Reviewing the controls in an assessment - AWS Audit Manager

Reviewing the controls in an assessment

Controls in Audit Manager help you meet both common and unique compliance standards and regulations in your audits. You can open and review the controls in your Audit Manager assessment at any time.

To open a control summary page
  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the navigation pane, choose Assessments, and choose the name of an assessment to open it.

  3. From the assessment page, choose the Controls tab, scroll down to the Control sets table, and then choose the name of a control to open it.

When you open a control, you see a summary page with several sections. The following sections describe each part of that page and what it contains.

Control details

The Control details section provides an overview of the control.

It includes the following information:

  1. Control name – The name that's given to this control.

  2. Control description – The description that's provided for this control.

  3. Testing information – The recommended testing procedures for this control.

  4. Action plan – The recommended actions to carry out if the control isn't fulfilled.

Update control status

In the Update control status section of the page, you can review and update the status of the assessment control.

The following statuses are available:

  • Under review – Indicates that this control hasn't been reviewed yet. Evidence is still being collected for this control, and you can upload manual evidence. This is the default status.

  • Reviewed – Indicates that the evidence for this control is reviewed. Evidence is still being collected, and you can upload manual evidence.

  • Inactive – Indicates that automated evidence collection is stopped for this control. You can no longer upload manual evidence.

Note

Changing a control status to Reviewed is final. After you set the status of a control to Reviewed, you can no longer change the status of that control or revert to a previous status.

Evidence folders tab

The Evidence folders tab lists the evidence that's automatically collected for this control. It's organized into folders on a daily basis.

The Evidence folders table shows a list of folders with the following data:

  • Evidence folder – The name of the evidence folder. The name is based on the date when the evidence was collected or manually added.

  • Compliance check – The number of issues that are found in the evidence folder. This number represents the total number of security issues that were reported directly from AWS Security Hub, AWS Config, or both. If you see Not applicable, this indicates that you either don't have AWS Security Hub or AWS Config enabled, or the evidence comes from a different data source type.

  • Total evidence – The total number of evidence items inside the folder.

  • Assessment report selection – The number of evidence items within the folder that are included in the assessment report.
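To make the rules from the Update control status section and the columns of the Evidence folders table concrete, here is a small review helper. It is an added example, not code from the AWS Audit Manager page or service; the folder records are constructed to mirror the table columns above, the `compliance_check_evidence` count is this example's own way of telling "0 issues" apart from "Not applicable", and the `review_blockers` policy is the example's, not an Audit Manager rule. Nothing in it calls AWS.

```python
"""Control status rules and evidence-folder summary for one assessment control.

Added example. Assumptions (not from the AWS page): the folder records below
are constructed to mirror the Evidence folders table columns (folder name,
compliance check, total evidence, assessment report selection); the
'compliance_check_evidence' count is this example's way of distinguishing
"0 issues" from "Not applicable". Nothing here calls AWS.
"""
UNDER_REVIEW, REVIEWED, INACTIVE = "UNDER_REVIEW", "REVIEWED", "INACTIVE"
STATUSES = {UNDER_REVIEW, REVIEWED, INACTIVE}


def can_change_status(current, new):
    """Page rule: Reviewed is final; any other status may still be changed."""
    if current not in STATUSES or new not in STATUSES:
        raise ValueError(f"unknown status: {current!r} -> {new!r}")
    if current == REVIEWED:
        return False
    return current != new


def manual_upload_allowed(status):
    """Page rule: manual evidence can be uploaded while Under review or Reviewed, not Inactive."""
    return status in (UNDER_REVIEW, REVIEWED)


# Constructed folders, one per collection day, like the console's daily folders.
SAMPLE_FOLDERS = [
    {"name": "2024-05-01", "total_evidence": 12, "compliance_check_evidence": 10,
     "issues": 2, "report_selected": 3},
    {"name": "2024-05-02", "total_evidence": 8, "compliance_check_evidence": 0,
     "issues": 0, "report_selected": 8},
]


def compliance_check_column(folder):
    """Value the Compliance check column shows for one folder."""
    if folder["compliance_check_evidence"] == 0:
        # No Security Hub / AWS Config evidence in this folder at all.
        return "Not applicable"
    return str(folder["issues"])


def summarize_folders(folders):
    """Roll the per-folder columns up to control level."""
    return {
        "total_evidence": sum(f["total_evidence"] for f in folders),
        "selected_for_report": sum(f["report_selected"] for f in folders),
        "open_issues": sum(f["issues"] for f in folders if f["compliance_check_evidence"] > 0),
    }


def review_blockers(current, folders):
    """Reasons not to mark the control Reviewed yet (this example's own policy)."""
    if current == REVIEWED:
        return ["status is already Reviewed and cannot be changed"]
    summary = summarize_folders(folders)
    blockers = []
    if summary["total_evidence"] == 0:
        blockers.append("no evidence collected yet")
    if summary["open_issues"] > 0:
        blockers.append(
            f"{summary['open_issues']} compliance issue(s) reported by Security Hub/AWS Config")
    if summary["selected_for_report"] == 0:
        blockers.append("no evidence selected for the assessment report")
    return blockers


if __name__ == "__main__":
    for folder in SAMPLE_FOLDERS:
        print(folder["name"], compliance_check_column(folder),
              folder["total_evidence"], folder["report_selected"])
    print(summarize_folders(SAMPLE_FOLDERS))
    print(review_blockers(UNDER_REVIEW, SAMPLE_FOLDERS))
```

`can_change_status` encodes the note that Reviewed cannot be reverted, and `manual_upload_allowed` the statement that Inactive stops manual uploads; `compliance_check_column` reproduces the distinction between a zero issue count and "Not applicable" that the table describes.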

From the Evidence folders tab, you can take the following actions:

Data source tab

This tab displays information about the data sources for the control. It includes the following information:

  • Data source name – This applies to custom controls only. It refers to the descriptive name that you gave each data source. You can use this name to distinguish between multiple data sources that fall under the same data source type.

  • Data source type – This specifies where the evidence data comes from.

    • If Audit Manager collects the evidence, the data source can be one of four types: AWS Security Hub, AWS Config, AWS CloudTrail, or AWS API calls.

    • If you upload your own evidence, the data source type is Manual. A description indicates if the required manual evidence is a File upload or a Text response.

  • Mapping – This is the mapping attribute that's used to identify and retrieve data from an automated data source.

    • If the data source type is AWS Config, the mapping is the name of a specific AWS Config rule (for example, EC2_INSTANCE_MANAGED_BY_SSM). Audit Manager uses this mapping to report the result of that rule check directly from AWS Config.

    • If the data source type is AWS Security Hub, the mapping is the name of a specific Security Hub control (for example, 1.1 – Avoid the use of the "root" account). Audit Manager uses this mapping to report the result of that security check directly from Security Hub.

    • If the data source type is AWS API calls, the mapping is the name of a specific API call (for example, ec2_DescribeSecurityGroups). Audit Manager uses this mapping to collect the API response.

    • If the data source type is AWS CloudTrail, the mapping is the name of a specific CloudTrail event (for example, CreateAccessKey). Audit Manager uses this mapping to collect the related user activity from your CloudTrail logs.

  • Frequency – The frequency of evidence collection from this data source. The frequency varies depending on the data source. For more information, choose the value in the column or see Evidence collection frequency.

Comments tab

In the Comments tab, you can add a comment regarding the control and its evidence. It also displays a list of previous comments.

Under Send comments, you can add comments for a control by entering text and then choosing Submit comments.

Under Previous comments, you can view a list of previous comments along with the date the comment was made and the associated user ID.

Changelog tab

The Changelog tab displays a list of user activity related to the control. The same information is available as audit trail logs in AWS CloudTrail. With the user activity that's captured directly in Audit Manager, you can easily review an audit trail of activity for a given control.

Under Changelog, a table displays the following data columns:

  • Date – The date and time of the activity, represented in Coordinated Universal Time (UTC).

  • User – The user or role that performed the activity.

  • Action – A description of the activity.

  • Type – The associated attribute that further describes the activity.

  • Resource – The related resource, if applicable.

Audit Manager tracks the following user activity in changelogs:

  • Creating an assessment

  • Editing an assessment

  • Completing an assessment

  • Deleting an assessment

  • Delegating a control set for review

  • Submitting a reviewed control set back to the audit owner

  • Uploading manual evidence

  • Updating a control status

  • Generating assessment reports
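The changelog columns and tracked activities listed above are enough to reconstruct an audit trail for a control offline. The following is an added example, not code from the AWS page or the Audit Manager service: the rows are constructed to match the five Changelog columns (Date, User, Action, Type, Resource) with the action names from the list above, and the extra `status` key on status-update rows is this example's own convention, not a documented column. It makes no AWS calls.

```python
"""Audit-trail reconstruction from control changelog rows.

Added example. Assumptions (not from the AWS page): the rows below are
constructed to match the Changelog columns the console shows (Date, User,
Action, Type, Resource); the 'status' key on status-update rows is this
example's own convention. Dates are UTC, as the page states. No AWS calls.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample rows covering one assessment and one control.
SAMPLE_CHANGELOG = [
    {"date": "2024-05-01T08:02:11Z", "user": "alice", "action": "Creating an assessment",
     "type": "Assessment", "resource": "Example assessment"},
    {"date": "2024-05-01T08:05:40Z", "user": "alice", "action": "Delegating a control set for review",
     "type": "Control set", "resource": "Control set 1"},
    {"date": "2024-05-02T10:12:03Z", "user": "bob", "action": "Uploading manual evidence",
     "type": "Control", "resource": "Control 1.1"},
    {"date": "2024-05-03T07:45:00Z", "user": "bob",
     "action": "Submitting a reviewed control set back to the audit owner",
     "type": "Control set", "resource": "Control set 1"},
    {"date": "2024-05-03T09:00:30Z", "user": "alice", "action": "Updating a control status",
     "type": "Control", "resource": "Control 1.1", "status": "REVIEWED"},
    # Manual upload after Reviewed is still permitted by the page's rules.
    {"date": "2024-05-03T09:30:00Z", "user": "alice", "action": "Uploading manual evidence",
     "type": "Control", "resource": "Control 1.1"},
]


def parse_changelog(rows):
    """Turn the Date column into timezone-aware UTC datetimes and sort oldest first."""
    parsed = []
    for row in rows:
        entry = dict(row)
        entry["date"] = datetime.strptime(
            row["date"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        parsed.append(entry)
    return sorted(parsed, key=lambda e: e["date"])


def status_timeline(entries, control):
    """Ordered (date, user, status) tuples of status updates for one control."""
    return [(e["date"], e["user"], e.get("status"))
            for e in entries
            if e["action"] == "Updating a control status" and e["resource"] == control]


def reviewed_by(entries, control):
    """Who set the control to Reviewed, or None if it is still open."""
    for _, user, status in status_timeline(entries, control):
        if status == "REVIEWED":
            return user
    return None


def status_changes_after_review(entries, control):
    """Status updates logged after the control was marked Reviewed.

    The page states that Reviewed is final, so this should be empty; any
    entry here is something to investigate rather than a normal workflow.
    """
    reviewed_at = None
    late = []
    for when, user, status in status_timeline(entries, control):
        if reviewed_at is not None and when >= reviewed_at:
            late.append((when, user, status))
        elif status == "REVIEWED":
            reviewed_at = when
    return late


def actions_by_user(entries):
    """How many changelog actions each user or role performed."""
    return dict(Counter(e["user"] for e in entries))


if __name__ == "__main__":
    log = parse_changelog(SAMPLE_CHANGELOG)
    for e in log:
        print(e["date"].isoformat(), e["user"], e["action"], e["type"], e["resource"])
    print("reviewed by:", reviewed_by(log, "Control 1.1"))
    print("status changes after review:", status_changes_after_review(log, "Control 1.1"))
    print("actions by user:", actions_by_user(log))
```

Because the same activity is also recorded in AWS CloudTrail, the per-user counts and the Reviewed timestamp produced here can be cross-checked against CloudTrail when you need an independent record of who finalized a control.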