Reviewing the controls in an assessment
Controls in Audit Manager help you meet both common and unique compliance standards and regulations in your audits. You can open and review the controls in your Audit Manager assessment at any time.
To open a control summary page
- Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.
- In the navigation pane, choose Assessments, and choose the name of an assessment to open it.
- From the assessment page, choose the Controls tab, scroll down to the Control sets table, and then choose the name of a control to open it.
When you open a control, you see a summary page that contains several sections. The sections of this page and their contents are described in the following sections.
Sections of the control page
Control details
The Control details section provides an overview of the control.
It includes the following information:
- Control name – The name that's given to this control.
- Control description – The description that's provided for this control.
- Testing information – The recommended testing procedures for this control.
- Action plan – The recommended actions to carry out if the control isn't fulfilled.
Update control status
In the Update control status section of the page, you can review and update the status of the controls in the assessment.
The following statuses are available for a control:
- Under review – Indicates that this control hasn't been reviewed yet. Evidence is still being collected for this control, and you can upload manual evidence. This is the default status.
- Reviewed – Indicates that the evidence for this control has been reviewed. Evidence is still being collected, and you can upload manual evidence.
- Inactive – Indicates that automated evidence collection is stopped for this control. You can no longer upload manual evidence.
Note
Changing a control status to reviewed is final. After you set the status of a control to reviewed, you can no longer change the status of that control or revert to a previous status.
Evidence folders tab

The Evidence folders tab lists the evidence that's automatically collected for this control. It's organized into folders on a daily basis. From here, you can also select a folder and choose Upload manual evidence to add more evidence manually.
Under the Evidence folders table, a list of folders is displayed with the following data columns:
- Evidence folder – The name of the evidence folder. The name is based on the date when the evidence was collected.
- Compliance check – The number of issues that are found in the evidence folder. This number represents the total number of security issues that were reported directly from AWS Security Hub, AWS Config, or both. You can find more information about the relevant evidence and the nature of the issue by opening the evidence folder.
  Not applicable indicates that you either don't have AWS Security Hub or AWS Config enabled, or the evidence comes from a different data source type.
- Total evidence – The total number of evidence items inside the folder.
- Assessment report selection – The number of evidence items within the folder that are included in the assessment report.
From the Evidence folders tab, choose an evidence folder to open it. From the evidence folder summary page, you can then choose the individual evidence that you want to review.
From the Evidence folders tab, you can also choose to add or remove evidence to an assessment report. For more information, see Generating an assessment report.
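Because setting a control to Reviewed is final, it helps to check the evidence folder columns before changing the status. The following is an added example, not AWS code: the dictionary keys, the sample folders, and the blocking policy are assumptions made here to model the table described above.

```python
# Added example: pre-flight check before setting a control to Reviewed.
# Keys are assumed names for the Evidence folders table columns;
# compliance_check=None models the "Not applicable" value.

def review_blockers(status, folders):
    """Return reasons not to set a control to Reviewed yet (empty list = ready)."""
    if status == "Reviewed":
        # Per the page's note, Reviewed is final and cannot be reverted.
        return ["status is already Reviewed and can no longer be changed"]
    if status != "Under review":
        return [f"status is {status!r}; this check only covers 'Under review'"]

    blockers = []
    if sum(f["total_evidence"] for f in folders) == 0:
        blockers.append("no evidence collected yet")
    for f in folders:
        issues = f["compliance_check"]
        if issues:  # skips 0 and None ("Not applicable")
            blockers.append(
                f"{f['folder']}: {issues} issue(s) reported by Security Hub/AWS Config"
            )
    if folders and sum(f["report_selection"] for f in folders) == 0:
        blockers.append("no evidence selected for the assessment report")
    return blockers


# Constructed sample data, one entry per daily evidence folder.
SAMPLE_FOLDERS = [
    {"folder": "2023-05-01", "compliance_check": 0,
     "total_evidence": 12, "report_selection": 3},
    {"folder": "2023-05-02", "compliance_check": 2,
     "total_evidence": 14, "report_selection": 0},
    {"folder": "2023-05-03", "compliance_check": None,
     "total_evidence": 5, "report_selection": 0},
]

if __name__ == "__main__":
    for reason in review_blockers("Under review", SAMPLE_FOLDERS):
        print("BLOCKED:", reason)
```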
Data source tab

The Data source tab displays the data sources for the control.
Under the Data source table, a list of data sources is displayed with the following data columns.
- Data source name – The name that's given to the data source. This applies to custom controls only. It refers to the descriptive name that you gave each data source. You can use this name to distinguish between multiple data sources that fall under the same data source type.
- Data source type – This specifies where the evidence data comes from. If Audit Manager collects the evidence, the data source can be one of four types: AWS Security Hub, AWS Config, AWS CloudTrail, or AWS API calls. If you upload your own evidence, the data source type is Manual.
- Mapping – This is the mapping attribute that's used to identify and retrieve data from the data source.
  - If the data source type is AWS Config, the mapping is the name of a specific AWS Config rule (for example, EC2_INSTANCE_MANAGED_BY_SSM). Audit Manager uses this mapping to report the result of that rule check directly from AWS Config.
  - If the data source type is AWS Security Hub, the mapping is the name of a specific Security Hub control (for example, 1.1 – Avoid the use of the "root" account). Audit Manager uses this mapping to report the result of that security check directly from Security Hub.
  - If the data source type is AWS API calls, the mapping is the name of a specific API call (for example, ec2_DescribeSecurityGroups). Audit Manager uses this mapping to collect the API response.
  - If the data source type is AWS CloudTrail, the mapping is the name of a specific CloudTrail event (for example, CreateAccessKey). Audit Manager uses this mapping to collect the related user activity from your CloudTrail logs.
- Frequency – The frequency of evidence collection from this data source. The frequency varies depending on the data source. For more information, choose the value in the column or see Evidence collection frequency.
Comments tab

In the Comments tab, you can add a comment regarding the control and its evidence. It also displays a list of previous comments.
Under Send comments, you can add comments for a control by entering text and then choosing Submit comments.
Under Previous comments, you can view a list of previous comments along with the date the comment was made and the associated user ID.
Changelog tab

The Changelog tab displays a list of user activity related to the control. The same information is available as audit trail logs in AWS CloudTrail. With the user activity that's captured directly in Audit Manager, you can easily review an audit trail of activity for a given control.
Under Changelog, a table displays the following data columns:
- Date – The date and time of the activity, represented in Coordinated Universal Time (UTC).
- User – The user or role that performed the activity.
- Action – A description of the activity.
- Type – The associated attribute that further describes the activity.
- Resource – The related resource, if applicable.
Audit Manager tracks the following user activity in changelogs:
- Creating an assessment
- Editing an assessment
- Completing an assessment
- Deleting an assessment
- Delegating a control set for review
- Submitting a reviewed control set back to the audit owner
- Uploading manual evidence
- Updating a control status
- Generating assessment reports