Adding manual evidence in AWS Audit Manager
Audit Manager can automatically collect evidence for many controls. However, some controls require
you to manually add your own evidence.
Consider the following examples:
- Some controls relate to the provision of physical records (such as signatures), or events that aren't generated in the cloud (such as observations and interviews). In these cases, you can manually upload files as evidence. For instance, if a control requires information about your organizational structure, you can upload a copy of your company's org chart as manual evidence.
- Some controls represent a vendor risk assessment question. A risk assessment question might require documentation as evidence (such as an org chart). Or, it might only need a simple text response (such as a list of job titles). In the case of the latter, you can respond to the question and save your response as manual evidence.
You can also use the manual upload feature to manage evidence from multiple environments. If
your company uses a hybrid cloud model or multicloud model, you can upload evidence from your
on-premises environment, an environment hosted in the cloud, or your SaaS applications. This
enables you to organize your evidence (regardless of where it came from) by storing it within the
structure of an Audit Manager assessment, where each piece of evidence is mapped to a specific
control.
To learn more about the different types of evidence in Audit Manager, see Evidence in the Concepts and terminology section of this guide.
How to add manual evidence
You can use any of the following methods to add your own manual evidence to an assessment
control.
Keep in mind the following:
- You can only use one method at a time to add manual evidence.
- The maximum supported size for a single manual evidence file is 100 MB.
- The supported file formats for manual evidence are listed further down this page.
- Each AWS account can only manually upload up to 100 evidence files to a control each day. Exceeding this daily quota causes any additional manual uploads to fail for that control. If you need to upload a large amount of manual evidence to a single control, upload your evidence in batches across several days.
- When a control is inactive, you can't add manual evidence to that control. To add manual evidence, you must first change the control status to either under review or reviewed. For instructions, see Update control status.
Follow these steps to import manual evidence from an S3 bucket.
- AWS console
To import a file from S3 (console)
1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.
2. In the left navigation pane, choose Assessments, and then choose the name of your assessment to open it.
3. Choose the Controls tab, scroll down to Control sets, and then choose the name of a control to open it.
4. On the Evidence folders tab, choose Add manual evidence, and then choose Import file from S3.
   Alternatively, choose an evidence folder name in the Evidence folders tab to review the evidence folder summary, and then choose Add manual evidence, Import file from S3.
5. On the next page, enter the S3 URI of the evidence. You can find the S3 URI by navigating to the object in the Amazon S3 console and choosing Copy S3 URI.
6. Choose Upload.
- AWS CLI
In the following procedure, replace the placeholder text with your own information.
To import a file from S3 (CLI)
1. Run the list-assessments command to see a list of your assessments.
   aws auditmanager list-assessments
   In the response, find the assessment that you want to upload evidence to and take note of the assessment ID.
2. Run the get-assessment command and specify the assessment ID from step one.
   aws auditmanager get-assessment --assessment-id 1a2b3c4d-5e6f-7g8h-9i0j-0k1l2m3n4o5p
   In the response, find the control set and the control that you want to upload evidence to, and take note of their IDs.
3. Run the batch-import-evidence-to-assessment-control command with the following parameters:
   - --assessment-id – Use the assessment ID from step one.
   - --control-set-id – Use the control set ID from step two.
   - --control-id – Use the control ID from step two.
   - --manual-evidence – Use s3ResourcePath as the manual evidence type and specify the S3 URI of the evidence. You can find the S3 URI by navigating to the object in the Amazon S3 console and choosing Copy S3 URI.
   aws auditmanager batch-import-evidence-to-assessment-control \
     --assessment-id 1a2b3c4d-5e6f-7g8h-9i0j-0k1l2m3n4o5p \
     --control-set-id ControlSet \
     --control-id a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6 \
     --manual-evidence s3ResourcePath=s3://example-bucket/example-file.extension
- Audit Manager API
To import a file from S3 (API)
1. Call the ListAssessments operation to see a list of your assessments. In the response, find the assessment that you want to upload evidence to and take note of the assessment ID.
