Uploading manual evidence in AWS Audit Manager

Although Audit Manager can automatically collect evidence for many of the controls in a framework, some controls require that you upload manual evidence to demonstrate compliance. For example, certain controls relate to the provision of physical records (such as signatures), or events that aren’t generated in the cloud (such as observations and interviews). In these cases, you can manually upload files as evidence. For example, if a control in a framework is a procedural control that covers your team's organization, you can upload a copy of your company’s organizational chart as evidence to support the control.

You can also use the manual upload feature to manage evidence from multiple environments. If your company uses a hybrid cloud model or multicloud model, you can upload evidence from your on-premises environment, an environment hosted in the cloud, or your SaaS applications. This enables you to organize your evidence (regardless of where it came from) by storing it within the structure of an Audit Manager assessment, where each piece of evidence is mapped to a specific control.

To learn more about the different types of evidence in Audit Manager and the difference between automated and manual evidence, see Evidence in the Concepts and terminology section of this guide.

How to upload manual evidence

You can upload manual evidence from any Amazon Simple Storage Service (Amazon S3) bucket by specifying the S3 URI of the evidence.

To upload manual evidence to a control
  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the left navigation pane, choose Assessments, and then choose the name of your assessment to open it.

  3. Choose the Controls tab, scroll down to Control sets, and then choose the name of a control to open it.

  4. Choose the Evidence folders tab, and then choose Upload manual evidence.

    • Alternatively, choose an evidence folder name in the Evidence folders tab to review the evidence folder summary page, and then choose Upload manual evidence.

  5. On the next page, enter the S3 URI of the evidence. You can find the S3 URI by navigating to the object in the Amazon S3 console and choosing Copy S3 URI.

  6. Choose Upload to upload the manual evidence.

Note

Keep in mind the following:

  • You must upload manual evidence to your S3 bucket before you can upload it to your assessment. For instructions, see Creating a bucket and Uploading objects in the Amazon Simple Storage Service User Guide.

  • The maximum supported size for a single manual evidence file is 100 MB.

  • The supported file formats for manual evidence are listed further down this page.

  • Each AWS account can only manually upload up to 100 evidence files to a control each day. Exceeding this daily quota causes any additional manual uploads to fail for that control. If you need to upload a large amount of manual evidence to a single control, upload your evidence in batches across several days.

  • When a control is in inactive status, you can't upload manual evidence for that control. To upload manual evidence, you must first change the control status to either under review or reviewed. For instructions, see Update control status.

Supported file formats for manual evidence

The following table lists and describes the types of file that you can upload as manual evidence. For each file type, the table also lists the supported file extensions.

| File type | Description | Supported file extensions |
|---|---|---|
| Compression or archive | GNU Zip compressed archives and ZIP compressed archives | .gz, .zip |
| Document | Common document files such as PDFs and Microsoft Office files | .doc, .docx, .pdf, .ppt, .pptx, .xls, .xlsx |
| Image | Image and graphic files | .jpeg, .jpg, .png, .svg |
| Text | Other non-binary text files, such as plain-text documents and markup language files | .cer, .csv, .html, .jmx, .json, .md, .out, .rtf, .txt, .xml, .yaml, .yml |
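
The following pre-flight check is an added example, not AWS code. It applies the limits from the note and table on this page (100 MB per file, supported extensions, 100 manual uploads per control per day) to a list of S3 objects before you enter their URIs. The bucket name, sample objects, function names, the decimal reading of "100 MB", and case-insensitive extension matching are assumptions.

```python
from posixpath import splitext
from urllib.parse import urlparse

# Limits taken from the note and table on this page.
MAX_BYTES = 100 * 1000 * 1000  # "100 MB" read as decimal MB (assumption; the stricter reading)
DAILY_QUOTA = 100              # manual uploads per control, per account, per day
SUPPORTED_EXTENSIONS = set(
    ".gz .zip .doc .docx .pdf .ppt .pptx .xls .xlsx .jpeg .jpg .png .svg "
    ".cer .csv .html .jmx .json .md .out .rtf .txt .xml .yaml .yml".split()
)

# Constructed sample input: (S3 URI, object size in bytes). The bucket is hypothetical.
SAMPLE = [
    ("s3://example-evidence-bucket/hr/org-chart.pdf", 2_400_000),
    ("s3://example-evidence-bucket/hr/interview-notes.docx.exe", 90_000),
    ("s3://example-evidence-bucket/dc/badge-logs.zip", 150_000_000),
    ("https://example-evidence-bucket.s3.amazonaws.com/a.png", 10_000),
]


def check_evidence(s3_uri, size_bytes):
    """Return a list of problems for one object; an empty list means it passes."""
    parsed = urlparse(s3_uri)
    key = parsed.path.lstrip("/")
    if parsed.scheme != "s3" or not parsed.netloc or not key:
        return ["not an S3 URI of the form s3://bucket/key"]
    # Only the final suffix counts, so "notes.docx.exe" is judged as ".exe".
    ext = splitext(key)[1].lower()  # case-insensitive matching is an assumption
    problems = []
    if ext not in SUPPORTED_EXTENSIONS:
        problems.append(f"unsupported extension {ext or '(none)'}")
    if size_bytes > MAX_BYTES:
        problems.append(f"{size_bytes} bytes exceeds the 100 MB limit")
    return problems


def plan_uploads(objects, already_uploaded_today=0):
    """Split passing URIs into per-day batches for ONE control; return (batches, rejected)."""
    rejected, accepted = {}, []
    for uri, size in objects:
        problems = check_evidence(uri, size)
        if problems:
            rejected[uri] = problems
        else:
            accepted.append(uri)
    # batches[0] is what still fits in today's quota; later batches are full days.
    first = max(DAILY_QUOTA - already_uploaded_today, 0)
    rest = accepted[first:]
    later = [rest[i:i + DAILY_QUOTA] for i in range(0, len(rest), DAILY_QUOTA)]
    return [accepted[:first]] + later, rejected
```

Object sizes can be read from the Amazon S3 console or an object listing before running the check; the example does not contact AWS.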