Enable AWS Audit Manager
You can enable Audit Manager using the AWS Management Console, the Audit Manager API, or the AWS Command Line Interface (AWS CLI).
- Audit Manager console
  To enable Audit Manager using the console
  - Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.
  - Use the credentials of your IAM identity to sign in.
  - Choose Set up AWS Audit Manager.
  - Under Permissions, no action is required. This is because Audit Manager uses a service-linked role to connect to data sources on your behalf. You can review the service-linked role by choosing View IAM service-linked role permission.
  - Under Data encryption, the default option is for Audit Manager to create and manage an AWS KMS key for securely storing your data.
    If you want to use your own customer managed key to encrypt data in Audit Manager, select the check box next to Customize encryption settings (advanced). You can then choose an existing KMS key or create a new one.
  - (Optional) Under Delegated administrator - optional, you can specify a delegated administrator account if you want Audit Manager to run assessments for multiple accounts. For more information and recommendations, see Enable and set up AWS Organizations for use with Audit Manager.
  - (Optional) Under AWS Config – optional, we recommend that you enable AWS Config for an optimal experience. This enables Audit Manager to generate evidence using AWS Config rules. For instructions and recommended settings, see Enable and set up AWS Config for use with Audit Manager.
  - (Optional) Under Security Hub – optional, we recommend that you enable Security Hub for an optimal experience. This enables Audit Manager to generate evidence using Security Hub checks. For instructions and recommended settings, see Enable and set up AWS Security Hub for use with Audit Manager.
  - Choose Complete setup to finish the setup process.
- AWS CLI
  To enable Audit Manager using the AWS CLI
  In the command line, run the register-account command using the following setup parameters:
  - --kms-key (optional) – Use this parameter to encrypt your Audit Manager data using your own customer managed key. If you don't specify an option here, Audit Manager creates and manages an AWS KMS key on your behalf for the secure storage of your data.
  - --delegated-admin-account (optional) – Use this parameter to designate your organization’s delegated administrator account for Audit Manager. If you don't specify an option here, no delegated administrator is registered.
  Input example (replace the placeholder text with your own information):
      aws auditmanager register-account \
        --kms-key arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab \
        --delegated-admin-account 111122224444
  Output example:
      { "status": "ACTIVE" }
  For more information about the AWS CLI and for instructions on installing the AWS CLI tools, see the AWS Command Line Interface User Guide.
- Audit Manager API
  To enable Audit Manager using the Audit Manager API
  Use the RegisterAccount operation with the following setup parameters:
  - kmsKey (optional) – Use this parameter to encrypt your Audit Manager data using your own customer managed key. If you don't specify an option here, Audit Manager creates and manages an AWS KMS key on your behalf for the secure storage of your data.
  - delegatedAdminAccount (optional) – Use this parameter to specify your organization’s delegated administrator account for Audit Manager. If you don't specify one, no delegated administrator is registered.
  Input example (replace the placeholder text with your own information):
      {
        "kmsKey": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "delegatedAdminAccount": "111122224444"
      }
  Output example:
      { "status": "ACTIVE" }
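One way to script the RegisterAccount call described above with boto3, as an added example that is not AWS's own code: it validates the two optional parameters before sending them and skips registration when GetAccountStatus already reports ACTIVE. The helper names are hypothetical, and accepting key ARNs only (no aliases or bare key IDs) is an assumption of this example, not an API rule.

```python
import re

# Assumption of this example: accept only full KMS key ARNs and
# 12-digit account IDs, matching the shape of the placeholders above.
KMS_KEY_ARN = re.compile(r"arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9A-Za-z-]+")
ACCOUNT_ID = re.compile(r"\d{12}")


def build_register_params(kms_key=None, delegated_admin=None):
    """Build RegisterAccount parameters, rejecting malformed input early.

    Omitted parameters are left out of the request, so the documented
    defaults apply: a KMS key created and managed by Audit Manager, and
    no delegated administrator.
    """
    params = {}
    if kms_key is not None:
        if not KMS_KEY_ARN.fullmatch(kms_key):
            raise ValueError(f"not a KMS key ARN: {kms_key!r}")
        params["kmsKey"] = kms_key
    if delegated_admin is not None:
        if not ACCOUNT_ID.fullmatch(delegated_admin):
            raise ValueError("delegated admin must be a 12-digit account ID")
        params["delegatedAdminAccount"] = delegated_admin
    return params


def enable_audit_manager(client, kms_key=None, delegated_admin=None):
    """Register the account unless it is already ACTIVE; return the status."""
    params = build_register_params(kms_key, delegated_admin)
    if client.get_account_status()["status"] == "ACTIVE":
        return "ACTIVE"  # already enabled; existing settings are left unchanged
    return client.register_account(**params)["status"]


if __name__ == "__main__":
    import boto3  # imported here so the helpers above work without it

    # Placeholder ARN and account ID from the input example above.
    print(enable_audit_manager(
        boto3.client("auditmanager", region_name="us-west-2"),
        kms_key="arn:aws:kms:us-west-2:111122223333:key/"
                "1234abcd-12ab-34cd-56ef-1234567890ab",
        delegated_admin="111122224444",
    ))
```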