When you change your Audit Manager data encryption settings, these changes apply to any new assessments that you create. This includes any assessment reports and evidence finder exports that you create from your new assessments.

The changes don't apply to existing assessments that you created before you changed your encryption settings. This includes new assessment reports and CSV exports that you create from existing assessments, in addition to existing assessment reports and CSV exports. Existing assessments—and all their assessment reports and CSV exports—continue to use the old KMS key.

If the IAM identity that generates the assessment report can't use the old KMS key, grant permissions at the key policy level. For instructions, see Allowing users in other accounts to use a KMS key in the AWS Key Management Service Developer Guide.

For instructions on how to create keys, see Creating keys in the AWS Key Management Service Developer Guide.
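A pre-flight check for the Region requirement in the Important note above, as an added example that is not part of the AWS documentation. It takes the Region your assessments run in and the key ARN you intend to pass to update-settings, refuses a key in a different Region (the failure mode the note calls out for assessment reports and evidence finder exports), and only invokes the AWS CLI when --apply is given. It assumes the key is supplied as a key ARN in the form shown in the CLI example (arn:<partition>:kms:<region>:<account>:key/<key-id>); rejecting alias ARNs is a conservative choice of this example, not a restriction this page documents.

```shell
#!/bin/sh
# Added example, not from the AWS documentation: validate a customer managed
# KMS key ARN against the assessment Region before changing Audit Manager's
# data encryption setting.

kms_key_region() {
  # Print the Region field of a KMS key ARN. Fail (return 1) for anything that
  # is not a key ARN of the form arn:<partition>:kms:<region>:<account>:key/<id>.
  # Assumption of this example: alias ARNs (alias/...) are rejected.
  arn=$1
  old_ifs=$IFS
  IFS=:
  set -- $arn
  IFS=$old_ifs
  [ "$#" -eq 6 ] || return 1
  [ "$1" = arn ] && [ "$3" = kms ] && [ -n "$4" ] || return 1
  case $6 in
    key/*) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "$4"
}

audit_manager_set_kms_key() {
  # Usage: audit_manager_set_kms_key <assessment-region> <kms-key-arn> [--apply]
  # Prints the update-settings command; runs it only when --apply is given.
  # Exit codes: 2 = not a key ARN, 3 = key is in the wrong Region.
  assessment_region=$1
  key_arn=$2
  key_region=$(kms_key_region "$key_arn") || {
    echo "error: '$key_arn' is not a KMS key ARN" >&2
    return 2
  }
  if [ "$key_region" != "$assessment_region" ]; then
    echo "error: key is in $key_region but assessments are in $assessment_region;" \
         "assessment reports and evidence finder exports would fail" >&2
    return 3
  fi
  # --region is the AWS CLI global option; the setting is per Region.
  cmd="aws auditmanager update-settings --region $assessment_region --kms-key $key_arn"
  printf '%s\n' "$cmd"
  if [ "${3:-}" = --apply ]; then
    $cmd   # assumes the AWS CLI and credentials are configured
  fi
}

# Dry run with the placeholder ARN from this page (prints the command only):
audit_manager_set_kms_key us-west-2 \
  arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
```

Run it again with --apply once the printed command looks right. The check does not confirm that the key is a symmetric encryption key or that its key policy lets Audit Manager and the report-generating IAM identity use it; as the note above says, those permissions are granted in the key policy.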

Delegated administrator (optional)

If you use AWS Organizations and want to enable multi-account support for Audit Manager, you can designate a member account in your organization as the delegated administrator for Audit Manager.

Prerequisites

Important considerations for delegated administrators in Audit Manager

Take note of the following factors that define how the delegated administrator operates in Audit Manager:

Management account usage

You can't use your AWS Organizations management account as a delegated administrator in Audit Manager.

Using delegated administrators across multiple AWS Regions

If you want to enable Audit Manager in more than one AWS Region, you must designate a delegated administrator account separately in each Region. In your Audit Manager settings, you should use the same delegated administrator account across all Regions.

Evidence finder cleanup task

Before you use your management account to remove or change a delegated administrator, make sure that the current delegated administrator account signs in to Audit Manager and disables evidence finder. Disabling evidence finder automatically deletes the event data store that was created in the account when evidence finder was enabled.

If this task isn’t completed, the event data store remains in their account. In this case, we recommend that the original delegated administrator uses CloudTrail Lake to manually delete the event data store.

This cleanup task is necessary to ensure that you don't end up with multiple event data stores. Audit Manager ignores an unused event data store after you remove or change a delegated administrator account. However, if you don't delete the unused event data store, the event data store continues to incur storage costs from CloudTrail Lake.

Data deletion

When you remove a delegated administrator account for Audit Manager, the data for that account isn't deleted. If you want to delete resource data for a delegated administrator account, you must perform that task separately before you remove the account. You can do this in the Audit Manager console, or you can use one of the delete API operations that are provided by Audit Manager. For a list of available delete operations, see Deletion of Audit Manager data.

At this time, Audit Manager doesn't provide an option to delete evidence for a specific delegated administrator. Instead, when your management account deregisters Audit Manager, we perform a cleanup for the current delegated administrator account at the time of deregistration.

For solutions to common Organizations and delegated administrator issues in Audit Manager, see Troubleshooting delegated administrator and AWS Organizations issues.

Managing your delegated administrator account for Audit Manager

You can review and change your delegated administrator account settings as follows.

You can add a delegated administrator using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

Note

After you add a delegated administrator in your Audit Manager settings, your management account can no longer create additional assessments in Audit Manager. Additionally, evidence collection stops for any existing assessments created by the management account. Audit Manager collects and attaches evidence to the delegated administrator account, which is the main account for managing your organization's assessments.

Audit Manager console
To add a delegated administrator (console)
  1. From the General settings tab, go to the Delegated administrator section.

  2. Under Delegated administrator account ID, enter the account ID of the delegated administrator.

  3. Choose Delegate.

AWS CLI
To add a delegated administrator (AWS CLI)

Run the register-organization-admin-account command and use the --admin-account-id parameter to specify the account ID of the delegated administrator.

In the following example, replace the placeholder text with your own information.

aws auditmanager register-organization-admin-account --admin-account-id 111122223333

Audit Manager API
To add a delegated administrator (API)

Call the RegisterOrganizationAdminAccount operation and use the adminAccountId parameter to specify the account ID of the delegated administrator.

For more information, choose the previous links to read more in the Audit Manager API Reference. This includes information about how to use this operation and parameter in one of the language-specific AWS SDKs.

You can change a delegated administrator using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

Warning

When you change a delegated administrator, you continue to have access to the evidence that you previously collected under the old delegated administrator account. However, Audit Manager stops collecting and attaching evidence to the old delegated administrator account.

Audit Manager console
To change the current delegated administrator (console)
  1. (Optional) If the current delegated administrator (account A) enabled evidence finder, perform the following cleanup task:

    1. Before assigning account B as the new delegated administrator, make sure that account A signs in to Audit Manager and disables evidence finder.

      Disabling evidence finder automatically deletes the event data store that was created when account A enabled evidence finder. If you don't complete this step, then account A must go to CloudTrail Lake and manually delete the event data store. Otherwise, the event data store remains in account A and continues to incur CloudTrail Lake storage charges.

  2. From the General settings tab, go to the Delegated administrator section and choose Remove.

  3. In the pop-up window that appears, choose Remove to confirm.

  4. Under Delegated administrator account ID, enter the ID of the new delegated administrator account.

  5. Choose Delegate.

AWS CLI
Before you start

If the current delegated administrator (account A) enabled evidence finder, perform the following cleanup task:

Before assigning account B as the new delegated administrator, make sure that account A signs in to Audit Manager and disables evidence finder.

Disabling evidence finder automatically deletes the event data store that was created when account A enabled evidence finder. If you don't complete this step, then account A must go to CloudTrail Lake and manually delete the event data store. Otherwise, the event data store remains in account A and continues to incur CloudTrail Lake storage charges.

To change the current delegated administrator (AWS CLI)

First, run the deregister-organization-admin-account command using the --admin-account-id parameter to specify the account ID of the current delegated administrator.

In the following example, replace the placeholder text with your own information.

aws auditmanager deregister-organization-admin-account --admin-account-id 111122223333

Then, run the register-organization-admin-account command using the --admin-account-id parameter to specify the account ID of the new delegated administrator.

In the following example, replace the placeholder text with your own information.

aws auditmanager register-organization-admin-account --admin-account-id 444455556666

Audit Manager API
Before you start

If the current delegated administrator (account A) enabled evidence finder, perform the following cleanup task:

Before assigning account B as the new delegated administrator, make sure that account A signs in to Audit Manager and disables evidence finder.

Disabling evidence finder automatically deletes the event data store that was created when account A enabled evidence finder. If you don't complete this step, then account A must go to CloudTrail Lake and manually delete the event data store. Otherwise, the event data store remains in account A and continues to incur CloudTrail Lake storage charges.

To change the current delegated administrator (API)

First, call the DeregisterOrganizationAdminAccount operation and use the adminAccountId parameter to specify the account ID of the current delegated administrator.

Then, call the RegisterOrganizationAdminAccount operation and use the adminAccountId parameter to specify the account ID of the new delegated administrator.

For more information, choose the previous links to read more in the Audit Manager API Reference. This includes information about how to use this operation and parameter in one of the language-specific AWS SDKs.
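The change procedure above, scripted across every Region you use, as an added example that is not part of the AWS documentation. It encodes the constraints this page states: the management account can't be the delegated administrator, the same account should be used in all Regions, and the old administrator is deregistered before the new one is registered. Account IDs are placeholders (999999999999 stands in for the management account); the script does not query AWS Organizations, and it cannot verify that the outgoing administrator disabled evidence finder, so that cleanup remains a manual precondition. It prints the commands and runs them only when APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the AWS documentation: change the Audit Manager
# delegated administrator in each Region, with the checks this page calls out.
# Assumptions: account IDs are passed in explicitly, and the outgoing
# administrator has already disabled evidence finder in every Region.

is_account_id() {
  # AWS account IDs are exactly 12 decimal digits.
  case $1 in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

switch_delegated_admin() {
  # Usage: switch_delegated_admin <management-account> <old-admin> <new-admin> <region>...
  # Prints the AWS CLI commands in the order they must run; executes them only
  # when APPLY=1 is set in the environment.
  # Exit codes: 2 = malformed account ID, 3 = management account as admin,
  #             4 = new admin equals old admin, 5 = no Region given.
  mgmt=$1; old=$2; new=$3; shift 3
  for id in "$mgmt" "$old" "$new"; do
    is_account_id "$id" || { echo "error: '$id' is not a 12-digit account ID" >&2; return 2; }
  done
  if [ "$new" = "$mgmt" ]; then
    echo "error: the Organizations management account can't be the delegated administrator" >&2
    return 3
  fi
  if [ "$new" = "$old" ]; then
    echo "error: $new is already the delegated administrator" >&2
    return 4
  fi
  [ "$#" -gt 0 ] || { echo "error: at least one Region is required" >&2; return 5; }
  for region in "$@"; do
    # The delegated administrator is set per Region, and the page's order is
    # remove the current one first, then register the new one.
    for cmd in \
      "aws auditmanager deregister-organization-admin-account --region $region --admin-account-id $old" \
      "aws auditmanager register-organization-admin-account --region $region --admin-account-id $new"
    do
      printf '%s\n' "$cmd"
      if [ "${APPLY:-0}" = 1 ]; then
        $cmd   # assumes the AWS CLI and management-account credentials are configured
      fi
    done
  done
}

# Dry run with placeholder IDs (prints the four commands, runs nothing):
switch_delegated_admin 999999999999 111122223333 444455556666 us-east-1 eu-west-1
```

Review the printed commands, then rerun with APPLY=1 from credentials in the management account. After the switch, the old account keeps the evidence already collected but receives no new evidence, as the Warning above states.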

You can remove a delegated administrator using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

Warning

When you remove a delegated administrator, you continue to have access to the evidence that you previously collected under that delegated administrator account. However, Audit Manager stops collecting and attaching evidence to the old delegated administrator account.

Audit Manager console
To remove the current delegated administrator (console)
  1. (Optional) If the current delegated administrator enabled evidence finder, perform the following cleanup task:

    1. Make sure that the current delegated administrator account signs in to Audit Manager and disables evidence finder.

      Disabling evidence finder automatically deletes the event data store that was created in their account when they enabled evidence finder. If this step isn't completed, the delegated administrator account must use CloudTrail Lake to manually delete the event data store. Otherwise, the event data store remains in their account and continues to incur CloudTrail Lake storage charges.

  2. From the General settings tab, go to the Delegated administrator section and choose Remove.

  3. In the pop-up window that appears, choose Remove to confirm.

AWS CLI
Before you start

If the current delegated administrator enabled evidence finder, perform the following cleanup task:

Make sure that the current delegated administrator account signs in to Audit Manager and disables evidence finder.

Disabling evidence finder automatically deletes the event data store that was created in their account when they enabled evidence finder. If this step isn't completed, the delegated administrator account must use CloudTrail Lake to manually delete the event data store. Otherwise, the event data store remains in their account and continues to incur CloudTrail Lake storage charges.

To remove the current delegated administrator (AWS CLI)

Run the deregister-organization-admin-account command and use the --admin-account-id parameter to specify the account ID of the delegated administrator.

In the following example, replace the placeholder text with your own information.

aws auditmanager deregister-organization-admin-account --admin-account-id 111122223333

Audit Manager API
Before you start

If the current delegated administrator enabled evidence finder, perform the following cleanup task:

Make sure that the current delegated administrator account signs in to Audit Manager and disables evidence finder.

Disabling evidence finder automatically deletes the event data store that was created in their account when they enabled evidence finder. If this step isn't completed, the delegated administrator account must use CloudTrail Lake to manually delete the event data store. Otherwise, the event data store remains in their account and continues to incur CloudTrail Lake storage charges.

To remove the current delegated administrator (API)

Call the DeregisterOrganizationAdminAccount operation and use the adminAccountId parameter to specify the account ID of the delegated administrator.

For more information, choose the previous links to read more in the Audit Manager API Reference. This includes information about how to use this operation and parameter in one of the language-specific AWS SDKs.

AWS Config (optional)

You can allow Audit Manager to collect findings from AWS Config. When AWS Config is enabled, Audit Manager can capture snapshots of your resource security posture by reporting the results of rule checks directly from AWS Config. We recommend that you enable AWS Config for an optimal experience in Audit Manager.

To enable AWS Config, choose Enable AWS Config to go to that service. For instructions on how to enable AWS Config, see Setting up AWS Config in the AWS Config Developer Guide.

Security Hub (optional)

You can allow Audit Manager to import AWS Security Hub findings for supported compliance standards. When Security Hub is enabled, Audit Manager can capture snapshots of your resource security posture by reporting the results of security checks directly from Security Hub. We recommend that you enable Security Hub for an optimal experience in Audit Manager.

To enable Security Hub, choose Enable Security Hub to go to that service. For instructions on how to enable Security Hub, see Setting up AWS Security Hub in the Security Hub User Guide.

Disable AWS Audit Manager

You can disable Audit Manager if you no longer want to use the service. When you disable Audit Manager, you also have the option to delete all of your data.

By default, your data isn’t deleted when you disable Audit Manager. Your evidence data is retained for two years from the time of its creation. Your other Audit Manager resources (including assessments, custom controls, and custom frameworks) are retained indefinitely, and will be available if you re-enable Audit Manager in the future. For more information about data retention, see Data Protection in this guide.

If you choose to delete your data, Audit Manager deletes all evidence data along with all of the Audit Manager resources that you created (including assessments, custom controls, and custom frameworks). All of your data is deleted within seven days of disabling Audit Manager.

Warning
  • When you disable Audit Manager, your access is revoked and the service no longer collects evidence for any existing assessments. You can't access anything in the service unless you re-enable Audit Manager.

  • Deleting all data is a permanent action. If you decide to re-enable Audit Manager in the future, your data won’t be recoverable.

You can disable Audit Manager using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

Audit Manager console
To disable Audit Manager (console)
  1. From the General settings tab, go to the Disable AWS Audit Manager section.

  2. Choose Disable.

  3. In the pop-up window, review your current data retention setting.

    1. To proceed with your current selection, choose Disable Audit Manager.

    2. To change your current selection, perform the following steps:

      1. Choose Cancel to return to the settings page.

      2. To use the default data retention setting, turn off Delete all data. This selection retains evidence data for two years from the time of its creation, and retains other Audit Manager resources indefinitely.

      3. To delete your data, turn on Delete all data.

      4. Choose Disable, and then choose Disable Audit Manager to confirm your choice.

AWS CLI
Before you start

Before you disable Audit Manager, you can run the update-settings command to set your preferred data retention policy. By default, Audit Manager retains your data. If you want to request the deletion of your data, use the --deregistration-policy parameter with the deleteResources value set to ALL.

aws auditmanager update-settings --deregistration-policy deleteResources=ALL

To disable Audit Manager (AWS CLI)

When you're ready to disable Audit Manager, run the deregister-account command.

aws auditmanager deregister-account

Audit Manager API
Before you start

Before you disable Audit Manager, you can use the UpdateSettings API operation to set your preferred data retention policy. By default, Audit Manager retains your data. If you want to delete your data, you can use the DeregistrationPolicy attribute to request the deletion of your data.

To disable Audit Manager (API)

When you're ready to disable Audit Manager, call the DeregisterAccount operation.

For more information, choose the previous links to read more in the Audit Manager API Reference. This includes information about how to use these operations and parameters in one of the language-specific AWS SDKs.

To re-enable Audit Manager after you disable it

Go to the Audit Manager service homepage and follow the steps to set up Audit Manager as a new user. For more information, see Setting up AWS Audit Manager.

Tip
  • If you chose to delete your data when you disabled Audit Manager, you must wait until your data is deleted before you can re-enable the service. Depending on how much data you have, this can take up to seven days. However, feel free to try re-enabling Audit Manager before then. In many cases, data is deleted in as little as one hour.

  • If you chose not to delete your data when you disabled Audit Manager, your existing assessments moved into a dormant state and stopped collecting evidence as a result. To start collecting evidence again for a pre-existing assessment, edit the assessment and choose Save without making any changes.