AWS managed policies for AWS Audit Manager

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.
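Because AWS only ever adds actions to a managed policy, every identity with the policy attached can gain new permissions without anyone in your account changing anything. The following added example (not code from the AWS documentation) diffs a previously captured policy document against the current default version and reports what was added per statement. fetch_default_version uses boto3 and needs AWS credentials; diff_policies runs offline on the constructed sample documents BASELINE and CURRENT, which are a reduced, hypothetical before/after pair, not real versions of the policy.

```python
"""Detect permissions added to an AWS managed policy between two versions.

Added example, not part of the AWS documentation. AWS only ever adds actions
to a managed policy, so diffing the current default version against a
baseline captured earlier shows exactly what new access every identity with
the policy attached has received since the baseline was taken.
"""
import json

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AWSAuditManagerAdministratorAccess"


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def actions_by_sid(policy):
    """Map each Allow statement (keyed by Sid, or its index if it has none)
    to {lower-cased action: action as written}. IAM matches action names
    case-insensitively, so comparisons are done on the lower-cased form."""
    out = {}
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        key = stmt.get("Sid", f"statement[{i}]")
        out[key] = {a.lower(): a for a in _as_list(stmt.get("Action"))}
    return out


def diff_policies(baseline, current):
    """Return {sid: [new actions]} for actions present in current but not in baseline.

    A statement that is entirely new in `current` is reported with all of its
    actions. Actions that disappeared are reported under the key "_removed";
    AWS states it does not remove permissions, so a non-empty "_removed" is
    itself worth a look (a renamed Sid shows up as removed + added).
    """
    old, new = actions_by_sid(baseline), actions_by_sid(current)
    added, removed = {}, {}
    for sid, acts in new.items():
        extra = set(acts) - set(old.get(sid, {}))
        if extra:
            added[sid] = sorted(acts[a] for a in extra)
    for sid, acts in old.items():
        missing = set(acts) - set(new.get(sid, {}))
        if missing:
            removed[sid] = sorted(acts[a] for a in missing)
    if removed:
        added["_removed"] = removed
    return added


def fetch_default_version(policy_arn):
    """Fetch the default version document of a managed policy (needs AWS credentials)."""
    import boto3  # imported lazily so the offline functions work without boto3 installed

    iam = boto3.client("iam")
    version_id = iam.get_policy(PolicyArn=policy_arn)["Policy"]["DefaultVersionId"]
    return iam.get_policy_version(PolicyArn=policy_arn, VersionId=version_id)["PolicyVersion"]["Document"]


# Constructed sample (not real policy versions): a baseline captured before a
# hypothetical update, and the "current" document after AWS added iam:ListRoles
# to an existing statement and a brand-new TagAccess statement.
BASELINE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AuditManagerAccess", "Effect": "Allow", "Action": ["auditmanager:*"], "Resource": "*"},
        {"Sid": "IAMAccess", "Effect": "Allow", "Action": ["iam:GetUser", "iam:ListUsers"], "Resource": "*"},
    ],
}
CURRENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AuditManagerAccess", "Effect": "Allow", "Action": ["auditmanager:*"], "Resource": "*"},
        {"Sid": "IAMAccess", "Effect": "Allow", "Action": ["iam:GetUser", "iam:ListUsers", "iam:ListRoles"], "Resource": "*"},
        {"Sid": "TagAccess", "Effect": "Allow", "Action": "tag:GetResources", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    # Offline demonstration on the constructed sample. To check a live account,
    # store json.dumps(fetch_default_version(ADMIN_POLICY_ARN)) as your baseline
    # and diff it against a fresh fetch on a schedule.
    print(json.dumps(diff_policies(BASELINE, CURRENT), indent=2))
```

Keep the baseline document under version control next to the rest of your IAM baseline; the diff output is what you want to review when the Document history page announces a policy update.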

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ViewOnlyAccess AWS managed policy provides read-only access to many AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

AWS managed policy: AWSAuditManagerAdministratorAccess

You can attach the AWSAuditManagerAdministratorAccess policy to your IAM identities.

This policy grants full administrative access to AWS Audit Manager. This access includes the ability to enable and disable AWS Audit Manager, change its settings, and manage all Audit Manager resources such as assessments, frameworks, controls, and assessment reports.

AWS Audit Manager requires broad permissions across multiple AWS services. This is because AWS Audit Manager integrates with multiple AWS services to collect evidence automatically from the AWS account and services in scope of an assessment.

Permissions details

This policy includes the following permissions:

  • Audit Manager – Allows principals full permissions on AWS Audit Manager resources.

  • Organizations – Allows principals to describe the organization and list its accounts, organizational units, parents, and children, and to enable trusted access for Audit Manager and register or deregister a delegated administrator. The register, deregister, and EnableAWSServiceAccess actions carry a StringLikeIfExists condition on organizations:ServicePrincipal matching auditmanager.amazonaws.com, so they cannot be used to delegate administration of a different service. This is required so that you can enable multi-account support and allow AWS Audit Manager to run assessments over multiple accounts and consolidate evidence into a delegated administrator account.

  • iam – Allows principals to get and list users and list roles in IAM, and to create the service-linked role AWSServiceRoleForAuditManager (the iam:AWSServiceName condition limits this to the auditmanager.amazonaws.com service). This is required so that you can designate audit owners and delegates for an assessment. The policy also allows principals to delete that service-linked role, update its description, and retrieve its deletion status. This is required so that AWS Audit Manager can clean up resources and delete the service-linked role for you when you choose to disable the service in the AWS Management Console.

  • s3 – Allows principals to list available Amazon Simple Storage Service (Amazon S3) buckets. This capability is required so that you can designate the S3 bucket in which you want to store evidence reports or upload manual evidence.

  • kms – Allows principals to list and describe keys, list aliases, and create grants. The kms:CreateGrant permission is conditioned on kms:GrantIsForAWSResource being true and on kms:ViaService matching auditmanager.*.amazonaws.com, so it can only create grants that Audit Manager itself requests on the principal's behalf, not arbitrary grants on any key. This is required so that you can choose customer managed keys for data encryption.

  • sns – Allows principals to list subscription topics in Amazon SNS. This is required so that you can specify which SNS topic you want AWS Audit Manager to send notifications to.

  • events – Allows principals to create an Amazon EventBridge rule whose event pattern is restricted to Security Hub findings (source aws.securityhub, detail-type "Security Hub Findings - Imported"), and to describe, enable, disable, delete, and manage the targets of the rule named AuditManagerSecurityHubFindingsReceiver. This is required so that AWS Audit Manager can automatically collect AWS Security Hub findings for the AWS services that are monitored by AWS Security Hub and convert them into evidence to be included in your AWS Audit Manager assessments.

  • tag – Allows principals to retrieve tagged resources. This is required so that you can use tags as a search filter when browsing frameworks, controls, and assessments in AWS Audit Manager.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AuditManagerAccess",
      "Effect": "Allow",
      "Action": ["auditmanager:*"],
      "Resource": "*"
    },
    {
      "Sid": "OrganizationsAccess",
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccountsForParent",
        "organizations:ListAccounts",
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:ListParents",
        "organizations:ListChildren"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowOnlyAuditManagerIntegration",
      "Effect": "Allow",
      "Action": [
        "organizations:RegisterDelegatedAdministrator",
        "organizations:DeregisterDelegatedAdministrator",
        "organizations:EnableAWSServiceAccess"
      ],
      "Resource": "*",
      "Condition": {
        "StringLikeIfExists": {
          "organizations:ServicePrincipal": ["auditmanager.amazonaws.com"]
        }
      }
    },
    {
      "Sid": "IAMAccess",
      "Effect": "Allow",
      "Action": ["iam:GetUser", "iam:ListUsers", "iam:ListRoles"],
      "Resource": "*"
    },
    {
      "Sid": "IAMAccessCreateSLR",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/auditmanager.amazonaws.com/AWSServiceRoleForAuditManager*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "auditmanager.amazonaws.com"
        }
      }
    },
    {
      "Sid": "IAMAccessManageSLR",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteServiceLinkedRole",
        "iam:UpdateRoleDescription",
        "iam:GetServiceLinkedRoleDeletionStatus"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/auditmanager.amazonaws.com/AWSServiceRoleForAuditManager*"
    },
    {
      "Sid": "S3Access",
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": "*"
    },
    {
      "Sid": "KmsAccess",
      "Effect": "Allow",
      "Action": ["kms:DescribeKey", "kms:ListKeys", "kms:ListAliases"],
      "Resource": "*"
    },
    {
      "Sid": "KmsCreateGrantAccess",
      "Effect": "Allow",
      "Action": ["kms:CreateGrant"],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        },
        "StringLike": {
          "kms:ViaService": "auditmanager.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "SNSAccess",
      "Effect": "Allow",
      "Action": ["sns:ListTopics"],
      "Resource": "*"
    },
    {
      "Sid": "CreateEventsAccess",
      "Effect": "Allow",
      "Action": ["events:PutRule"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "events:source": "aws.securityhub",
          "events:detail-type": "Security Hub Findings - Imported"
        }
      }
    },
    {
      "Sid": "EventsAccess",
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:DescribeRule",
        "events:EnableRule",
        "events:DisableRule",
        "events:ListTargetsByRule",
        "events:PutTargets",
        "events:RemoveTargets"
      ],
      "Resource": "arn:aws:events:*:*:rule/AuditManagerSecurityHubFindingsReceiver"
    },
    {
      "Sid": "TagAccess",
      "Effect": "Allow",
      "Action": ["tag:GetResources"],
      "Resource": "*"
    }
  ]
}

AWS managed policy: AWSAuditManagerServiceRolePolicy

You can't attach AWSAuditManagerServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role, AWSServiceRoleForAuditManager, that allows AWS Audit Manager to perform actions on your behalf. For more information, see Using service-linked roles for AWS Audit Manager.

The role permissions policy, AWSAuditManagerServiceRolePolicy, allows AWS Audit Manager to do the following on your behalf:

  • Collect and assess data from the following data sources to generate AWS Audit Manager evidence:

    • Management events from AWS CloudTrail

    • Compliance checks from AWS Config Rules

    • Compliance checks from AWS Security Hub

  • Describe APIs specific to the following services:

    • AWS CloudTrail

    • Amazon CloudWatch

    • Amazon Cognito user pools

    • AWS Config

    • Amazon EC2

    • Amazon EFS

    • Amazon EventBridge

    • Amazon GuardDuty

    • AWS Identity and Access Management (IAM)

    • AWS KMS

    • AWS License Manager

    • AWS Organizations

    • Amazon Route 53

    • Amazon S3

    • AWS Security Hub

    • AWS WAF

Permissions details

AWSAuditManagerServiceRolePolicy allows AWS Audit Manager to complete the following actions on the specified resources:

  • license-manager:ListLicenseConfigurations

  • license-manager:ListAssociationsForLicenseConfiguration

  • license-manager:ListUsageForLicenseConfiguration

  • iam:GenerateCredentialReport

  • iam:GetAccountSummary

  • iam:ListPolicies

  • iam:GetAccountPasswordPolicy

  • iam:ListUsers

  • iam:ListUserPolicies

  • iam:ListRoles

  • iam:ListRolePolicies

  • iam:ListGroups

  • iam:ListGroupPolicies

  • iam:ListEntitiesForPolicy

  • ec2:DescribeInstances

  • ec2:DescribeFlowLogs

  • ec2:DescribeVpcs

  • ec2:DescribeSecurityGroups

  • ec2:DescribeNetworkAcls

  • ec2:DescribeRouteTables

  • ec2:DescribeSnapshots

  • ec2:DescribeVpcEndpoints

  • cloudtrail:DescribeTrails

  • config:DescribeDeliveryChannels

  • config:ListDiscoveredResources

  • config:DescribeConfigRules

  • securityhub:DescribeStandards

  • kms:ListKeys

  • kms:DescribeKey

  • kms:ListGrants

  • cloudwatch:DescribeAlarms

  • s3:GetLifecycleConfiguration

  • events:DescribeRule

  • waf:ListActivatedRulesInRuleGroup

  • guardduty:ListDetectors

  • route53:GetQueryLoggingConfig

  • organizations:DescribePolicy

  • cognito-idp:DescribeUserPool

  • elasticfilesystem:DescribeFileSystems

  • events:PutRule (only for a rule whose event pattern matches source aws.securityhub and detail-type "Security Hub Findings - Imported")

  • events:DeleteRule, events:EnableRule, events:DisableRule, events:ListTargetsByRule, events:PutTargets, and events:RemoveTargets (only on the rule named AuditManagerSecurityHubFindingsReceiver)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "license-manager:ListLicenseConfigurations",
        "license-manager:ListAssociationsForLicenseConfiguration",
        "license-manager:ListUsageForLicenseConfiguration"
      ],
      "Resource": "*",
      "Sid": "LicenseManagerAccess"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GenerateCredentialReport",
        "iam:GetAccountSummary",
        "iam:ListPolicies",
        "iam:GetAccountPasswordPolicy",
        "iam:ListUsers",
        "iam:ListUserPolicies",
        "iam:ListRoles",
        "iam:ListRolePolicies",
        "iam:ListGroups",
        "iam:ListGroupPolicies",
        "iam:ListEntitiesForPolicy"
      ],
      "Resource": "*",
      "Sid": "IAMAccess"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeFlowLogs",
        "ec2:DescribeVpcs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVpcEndpoints"
      ],
      "Resource": "*",
      "Sid": "EC2Access"
    },
    {
      "Effect": "Allow",
      "Action": ["cloudtrail:DescribeTrails"],
      "Resource": "*",
      "Sid": "CloudtrailAccess"
    },
    {
      "Effect": "Allow",
      "Action": [
        "config:DescribeDeliveryChannels",
        "config:ListDiscoveredResources",
        "config:DescribeConfigRules"
      ],
      "Resource": "*",
      "Sid": "ConfigAccess"
    },
    {
      "Effect": "Allow",
      "Action": ["securityhub:DescribeStandards"],
      "Resource": "*",
      "Sid": "SecurityHubAccess"
    },
    {
      "Effect": "Allow",
      "Action": ["kms:ListKeys", "kms:DescribeKey", "kms:ListGrants"],
      "Resource": "*",
      "Sid": "KMSAccess"
    },
    {
      "Effect": "Allow",
      "Action": ["cloudwatch:DescribeAlarms"],
      "Resource": "*",
      "Sid": "CloudwatchAccess"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetLifecycleConfiguration"],
      "Resource": "*",
      "Sid": "S3Access"
    },
    {
      "Effect": "Allow",
      "Action": ["events:DescribeRule"],
      "Resource": "*",
      "Sid": "EventBridgeAccess"
    },
    {
      "Effect": "Allow",
      "Action": ["waf:ListActivatedRulesInRuleGroup"],
      "Resource": "*",
      "Sid": "WAFAccess"
    },
    {
      "Effect": "Allow",
      "Action": ["guardduty:ListDetectors"],
      "Resource": "*",
      "Sid": "GuardDutyAccess"
    },
    {
      "Effect": "Allow",
      "Action": ["route53:GetQueryLoggingConfig"],
      "Resource": "*",
      "Sid": "Route53Access"
    },
    {
      "Effect": "Allow",
      "Action": ["organizations:DescribePolicy"],
      "Resource": "*",
      "Sid": "OrganizationsAccess"
    },
    {
      "Effect": "Allow",
      "Action": ["cognito-idp:DescribeUserPool"],
      "Resource": "*",
      "Sid": "CognitoAccess"
    },
    {
      "Effect": "Allow",
      "Action": ["elasticfilesystem:DescribeFileSystems"],
      "Resource": "*",
      "Sid": "EFSAccess"
    },
    {
      "Sid": "CreateEventsAccess",
      "Effect": "Allow",
      "Action": ["events:PutRule"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "events:source": "aws.securityhub",
          "events:detail-type": "Security Hub Findings - Imported"
        }
      }
    },
    {
      "Sid": "EventsAccess",
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:DescribeRule",
        "events:EnableRule",
        "events:DisableRule",
        "events:ListTargetsByRule",
        "events:PutTargets",
        "events:RemoveTargets"
      ],
      "Resource": "arn:aws:events:*:*:rule/AuditManagerSecurityHubFindingsReceiver"
    }
  ]
}
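Both policies above grant on Resource "*" in most statements, and the question a reviewer wants answered before attaching either is which of those statements can change state without a resource ARN or a Condition bounding them. The following added example (not code from the AWS documentation) classifies each Allow statement by mutating versus read-only actions and by how its scope is bounded. The read-only verb table is a heuristic of this example, not an AWS definition, and ADMIN_EXCERPT and SERVICE_ROLE_EXCERPT are constructed subsets of the AWSAuditManagerAdministratorAccess and AWSAuditManagerServiceRolePolicy documents on this page, reduced to the statements that exercise each scope class.

```python
"""Least-privilege review of IAM policy statements.

Added example, not part of the AWS documentation. Each Allow statement is
classified by whether it can change state and whether its blast radius is
bounded by concrete Resource ARNs or by a Condition block. Statements that
can mutate state on "*" with no Condition are the ones to understand before
attaching the policy.
"""

# Verb prefixes treated as read-only; this is a reviewer's heuristic, not an
# AWS-defined list. Anything else (Put, Create, Delete, Register, Enable, ...)
# is treated as a mutation.
READ_ONLY_VERBS = ("Get", "List", "Describe", "Generate", "Simulate")
# kms:CreateGrant delegates key use to another principal, so it is write-like
# regardless of how other tooling files it.
ALWAYS_WRITE = {"kms:creategrant"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def is_read_only(action):
    """True for actions that cannot change state (by verb prefix).
    'service:*' or any wildcard verb is never read-only."""
    if action.lower() in ALWAYS_WRITE:
        return False
    _service, _, verb = action.partition(":")
    if not verb or "*" in verb:
        return False
    return verb.startswith(READ_ONLY_VERBS)


def review(policy):
    """Return one finding per Allow statement.

    scope is 'resource' when no Resource entry is a bare '*', 'condition' when
    a wildcard resource is bounded by a Condition block, and 'unbounded' when
    a wildcard resource has no Condition at all. risk is 'high' for unbounded
    statements that include a mutating action, 'medium' for bounded mutating
    statements, and 'low' for read-only statements.
    """
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if not any(r == "*" for r in resources):
            scope = "resource"
        elif stmt.get("Condition"):
            scope = "condition"
        else:
            scope = "unbounded"
        writes = [a for a in actions if not is_read_only(a)]
        if writes and scope == "unbounded":
            risk = "high"
        elif writes:
            risk = "medium"
        else:
            risk = "low"
        findings.append({"sid": stmt.get("Sid", f"statement[{i}]"), "scope": scope,
                         "writes": writes, "risk": risk})
    return findings


def high_risk_sids(policy):
    """Sids of statements that can mutate state on any resource with no Condition."""
    return [f["sid"] for f in review(policy) if f["risk"] == "high"]


# Constructed excerpts of the two policies on this page (subsets, not the full documents).
ADMIN_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AuditManagerAccess", "Effect": "Allow", "Action": ["auditmanager:*"], "Resource": "*"},
        {"Sid": "AllowOnlyAuditManagerIntegration", "Effect": "Allow",
         "Action": ["organizations:RegisterDelegatedAdministrator", "organizations:EnableAWSServiceAccess"],
         "Resource": "*",
         "Condition": {"StringLikeIfExists": {"organizations:ServicePrincipal": ["auditmanager.amazonaws.com"]}}},
        {"Sid": "IAMAccess", "Effect": "Allow", "Action": ["iam:GetUser", "iam:ListUsers", "iam:ListRoles"],
         "Resource": "*"},
        {"Sid": "KmsCreateGrantAccess", "Effect": "Allow", "Action": ["kms:CreateGrant"], "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"},
                       "StringLike": {"kms:ViaService": "auditmanager.*.amazonaws.com"}}},
        {"Sid": "EventsAccess", "Effect": "Allow",
         "Action": ["events:DeleteRule", "events:PutTargets", "events:RemoveTargets"],
         "Resource": "arn:aws:events:*:*:rule/AuditManagerSecurityHubFindingsReceiver"},
    ],
}
SERVICE_ROLE_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "IAMAccess", "Effect": "Allow", "Action": ["iam:GenerateCredentialReport", "iam:ListUsers"],
         "Resource": "*"},
        {"Sid": "CreateEventsAccess", "Effect": "Allow", "Action": ["events:PutRule"], "Resource": "*",
         "Condition": {"StringEquals": {"events:source": "aws.securityhub",
                                        "events:detail-type": "Security Hub Findings - Imported"}}},
    ],
}

if __name__ == "__main__":
    for name, pol in (("admin", ADMIN_EXCERPT), ("service-role", SERVICE_ROLE_EXCERPT)):
        for f in review(pol):
            print(f"{name:13} {f['risk']:6} {f['scope']:10} {f['sid']:34} {f['writes']}")
```

On the excerpts, the only unbounded mutating statement is auditmanager:* in the administrator policy, which is exactly the access the policy exists to grant; every other write is pinned either to the named EventBridge rule ARN or to a Condition on the service principal, the KMS via-service, or the Security Hub event pattern. The service-linked role policy has no unbounded writes at all. Replace the excerpts with the full documents (for example, from fetch_default_version in the earlier example or from the IAM console) to confirm that holds for the complete policies.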

AWS Audit Manager updates to AWS managed policies

View details about updates to AWS managed policies for AWS Audit Manager since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Audit Manager Document history page.

| Change | Description | Date |
| --- | --- | --- |
| AWS Audit Manager started tracking changes | AWS Audit Manager started tracking changes for its AWS managed policies. | 05/06/2021 |