Tutorial for Audit Owners: Creating an assessment - AWS Audit Manager

Tutorial for Audit Owners: Creating an assessment

This tutorial provides an introduction to AWS Audit Manager. In this tutorial, you create an assessment using the AWS Audit Manager Sample Framework. By creating an assessment, you start the ongoing process of automated evidence collection for the controls in that framework.

Note

AWS Audit Manager assists in collecting evidence that's relevant for verifying compliance with specific compliance frameworks and regulations. However, it doesn't assess your compliance itself. The evidence that's collected through AWS Audit Manager therefore might not include all the information about your AWS usage that's needed for audits. AWS Audit Manager isn't a substitute for legal counsel or compliance experts.

Prerequisites

Before you start this tutorial, make sure that you meet the following conditions:

Procedure

Step 1: Specify assessment details

For the first step, select a framework and provide basic information for your assessment.

To specify assessment details
  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. Choose Launch AWS Audit Manager.

  3. In the green banner at the top of the screen, choose Start with a framework.

  4. Choose the framework that you want, and then choose Create assessment from framework. For this tutorial, use the AWS Audit Manager Sample Framework.

  5. Under Assessment name, enter a name for your assessment.

  6. (Optional) Under Assessment description, enter a description for your assessment.

  7. Under Assessment reports destination, choose the S3 bucket where you want to save your assessment reports.

  8. Under Frameworks, confirm that AWS Audit Manager Sample Framework is selected.

  9. (Optional) Under Tags, choose Add new tag to associate a tag with your assessment. You can specify a key and a value for each tag. The tag key is mandatory and can be used as a search criteria when you search for this assessment.

  10. Choose Next.

Step 2: Specify AWS accounts in scope

Next, specify the AWS accounts that you want to include in the scope of your assessment.

AWS Audit Manager integrates with AWS Organizations, so you can run an Audit Manager assessment across multiple accounts and consolidate evidence into a delegated administrator account. To enable Organizations in Audit Manager (if you didn't do so already), see Enable and set up AWS Organizations on the Setting up page of this guide.

Note

Audit Manager can support up to 200 accounts in the scope of an assessment. If you try to include over 200 accounts, the assessment creation might fail.

To specify accounts in scope
  1. Under AWS accounts, select the AWS accounts that you want to include in the scope of your assessment.

    • If you enabled Organizations in Audit Manager, multiple accounts are listed.

    • If you didn't enable Organizations in Audit Manager, only your current account is listed.

  2. Choose Next.

Step 3: Specify audit owners

In this step, you specify the audit owners for your assessment. Audit owners are the individuals in your workplace—usually from GRC, SecOps, or DevOps teams—who are responsible for managing the Audit Manager assessment. We recommend that they use the AWSAuditManagerAdministratorAccess policy.

To specify audit owners
  1. Under Audit owners, choose the audit owners for your assessment. To find additional audit owners, use the search bar to search by name or AWS account.

  2. Choose Next.

Step 4: Review and create

Review the information for your assessment. To change the information for a step, choose Edit. When you're finished, choose Create assessment to start the ongoing collection of evidence.

After you create an assessment, evidence collection continues until you change the assessment status to inactive. Alternatively, you can stop evidence collection for a specific control by changing the control status to inactive.

Note

Automated evidence is available 24 hours after you create the assessment. Audit Manager automatically collects evidence from multiple data sources, and the frequency of that evidence collection is based on the evidence type. For more information, see Evidence collection frequency in this guide.

Additional resources

We recommend that you continue to learn more about the concepts and tools that are introduced in this tutorial. You can do so by reviewing the following resources: