Troubleshooting permission and access issues - AWS Audit Manager

Troubleshooting permission and access issues

You can use the information on this page to resolve common permission issues in Audit Manager.

I followed the Audit Manager setup procedure, but I don't have enough IAM privileges

The IAM identity (user, role, or group) that you use to access Audit Manager must have the required permissions. Moreover, your identity-based policy shouldn't be too restrictive. Otherwise, the console won't function as intended for your IAM identities. The Setting up procedure in this guide provides a policy that grants the minimum permissions needed to set up Audit Manager. Depending on your use case, you might need broader, less restrictive permissions. For example, we recommend that audit owners have administrator access. This is so that they can modify Audit Manager settings and manage resources such as assessments, frameworks, controls, and assessment reports. Other users, such as delegates, might only need management access or read-only access.

Make sure that you attach the appropriate permissions to the IAM identity. For audit owners, the recommended policy is AWSAuditManagerAdministratorAccess. For delegates, you can use this example that's provided on the IAM policy examples page. You can use these example policies as a starting point, and make changes as necessary to fit your requirements.

We recommend that you take time to customize your permissions to meet your specific requirements. If you need help with IAM permissions, contact your administrator or AWS Support. For instructions on how to attach a policy to an IAM identity, see Adding Permissions to a User and Adding and removing IAM identity permissions in the IAM User Guide.

I specified someone as an audit owner, but they still don’t have full access to the assessment. Why is this?

Specifying someone as an audit owner alone doesn't provide them with full access to an assessment. Audit owners must also have the necessary IAM permissions to access and manage Audit Manager resources. In other words, in addition to specifying a user as an audit owner, you must also attach the necessary IAM policies to that user. The idea behind this is that, by requiring both, Audit Manager ensures that you have full control over all of the specifics of each assessment.

Note

For audit owners, we recommend that you use the AWSAuditManagerAdministratorAccess policy. For more information, see Recommended policies for user personas in Audit Manager.

I can't perform an action in Audit Manager

If you don't have the necessary permissions to use the AWS Audit Manager console or Audit Manager API operations, you will likely encounter an AccessDeniedException error.

To resolve this issue, you must contact your administrator for assistance. Your administrator is the person that provided you with your user name and password.

I'm an administrator and want to allow others to access Audit Manager

To allow others to access AWS Audit Manager, you must create an IAM entity (user or role) for the person or application that needs access. They will use the credentials for that entity to access AWS. You must then attach a policy to the entity that grants them the correct permissions in AWS Audit Manager.

To get started right away, see Creating your first IAM delegated user and group in the IAM User Guide.

I want to allow people outside of my AWS account to access my Audit Manager resources

To grant people who are outside of your AWS account access to your Audit Manager resources, create an IAM role for them. You can do this both for users that are in other accounts and for people who are outside your organization. Using this role, they can access your resources. When you create the role, make sure that you specify who's trusted to assume the role.

To learn more, see the following topics in the IAM User Guide: