Adding manual evidence in AWS Audit Manager

Audit Manager can automatically collect evidence for many controls. However, some controls require you to manually add your own evidence.

Consider the following examples:

  • Some controls relate to the provision of physical records (such as signatures), or events that aren’t generated in the cloud (such as observations and interviews). In these cases, you can manually upload files as evidence. For instance, if a control requires information about your organizational structure, you can upload a copy of your company’s org chart as manual evidence.

  • Some controls represent a vendor risk assessment question. A risk assessment question might require documentation as evidence (such as an org chart). Or, it might only need a simple text response (such as a list of job titles). In the case of the latter, you can respond to the question and save your response as manual evidence.

You can also use the manual upload feature to manage evidence from multiple environments. If your company uses a hybrid cloud model or multicloud model, you can upload evidence from your on-premises environment, an environment hosted in the cloud, or your SaaS applications. This enables you to organize your evidence (regardless of where it came from) by storing it within the structure of an Audit Manager assessment, where each piece of evidence is mapped to a specific control.

To learn more about the different types of evidence in Audit Manager, see Evidence in the Concepts and terminology section of this guide.

How to add manual evidence

You can use any of the following three methods to add your own manual evidence to an assessment control: import a file from an S3 bucket, upload a file from your browser, or enter a text response.

Keep in mind the following:

  • You can only use one method at a time to add manual evidence.

  • The maximum supported size for a single manual evidence file is 100 MB.

  • The supported file formats for manual evidence are listed further down this page.

  • Each AWS account can only manually upload up to 100 evidence files to a control each day. Exceeding this daily quota causes any additional manual uploads to fail for that control. If you need to upload a large amount of manual evidence to a single control, upload your evidence in batches across several days.

  • When a control is inactive, you can't add manual evidence to that control. To add manual evidence, you must first change the control status to either under review or reviewed. For instructions, see Update control status.

Follow these steps to import manual evidence from an S3 bucket.

AWS console
To import a file from S3 (console)
  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the left navigation pane, choose Assessments, and then choose the name of your assessment to open it.

  3. Choose the Controls tab, scroll down to Control sets, and then choose the name of a control to open it.

  4. On the Evidence folders tab, choose Add manual evidence, and then choose Import file from S3.

    • Alternatively, choose an evidence folder name in the Evidence folders tab to review the evidence folder summary, and then choose Add manual evidence, Import file from S3.

  5. On the next page, enter the S3 URI of the evidence. You can find the S3 URI by navigating to the object in the Amazon S3 console and choosing Copy S3 URI.

  6. Choose Upload.

AWS CLI

In the following procedure, replace the placeholder text with your own information.

To import a file from S3 (CLI)
  1. Run the list-assessments command to see a list of your assessments.

    aws auditmanager list-assessments

    In the response, find the assessment that you want to upload evidence to and take note of the assessment ID.

  2. Run the get-assessment command and specify the assessment ID from step one.

    aws auditmanager get-assessment --assessment-id 1a2b3c4d-5e6f-7g8h-9i0j-0k1l2m3n4o5p

    In the response, find the control set and the control that you want to upload evidence to, and take note of their IDs.

  3. Run the batch-import-evidence-to-assessment-control command with the following parameters:

    • --assessment-id – Use the assessment ID from step one.

    • --control-set-id – Use the control set ID from step two.

    • --control-id – Use the control ID from step two.

    • --manual-evidence – Use s3ResourcePath as the manual evidence type and specify the S3 URI of the evidence. You can find the S3 URI by navigating to the object in the Amazon S3 console and choosing Copy S3 URI.

    aws auditmanager batch-import-evidence-to-assessment-control --assessment-id 1a2b3c4d-5e6f-7g8h-9i0j-0k1l2m3n4o5p --control-set-id ControlSet --control-id a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6 --manual-evidence s3ResourcePath=s3://example-bucket/example-file.extension

Audit Manager API
To import a file from S3 (API)
  1. Call the ListAssessments operation to see a list of your assessments. In the response, find the assessment that you want to upload evidence to and take note of the assessment ID.

  2. Call the GetAssessment operation and specify the assessment ID from step one. In the response, find the control set and the control that you want to upload evidence to, and take note of their IDs.

  3. Call the BatchImportEvidenceToAssessmentControl operation with the following parameters:

    • assessmentId – Use the assessment ID from step one.

    • controlSetId – Use the control set ID from step two.

    • controlId – Use the control ID from step two.

    • manualEvidence – Use s3ResourcePath as the manual evidence type and specify the S3 URI of the evidence. You can find the S3 URI by navigating to the object in the Amazon S3 console and choosing Copy S3 URI.

For more information, choose any of the previous links to read more in the AWS Audit Manager API Reference. This includes information about how to use these operations and parameters in one of the language-specific AWS SDKs.

Follow these steps to upload manual evidence from your browser.

AWS console
To upload a file from your browser (console)
  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the left navigation pane, choose Assessments, and then choose the name of your assessment to open it.

  3. On the Controls tab, scroll down to Control sets, and then choose the name of a control to open it.

    From here, there are three ways to upload a file:

    • (Option 1) In the blue notification banner, choose Upload manual evidence.

    • (Option 2) On the Evidence folders tab, choose Add manual evidence, and then choose Upload file from browser.

    • (Option 3) Choose an evidence folder name to review a summary of that folder, choose Add manual evidence, and then choose Upload file from browser.

  4. Choose the file that you want to upload.

  5. Choose Upload.

AWS CLI

In the following procedure, replace the placeholder text with your own information.

To upload a file from your browser (CLI)
  1. Run the list-assessments command to see a list of your assessments.

    aws auditmanager list-assessments

    In the response, find the assessment that you want to upload evidence to and take note of the assessment ID.

  2. Run the get-assessment command and specify the assessment ID from step one.

    aws auditmanager get-assessment --assessment-id 1a2b3c4d-5e6f-7g8h-9i0j-0k1l2m3n4o5p

    In the response, find the control set and the control that you want to upload evidence to, and take note of their IDs.

  3. Run the get-evidence-file-upload-url command and specify the file that you want to upload.

    aws auditmanager get-evidence-file-upload-url --file-name fileName.extension

    In the response, take note of the presigned URL and the evidenceFileName.

  4. Use the presigned URL from step three to upload the file from your browser. This action uploads your file to Amazon S3, where it's saved as an object that can be attached to an assessment control. In the following step, you'll reference the newly created object by using the evidenceFileName parameter.

    Note

    When you upload a file using a presigned URL, Audit Manager protects and stores your data by using server-side encryption with AWS Key Management Service. To support this, you must include the x-amz-server-side-encryption header in your request when you use the presigned URL to upload your file.

    If you're using a customer managed AWS KMS key in your Audit Manager Data encryption settings, make sure that you also include the x-amz-server-side-encryption-aws-kms-key-id header in your request. If the x-amz-server-side-encryption-aws-kms-key-id header isn't present in the request, Amazon S3 assumes that you want to use the AWS managed key.

    For more information, see Protecting data using server-side encryption with AWS Key Management Service keys (SSE-KMS) in the Amazon Simple Storage Service User Guide.

  5. Run the batch-import-evidence-to-assessment-control command with the following parameters:

    • --assessment-id – Use the assessment ID from step one.

    • --control-set-id – Use the control set ID from step two.

    • --control-id – Use the control ID from step two.

    • --manual-evidence – Use evidenceFileName as the manual evidence type and specify the evidence file name from step three.

    aws auditmanager batch-import-evidence-to-assessment-control --assessment-id 1a2b3c4d-5e6f-7g8h-9i0j-0k1l2m3n4o5p --control-set-id ControlSet --control-id a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6 --manual-evidence evidenceFileName=fileName.extension

Audit Manager API
To upload a file from your browser (API)
  1. Call the ListAssessments operation. In the response, find the assessment that you want to upload evidence to and take note of the assessment ID.

  2. Call the GetAssessment operation and specify the assessmentId from step one. In the response, find the control set and the control that you want to upload evidence to, and take note of their IDs.

  3. Call the GetEvidenceFileUploadUrl operation and specify the fileName that you want to upload. In the response, take note of the presigned URL and the evidenceFileName.

  4. Use the presigned URL from step three to upload the file from your browser. This action uploads your file to Amazon S3, where it's saved as an object that can be attached to an assessment control. In the following step, you'll reference the newly created object by using the evidenceFileName parameter.

    Note

    When you upload a file using a presigned URL, Audit Manager protects and stores your data by using server-side encryption with AWS Key Management Service. To support this, you must include the x-amz-server-side-encryption header in your request when you use the presigned URL to upload your file.

    If you're using a customer managed AWS KMS key in your Audit Manager Data encryption settings, make sure that you also include the x-amz-server-side-encryption-aws-kms-key-id header in your request. If the x-amz-server-side-encryption-aws-kms-key-id header isn't present in the request, Amazon S3 assumes that you want to use the AWS managed key.

    For more information, see Protecting data using server-side encryption with AWS Key Management Service keys (SSE-KMS) in the Amazon Simple Storage Service User Guide.

  5. Call the BatchImportEvidenceToAssessmentControl operation with the following parameters:

    • assessmentId – Use the assessment ID from step one.

    • controlSetId – Use the control set ID from step two.

    • controlId – Use the control ID from step two.

    • manualEvidence – Use evidenceFileName as the manual evidence type and specify the evidence file name from step three.

For more information, choose any of the previous links to read more in the AWS Audit Manager API Reference. This includes information about how to use these operations and parameters in one of the language-specific AWS SDKs.
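As an added example (not code from the AWS documentation), the browser-upload flow above in Python: the presigned PUT carries the SSE-KMS headers the note requires, and the import step checks the per-item `errors` list that BatchImportEvidenceToAssessmentControl returns instead of raising. The control-name lookup and the import call apply equally to the S3-import and text-response procedures. The control name, file path and the SAMPLE_GET_ASSESSMENT dict are assumptions; the network calls need boto3 and AWS credentials.

```python
import urllib.request
from typing import Optional
# Constructed stand-in for a GetAssessment response (placeholder IDs), trimmed to the fields used below.
SAMPLE_GET_ASSESSMENT = {"assessment": {"framework": {"controlSets": [
    {"id": "ControlSet", "controls": [
        {"id": "a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6", "name": "Org chart on file"}]}]}}}

def sse_kms_headers(kms_key_id: Optional[str] = None) -> dict:
    """Headers the presigned PUT needs so S3 applies SSE-KMS; without the key-id header
    S3 falls back to the AWS managed key, so a customer managed key must be named."""
    headers = {"x-amz-server-side-encryption": "aws:kms"}
    if kms_key_id:
        headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
    return headers

def find_control_ids(assessment: dict, control_name: str) -> Optional[tuple]:
    """Walk a GetAssessment response; return (controlSetId, controlId) for the named control."""
    for control_set in assessment["assessment"]["framework"]["controlSets"]:
        for control in control_set["controls"]:
            if control["name"] == control_name:
                return control_set["id"], control["id"]
    return None

def put_to_presigned_url(upload_url: str, body: bytes, headers: dict) -> int:
    """PUT the file body to the presigned URL with the encryption headers; returns HTTP status."""
    req = urllib.request.Request(upload_url, data=body, method="PUT", headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status

def attach_uploaded_file(client, assessment_id, control_set_id, control_id, evidence_file_name):
    """Attach the uploaded object to the control. The API reports per-item failures in the
    response's `errors` list rather than raising, so callers must inspect that list."""
    resp = client.batch_import_evidence_to_assessment_control(
        assessmentId=assessment_id, controlSetId=control_set_id, controlId=control_id,
        manualEvidence=[{"evidenceFileName": evidence_file_name}])
    return resp.get("errors", [])

def main(path: str, assessment_id: str, control_name: str, kms_key_id: Optional[str] = None):
    """End-to-end flow; needs boto3 and AWS credentials, so boto3 is imported only here."""
    import boto3
    am = boto3.client("auditmanager")
    ids = find_control_ids(am.get_assessment(assessmentId=assessment_id), control_name)
    if ids is None:
        raise SystemExit(f"control {control_name!r} not found in assessment {assessment_id}")
    url_info = am.get_evidence_file_upload_url(fileName=path.rsplit("/", 1)[-1])
    with open(path, "rb") as fh:
        status = put_to_presigned_url(url_info["uploadUrl"], fh.read(), sse_kms_headers(kms_key_id))
    errors = attach_uploaded_file(am, assessment_id, ids[0], ids[1], url_info["evidenceFileName"])
    print(f"upload HTTP {status}; import errors: {errors or 'none'}")
```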

Follow these steps to enter a response to a risk assessment question and save your response as manual evidence.

AWS console
To enter a text response (console)
  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the left navigation pane, choose Assessments, and then choose the name of your assessment to open it.

  3. Choose the Controls tab, scroll down to Control sets, and then choose the name of a control to open it.

    From here, there are three ways to enter a text response:

    • (Option 1) In the blue notification banner, choose Enter response.

    • (Option 2) On the Evidence folders tab, choose Add manual evidence, and then choose Enter text response.

    • (Option 3) Choose an evidence folder to review a summary of that folder, choose Add manual evidence, and then choose Enter text response.

  4. In the pop-up window that appears, enter your response in plain text format.

  5. Choose Confirm.

AWS CLI

In the following procedure, replace the placeholder text with your own information.

To enter a text response (CLI)
  1. Run the list-assessments command.

    aws auditmanager list-assessments

    In the response, find the assessment that you want to upload evidence to and take note of the assessment ID.

  2. Run the get-assessment command and specify the assessment ID from step one.

    aws auditmanager get-assessment --assessment-id 1a2b3c4d-5e6f-7g8h-9i0j-0k1l2m3n4o5p

    In the response, find the control set and control that you want to upload evidence to, and take note of their IDs.

  3. Run the batch-import-evidence-to-assessment-control command with the following parameters:

    • --assessment-id – Use the assessment ID from step one.

    • --control-set-id – Use the control set ID from step two.

    • --control-id – Use the control ID from step two.

    • --manual-evidence – Use textResponse as the manual evidence type and enter the text that you want to save as manual evidence.

    aws auditmanager batch-import-evidence-to-assessment-control --assessment-id 1a2b3c4d-5e6f-7g8h-9i0j-0k1l2m3n4o5p --control-set-id ControlSet --control-id a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6 --manual-evidence textResponse="enter text here"

Audit Manager API
To enter a text response (API)
  1. Call the ListAssessments operation. In the response, find the assessment that you want to upload evidence to and take note of the assessment ID.

  2. Call the GetAssessment operation and specify the assessmentId from step one. In the response, find the control set and control that you want to upload evidence to, and take note of their IDs.

  3. Call the BatchImportEvidenceToAssessmentControl operation with the following parameters:

    • assessmentId – Use the assessment ID from step one.

    • controlSetId – Use the control set ID from step two.

    • controlId – Use the control ID from step two.

    • manualEvidence – Use textResponse as the manual evidence type and enter the text that you want to save as manual evidence.

For more information, choose any of the previous links to read more in the AWS Audit Manager API Reference. This includes information about how to use these operations and parameters in one of the language-specific AWS SDKs.

Supported file formats for manual evidence

The following table lists and describes the types of files that you can upload as manual evidence. For each file type, the table also lists the supported file extensions.

Compression or archive
    Description: GNU Zip compressed archives and ZIP compressed archives
    Supported file extensions: .gz, .zip

Document
    Description: Common document files such as PDFs and Microsoft Office files
    Supported file extensions: .doc, .docx, .pdf, .ppt, .pptx, .xls, .xlsx

Image
    Description: Image and graphic files
    Supported file extensions: .jpeg, .jpg, .png, .svg

Text
    Description: Other non-binary text files, such as plain-text documents and markup language files
    Supported file extensions: .cer, .csv, .html, .jmx, .json, .md, .out, .rtf, .txt, .xml, .yaml, .yml
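As an added example (not part of the AWS documentation), a pre-flight planner in Python for S3-sourced evidence that applies the three limits this page states: the extension table above, the 100 MB per-file limit, and the quota of 100 manual uploads per control per day, splitting a backlog into daily batches of s3ResourcePath payloads for batch-import-evidence-to-assessment-control. The S3 URIs are constructed, and the per-call chunk size is an assumption, since the page gives no per-call item limit.

```python
from pathlib import Path

# Limits stated on this page.
MAX_FILE_BYTES = 100 * 1024 * 1024     # 100 MB per manual evidence file
MAX_FILES_PER_CONTROL_PER_DAY = 100    # per AWS account, per control

# Supported extensions from the table above, keyed by file type.
SUPPORTED_EXTENSIONS = {
    "archive": {".gz", ".zip"},
    "document": {".doc", ".docx", ".pdf", ".ppt", ".pptx", ".xls", ".xlsx"},
    "image": {".jpeg", ".jpg", ".png", ".svg"},
    "text": {".cer", ".csv", ".html", ".jmx", ".json", ".md", ".out", ".rtf",
             ".txt", ".xml", ".yaml", ".yml"},
}

# Constructed sample backlog of (S3 URI, size in bytes) for one control: 230 valid
# screenshots, one unsupported binary and one oversized archive.
SAMPLE_FILES = [(f"s3://example-bucket/screenshot-{i}.png", 4096) for i in range(230)]
SAMPLE_FILES += [("s3://example-bucket/tool.exe", 10), ("s3://example-bucket/big.zip", MAX_FILE_BYTES + 1)]

def classify(s3_uri_or_name: str):
    """File type for a supported extension (case-insensitive), or None if Audit Manager rejects it."""
    ext = Path(s3_uri_or_name).suffix.lower()
    return next((kind for kind, exts in SUPPORTED_EXTENSIONS.items() if ext in exts), None)

def validate(s3_uri: str, size_bytes: int) -> list:
    """Reasons this object cannot be imported as manual evidence; an empty list means it is OK."""
    problems = []
    if classify(s3_uri) is None:
        problems.append(f"{s3_uri}: unsupported extension {Path(s3_uri).suffix!r}")
    if size_bytes > MAX_FILE_BYTES:
        problems.append(f"{s3_uri}: {size_bytes} bytes exceeds the 100 MB limit")
    return problems

def plan_daily_batches(files: list, per_call: int = 50) -> list:
    """Drop invalid files, then split the rest into days of at most 100 uploads per control.
    Each day is a list of manualEvidence payloads for batch-import-evidence-to-assessment-control;
    per_call is an assumed chunk size, since the page states no per-call item limit."""
    accepted = [uri for uri, size in files if not validate(uri, size)]
    days = []
    for start in range(0, len(accepted), MAX_FILES_PER_CONTROL_PER_DAY):
        day = accepted[start:start + MAX_FILES_PER_CONTROL_PER_DAY]
        days.append([[{"s3ResourcePath": uri} for uri in day[i:i + per_call]]
                     for i in range(0, len(day), per_call)])
    return days

def rejected(files: list) -> list:
    """Every problem found across the backlog, so the reviewer can see what was skipped."""
    return [p for uri, size in files for p in validate(uri, size)]
```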