Reviewing the evidence in an assessment - AWS Audit Manager

Reviewing the evidence in an assessment

An active assessment in AWS Audit Manager automatically collects evidence from a range of data sources. For more information, see How AWS Audit Manager collects evidence. You can open and review the evidence for the controls in your assessments at any time.

To open evidence for a control

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the navigation pane, choose Assessments, and then choose the name of an assessment to open it.

  3. From the assessment page, choose the Controls tab, scroll down to the Controls table, and then choose the name of a control to open it.

  4. From the control page, choose the Evidence folders tab. Under the Evidence folders table, a list of all evidence folders for that control is displayed. These folders are organized and named based on the date when the evidence within the folder was collected.

  5. Choose the name of an evidence folder to open it.

From here, you can now review the evidence folders for that control, and drill down further to review individual pieces of evidence as needed.

Reviewing evidence folders

When you open an evidence folder, you see an evidence folder summary page that contains two sections: a Summary section and an Evidence table. These sections and their contents are described as follows.

Evidence folder summary

The Summary section of the page provides a high-level overview of the evidence in the evidence folder.


      Screenshot of the evidence folder summary, annotated with numbered labels that relate
       to the following definitions.

It includes the following information:

  1. Date – The time and date when the evidence folder was created.

  2. Control name – The name of the control that's associated with the evidence folder.

  3. Added to assessment report – The number of evidence items that were manually selected for inclusion in the assessment report.

  4. Total evidence – The total number of evidence items in the evidence folder.

  5. Resources – The total number of AWS resources that were assessed when generating the evidence in this folder.

  6. User activity – The number of evidence items that fall under the user activity category. This evidence is collected from AWS CloudTrail logs.

  7. Configuration data – The number of evidence items that fall under the configuration data category. This evidence is collected from configuration snapshots of other AWS services such as Amazon EC2, Amazon S3, or IAM.

  8. Manual – The number of evidence items that fall under the manual category. This evidence is uploaded manually.

  9. Compliance check – The number of evidence items that fall under the compliance check category. This evidence is collected from AWS Config or AWS Security Hub.

  10. Compliance check status – The total number of issues that were reported directly from AWS Security Hub, AWS Config, or both.

Tip

For more information about different evidence types (user activity, configuration data, compliance check, and manual), see Evidence.

Evidence table

The Evidence table lists the individual pieces of evidence that are contained within the evidence folder.

It includes the following information:

  1. Time – Specifies when the evidence was collected, and also serves as the name of the evidence. Choosing a time from this column opens an evidence detail page. This page is described in the following section.

  2. Evidence by type – The category of the evidence.

    • Compliance check evidence is collected from AWS Config or AWS Security Hub.

    • User activity evidence is collected from AWS CloudTrail logs.

    • Configuration data evidence is collected from snapshots of other services such as Amazon EC2, Amazon S3, or IAM.

    • Manual evidence is evidence that you upload manually.

  3. Compliance check – The evaluation status for evidence that falls under the compliance check category.

    • For evidence that is collected from AWS Security Hub, a Pass or Fail result is reported directly from AWS Security Hub.

    • For evidence that is collected from AWS Config, a Compliant or Noncompliant result is reported directly from AWS Config.

    • If Not applicable is shown, this indicates that you either don't have AWS Security Hub or AWS Config enabled, or the evidence comes from a different data source.

  4. Data source – The AWS service from which the evidence is collected.

  5. Event name – The name of the event included in the evidence.

  6. Resources – The number of resources assessed to generate the evidence.

  7. Assessment report selection – Indicates whether that evidence was manually selected for inclusion in the assessment report.

    • To include evidence, select the evidence and choose Add to assessment report.

    • To exclude evidence, select the evidence and choose Remove from assessment report.

To upload manual evidence to the evidence folder, choose Upload manual evidence, enter the S3 URI of the evidence, and then choose Upload. For more information, see Uploading manual evidence in AWS Audit Manager.

To see details for any individual piece of evidence, choose the hyperlinked evidence name under the Time column. This opens an evidence detail page, which is described in the following section.

Reviewing individual evidence

When you open an individual piece of evidence, you see an evidence detail page that contains three sections: the Evidence detail section, the Attributes table, and the Resources included table. These sections and their contents are described as follows.

Evidence detail

The Evidence detail section of the page displays an overview of the evidence.


      Screenshot of the evidence details overview, annotated with numbered labels that
       relate to the following definitions.

It includes the following information:

  1. Date and time – The date and time the evidence was collected.

  2. Evidence folder name – The name of the evidence folder that contains the evidence.

  3. Control name – The name of the control that's associated with the evidence.

  4. Event source – The name of the resource that created the evidence event.

  5. Event name – The name of the evidence event.

  6. Data source – The AWS service where the evidence was collected from.

  7. Evidence by type – The type of evidence.

    • Compliance check evidence is collected from AWS Config or AWS Security Hub.

    • User activity evidence is collected from AWS CloudTrail logs.

    • Configuration data evidence is collected from snapshots of other AWS services such as Amazon EC2, Amazon S3, or IAM.

    • Manual evidence is evidence that you upload manually.

  8. Compliance check – The evaluation status for evidence that falls under the compliance check category.

    • For evidence that's collected from AWS Security Hub, a Pass or Fail result is reported directly from AWS Security Hub.

    • For evidence that's collected from AWS Config, a Compliant or Noncompliant result is reported directly from AWS Config.

    • If Not applicable is shown, this indicates that you either don't have AWS Security Hub or AWS Config enabled, or the evidence comes from a different data source.

  9. Resources included – The number of resources that are assessed to generate the evidence.

  10. Attributes – The total number of attributes that are used by the event in the evidence.

  11. AWS account – The AWS account where the evidence was collected from.

  12. IAM ID – The relevant IAM user or role ID, if applicable.

  13. Added to assessment report – Indicates whether you chose to include the evidence in the assessment report.

Attributes

The Attributes table displays the names and values that are used by the event in this evidence. It includes the following information:

  • Attribute name – The requirement for the evidence, such as allowUsersToChangePassword.

  • Value – The value of the attribute, such as true or false.

Resources included

The Resources included table displays the list of resources assessed to generate this evidence. It includes one or more of the following fields:

  • ARN – The Amazon Resource Name (ARN) of the resource. An ARN might not be available for all evidence types.

  • Value – The value of that resource, if applicable.

  • JSON – The link to view the JSON file for that resource.