
How AWS Audit Manager collects evidence

Each active assessment in AWS Audit Manager automatically collects evidence from a range of data sources. Every assessment has a defined scope that specifies the AWS services and accounts from which Audit Manager collects data. Each of these in-scope services and accounts contains multiple resources, and each resource is a system asset in your inventory that you own. Evidence collection in Audit Manager involves the assessment of each in-scope resource. This is referred to as a resource assessment.

The following steps describe how Audit Manager collects evidence for each resource assessment:

1. Assessing a resource from the data source

To start evidence collection, Audit Manager assesses an in-scope resource from a data source. It does this by capturing a configuration snapshot, a related compliance check result, and any user activities. It then runs an analysis to determine which control this data supports. The result of the resource assessment is then saved and converted into evidence. For more information about different evidence types, see Evidence in the AWS Audit Manager concepts and terminology section of this guide.

2. Converting assessment results to evidence

The result of the resource assessment contains both the original data that's captured from that resource, and the metadata that indicates which control the data supports. AWS Audit Manager converts the original data into an auditor-friendly format. The converted data and metadata are then saved as Audit Manager evidence before being attached to a control.

3. Attaching evidence to the related control

Audit Manager reads the evidence metadata. Then, it attaches the saved evidence to a related control within the assessment. The attached evidence becomes visible in Audit Manager. This completes the cycle of a resource assessment.

Note

Depending on the control configurations, the same evidence can, in some cases, be attached to multiple controls from multiple Audit Manager assessments. When the same evidence is attached to multiple controls, Audit Manager meters the resource assessment exactly once. This is because the same evidence is collected only once. However, one control in an Audit Manager assessment can have multiple pieces of evidence from multiple data sources.
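The three steps and the Note above describe a pipeline. The following Python, added here as an illustration and not Audit Manager's own code, models that pipeline end to end: a resource is assessed from a data source, the result is converted into evidence whose identity is a content hash, and the evidence is attached to every matching control in every assessment while the underlying resource assessment is metered only once. The control IDs, the per-control predicates, the assessment names, the bucket ARN and the CloudTrail record are all constructed for the example, and because Audit Manager's real analysis that maps captured data to controls is not public, a simple predicate per control stands in for it.

```python
import hashlib
import json
from dataclasses import dataclass

# Which evidence type each data source produces, as described in the steps above.
EVIDENCE_TYPE_BY_SOURCE = {
    "AWS_Config": "Compliance check",
    "AWS_Security_Hub": "Compliance check",
    "AWS_Cloudtrail": "User activity",
    "AWS_API_Call": "Configuration data",
}

# Constructed control rules (hypothetical control IDs): for each data source, a predicate
# that decides whether captured data supports the control. This stands in for the real,
# non-public analysis that Audit Manager runs in step 1.
CONTROL_RULES = {
    "AWS_API_Call": {
        "S3-1": lambda d: all(d["PublicAccessBlockConfiguration"].values()),
        "S3-2": lambda d: d["VersioningStatus"] == "Enabled",
    },
    "AWS_Cloudtrail": {
        "S3-2": lambda d: d["eventName"] == "PutBucketVersioning",
    },
}


@dataclass(frozen=True)
class Evidence:
    evidence_id: str        # content hash: an identical capture is the same evidence
    evidence_type: str
    data_source: str
    resource_arn: str
    converted_data: str     # auditor-friendly rendering of the original data
    control_ids: tuple      # metadata: which controls this evidence supports


def assess_resource(resource_arn, data_source, raw_data):
    """Step 1: capture raw data for one in-scope resource and analyse which controls it supports."""
    rules = CONTROL_RULES.get(data_source, {})
    supported = tuple(sorted(cid for cid, pred in rules.items() if pred(raw_data)))
    return {"resource_arn": resource_arn, "data_source": data_source,
            "raw": raw_data, "controls": supported}


def convert_to_evidence(assessment):
    """Step 2: keep the original data, render it in an auditor-friendly form, and add metadata."""
    converted = json.dumps(assessment["raw"], sort_keys=True, indent=2)
    digest = hashlib.sha256(
        f'{assessment["resource_arn"]}|{assessment["data_source"]}|{converted}'.encode()
    ).hexdigest()[:16]
    return Evidence(digest, EVIDENCE_TYPE_BY_SOURCE[assessment["data_source"]],
                    assessment["data_source"], assessment["resource_arn"],
                    converted, assessment["controls"])


class EvidenceLedger:
    """Step 3 and the Note: attach evidence to every matching control in every assessment,
    but meter the resource assessment once per piece of evidence."""

    def __init__(self):
        self.attachments = {}   # (assessment_name, control_id) -> [evidence_id, ...]
        self.metered = set()    # evidence IDs that have been counted

    def attach(self, evidence, assessment_scopes):
        """assessment_scopes maps an assessment name to the set of control IDs it contains.
        Returns the number of new (assessment, control) attachments made."""
        new_attachments = 0
        for name, controls in assessment_scopes.items():
            for cid in evidence.control_ids:
                if cid not in controls:
                    continue
                attached = self.attachments.setdefault((name, cid), [])
                if evidence.evidence_id not in attached:   # the same evidence is never attached twice
                    attached.append(evidence.evidence_id)
                    new_attachments += 1
        if new_attachments:
            self.metered.add(evidence.evidence_id)         # a set, so metered exactly once
        return new_attachments

    def metered_count(self):
        return len(self.metered)


def run_demo():
    """Constructed scenario: one bucket in scope of two assessments, assessed from two sources."""
    ledger = EvidenceLedger()
    scopes = {"SOC2-demo": {"S3-1", "S3-2"}, "PCI-demo": {"S3-1"}}   # hypothetical assessments
    bucket = "arn:aws:s3:::example-bucket"                            # constructed ARN
    snapshot = {                                                      # constructed describe result
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                           "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "VersioningStatus": "Enabled",
    }
    event = {"eventName": "PutBucketVersioning",                      # constructed CloudTrail record
             "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example"}}

    config_evidence = convert_to_evidence(assess_resource(bucket, "AWS_API_Call", snapshot))
    first = ledger.attach(config_evidence, scopes)     # 3 attachments across both assessments
    again = ledger.attach(config_evidence, scopes)     # same evidence again: nothing new, no re-metering
    activity_evidence = convert_to_evidence(assess_resource(bucket, "AWS_Cloudtrail", event))
    ledger.attach(activity_evidence, scopes)           # S3-2 now holds evidence from two sources
    return ledger, config_evidence, activity_evidence, first, again


if __name__ == "__main__":
    ledger, cfg, act, first, again = run_demo()
    print(f"attachments: {first} then {again}; evidence metered: {ledger.metered_count()}")
    for key, ids in sorted(ledger.attachments.items()):
        print(key, ids)
```

Running it shows three attachments on the first pass, none on the repeat, and a metered count of two even though the configuration evidence sits on three controls across two assessments; the `S3-2` control in the first assessment ends up with evidence from both the API call and CloudTrail, which is the "multiple pieces of evidence from multiple data sources" case the Note describes.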

Evidence collection frequency

Evidence collection is an ongoing process that starts when you create your assessment. AWS Audit Manager collects evidence from multiple data sources at varying frequencies. As a result, there’s no one-size-fits-all answer for how often evidence is collected. The frequency of evidence collection is based on the evidence type and its data source, as described below.

  • Compliance checks — Audit Manager collects this evidence type from AWS Security Hub and AWS Config.

    • For AWS Security Hub, the frequency of evidence collection follows the schedule of your AWS Security Hub checks. For more information about the schedule of Security Hub checks, see Schedule for running security checks in the AWS Security Hub User Guide. For more information about the Security Hub checks supported by Audit Manager, see AWS Security Hub controls supported by AWS Audit Manager.

    • For AWS Config, the frequency of evidence collection follows the triggers that are defined in your AWS Config rules. For more information about the triggers for AWS Config rules, see Trigger types in the AWS Config User Guide. For more information about the AWS Config Rules that are supported by Audit Manager, see AWS Config Rules supported by AWS Audit Manager.

  • User activity — Audit Manager collects this evidence type from AWS CloudTrail in a continual manner. This frequency is continual because user activity can happen at any time of the day. For more information, see AWS CloudTrail event names supported by AWS Audit Manager.

  • Configuration data — Audit Manager collects this evidence type using a describe API call to another AWS service such as Amazon EC2, Amazon S3, or IAM. You can choose which API actions to call. You also set the frequency as daily, weekly, or monthly in Audit Manager. You can specify this frequency when you create or edit a control in the control library. For instructions on how to edit or create a control, see Control library. For more information about how Audit Manager uses API calls to create evidence, see API calls supported by AWS Audit Manager.

Regardless of the evidence collection frequency for the data source, new evidence is collected automatically for as long as the control and the assessment are active.
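The configuration-data item in the list above says that the frequency is chosen when a control is created or edited, while compliance-check and user-activity sources follow their own schedules. The following Python is an added example, not from this page or from AWS: it builds the request body for a custom control that pairs a weekly API-call source with a CloudTrail source carrying no frequency, and it validates the frequency rules the list describes before the request is sent. The request shape follows the Audit Manager `CreateControl` API as I know it (`controlMappingSources` entries with `sourceType`, `sourceKeyword` and `sourceFrequency`); the control name, the descriptions and the keyword values, including the `service_Action` form of the API call name, are assumptions to check against the supported-API-calls and CloudTrail event-name references the page links to.

```python
import json

# Enumerations from the CreateControl API (assumed from the API reference, not from this page).
SOURCE_TYPES = {"AWS_Cloudtrail", "AWS_Config", "AWS_Security_Hub", "AWS_API_Call", "MANUAL"}
FREQUENCIES = {"DAILY", "WEEKLY", "MONTHLY"}
SCHEDULED_BY_SOURCE = {"AWS_Cloudtrail", "AWS_Config", "AWS_Security_Hub"}


def api_call_source(api_name, frequency, description):
    """A configuration-data source: a describe-style API call collected on a fixed schedule.
    api_name is the keyword value; the 'service_Action' form is an assumption to verify."""
    if frequency not in FREQUENCIES:
        raise ValueError(f"frequency must be one of {sorted(FREQUENCIES)}, got {frequency!r}")
    return {
        "sourceName": f"{api_name} snapshot",
        "sourceDescription": description,
        "sourceSetUpOption": "System_Controls_Mapping",
        "sourceType": "AWS_API_Call",
        "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST", "keywordValue": api_name},
        "sourceFrequency": frequency,
    }


def event_source(source_type, keyword, description):
    """A compliance-check or user-activity source. No frequency is set: Security Hub and Config
    evidence follow those services' schedules and CloudTrail evidence is collected continually."""
    if source_type not in SCHEDULED_BY_SOURCE:
        raise ValueError(f"unexpected source type {source_type!r}")
    return {
        "sourceName": f"{keyword} ({source_type})",
        "sourceDescription": description,
        "sourceSetUpOption": "System_Controls_Mapping",
        "sourceType": source_type,
        "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST", "keywordValue": keyword},
    }


def validate_sources(sources):
    """Return a list of problems that contradict the collection-frequency rules; empty means OK."""
    problems = []
    for src in sources:
        name, st = src.get("sourceName"), src.get("sourceType")
        if st not in SOURCE_TYPES:
            problems.append(f"{name}: unknown sourceType {st!r}")
        if st == "AWS_API_Call" and src.get("sourceFrequency") not in FREQUENCIES:
            problems.append(f"{name}: API call sources need a DAILY, WEEKLY or MONTHLY frequency")
        if st in SCHEDULED_BY_SOURCE and "sourceFrequency" in src:
            problems.append(f"{name}: {st} sources follow the source's own schedule, not a frequency")
    return problems


def build_create_control_request(name, description, sources):
    """Assemble the keyword arguments for auditmanager.create_control, refusing invalid sources."""
    problems = validate_sources(sources)
    if problems:
        raise ValueError("; ".join(problems))
    return {"name": name, "description": description, "controlMappingSources": sources}


def example_request():
    """Constructed custom control: weekly bucket configuration plus continual change tracking."""
    return build_create_control_request(
        name="S3 buckets block public access (example)",
        description="Evidence that public access is blocked and that changes to it are tracked.",
        sources=[
            api_call_source("s3_GetBucketPublicAccessBlock", "WEEKLY",
                            "Weekly snapshot of each bucket's public access block settings"),
            event_source("AWS_Cloudtrail", "PutBucketPublicAccessBlock",
                         "Who changed the public access settings, and when"),
        ],
    )


if __name__ == "__main__":
    request = example_request()
    print(json.dumps(request, indent=2))
    # To submit, uncomment (needs boto3 and credentials allowed to call auditmanager:CreateControl):
    # import boto3
    # boto3.client("auditmanager").create_control(**request)
```

The validator encodes the split the list makes: a source of type `AWS_API_Call` must carry a frequency, and a Security Hub, Config or CloudTrail source must not, because its collection cadence is set by the source rather than by the control. Evidence for the resulting control keeps arriving at those cadences for as long as the control and its assessment are active.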