Tutorial for Audit Owners: Creating an assessment - AWS Audit Manager

This tutorial provides an introduction to AWS Audit Manager. In this tutorial, you create an assessment using the AWS Audit Manager Sample Framework. By creating an assessment, you start the ongoing process of automated evidence collection for the controls in that framework.

Before you start this tutorial, make sure that you first meet the following conditions:

Note

AWS Audit Manager assists in collecting evidence that's relevant for verifying compliance with specific compliance frameworks and regulations. However, it doesn't assess your compliance itself. The evidence that's collected through AWS Audit Manager therefore might not include all the information about your AWS usage that's needed for audits. AWS Audit Manager isn't a substitute for legal counsel or compliance experts.

Step 1: Specify assessment details

For the first step, select a framework and provide basic information for your assessment.

To specify assessment details
  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. Choose Launch AWS Audit Manager.

  3. In the navigation pane, choose Getting Started, and then choose Start with a framework.

  4. Choose the framework that you want, and then choose Create assessment from framework. This example uses the AWS Audit Manager Sample Framework.

  5. Under Assessment name, enter a name for your assessment.

  6. (Optional) Under Assessment description, enter a description for your assessment.

  7. Under Assessment reports destination, choose the Amazon S3 bucket where you want to save your assessment reports.

  8. Under Frameworks, confirm that AWS Audit Manager Sample Framework (or the framework of your choice) is selected.

  9. Under Tags, choose Add new tag to associate a tag with your assessment. You can specify a key and a value for each tag. The tag key is mandatory and can be used as a search criterion when you search for this assessment. For more information about tags in AWS Audit Manager, see Tagging AWS Audit Manager resources.

  10. Choose Next.

Step 2: Specify AWS accounts in scope

Next, specify the AWS accounts that you want to include in the scope of your assessment.

AWS Audit Manager integrates with AWS Organizations, so you can run an Audit Manager assessment across multiple accounts and consolidate evidence into a delegated administrator account. To enable Organizations in Audit Manager (if you didn't do so already), see Enable AWS Organizations (optional) on the Setting up page of this guide.

Note

Audit Manager can support up to approximately 150 accounts in the scope of an assessment. If you try to include over 150 accounts, the assessment creation might fail.

To specify accounts in scope
  1. Under AWS accounts, select the AWS accounts that you want to include in the scope of your assessment.

    • If you enabled Organizations in AWS Audit Manager, multiple accounts are listed.

    • If you did not enable Organizations in Audit Manager, only your current account is listed.

  2. Choose Next.

Step 3: Specify AWS services in scope

The framework that you selected earlier defines the AWS services that Audit Manager monitors and collects evidence for.

When you use the Audit Manager console to create an assessment from a standard framework, the list of services in scope is preselected and can’t be edited. This is because Audit Manager automatically maps and selects the data sources and services for you. This selection is made according to the requirements of the standard framework. If a listed AWS service isn't selected, Audit Manager doesn't collect evidence from resources related to that service. This is also the case if it's selected but you haven't subscribed to it in your environment.

In this step of the tutorial, you can review which AWS services are in the scope of the assessment based on the framework definition. To learn more about frameworks and how to access and review them, see the Framework library section of this guide.

To specify AWS services in scope
  1. Under AWS services, review the list of services that are in scope for this assessment.

  2. Choose Next.

Tip

If you need to edit the list of services in scope, you can do so by using the CreateAssessment API that's provided by Audit Manager.

Alternatively, you can customize a standard framework and then create an assessment from the custom framework.
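The following script is an added example, not code from the AWS documentation or the Audit Manager service itself. It shows the CreateAssessment call mentioned in the tip above, made through boto3, with the scope (accounts and services), audit owner role and report bucket supplied explicitly. The account IDs, bucket name, role ARN, framework ID and service names in the usage block are placeholders; valid service names can be listed with the GetServicesInScope API, and the framework ID comes from the Framework library. The request builder applies the checks this page describes (tag keys are mandatory; the scope is limited to roughly 150 accounts) before anything is sent, so a scripted call fails locally rather than after a round-trip.

```python
"""Build and submit an Audit Manager CreateAssessment request (added example)."""
from __future__ import annotations

# Limit stated in this guide: approximately 150 accounts per assessment.
MAX_ACCOUNTS_IN_SCOPE = 150


def build_create_assessment_request(
    name: str,
    framework_id: str,
    report_bucket: str,
    account_ids: list[str],
    service_names: list[str],
    audit_owner_role_arns: list[str],
    description: str = "",
    tags: dict[str, str] | None = None,
) -> dict:
    """Return the keyword arguments for auditmanager.create_assessment().

    Validates what the console would otherwise enforce for you: a name,
    at least one account, the documented account limit, at least one
    audit owner, and non-empty tag keys.
    """
    if not name.strip():
        raise ValueError("assessment name is required")
    if not account_ids:
        raise ValueError("at least one AWS account must be in scope")
    if len(account_ids) > MAX_ACCOUNTS_IN_SCOPE:
        raise ValueError(
            f"{len(account_ids)} accounts exceeds the ~{MAX_ACCOUNTS_IN_SCOPE} account limit"
        )
    if not audit_owner_role_arns:
        raise ValueError("at least one audit owner is required")
    tags = tags or {}
    if any(not key.strip() for key in tags):
        raise ValueError("tag keys are mandatory; found an empty key")

    request = {
        "name": name,
        "assessmentReportsDestination": {
            "destinationType": "S3",
            "destination": f"s3://{report_bucket}",
        },
        "scope": {
            "awsAccounts": [{"id": account_id} for account_id in account_ids],
            # The console preselects services from the framework; the API lets you set them.
            "awsServices": [{"serviceName": svc} for svc in service_names],
        },
        # Audit owners are attached as PROCESS_OWNER roles.
        "roles": [
            {"roleType": "PROCESS_OWNER", "roleArn": arn} for arn in audit_owner_role_arns
        ],
        "frameworkId": framework_id,
    }
    if description:
        request["description"] = description
    if tags:
        request["tags"] = tags
    return request


def create_assessment(request: dict, region_name: str = "us-east-1") -> str:
    """Submit the request and return the new assessment ID.

    boto3 is imported here, not at module level, so the builder above can be
    used and tested without AWS credentials or the SDK installed.
    """
    import boto3  # caller needs auditmanager:CreateAssessment permission

    client = boto3.client("auditmanager", region_name=region_name)
    response = client.create_assessment(**request)
    return response["assessment"]["metadata"]["id"]


if __name__ == "__main__":
    # Placeholder values (constructed for this example); replace them with your own.
    req = build_create_assessment_request(
        name="Sample Framework assessment",
        framework_id="<framework-id-from-framework-library>",
        report_bucket="<your-assessment-reports-bucket>",
        account_ids=["111111111111", "222222222222"],
        service_names=["s3", "iam"],  # assumed names; confirm with GetServicesInScope
        audit_owner_role_arns=["arn:aws:iam::111111111111:role/<AuditOwnerRole>"],
        tags={"environment": "prod"},
    )
    print(req)
    # Uncomment to submit with your current credentials:
    # print(create_assessment(req))
```

Keeping the validation separate from the network call means the same builder can be run in a pipeline to review the intended scope (for example, to confirm a delegated administrator is not exceeding the account limit) before any assessment is created.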

Step 4: Specify audit owners

In this step, you specify the audit owners for your assessment. Audit owners are the individuals in your workplace—usually from GRC, SecOps, or DevOps teams—who are responsible for managing the Audit Manager assessment. We recommend that they use the AWSAuditManagerAdministratorAccess policy.

To specify audit owners
  1. Under Audit owners, choose the audit owners for your assessment. To find additional audit owners, use the search bar to search by name or AWS account.

  2. Choose Next.

Step 5: Review and create

Review the information for your assessment. To change the information for a step, choose Edit. When you're finished, choose Create assessment to launch your first assessment and start the ongoing collection of evidence.

After you create an assessment, evidence collection continues until you change the assessment status to inactive. Alternatively, you can stop evidence collection for a specific control by changing the control status to inactive.

Note

Automated evidence is available 24 hours after you create the assessment. AWS Audit Manager automatically collects evidence from multiple data sources, and the frequency of that evidence collection is based on the evidence type. For more information, see Evidence collection frequency in this guide.

Where do I go from here?

We recommend that you continue to learn more about the concepts and tools that are introduced in this tutorial. You can do so by reviewing the following resources: