Recommendations - AWS Audit Manager

For an optimal experience in Audit Manager, we recommend that you set up the following features and enable the following AWS services.

Set up recommended Audit Manager features

After you enable Audit Manager, we recommend that you enable the evidence finder feature.

Evidence finder provides a powerful way to search for evidence in Audit Manager. Instead of browsing deeply nested evidence folders to find what you're looking for, you can use evidence finder to quickly query your evidence. If you use evidence finder as a delegated administrator, you can search for evidence across all member accounts in your organization. Using a combination of filters and groupings, you can progressively narrow the scope of your search query. For example, if you want a high-level view of your system health, perform a broad search and filter by assessment, date range, and resource compliance. If your goal is to remediate a specific resource, you can perform a narrow search to target evidence for a specific control or resource ID. After you define your filters, you can group and then preview the matching search results before creating an assessment report.

To use evidence finder, you must enable this feature from your Audit Manager settings. For instructions, see Evidence finder settings.

Set up recommended integrations with other AWS services

For an optimal experience in Audit Manager, we strongly recommend that you enable the following AWS services:

  • AWS Organizations – You can use Organizations to run Audit Manager assessments over multiple accounts and consolidate evidence into a delegated administrator account.

  • AWS Security Hub and AWS Config – When you enable these AWS services, they can be used as a data source type for the controls in your Audit Manager assessments. Audit Manager can then report the results of compliance checks directly from these services.

Enable and set up AWS Config (optional)

Many controls in Audit Manager use AWS Config as a data source type. To support these controls, you must enable AWS Config on all accounts in each AWS Region where Audit Manager is enabled. If Audit Manager tries to collect evidence for controls that use AWS Config as a data source type, and the related AWS Config rules aren’t enabled, no evidence is collected for those controls.

Audit Manager doesn’t manage AWS Config for you. You can follow these steps to enable AWS Config and configure its settings.

Tasks to integrate AWS Config with Audit Manager

Step 1: Enable AWS Config

You can enable AWS Config using the AWS Config console or API. For instructions, see Getting started with AWS Config in the AWS Config Developer Guide.

Step 2: Configure your AWS Config settings for use with Audit Manager

Important

Enabling AWS Config is an optional recommendation. However, if you do enable AWS Config, the following settings are required.

After you enable AWS Config, make sure that you also enable AWS Config rules or deploy a conformance pack for the compliance standard that's related to your audit. This step ensures that Audit Manager can import findings for the AWS Config rules that you enabled.

After you enable an AWS Config rule, we recommend that you review the parameters of that rule. You should then validate those parameters against the requirements of your chosen compliance framework. If needed, you can update a rule’s parameters in AWS Config to ensure that it aligns with framework requirements. This will help to ensure that your assessments collect the correct compliance check evidence for a given framework.

For example, suppose that you’re creating an assessment for CIS v1.2.0. This framework has a control named 1.4 – Ensure access keys are rotated every 90 days or less. In AWS Config, the access-keys-rotated rule has a maxAccessKeyAge parameter with a default value of 90 days. As a result, the rule aligns with the control requirements. If you aren’t using the default value, ensure that the value you’re using is equal to or greater than the 90-day requirement from CIS v1.2.0.

You can find the default parameter details for each managed rule in the AWS Config documentation. For instructions on how to configure a rule, see Working with AWS Config Managed Rules.
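The following script is an added example, not code from the AWS documentation or from Audit Manager itself. It shows how to validate the parameters of enabled AWS Config rules against a framework requirement before relying on them as evidence. The input is a constructed sample shaped like the DescribeConfigRules response (in which InputParameters is a JSON-encoded string, and "{}" means the managed rule's default applies), and the requirement table (CIS_V120_REQUIREMENTS) is a hypothetical mapping that you would extend for your own framework. The check treats the rule as aligned when its effective maxAccessKeyAge is at most the 90 days the control requires, because a larger value lets keys age past the CIS threshold before the rule reports them as NON_COMPLIANT.

```python
import json
from typing import Any

# Constructed sample shaped like a DescribeConfigRules response from AWS Config.
# In the real API, InputParameters is a JSON-encoded string whose values are
# themselves strings; "{}" means the managed rule's default parameter applies.
SAMPLE_CONFIG_RULES: dict[str, Any] = {
    "ConfigRules": [
        {   # defaults only: maxAccessKeyAge falls back to 90
            "ConfigRuleName": "access-keys-rotated",
            "Source": {"Owner": "AWS", "SourceIdentifier": "ACCESS_KEYS_ROTATED"},
            "InputParameters": "{}",
        },
        {   # relaxed to 120 days: keys can age past the CIS threshold unflagged
            "ConfigRuleName": "access-keys-rotated-relaxed",
            "Source": {"Owner": "AWS", "SourceIdentifier": "ACCESS_KEYS_ROTATED"},
            "InputParameters": '{"maxAccessKeyAge": "120"}',
        },
        {   # tightened to 60 days: stricter than the control, still aligned
            "ConfigRuleName": "access-keys-rotated-strict",
            "Source": {"Owner": "AWS", "SourceIdentifier": "ACCESS_KEYS_ROTATED"},
            "InputParameters": '{"maxAccessKeyAge": "60"}',
        },
        {   # a rule the hypothetical CIS v1.2.0 table below does not track
            "ConfigRuleName": "s3-bucket-versioning-enabled",
            "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_VERSIONING_ENABLED"},
            "InputParameters": "{}",
        },
    ]
}

# Hypothetical requirement table, keyed by managed-rule SourceIdentifier.
# "default" is the managed rule's documented default; "maximum" is the largest
# value that still satisfies the framework control (here CIS v1.2.0 control 1.4).
CIS_V120_REQUIREMENTS: dict[str, dict[str, Any]] = {
    "ACCESS_KEYS_ROTATED": {
        "parameter": "maxAccessKeyAge",
        "default": 90,
        "maximum": 90,
        "control": "1.4 Ensure access keys are rotated every 90 days or less",
    },
}


def effective_parameters(rule: dict[str, Any]) -> dict[str, str]:
    """Decode the JSON-string InputParameters; absent or empty means no overrides."""
    raw = rule.get("InputParameters") or "{}"
    decoded = json.loads(raw)
    if not isinstance(decoded, dict):
        raise ValueError(f"InputParameters is not a JSON object: {raw!r}")
    return {str(k): str(v) for k, v in decoded.items()}


def check_rule(rule: dict[str, Any], requirements: dict[str, dict[str, Any]]) -> dict[str, Any]:
    """Compare one rule's effective parameter value with the framework ceiling."""
    identifier = rule.get("Source", {}).get("SourceIdentifier")
    result: dict[str, Any] = {"rule": rule.get("ConfigRuleName"), "identifier": identifier}
    requirement = requirements.get(identifier)
    if requirement is None:
        result["status"] = "not_tracked"
        return result
    params = effective_parameters(rule)
    name = requirement["parameter"]
    raw_value = params.get(name)
    try:
        value = int(raw_value) if raw_value is not None else int(requirement["default"])
    except ValueError:
        # Non-numeric override: flag it rather than silently treating it as the default.
        result.update(status="invalid", control=requirement["control"], value=raw_value)
        return result
    result.update(
        control=requirement["control"],
        parameter=name,
        value=value,
        # Above the ceiling, resources drift past the control's threshold before the
        # rule reports NON_COMPLIANT, so the rule no longer evidences the control.
        status="aligned" if value <= requirement["maximum"] else "not_aligned",
    )
    return result


def check_rules(response: dict[str, Any], requirements: dict[str, dict[str, Any]]) -> list[dict[str, Any]]:
    """Evaluate every rule in a DescribeConfigRules-shaped response."""
    return [check_rule(rule, requirements) for rule in response.get("ConfigRules", [])]


if __name__ == "__main__":
    for finding in check_rules(SAMPLE_CONFIG_RULES, CIS_V120_REQUIREMENTS):
        print(finding)
```

To run this against a live account, replace SAMPLE_CONFIG_RULES with the output of `aws configservice describe-config-rules` for each Region where Audit Manager is enabled, and add one table entry per managed rule whose parameters your framework constrains.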

Enable and set up AWS Security Hub (optional)

Many controls in Audit Manager use Security Hub as a data source type. To support these controls, you must enable Security Hub on all accounts in each Region where Audit Manager is enabled. If Audit Manager tries to collect evidence for controls that use Security Hub as a data source type, and the related Security Hub standards aren’t enabled, no evidence is collected for those controls.

Audit Manager doesn’t manage Security Hub for you. You can follow these steps to enable Security Hub and configure its settings.

Tasks to integrate AWS Security Hub with Audit Manager

Step 1: Enable AWS Security Hub

You can enable Security Hub using either the console or the API. For instructions, see Setting up AWS Security Hub in the AWS Security Hub User Guide.

Step 2: Configure your Security Hub settings for use with Audit Manager

Important

Enabling Security Hub is an optional recommendation. However, if you do enable Security Hub, the following settings are required.

After you enable Security Hub, make sure that you also do the following:

  • Enable AWS Config and configure resource recording - Security Hub uses service-linked AWS Config rules to perform most of its security checks for controls. To support these controls, AWS Config must be enabled and configured to record resources that are required for the controls that you have enabled in each enabled standard.

  • Enable all security standards - This step ensures that Audit Manager can import findings for all supported compliance standards.

  • Turn on the consolidated control findings setting in Security Hub - This setting is turned on by default if you enable Security Hub on or after February 23, 2023.

    Note

    When you enable consolidated findings, Security Hub produces a single finding for each security check (even when the same check is used across multiple standards). Each Security Hub finding is collected as one unique resource assessment in Audit Manager. As a result, consolidated findings decrease the total number of unique resource assessments that Audit Manager performs for Security Hub findings. For this reason, using consolidated findings can often reduce your Audit Manager usage costs. For more information about using Security Hub as a data source type, see AWS Security Hub controls supported by AWS Audit Manager. For more information about Audit Manager pricing, see AWS Audit Manager Pricing.

If you use AWS Organizations and you want to collect Security Hub evidence from your member accounts, you must also perform the following steps in Security Hub.

To set up your organization's Security Hub settings
  1. Sign in to the AWS Management Console and open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Using your AWS Organizations management account, designate an account as the delegated administrator for Security Hub. For more information, see Designating a Security Hub administrator account in the AWS Security Hub User Guide.

    Note

    Make sure that the delegated administrator account that you designate in Security Hub is the same one that you use in Audit Manager.

  3. Using your Organizations delegated administrator account, go to Settings, Accounts, select all accounts, and then add them as members by selecting Auto-enroll. For more information, see Enabling member accounts from your organization in the AWS Security Hub User Guide.

  4. Enable AWS Config for every member account of the organization. For more information, see Enabling member accounts from your organization in the AWS Security Hub User Guide.

  5. Enable the PCI DSS security standard for every member account of the organization. The AWS CIS Foundations Benchmark standard and the AWS Foundational Best Practices standard are already enabled by default. For more information, see Enabling a security standard in the AWS Security Hub User Guide.
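The following script is an added example, not code from the AWS documentation or from Security Hub. It turns the Security Hub prerequisites above (AWS Config recording on, all required standards enabled and ready, consolidated control findings turned on) into a readiness check that a delegated administrator can run across member accounts before expecting Audit Manager to collect Security Hub evidence. The per-account inventory is constructed for the example; the nested field names ControlFindingGenerator, StandardsArn and StandardsStatus are assumed to match what the DescribeHub and GetEnabledStandards APIs return, and the standards are matched by substring of the ARN, which is an assumption about ARN layout. The outer record shape (account, region, config_recording, hub, enabled_standards) is invented here.

```python
from typing import Any

# Standards the steps above require in every member account: the CIS benchmark and
# Foundational Best Practices (enabled by default) plus PCI DSS (must be enabled).
# Matched as substrings of the standards ARN (an assumption about ARN layout).
REQUIRED_STANDARDS = (
    "cis-aws-foundations-benchmark",
    "aws-foundational-security-best-practices",
    "pci-dss",
)

# Constructed per-account inventory. Nested field names mirror DescribeHub
# (ControlFindingGenerator) and GetEnabledStandards (StandardsArn, StandardsStatus);
# the outer record shape is invented for this example.
SAMPLE_INVENTORY: list[dict[str, Any]] = [
    {   # fully prepared account
        "account": "111111111111", "region": "us-east-1",
        "config_recording": True,
        "hub": {"ControlFindingGenerator": "SECURITY_CONTROL"},
        "enabled_standards": [
            {"StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "StandardsStatus": "READY"},
            {"StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", "StandardsStatus": "READY"},
            {"StandardsArn": "arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1", "StandardsStatus": "READY"},
        ],
    },
    {   # recorder off, one standard still incomplete, PCI DSS never enabled,
        # and findings still generated per standard rather than consolidated
        "account": "222222222222", "region": "us-east-1",
        "config_recording": False,
        "hub": {"ControlFindingGenerator": "STANDARD_CONTROL"},
        "enabled_standards": [
            {"StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "StandardsStatus": "READY"},
            {"StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", "StandardsStatus": "INCOMPLETE"},
        ],
    },
    {   # Security Hub not enabled at all in this account and Region
        "account": "333333333333", "region": "us-east-1",
        "config_recording": True,
        "hub": None,
        "enabled_standards": [],
    },
]


def readiness_gaps(entry: dict[str, Any]) -> list[str]:
    """Return the prerequisites this account/Region is missing, in a fixed order."""
    gaps: list[str] = []
    if not entry.get("config_recording"):
        gaps.append("aws-config-recording-off")
    hub = entry.get("hub")
    if hub is None:
        gaps.append("security-hub-not-enabled")
        return gaps  # standards and findings settings cannot exist without Security Hub
    # A standard counts only when it is enabled AND has finished provisioning (READY);
    # PENDING or INCOMPLETE standards do not yet produce findings for Audit Manager.
    ready = {
        name
        for name in REQUIRED_STANDARDS
        for std in entry.get("enabled_standards", [])
        if name in std.get("StandardsArn", "") and std.get("StandardsStatus") == "READY"
    }
    for name in REQUIRED_STANDARDS:
        if name not in ready:
            gaps.append(f"standard-not-ready:{name}")
    if hub.get("ControlFindingGenerator") != "SECURITY_CONTROL":
        gaps.append("consolidated-control-findings-off")
    return gaps


def audit_inventory(inventory: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map 'account/region' to its gap list; a prepared account maps to []."""
    return {f"{e['account']}/{e['region']}": readiness_gaps(e) for e in inventory}


if __name__ == "__main__":
    for key, gaps in audit_inventory(SAMPLE_INVENTORY).items():
        print(key, "ready" if not gaps else ", ".join(gaps))
```

Building the inventory is the part that needs credentials: for each member account and Region, assume a role, call DescribeHub and GetEnabledStandards in Security Hub and DescribeConfigurationRecorderStatus in AWS Config, and fill one record per account/Region. Any non-empty gap list is an account where Audit Manager will collect no Security Hub evidence for the affected controls.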

Enable AWS Organizations (optional)

Audit Manager supports multiple accounts via integration with AWS Organizations. Audit Manager can run assessments over multiple accounts and consolidate evidence into a delegated administrator account. The delegated administrator has permissions to create and manage Audit Manager resources with the organization as the zone of trust. Only the management account can designate a delegated administrator.

Tasks to integrate AWS Organizations with Audit Manager

Step 1: Create or join an organization

If your AWS account isn't part of an organization, you can create or join an organization. For instructions, see Creating and managing an organization in the AWS Organizations User Guide.

Step 2: Enable all features in your organization

Next, you must enable all features in your organization. For instructions, see Enabling all features in your organization in the AWS Organizations User Guide.

Step 3: Specify a delegated administrator for Audit Manager

We recommend that you enable Audit Manager using an Organizations management account, and then specify a delegated administrator. After that, you can use the delegated administrator account to log in and run assessments. As a best practice, we recommend that you only create assessments using the delegated administrator account instead of the management account.

Warning

After you specify a delegated administrator using an Organizations management account, your management account can no longer create additional assessments in Audit Manager. Additionally, evidence collection stops for any existing assessments that were created by the management account. Instead, Audit Manager collects and attaches evidence to the delegated administrator, which is the main account for managing your organization's assessments.

To add or change a delegated administrator after you enable Audit Manager, see AWS Audit Manager settings, Delegated administrator.

Issues to consider:
  • You can't use your management account as a delegated administrator in Audit Manager.

  • If you want to enable Audit Manager in more than one AWS Region, you must designate a delegated administrator account separately in each Region. In your Audit Manager settings, you should designate the same delegated administrator account across all Regions.

  • If you provided a customer managed key when you enabled Audit Manager, make sure that the delegated administrator account has access to that KMS key. To review and change your Audit Manager encryption settings, see Data encryption.

  • For solutions to common Organizations and delegated administrator issues in Audit Manager, see Troubleshooting delegated administrator and AWS Organizations issues.