Reviewing the evidence in an assessment - AWS Audit Manager

An active assessment in AWS Audit Manager automatically collects evidence from a range of data sources. For more information, see How AWS Audit Manager collects evidence. You can open and review the evidence for the controls in your assessments at any time.

To open evidence for a control

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the navigation pane, choose Assessments, and then choose the name of an assessment to open it.

  3. From the assessment page, choose the Controls tab, scroll down to the Controls table, and then choose the name of a control to open it.

  4. From the control page, choose the Evidence folders tab, and then choose the name of an evidence folder to open it.

  5. From the evidence folder summary page, choose the name of an evidence item to open it.

When you open an evidence folder, you see a summary page that contains two sections. Each section and its contents are described below.

Evidence folder summary page

The evidence folder summary page consists of two sections: a Summary dashboard and the Evidence table.

Summary dashboard

The Summary dashboard provides an overview of the evidence in the evidence folder.

[Screenshot: the evidence folder summary, annotated with numbered labels that correspond to the definitions that follow.]

It includes the following information:

  1. Date – The time and date when the evidence folder was created.

  2. Control name – The name of the control that is associated with the evidence folder.

  3. Added to assessment report – The number of evidence items that you chose to include in the assessment report.

  4. Total evidence – The total number of evidence items in the evidence folder.

  5. Resources – The total number of AWS resources that were assessed when generating the evidence in this folder.

  6. User activity – The number of evidence items that fall under the user activity category. This evidence is collected from AWS CloudTrail logs.

  7. Configuration data – The number of evidence items that fall under the configuration data category. This evidence is collected from configuration snapshots of other AWS services such as Amazon EC2, Amazon S3, or IAM.

  8. Manual – The number of evidence items that fall under the manual category. This evidence is uploaded manually.

  9. Compliance check – The number of evidence items that fall under the compliance check category. This evidence is collected from AWS Config or AWS Security Hub.

  10. Compliance check status – The total number of issues that were reported directly from AWS Security Hub, AWS Config, or both.

Tip

For definitions and more information about different evidence types (user activity, configuration data, compliance check, and manual), see AWS Audit Manager concepts and terminology.

Evidence table

The Evidence table lists the evidence collected under the evidence folder.

It includes the following information:

  1. Time – When the evidence was collected.

  2. Evidence by type – The category of the evidence.

    • Compliance check evidence is collected from AWS Config or AWS Security Hub.

    • User activity evidence is collected from AWS CloudTrail logs.

    • Configuration data evidence is collected from snapshots of other services such as Amazon EC2, Amazon S3, or IAM.

    • Manual evidence is evidence that you upload manually.

  3. Compliance check – The evaluation status for evidence that falls under the compliance check category.

    • For evidence that is collected from AWS Security Hub, a Pass or Fail result is reported directly from AWS Security Hub.

    • For evidence that is collected from AWS Config, a Compliant or Noncompliant result is reported directly from AWS Config.

    • If Not applicable is shown, this indicates that you either don't have AWS Security Hub or AWS Config enabled, or the evidence comes from a different data source.

  4. Data source – The AWS service from which the evidence is collected.

  5. Event name – The name of the event included in the evidence.

  6. Resources – The number of resources assessed to generate the evidence.

  7. Assessment report selection – Indicates whether you chose to include the evidence in the assessment report.

    • To include evidence, select the evidence and choose Add to assessment report.

    • To exclude evidence, select the evidence and choose Remove from assessment report.

To upload manual evidence to the evidence folder, choose Upload manual evidence, enter the S3 URI of the evidence, and then choose Upload.

Tip

You can find the S3 URI by navigating to the object in the Amazon S3 console and choosing Copy S3 URI. Your manual evidence must be in an S3 bucket before you can upload it to your assessment. For more information, see Creating a bucket and Uploading objects in the Amazon Simple Storage Service User Guide.
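The Summary dashboard counters above (total evidence, evidence by type, resources, issues, items added to the report) and the Evidence table's report selection are straightforward to reproduce programmatically when you want to review many folders at once. The following script is an added example and is not AWS code. It assumes the record shape that the Audit Manager GetEvidenceByEvidenceFolder API returns (`evidenceByType`, `complianceCheck`, `dataSource`, `resourcesIncluded`, `assessmentReportSelection`, `id`) and the nextToken paging of the boto3 client; the exact compliance-check strings and the "Yes"/"No" report-selection values are assumptions, and the sample records are constructed for illustration.

```python
"""Rebuild the evidence folder Summary dashboard from evidence records and
list the failing compliance checks that are not yet in the assessment report.

Added example, not AWS Audit Manager code. Field names follow the Evidence
structure of GetEvidenceByEvidenceFolder as assumed here; sample data is
constructed.
"""
from collections import Counter

# Compliance-check values that count as an issue on the dashboard:
# Fail (from Security Hub) or Noncompliant (from AWS Config). Assumed
# API spellings, matched case-insensitively.
ISSUE_STATUSES = {"FAIL", "FAILED", "NON_COMPLIANT", "NONCOMPLIANT"}

# Evidence categories as named on the Summary dashboard (assumed API values).
EVIDENCE_TYPES = ("Compliance Check", "User Activity", "Configuration Data", "Manual")


def fetch_folder_evidence(client, assessment_id, control_set_id, folder_id):
    """Page through GetEvidenceByEvidenceFolder (assumed boto3 method name and
    nextToken paging) and return every evidence record in the folder."""
    records, token = [], None
    while True:
        kwargs = dict(assessmentId=assessment_id, controlSetId=control_set_id,
                      evidenceFolderId=folder_id, maxResults=100)
        if token:
            kwargs["nextToken"] = token
        page = client.get_evidence_by_evidence_folder(**kwargs)
        records.extend(page.get("evidence", []))
        token = page.get("nextToken")
        if not token:
            return records


def is_issue(record):
    """True when the compliance check reported Fail or Noncompliant.
    User activity, configuration data and manual evidence never count."""
    status = (record.get("complianceCheck") or "").strip().upper().replace(" ", "_")
    return status in ISSUE_STATUSES


def summarize_folder(records):
    """Compute the Summary dashboard counters for one evidence folder."""
    by_type = Counter(r.get("evidenceByType", "Unknown") for r in records)
    return {
        "total_evidence": len(records),
        "added_to_report": sum(1 for r in records
                               if r.get("assessmentReportSelection") == "Yes"),
        "resources": sum(len(r.get("resourcesIncluded", [])) for r in records),
        "by_type": {t: by_type.get(t, 0) for t in EVIDENCE_TYPES},
        "compliance_issues": sum(1 for r in records if is_issue(r)),
    }


def evidence_ids_to_report(records):
    """Failing checks not yet selected: candidates for Add to assessment report."""
    return sorted(r["id"] for r in records
                  if is_issue(r) and r.get("assessmentReportSelection") != "Yes")


# Constructed sample records for one evidence folder (not real evidence).
SAMPLE_EVIDENCE = [
    {"id": "ev-001", "evidenceByType": "Compliance Check", "dataSource": "AWS Security Hub",
     "complianceCheck": "FAILED", "resourcesIncluded": [{"arn": "arn:aws:s3:::example-bucket"}],
     "assessmentReportSelection": "No"},
    {"id": "ev-002", "evidenceByType": "Compliance Check", "dataSource": "AWS Config",
     "complianceCheck": "COMPLIANT",
     "resourcesIncluded": [{"arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0example"},
                           {"arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-1example"}],
     "assessmentReportSelection": "Yes"},
    {"id": "ev-003", "evidenceByType": "User Activity", "dataSource": "AWS CloudTrail",
     "complianceCheck": "NOT_APPLICABLE", "resourcesIncluded": [{"arn": "arn:aws:iam::111122223333:user/example"}],
     "assessmentReportSelection": "No"},
    {"id": "ev-004", "evidenceByType": "Configuration Data", "dataSource": "IAM",
     "complianceCheck": "NOT_APPLICABLE", "resourcesIncluded": [{"arn": "arn:aws:iam::111122223333:root"}],
     "assessmentReportSelection": "No"},
    {"id": "ev-005", "evidenceByType": "Compliance Check", "dataSource": "AWS Config",
     "complianceCheck": "NON_COMPLIANT", "resourcesIncluded": [{"arn": "arn:aws:s3:::other-bucket"}],
     "assessmentReportSelection": "Yes"},
    {"id": "ev-006", "evidenceByType": "Manual", "dataSource": "Manual",
     "complianceCheck": "", "resourcesIncluded": [], "assessmentReportSelection": "No"},
]

if __name__ == "__main__":
    print(summarize_folder(SAMPLE_EVIDENCE))
    print("add to report:", evidence_ids_to_report(SAMPLE_EVIDENCE))
```

Against a live assessment you would pass a `boto3.client("auditmanager")` to `fetch_folder_evidence` and feed the result to the two summary functions; the IDs returned by `evidence_ids_to_report` are the ones you would select in the console (or pass to the batch associate API) to add them to the assessment report.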

To see evidence details, select the name of the evidence to open an evidence details page, which is described in the following section.

Evidence detail page

When you open a piece of evidence, you see an evidence detail page that contains three sections: the Evidence detail dashboard, the Attributes table, and the Resources included table. These sections and their contents are described as follows.

Evidence detail dashboard

The Evidence detail dashboard displays an overview of the evidence.

[Screenshot: the evidence details dashboard, annotated with numbered labels that correspond to the definitions that follow.]

It includes the following information:

  1. Date and time – The date and time the evidence was collected.

  2. Evidence folder name – The name of the evidence folder that contains the evidence.

  3. Control name – The name of the control associated with the evidence.

  4. Event source – The name of the resource that created the evidence event.

  5. Event name – The name of the evidence event.

  6. Data source – The AWS service from which the evidence was collected.

  7. Evidence by type – The type of evidence.

    • Compliance check evidence is collected from AWS Config or AWS Security Hub.

    • User activity evidence is collected from AWS CloudTrail logs.

    • Configuration data evidence is collected from snapshots of other AWS services such as Amazon EC2, Amazon S3, or IAM.

    • Manual evidence is evidence that you upload manually.

  8. Compliance check – The evaluation status for evidence that falls under the compliance check category.

    • For evidence that is collected from AWS Security Hub, a Pass or Fail result is reported directly from AWS Security Hub.

    • For evidence that is collected from AWS Config, a Compliant or Noncompliant result is reported directly from AWS Config.

    • If Not applicable is shown, this indicates that you either don't have AWS Security Hub or AWS Config enabled, or the evidence comes from a different data source.

  9. Resources included – The number of resources assessed to generate the evidence.

  10. Attributes – The total number of attributes used by the event in the evidence.

  11. AWS account – The AWS account from which the evidence was collected.

  12. IAM ID – The relevant IAM user or role ID, if applicable.

  13. Added to assessment report – Indicates whether you've chosen to include the evidence in the assessment report.

Attributes

The Attributes table displays the names and values used by the event in this evidence. It includes the following information:

  • Attribute name – The requirement for the evidence, such as allowUsersToChangePassword.

  • Value – The value of the attribute, such as true or false.
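The Attributes table is where a reviewer confirms that the configuration a control requires is actually in place, for instance that a password policy has allowUsersToChangePassword set to true. The following is an added example, not AWS code, of automating that comparison: it takes an evidence item whose `attributes` map has the string-valued shape assumed here for the GetEvidence API, checks each attribute against an expected value or rule, and reports what is missing or wrong. The expected values and the sample evidence are constructed for illustration and are not a statement of what any particular control requires.

```python
"""Compare an evidence item's Attributes table with the values a control
expects. Added example, not AWS Audit Manager code; the attribute names
and expected values below are constructed for illustration.
"""


def normalize(value):
    """Attribute values arrive as strings ("true", "8"); coerce them so that
    booleans and integers compare sensibly with the expected values."""
    if isinstance(value, str):
        lowered = value.strip().lower()
        if lowered in ("true", "false"):
            return lowered == "true"
        try:
            return int(lowered)
        except ValueError:
            return lowered
    return value


def check_attributes(evidence, expected):
    """Return one finding per attribute that is missing from the evidence or
    whose value does not satisfy the expectation. An expectation is either a
    literal value or a callable rule applied to the normalized value."""
    attrs = evidence.get("attributes") or {}
    findings = []
    for name, want in expected.items():
        if name not in attrs:
            findings.append({"attribute": name, "status": "missing", "actual": None})
            continue
        actual = normalize(attrs[name])
        ok = want(actual) if callable(want) else actual == normalize(want)
        if not ok:
            findings.append({"attribute": name, "status": "mismatch", "actual": actual})
    return findings


# Constructed expectations for an account password policy (illustrative only).
PASSWORD_POLICY_EXPECTED = {
    "allowUsersToChangePassword": True,
    "minimumPasswordLength": lambda n: isinstance(n, int) and n >= 14,
    "requireSymbols": True,
    "maxPasswordAge": lambda n: isinstance(n, int) and 0 < n <= 90,
}

# Constructed evidence item; only the fields this example reads are filled in.
SAMPLE_EVIDENCE_ITEM = {
    "id": "ev-007",
    "eventName": "GetAccountPasswordPolicy",
    "dataSource": "IAM",
    "evidenceByType": "Configuration Data",
    "attributes": {
        "allowUsersToChangePassword": "true",
        "minimumPasswordLength": "8",
        "requireSymbols": "false",
    },
}

if __name__ == "__main__":
    for finding in check_attributes(SAMPLE_EVIDENCE_ITEM, PASSWORD_POLICY_EXPECTED):
        print(finding)
```

Each finding names the attribute, whether it was absent or had the wrong value, and the value observed, which is the information a reviewer needs when deciding whether to add the evidence to the assessment report.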

Resources included

The Resources included table displays the list of resources assessed to generate this evidence. It includes one or more of the following fields:

  • ARN – The Amazon Resource Name (ARN) of the resource. An ARN may not be available for all evidence types.

  • Value – The value of that resource, if applicable.

  • JSON – The link to view the JSON file for that resource.