
Setting up AWS Audit Manager

Before you start using AWS Audit Manager, ensure that you have completed the following setup tasks.

Step 1: Sign up for AWS

If you don't already have an AWS account, you must create one. For more information, see How to create and activate a new AWS account.

Step 2: Attach the required IAM policy to an IAM identity

The AWS Identity and Access Management (IAM) identity (user, role, or group) that you use to access AWS Audit Manager must have the required permissions. Admin roles have these permissions by default.

To grant the permissions required to use Audit Manager, attach the following policy to an IAM identity. For more information about how to attach a policy to an IAM identity, see Adding and removing IAM identity permissions in the IAM User Guide.

Note

The policy shown here is a basic policy that allows you to register your account with AWS Audit Manager. This guide also provides examples of other permission policies that you can use with Audit Manager. The Getting Started tutorial in this guide assumes that you are a user with administrator or management permissions.

We recommend that you take time to customize your permissions so they meet your specific needs. If you need help, contact your administrator or AWS Support.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "auditmanager:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "auditmanager.amazonaws.com"
        }
      }
    },
    {
      "Sid": "CreateEventsAccess",
      "Effect": "Allow",
      "Action": [
        "events:PutRule"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "events:source": "aws.securityhub",
          "events:detail-type": "Security Hub Findings - Imported"
        }
      }
    },
    {
      "Sid": "EventsAccess",
      "Effect": "Allow",
      "Action": [
        "events:PutTargets"
      ],
      "Resource": "arn:aws:events:*:*:rule/AuditManagerSecurityHubFindingsReceiver"
    },
    {
      "Effect": "Allow",
      "Action": "kms:ListAliases",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "auditmanager.amazonaws.com"
        }
      }
    }
  ]
}

Two points are worth reviewing before you attach this policy as shown. The first statement grants auditmanager:* on every resource; if the identity only needs to enable the service and manage its settings, replace the wildcard with the specific auditmanager actions it uses. The last statement attaches an iam:AWSServiceName condition to kms:ListAliases, but IAM only populates that key for iam:CreateServiceLinkedRole and iam:DeleteServiceLinkedRole requests; a condition key that is absent from the request context evaluates to false, so as written that statement grants nothing. If the identity needs to list KMS key aliases during setup, grant kms:ListAliases without that condition. For more information about IAM and how it works with AWS Audit Manager, see Identity and access management for AWS Audit Manager in this guide.
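Before attaching the policy, a reviewer usually wants a mechanical check of the points a policy review raises and a way to tighten it. The following Python is an added example, not code from the AWS Audit Manager documentation. It reproduces the Step 2 policy as a dict, lints it with two rules (an unconditioned service-wide wildcard on Resource "*", and a condition key that IAM never populates for the statement's actions) and returns a tightened copy. The ACTION_SCOPED_KEYS table and the ENABLE_ONLY_ACTIONS list are assumptions of this example, not something the page specifies; adjust the action list to what your identity actually does. The attach_to_role helper uses the standard boto3 create_policy and attach_role_policy calls and needs AWS credentials; everything else runs offline.

```python
"""Review and tighten the Step 2 policy before attaching it.

Added example; not code from the AWS Audit Manager documentation. The policy
dict is the one shown in Step 2. The lint rules, the ACTION_SCOPED_KEYS table
and the ENABLE_ONLY_ACTIONS list are this example's own assumptions.
"""
import json

# The Step 2 policy, reproduced as a Python dict.
AUDIT_MANAGER_SETUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "auditmanager:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
         "Condition": {"StringLike": {"iam:AWSServiceName": "auditmanager.amazonaws.com"}}},
        {"Sid": "CreateEventsAccess", "Effect": "Allow", "Action": ["events:PutRule"],
         "Resource": "*",
         "Condition": {"StringEquals": {"events:source": "aws.securityhub",
                                        "events:detail-type": "Security Hub Findings - Imported"}}},
        {"Sid": "EventsAccess", "Effect": "Allow", "Action": ["events:PutTargets"],
         "Resource": "arn:aws:events:*:*:rule/AuditManagerSecurityHubFindingsReceiver"},
        {"Effect": "Allow", "Action": "kms:ListAliases", "Resource": "*",
         "Condition": {"StringLike": {"iam:AWSServiceName": "auditmanager.amazonaws.com"}}},
    ],
}

# Condition keys that IAM only places in the request context for specific
# actions. On any other action the key is absent, the condition evaluates to
# false and the statement grants nothing. Hand-maintained assumption; only the
# key used on this page is listed.
ACTION_SCOPED_KEYS = {
    "iam:AWSServiceName": {"iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole"},
}

# Assumed explicit action list for an identity that only enables Audit Manager
# and manages its settings; extend it for whatever else that identity must do.
ENABLE_ONLY_ACTIONS = [
    "auditmanager:RegisterAccount", "auditmanager:GetAccountStatus",
    "auditmanager:GetSettings", "auditmanager:UpdateSettings",
    "auditmanager:RegisterOrganizationAdminAccount",
    "auditmanager:GetOrganizationAdminAccount",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_keys(stmt):
    return {key for operator in stmt.get("Condition", {}).values() for key in operator}


def lint_policy(policy):
    """Return reviewer findings for an IAM policy document; an empty list is clean."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid") or f"Statement[{index}]"
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard = any(a == "*" or a.endswith(":*") for a in actions)
        # Rule 1: service-wide wildcard on every resource with no narrowing condition.
        if wildcard and "*" in resources and "Condition" not in stmt:
            findings.append(f"{label}: wildcard action {actions} on Resource '*' with no Condition")
        # Rule 2: a condition key that can never be present for these actions.
        for key, valid_actions in ACTION_SCOPED_KEYS.items():
            if key in _condition_keys(stmt) and not set(actions) <= valid_actions:
                findings.append(f"{label}: {key} is only set for {sorted(valid_actions)}; "
                                f"on {actions} the condition never matches, so this statement grants nothing")
    return findings


def tighten(policy, explicit_actions=ENABLE_ONLY_ACTIONS):
    """Return a copy with 'auditmanager:*' made explicit and dead conditions removed."""
    fixed = json.loads(json.dumps(policy))  # deep copy; never mutate the caller's dict
    for stmt in fixed["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        if actions == ["auditmanager:*"]:
            stmt["Action"] = sorted(explicit_actions)
        for key, valid_actions in ACTION_SCOPED_KEYS.items():
            if key in _condition_keys(stmt) and not set(actions) <= valid_actions:
                for operator in list(stmt["Condition"]):
                    stmt["Condition"][operator].pop(key, None)
                    if not stmt["Condition"][operator]:
                        del stmt["Condition"][operator]
                if not stmt["Condition"]:
                    del stmt["Condition"]
    return fixed


def attach_to_role(role_name, policy_name, policy):
    """Create the customer managed policy and attach it to a role (needs AWS credentials)."""
    import boto3  # imported here so lint_policy and tighten run offline
    iam = boto3.client("iam")
    arn = iam.create_policy(PolicyName=policy_name, PolicyDocument=json.dumps(policy))["Policy"]["Arn"]
    iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
    return arn


if __name__ == "__main__":
    for finding in lint_policy(AUDIT_MANAGER_SETUP_POLICY):
        print("finding:", finding)
    print(json.dumps(tighten(AUDIT_MANAGER_SETUP_POLICY), indent=2))
```

Run it as is to see the two findings on the documented policy; run lint_policy on the result of tighten before calling attach_to_role so the attached document is the reviewed one.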

Step 3: Enable AWS Organizations (optional)

AWS Audit Manager supports multiple accounts via integration with AWS Organizations. Audit Manager can run assessments over multiple accounts and consolidate evidence into a delegated administrator account. The delegated administrator has permissions to create and manage Audit Manager resources with the organization as the zone of trust. Only the management account can designate a delegated administrator.

If you don't need multi-account support from Audit Manager, you don't need to enable AWS Organizations and you can skip the following tasks. Instead, you can create and run assessments for a single AWS account.

Tasks to enable AWS Organizations

Create or join an organization

If your AWS account is not yet part of an organization, you can create or join an organization as described in Creating and managing an organization in the AWS Organizations User Guide.

Enable all features in your organization

In order to collect evidence from the accounts in your organization, AWS Audit Manager requires that you enable all features in your organization.

After your account is a member of an organization and you have enabled all features in your organization, you can designate a delegated administrator account for AWS Audit Manager.

Designate a delegated administrator for AWS Audit Manager

If you already use AWS Organizations and want to enable multi-account support from AWS Audit Manager, you can designate a delegated administrator account for Audit Manager.

We recommend that you enable AWS Audit Manager using an AWS Organizations management account, and then designate a delegated administrator. After that, you can use the delegated administrator account to log in and run assessments. As a best practice, we recommend that you only create assessments using the delegated administrator account instead of the management account.

Warning

After you designate a delegated administrator using an AWS Organizations management account, your management account can no longer create additional assessments in AWS Audit Manager. Additionally, evidence collection stops for any existing assessments created by the management account. Instead, Audit Manager collects and attaches evidence to the delegated administrator, which is the main account for managing your organization's assessments.

To designate a delegated administrator

Issues to consider

  • You can't use your AWS Organizations management account as a delegated administrator in Audit Manager.

  • If you want to enable Audit Manager in more than one AWS Region, you must designate a delegated administrator account separately in each Region. In your Audit Manager settings, you should designate the same delegated administrator account across all Regions.

  • When you designate a delegated administrator, make sure that the delegated administrator account has access to the CMK that you provide when setting up Audit Manager. To review and change your encryption settings, see Data encryption.

Configure your organization's AWS Security Hub settings

In order for AWS Audit Manager to collect AWS Security Hub evidence from your member accounts, you must perform the following steps in Security Hub.

Note

You must make sure that the delegated administrator account that you designate in Security Hub is the same one that you designate in Audit Manager.

To configure your organization's Security Hub settings

  1. Sign in to the AWS Management Console and open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Using your AWS Organizations management account, designate an account as the delegated administrator for Security Hub. For more information, see Designating a Security Hub administrator account in the AWS Security Hub User Guide.

  3. Using your Organizations delegated administrator account, go to Settings, Accounts, select all accounts, and then add them as members by selecting Auto-enroll. For more information, see Enabling member accounts from your organization in the AWS Security Hub User Guide.

  4. Enable AWS Config for every member account of the organization. For more information, see Enabling member accounts from your organization in the AWS Security Hub User Guide.

  5. Enable the PCI DSS security standard for every member account of the organization. The CIS AWS Foundations Benchmark standard and the AWS Foundational Security Best Practices standard are already enabled by default. For more information, see Enabling a security standard in the AWS Security Hub User Guide.

Step 4: Enable AWS Audit Manager

After you attach the required policy to an IAM identity, you can use that identity to enable AWS Audit Manager.

You can enable Audit Manager using the AWS Management Console, API, or AWS Command Line Interface (AWS CLI).

To enable AWS Audit Manager using the console

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. Use the credentials of the IAM identity to sign in.

  3. Choose Set up AWS Audit Manager.

  4. Under Permissions, no action is required by default. This is because Audit Manager uses a service-linked role to connect to data sources on your behalf. If needed, you can review the service-linked role by choosing View IAM service-linked role permission.

  5. Under Data encryption, you can choose to securely encrypt your data with a default customer master key (CMK) that Audit Manager owns and manages for you. Alternatively, if you want to use your own customer managed CMK to encrypt data in Audit Manager, select Customize encryption settings (advanced). You can then choose an existing CMK or create a new one.

    For more information about how to set up customer managed CMKs, see Creating keys in the AWS Key Management Service User Guide.

  6. (Optional) Under Delegated administrator - optional, you can designate a delegated administrator account if you want Audit Manager to run assessments for multiple accounts.

    Note
    • When you designate a delegated administrator account using an AWS Organizations management account, make sure that the delegated administrator account has access to the CMK provided in step 5.

    • If you want to enable AWS Audit Manager in more than one AWS Region, you must assign a delegated administrator account separately in each Region.

    • We recommend that you enable Audit Manager using an AWS Organizations management account, and then add a delegated administrator in your AWS Audit Manager settings. After that, you can use the delegated administrator account to log in and run assessments. As a best practice, we recommend that you only create assessments using the delegated administrator account instead of the AWS Organizations management account.

  7. (Optional) Under AWS Config - optional, we recommend that you enable AWS Config for an optimal experience. This allows Audit Manager to generate evidence using AWS Config rules. For more information about how to enable AWS Config, see Setting up AWS Config in the AWS Config User Guide. You can choose to enable AWS Config at a later time from your AWS Audit Manager settings.

  8. (Optional) Under AWS Security Hub - optional, we recommend that you enable Security Hub for an optimal experience. This allows Audit Manager to generate evidence using Security Hub checks. For more information about how to enable Security Hub, see Setting up AWS Security Hub in the AWS Security Hub User Guide. You can choose to enable Security Hub at a later time from your AWS Audit Manager settings.

  9. Choose Complete setup to finish the setup process.

To enable AWS Audit Manager using the Audit Manager API

  1. Use the RegisterAccount operation.

  2. Use the following setup parameters:

    1. kmsKey (optional) - You can use this parameter to encrypt your data within Audit Manager using your KMS key.

    2. delegatedAdminAccount (optional) - You can use this parameter to designate your AWS organization’s delegatedAdminAccount for Audit Manager.

      Note
      • When you designate a delegated administrator account using an AWS Organizations management account, make sure that the delegated administrator account has access to the CMK provided in step 2a.

      • If you want to enable Audit Manager in more than one AWS Region, you must assign a delegated administrator account separately in each Region.

      • We recommend that you enable Audit Manager using an AWS Organizations management account, and then set up a delegated administrator. After that, you can use the delegated administrator account to log in and run assessments. As a best practice, we recommend that you only create assessments using the delegated administrator account instead of the AWS Organizations management account.

Input example:

{
  "kmsKey": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
  "delegatedAdminAccount": "111122224444"
}

Output example:

{ "status": "ACTIVE" }

To enable AWS Audit Manager using the AWS CLI

  1. At the command line, run the register-account command.

  2. Use the following setup parameters:

    1. --kms-key (optional) - You can use this parameter to encrypt your data within Audit Manager using your KMS key.

    2. --delegated-admin-account (optional) - You can use this parameter to designate your AWS organization's delegated administrator account for Audit Manager.

      Note
      • When you designate a delegated administrator account using an AWS Organizations management account, make sure that the delegated administrator account has access to the CMK provided in step 2a.

      • If you want to enable AWS Audit Manager in more than one AWS Region, you must assign a delegated administrator account separately in each Region.

      • We recommend that you enable AWS Audit Manager using an AWS Organizations management account, and then set up a delegated administrator. After that, you can use the delegated administrator account to log in and run assessments. As a best practice, we recommend that you only create assessments using the delegated administrator account instead of the AWS Organizations management account.

Input example:

aws auditmanager register-account \
  --kms-key arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab \
  --delegated-admin-account 111122224444

Output example:

{ "status": "ACTIVE" }
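The notes that accompany the console, API and CLI procedures above (one delegated administrator, the same account in every Region, never the management account, and the same account delegated in Security Hub) are easy to get wrong when the procedure is repeated per Region. The following Python is an added example, not code from the AWS Audit Manager documentation: register enables Audit Manager in one Region with the register_account call described above, snapshot reads a Region's state back with get_account_status, get_organization_admin_account and Security Hub's list_organization_admin_accounts, and check_setup applies the rules from the notes. SAMPLE_SNAPSHOTS is constructed data, not real API output, so the check runs offline; the account IDs are the page's example IDs.

```python
"""Enable Audit Manager per Region and verify the organization-wide setup.

Added example; not code from the AWS Audit Manager documentation. The boto3
calls are the documented Audit Manager and Security Hub operations. The rules
in check_setup are this example's reading of the notes on this page. The
SAMPLE_SNAPSHOTS data is constructed so the check can run without credentials.
"""


def register(region, kms_key_arn=None, delegated_admin=None):
    """RegisterAccount in one Region, with the same optional parameters as the CLI."""
    import boto3  # imported lazily so check_setup runs without AWS credentials
    client = boto3.client("auditmanager", region_name=region)
    params = {}
    if kms_key_arn:
        params["kmsKey"] = kms_key_arn
    if delegated_admin:
        params["delegatedAdminAccount"] = delegated_admin
    return client.register_account(**params)["status"]


def snapshot(region):
    """Collect, from the management account, what check_setup needs for one Region."""
    import boto3
    audit = boto3.client("auditmanager", region_name=region)
    hub = boto3.client("securityhub", region_name=region)
    hub_admins = [a["AccountId"]
                  for a in hub.list_organization_admin_accounts()["AdminAccounts"]
                  if a["Status"] == "ENABLED"]
    return {
        "region": region,
        "status": audit.get_account_status()["status"],
        "auditManagerAdmin": audit.get_organization_admin_account().get("adminAccountId"),
        "securityHubAdmins": hub_admins,
    }


def check_setup(snapshots, management_account):
    """Return a list of problems; an empty list means the setup matches this page's notes."""
    problems = []
    admin_by_region = {}
    for snap in snapshots:
        region = snap["region"]
        if snap["status"] != "ACTIVE":
            problems.append(f"{region}: Audit Manager status is {snap['status']}, expected ACTIVE")
        admin = snap.get("auditManagerAdmin")
        if not admin:
            problems.append(f"{region}: no delegated administrator registered")
            continue
        admin_by_region[region] = admin
        if admin == management_account:
            problems.append(f"{region}: management account {admin} cannot be the delegated administrator")
        if admin not in snap.get("securityHubAdmins", []):
            problems.append(f"{region}: Security Hub administrator(s) {snap.get('securityHubAdmins', [])} "
                            f"do not match the Audit Manager delegated administrator {admin}")
    # The same account must be delegated in every Region where Audit Manager is enabled.
    if len(set(admin_by_region.values())) > 1:
        problems.append(f"delegated administrator differs across Regions: {admin_by_region}")
    return problems


def verify_live(regions, management_account):
    """Snapshot every Region and run the checks (needs management-account credentials)."""
    return check_setup([snapshot(r) for r in regions], management_account)


# Constructed snapshots (not real API output): one Region set up correctly,
# one still pending with the management account wrongly delegated.
SAMPLE_SNAPSHOTS = [
    {"region": "us-east-1", "status": "ACTIVE",
     "auditManagerAdmin": "111122224444", "securityHubAdmins": ["111122224444"]},
    {"region": "eu-west-1", "status": "PENDING_ACTIVATION",
     "auditManagerAdmin": "111122223333", "securityHubAdmins": []},
]
MANAGEMENT_ACCOUNT = "111122223333"


if __name__ == "__main__":
    for problem in check_setup(SAMPLE_SNAPSHOTS, MANAGEMENT_ACCOUNT):
        print("problem:", problem)
```

After enabling each Region with register, run verify_live with the list of Regions and the management account ID from the management account; an empty result means every Region reports ACTIVE, the same non-management delegated administrator, and a matching Security Hub administrator.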

Service-linked role assigned to AWS Audit Manager

When you enable AWS Audit Manager, it is assigned a service-linked role named AWSServiceRoleForAuditManager. This service-linked role includes the policy that enables Audit Manager to do the following on your behalf:

  • Collect and assess data from the following data sources to generate AWS Audit Manager evidence:

    • Management events from AWS CloudTrail

    • Compliance checks from AWS Config Rules

    • Compliance checks from AWS Security Hub

  • Describe APIs specific to the following services:

    • AWS CloudTrail

    • Amazon CloudWatch

    • Amazon Cognito user pools

    • AWS Config

    • Amazon EC2

    • Amazon EFS

    • Amazon EventBridge

    • Amazon GuardDuty

    • AWS Identity and Access Management (IAM)

    • AWS KMS

    • AWS License Manager

    • AWS Organizations

    • Amazon Route 53

    • Amazon S3

    • AWS Security Hub

    • AWS WAF

You can view the details of the service-linked role AWSServiceRoleForAuditManager in the console. Choose Getting started, choose Permissions, and then choose View IAM service-linked role permissions. For more information, see Using service-linked roles for AWS Audit Manager.

For more information about service-linked roles, see Using service-linked roles in the IAM User Guide.

What do I do next?

Now that you have set up AWS Audit Manager, you are ready to get started with using the service. You can also visit the settings page of the console to modify any of the settings you chose when setting up Audit Manager.

Get started with AWS Audit Manager

You can get started in Audit Manager by following a tutorial that walks you through how to create your first assessment. For more information, see Getting started with AWS Audit Manager.

Update your AWS Audit Manager settings

You can modify your settings at any time. For more information, see AWS Audit Manager settings.