Uploading manual evidence in AWS Audit Manager - AWS Audit Manager

Uploading manual evidence in AWS Audit Manager

Although AWS Audit Manager can automatically collect evidence for many of the controls in a framework, some controls require that you upload manual evidence to demonstrate compliance. For example, certain controls relate to the provision of physical records (such as signatures), or events that aren’t generated in the cloud (such as observations and interviews). In these cases, you can manually upload files as evidence. For example, if a control in a framework is a procedural control that covers your team's organization, you can upload a copy of your company’s organizational chart as evidence to support the control.

You can also use the manual upload feature to manage evidence from multiple environments. If your company uses a hybrid cloud model or multicloud model, you can upload evidence from your on-premises environment, an environment hosted in the cloud, or your SaaS applications. This enables you to organize your evidence (regardless of where it came from) by storing it within the structure of an Audit Manager assessment, where each piece of evidence is mapped to a specific control.

You can upload manual evidence from any Amazon Simple Storage Service (Amazon S3) bucket by specifying the S3 URI of the evidence. Your manual evidence must be uploaded to your S3 bucket before you can upload it to your assessment. For more information, see Creating a bucket and Uploading objects in the Amazon Simple Storage Service User Guide.

Important

Each AWS account can only manually upload up to 100 evidence files to a control each day. Exceeding this daily quota causes any additional manual uploads to fail for that control. If you need to upload a large amount of manual evidence to a single control, upload your evidence in batches across several days.

To upload manual evidence to a control

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the left navigation pane, choose Assessments, and then choose the name of your assessment to open it.

  3. Choose the Controls tab, scroll down to Control sets, and then choose the name of a control to open it.

  4. Choose the Evidence folders tab, and then choose Upload manual evidence. Or, you can choose an evidence folder name in the Evidence folders tab to review the evidence folder summary page, and then choose Upload manual evidence.

  5. On the next page, enter the S3 URI of the evidence. You can find the S3 URI by navigating to the object in the Amazon S3 console and choosing Copy S3 URI.

  6. Choose Upload to upload the manual evidence.

Note

When a control is in inactive status, you can't upload manual evidence for that control. To upload manual evidence, you must first change the control status to either under review or reviewed. For more information, see Update control status.

To learn more about the different types of evidence in AWS Audit Manager and the difference between automated and manual evidence, see Evidence in the Concepts and terminology section of this guide.