Troubleshooting permission and access issues - AWS Audit Manager

Troubleshooting permission and access issues

You can use the information on this page to resolve common permission issues in Audit Manager.

I followed the Audit Manager setup procedure, but I don't have enough IAM privileges

The user, role, or group that you use to access Audit Manager must have the required permissions. Moreover, your identity-based policy shouldn't be too restrictive. Otherwise, the console won't function as intended. The Setting up procedure in this guide provides a policy that grants the minimum permissions needed to set up Audit Manager. Depending on your use case, you might need broader, less restrictive permissions. For example, we recommend that audit owners have administrator access. This is so that they can modify Audit Manager settings and manage resources such as assessments, frameworks, controls, and assessment reports. Other users, such as delegates, might only need management access or read-only access.

Make sure that you add the appropriate permissions for your user, role, or group. For audit owners, the recommended policy is AWSAuditManagerAdministratorAccess. For delegates, you can use this example that's provided on the IAM policy examples page. You can use these example policies as a starting point, and make changes as necessary to fit your requirements.

We recommend that you take time to customize your permissions to meet your specific requirements. If you need help with IAM permissions, contact your administrator or AWS Support.

I specified someone as an audit owner, but they still don’t have full access to the assessment. Why is this?

Specifying someone as an audit owner doesn't, on its own, give them full access to an assessment. Audit owners must also have the necessary IAM permissions to access and manage Audit Manager resources. In other words, in addition to specifying a user as an audit owner, you must also attach the necessary IAM policies to that user. By requiring both, Audit Manager ensures that you have full control over all of the specifics of each assessment.

Note

For audit owners, we recommend that you use the AWSAuditManagerAdministratorAccess policy. For more information, see Recommended policies for user personas in Audit Manager.

I can't perform an action in Audit Manager

If you don't have the necessary permissions to use the AWS Audit Manager console or Audit Manager API operations, you will likely encounter an AccessDeniedException error.

To resolve this issue, you must contact your administrator for assistance. Your administrator is the person who provided you with your sign-in credentials.

I want to allow people outside of my AWS account to access my Audit Manager resources

You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.
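The following is an added example, not part of the AWS documentation: a small offline check you can run over a role's trust policy before sharing Audit Manager resources across accounts, to confirm who is trusted to assume the role. The account IDs and external ID are placeholders, and the rule that external principals must carry an `sts:ExternalId` condition is this example's own assumption for third-party access. It only inspects `AWS` principals.

```python
# Constructed sample trust policy; account IDs and the external ID are placeholders.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # External auditor account, gated by an external ID
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
        },
        {   # Overly broad: trusts every AWS principal
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "sts:AssumeRole",
        },
    ],
}


def _as_list(value):
    """IAM allows a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def review_trust_policy(policy, own_account_id):
    """Return (statement_index, finding) pairs for Allow statements that
    trust AWS principals more broadly than this example's rules permit."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # "Principal": "*" and {"AWS": "*"} are both treated as wildcards.
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        # Condition layout is {operator: {key: value}}; keys are case-insensitive.
        has_external_id = any(
            key.lower() == "sts:externalid"
            for keys in stmt.get("Condition", {}).values()
            for key in keys
        )
        for arn in principals:
            if arn == "*":
                findings.append((index, "wildcard principal"))
            elif own_account_id not in arn and not has_external_id:
                findings.append((index, "external principal without sts:ExternalId"))
    return findings


if __name__ == "__main__":
    for index, finding in review_trust_policy(SAMPLE_TRUST_POLICY, "444455556666"):
        print(f"Statement {index}: {finding}")
```
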

To learn more, consult the following:

See also

The following pages contain troubleshooting guidance for other issues that can be caused by missing permissions: