Tutorial for Audit Owners: Creating an assessment - AWS Audit Manager

Tutorial for Audit Owners: Creating an assessment

This tutorial provides an introduction to AWS Audit Manager. In this tutorial, you create an assessment using the AWS Audit Manager Sample Framework. By creating an assessment, you start the ongoing process of automated evidence collection for the controls in that framework.

Before you start this tutorial, make sure that you first meet the following conditions:

AWS Audit Manager assists in collecting evidence that's relevant for verifying compliance with specific compliance frameworks and regulations. However, it doesn't assess your compliance itself. The evidence that's collected through AWS Audit Manager therefore might not include all the information about your AWS usage that's needed for audits. AWS Audit Manager isn't a substitute for legal counsel or compliance experts.

Step 1: Specify assessment details

For the first step, select a framework and provide basic information for your assessment.

To specify assessment details
  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. Choose Launch AWS Audit Manager.

  3. In the navigation pane, choose Getting Started, and then choose Start with a framework.

  4. Choose the framework that you want, and then choose Create assessment from framework. This example uses the AWS Audit Manager Sample Framework.

  5. Under Assessment name, enter a name for your assessment.

  6. (Optional) Under Assessment description, enter a description for your assessment.

  7. Under Assessment reports destination, choose the Amazon S3 bucket where you want to save your assessment reports.

  8. Under Frameworks, confirm that AWS Audit Manager Sample Framework (or the framework of your choice) is selected.

  9. Under Tags, choose Add new tag to associate a tag with your assessment. You can specify a key and a value for each tag. The tag key is mandatory and can be used as a search criteria when you search for this assessment. For more information about tags in AWS Audit Manager, see Tagging AWS Audit Manager resources.

  10. Choose Next.

Step 2: Specify AWS accounts in scope

Next, specify the AWS accounts that you want to include in the scope of your assessment.

AWS Audit Manager integrates with AWS Organizations, so you can run an Audit Manager assessment across multiple accounts and consolidate evidence into a delegated administrator account. To enable Organizations in Audit Manager (if you didn't do so already), see Enable AWS Organizations (optional) on the Setting up page of this guide.


Audit Manager can support up to approximately 150 accounts in the scope of an assessment. If you try to include over 150 accounts, the assessment creation might fail.

To specify accounts in scope
  1. Under AWS accounts, select the AWS accounts that you want to include in the scope of your assessment.

    • If you enabled Organizations in AWS Audit Manager, multiple accounts are listed.

    • If you did not enable Organizations in Audit Manager, only your current account is listed.

  2. Choose Next.

Step 3: Specify AWS services in scope

The framework that you selected earlier defines the AWS services that Audit Manager monitors and collects evidence for.

When you use the Audit Manager console to create an assessment from a standard framework, the list of services in scope is preselected and can’t be edited. This is because Audit Manager automatically maps and selects the data sources and services for you. This selection is made according to the requirements of the standard framework. If a listed AWS service isn't selected, Audit Manager doesn't collect evidence from resources related to that service. This is also the case if it's selected but you haven't subscribed to it in your environment.

In this step of the tutorial, you can review which AWS services are in the scope of the assessment based on the framework definition. To learn more about frameworks and how to access and review them, see the Framework library section of this guide.

To specify AWS services in scope
  1. Under AWS services, review the list of services that are in scope for this assessment.

  2. Choose Next.


If you need to edit the list of services in scope, you can do so by using the by using the CreateAssessment API that's provided by Audit Manager.

Alternatively, you can customize a standard framework and then create an assessment from the custom framework.

Step 4: Specify audit owners

In this step, you specify the audit owners for your assessment. Audit owners are the individuals in your workplace—usually from GRC, SecOps, or DevOps teams—who are responsible for managing the Audit Manager assessment. We recommend that they use the AWSAuditManagerAdministratorAccess policy.

To specify audit owners
  1. Under Audit owners, choose the audit owners for your assessment. To find additional audit owners, use the search bar to search by name or AWS account.

  2. Choose Next.

Step 5: Review and create

Review the information for your assessment. To change the information for a step, choose Edit. When you're finished, choose Create assessment to launch your first assessment and start the ongoing collection of evidence.

After you create an assessment, evidence collection continues until you change the assessment status to inactive. Alternatively, you can stop evidence collection for a specific control by changing the control status to inactive.


Automated evidence is available 24 hours after you create the assessment. AWS Audit Manager automatically collects evidence from multiple data sources, and the frequency of that evidence collection is based on the evidence type. For more information, see Evidence collection frequency in this guide.

Where do I go from here?

We recommend that you continue to learn more about the concepts and tools that are introduced in this tutorial. You can do so by reviewing the following resources: