Generating an assessment report - AWS Audit Manager

Generating an assessment report

An assessment report summarizes your assessment and provides links to an organized set of folders that contain related evidence. For more information, see Assessment reports.

You can choose which evidence you want to include in your assessment report before generating the assessment report.

Adding evidence to an assessment report

Before you generate an assessment report, review the evidence for each control in your assessment and specify whether you want to include it in the assessment report. By default, newly collected evidence is excluded from the assessment report.

To review and include evidence in an assessment report

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the navigation pane, choose Assessments, and then choose the name of the assessment to open it.

  3. Scroll down to the Controls table, and choose the name of the control to open the control details page.

  4. Scroll down to the Evidence folders table, select the evidence folder that you want to add to the assessment report, and then choose Add to assessment report. In the pop-up window that appears, choose Add to assessment report to confirm the addition.

    1. If you want to remove an evidence folder that was previously added to an assessment report, select the folder and choose Remove from assessment report.

  5. To add a single evidence item to an assessment report, choose the name of the evidence folder to open the evidence folder summary page. Select the evidence, and then choose Add to assessment report. In the pop-up window that appears, choose Add to assessment report to confirm the addition.

    1. If you want to remove a single evidence item that was previously added to an assessment report, choose the name of the evidence folder to open the evidence folder summary page. Select the evidence, and then choose Remove from assessment report.

  6. After you review the evidence and add it to an assessment report, a green success banner appears. Choose View assessment report selection to go back to the assessment page, where you can now generate an assessment report.

Generating an assessment report

After you select the evidence to include in your assessment report, you can generate the final assessment report to share with your auditors.

When you generate an assessment report, it's placed into the S3 bucket that you chose as your assessment report destination.

Tip

We recommend that you verify the following configurations before you generate your assessment report:

  1. The AWS Region of your customer managed key (if you provided one) must match the Region of your assessment.

  2. If your assessment report destination has a bucket policy that requires server-side encryption (SSE) using SSE-KMS, then the KMS key used in that bucket policy must match the KMS key that you configured in your AWS Audit Manager data encryption settings. If you didn't configure a KMS key in your Audit Manager settings, and your assessment report destination bucket policy requires SSE, ensure that the bucket policy allows SSE-S3.

For more information about how to configure the assessment report destination and the KMS key used for data encryption, see AWS Audit Manager settings. For a list of Audit Manager Regions, see AWS Audit Manager endpoints and quotas in the Amazon Web Services General Reference.
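
The two checks in the tip above can be scripted before you generate a report. The following Python sketch is an added example, not AWS-provided code. It assumes that you already retrieved the destination bucket policy and the KMS key ARN from your Audit Manager settings, and that the bucket policy references the key by its full ARN. The function names, sample policy, bucket name, account ID, and key ARNs are constructed for illustration, and only Deny statements that use StringNotEquals or StringNotEqualsIfExists on the two S3 encryption condition keys are inspected.

```python
SSE_ALGO = "s3:x-amz-server-side-encryption"
SSE_KMS_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def required_values(policy, condition_key):
    """Values that Deny statements on s3:PutObject force for condition_key (None = no rule)."""
    allowed = None
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Deny" or not actions & {"s3:putobject", "s3:*", "*"}:
            continue
        for operator, block in stmt.get("Condition", {}).items():
            if operator not in ("StringNotEquals", "StringNotEqualsIfExists"):
                continue
            for key, values in block.items():
                if key.lower() == condition_key:  # condition keys are case-insensitive
                    values = set(_as_list(values))
                    allowed = values if allowed is None else allowed & values
    return allowed

def preflight(assessment_region, audit_manager_kms_arn, bucket_policy):
    """Return a list of findings; an empty list means both tip checks pass."""
    findings = []
    algos = required_values(bucket_policy, SSE_ALGO)
    key_ids = required_values(bucket_policy, SSE_KMS_KEY)
    if audit_manager_kms_arn:
        key_region = audit_manager_kms_arn.split(":")[3]  # arn:aws:kms:<region>:...
        if key_region != assessment_region:
            findings.append(f"KMS key Region {key_region} != assessment Region {assessment_region}")
        if key_ids is not None and audit_manager_kms_arn not in key_ids:
            findings.append("bucket policy requires a different KMS key than Audit Manager uses")
    elif key_ids is not None or (algos is not None and "AES256" not in algos):
        findings.append("no KMS key configured and bucket policy does not allow SSE-S3")
    return findings

# Constructed sample data (placeholder account ID, bucket, and key IDs).
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/example-key-a"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/example-key-b"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-report-bucket/*",
     "Condition": {"StringNotEquals": {SSE_ALGO: "aws:kms"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-report-bucket/*",
     "Condition": {"StringNotEquals": {SSE_KMS_KEY: KEY_A}}},
]}

if __name__ == "__main__":
    for label, key in (("matching key", KEY_A), ("other key", KEY_B), ("no key", None)):
        print(label, "->", preflight("us-east-1", key, SAMPLE_POLICY) or "OK")
```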

To generate an assessment report

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the left navigation pane, choose Assessments.

  3. Choose the name of the assessment that you want to generate an assessment report for.

  4. Choose the Assessment report selection tab, and then choose Generate assessment report.

  5. In the pop-up window, provide a name and description for the assessment report, and review the Assessment report details section. This includes the assessment name, the evidence in the assessment report, and the assessment report destination. The assessment report destination is the S3 bucket that you specified when creating the assessment.

  6. Choose Generate assessment report.

You can now go to the S3 bucket that you use as your assessment report destination, and download the assessment report. The assessment report has a file checksum to ensure the integrity of the assessment report. You can validate this with the ValidateAssessmentReportIntegrity API operation that's provided by AWS Audit Manager.

Deleting an assessment report

You can delete assessment reports that are no longer wanted or needed.

When you delete an assessment report, Audit Manager attempts to delete the following data:

  1. The assessment report that’s stored in your S3 bucket

  2. The associated metadata that’s stored in Audit Manager

If Audit Manager can’t access the assessment report in your S3 bucket, the report isn’t deleted. In this event, the delete operation doesn’t fail. Instead, Audit Manager proceeds to delete the associated metadata only. You must then delete the assessment report from the S3 bucket yourself.

This scenario happens when Audit Manager receives a 403 (Forbidden) or 404 (Not Found) error from Amazon S3. To avoid this, make sure that your S3 bucket is available, and that you configured the correct permissions for Audit Manager to delete resources in your S3 bucket. For an example permissions policy that you can use, see Assessment report destination permissions. For information about the issues that could cause a 403 (Forbidden) or 404 (Not Found) error from Amazon S3, see List of Error Codes in the Amazon S3 API Reference.

To delete an assessment report

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the left navigation pane, choose Assessment reports.

  3. Select the assessment report that you want to delete, and choose Delete.