Tutorial for Delegates: Reviewing a control set

This tutorial describes how to review a control set that was shared with you by an audit owner in AWS Audit Manager.

Audit owners use Audit Manager to create assessments and collect evidence for the controls listed in that assessment. Sometimes audit owners might have questions or need assistance when validating the evidence for a control set. In this situation, an audit owner can delegate a control set to a subject matter expert for review.

As a delegate, you help audit owners to review the collected evidence for controls that fall under your area of expertise.

This tutorial shows how to do the following:

• Access notifications sent to you by an audit owner

• Review a control set and its related evidence

• Upload manual evidence to support a control

• Add a comment for a control that you're reviewing

• Update the status of a control

• Submit the reviewed control set to the audit owner when your review is complete

Before you start this tutorial, make sure that you first meet the following conditions:

• Your AWS account is set up. To complete this tutorial, you must use both your AWS account and the AWS Audit Manager console. For more information, see Setting up AWS Audit Manager.

• You're familiar with Audit Manager terminology and functionality. For a general overview of Audit Manager, see What is AWS Audit Manager? and AWS Audit Manager concepts and terminology.

Step 1: Access your notifications

Start by signing in to AWS Audit Manager, where you can access your notifications to see the control sets that have been delegated to you for review.

To access your notifications

1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

2. In the left navigation pane, choose Notifications. Or, in the blue flash bar at the top of the page, choose View notification to open the notifications page.

3. On the Notifications page, you review the list of control sets that have been delegated to you. The notifications table includes the following information:

   • Date – The date when the control set was delegated.

   • Assessment – The name of the assessment that's associated with the control set. You can choose an assessment name to open the assessment detail page.

   • Control set – The name of the control set that was delegated to you for review.

   • Source – The user or role that delegated the control set to you.

   • Description – The review instructions that were provided by the audit owner.

Tip

You can also subscribe to an SNS topic to receive email alerts when a control set is assigned to you for review. For more information, see Notifications in AWS Audit Manager.

Step 2: Review the control set and related evidence

The next step is to review the control sets that the audit owner delegated to you. By examining the controls and their evidence, you can determine if any additional action is needed for a control. Additional actions can include manually uploading additional evidence to demonstrate compliance or leaving a comment about that control.

To review a control set

1. From the Notifications page, review the list of control sets that were delegated to you. Then identify which one you want to review and choose the name of the related assessment.

2. Under the Controls tab of the assessment detail page, scroll down to the Control sets table.

3. Under the Controls grouped by control set column, expand the name of a control set to show its controls. Then, choose the name of a control to open the control detail page.

4. (Optional) Choose Update control status to change the status of the control. While your review is in progress, you can mark the status as Under Review.

5. Review information about the control in the Evidence folders, Data sources, Comments, and Changelog tabs. For more information about each of these tabs and how to interpret the data that they contain, see Review the controls in an assessment.

To review the evidence for a control

1. From the control detail page, choose the Evidence folders tab.

2. Navigate to the Evidence folders table, where a list of folders that contains evidence for that control is displayed. These folders are organized and named based on the date when the evidence within that folder was collected.

3. Choose the name of an evidence folder to open it. From here, you can review a summary of all the evidence that was gathered on that date. This summary also includes the total number of compliance check issues that were reported directly from AWS Security Hub, AWS Config, or both. For instructions on how to interpret the data on this page, see Reviewing evidence folders.

4. From the evidence folder summary page, navigate to the Evidence table. Under the Time column, choose a line item to open and review details of the evidence that was collected at that time. For instructions on how to interpret the data on an evidence detail page, see Reviewing individual evidence.

Step 3. Upload manual evidence (optional)

Although AWS Audit Manager automatically collects evidence for many controls, in some cases you might need to provide additional evidence. In these cases, you can manually upload evidence that helps you to demonstrate compliance with that control.

Before you can upload manual evidence to your assessment, you must first place the evidence in an S3 bucket. For instructions, see Creating a bucket and Uploading objects in the Amazon Simple Storage Service User Guide.

Important

Each AWS account can only manually upload up to 100 evidence files to a control each day. Exceeding this daily quota causes any additional manual uploads to fail for that control. If you need to upload a large amount of manual evidence to a single control, upload your evidence in batches across several days.

To upload manual evidence to a control

1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

2. From the Notifications page, you can see the list of control sets that were delegated to you. Identify which control set you want to add evidence for, and choose the name of the related assessment to open the assessment detail page.

3. Choose the Controls tab, scroll down to Control sets, and then select the name of a control to open it.

4. Choose the Evidence folders tab, and then choose Upload manual evidence.

5. On the next page, enter the S3 URI of the evidence. You can find the S3 URI by navigating to the object in the Amazon S3 console and choosing Copy S3 URI.

6. Choose Upload to upload the manual evidence.

Note

When a control is in inactive status, you can't upload manual evidence for that control. To upload manual evidence, you must first change the control status to either under review or reviewed. For instructions on how to change a control status, see Step 5: Mark a control as reviewed (optional).

Step 4. Add a comment for a control (optional)

You can add comments for any controls that you review. These comments are visible to the audit owner. For example, you can leave a comment to provide a status update and confirm that you remediated any issues with that control.

To add a comment to a control

1. From the Notifications page, review the list of control sets that were delegated to you. Find the control set that you want to leave a comment for, and choose the name of the related assessment.

2. Choose the Controls tab, scroll down to the Control sets table, and then select the name of a control to open it.

3. Choose the Comments tab.

4. Under Send comments, enter your comment in the text box.

5. Choose Submit comment to add your comment. Your comment now appears under the Previous comments section of the page, along with any other comments regarding this control.

Step 5: Mark a control as reviewed (optional)

Changing the status of a control is optional. However, we recommend that you change the status of each control to Reviewed as you complete your review for that control. Regardless of the status of each individual control, you can still submit the controls to the audit owner.

To mark a control as reviewed

1. From the Notifications page, review the list of control sets that were delegated to you. Find the control set that contains the control that you want to mark as reviewed. Then, choose the name of the related assessment to open the assessment detail page.

2. Under the Controls tab of the assessment detail page, scroll down to the Control sets table.

3. Under the Controls grouped by control set column, expand the name of a control set to show its controls. Choose the name of a control to open the control detail page.

4. Choose Update control status and change the status to Reviewed.

5. In the pop-up window that appears, choose Update control status to confirm that you finished reviewing the control.

Step 6. Submit the reviewed control set back to the audit owner

When you're done reviewing all controls, submit the control set back to the audit owner to let them know you finished your review.

To submit a reviewed control set back to the owner

1. In the Notifications page, review the list of control sets that were assigned to you. Find the control set that you want to submit to the audit owner, and choose the name of the related assessment.

2. Scroll down to the Control sets table, select the control set that you want to submit back to the audit owner, and then choose Submit for review.

3. In the pop-up window that appears, you can add any high-level comments about that control set before choosing Submit for review.

After you submit the control to the audit owner, the audit owner can view any comments that you left for them.

Where do I go from here?

You can continue to learn more about the concepts that are introduced in this tutorial. The following are some recommended resources:

• Reviewing an assessment - Introduces you to the assessment page, where you can explore the different components of an assessment in AWS Audit Manager.

• Review the controls in an assessment and Review the evidence in an assessment - Provides data definitions to help you interpret the controls and evidence for each assessment.

• AWS Audit Manager concepts and terminology - Provides definitions for the concepts and terminology that are used in Audit Manager.