2. Call the GetAssessment operation and specify the assessment ID from step one. In the response, find the control set and the control that you want to upload evidence to, and take note of their IDs.
3. Call the BatchImportEvidenceToAssessmentControl operation with the following parameters:
   - assessmentId – Use the assessment ID from step one.
   - controlSetId – Use the control set ID from step two.
   - controlId – Use the control ID from step two.
   - manualEvidence – Use s3ResourcePath as the manual evidence type and specify the S3 URI of the evidence. You can find the S3 URI by navigating to the object in the Amazon S3 console and choosing Copy S3 URI.
For more information, choose any of the previous links to read more in the AWS Audit Manager API Reference. This includes information about how to use these operations and parameters in one of the language-specific AWS SDKs.
Follow these steps to upload manual evidence from your browser.
- AWS console
To upload a file from your browser (console)
1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.
2. In the left navigation pane, choose Assessments, and then choose the name of your assessment to open it.
3. On the Controls tab, scroll down to Control sets, and then choose the name of a control to open it.
   From here, there are three ways to upload a file:
   - (Option 1) In the blue notification banner, choose Upload manual evidence.
   - (Option 2) On the Evidence folders tab, choose Add manual evidence, and then choose Upload file from browser.
   - (Option 3) Choose an evidence folder name to review a summary of that folder, choose Add manual evidence, and then choose Upload file from browser.
4. Choose the file that you want to upload.
5. Choose Upload.
- AWS CLI
In the following procedure, replace the placeholder text with your own information.
To upload a file from your browser (CLI)
1. Run the list-assessments command to see a list of your assessments.
   aws auditmanager list-assessments
   In the response, find the assessment that you want to upload evidence to and take note of the assessment ID.
2. Run the get-assessment command and specify the assessment ID from step one.
   aws auditmanager get-assessment --assessment-id 1a2b3c4d-5e6f-7g8h-9i0j-0k1l2m3n4o5p
   In the response, find the control set and the control that you want to upload evidence to, and take note of their IDs.
3. Run the get-evidence-file-upload-url command and specify the file that you want to upload.
   aws auditmanager get-evidence-file-upload-url --file-name fileName.extension
   In the response, take note of the presigned URL and the evidenceFileName.
4. Use the presigned URL from step three to upload the file (an HTTP PUT request whose body is the file). This action uploads your file to Amazon S3, where it's saved as an object that can be attached to an assessment control. In the following step, you'll reference the newly created object by using the evidenceFileName parameter.
   Treat the presigned URL like a credential: anyone who obtains it can perform the upload until it expires, so don't log it or pass it outside the process that performs the upload.
   When you upload a file using a presigned URL, Audit Manager protects and stores your data by using server-side encryption with AWS Key Management Service (SSE-KMS). To support this, you must include the x-amz-server-side-encryption header, with the value aws:kms, in your request when you use the presigned URL to upload your file.
   If you're using a customer managed AWS KMS key in your Audit Manager Data encryption settings, make sure that you also include the x-amz-server-side-encryption-aws-kms-key-id header in your request, set to the ID or ARN of that key. If the x-amz-server-side-encryption-aws-kms-key-id header isn't present in the request, Amazon S3 assumes that you want to use the AWS managed key, and the object is not protected by your customer managed key. For more information, see Protecting data using server-side encryption with AWS Key Management Service keys (SSE-KMS) in the Amazon Simple Storage Service User Guide.
5. Run the batch-import-evidence-to-assessment-control command with the following parameters:
   - --assessment-id – Use the assessment ID from step one.
   - --control-set-id – Use the control set ID from step two.
   - --control-id – Use the control ID from step two.
   - --manual-evidence – Use evidenceFileName as the manual evidence type and specify the evidence file name from step three.
   aws auditmanager batch-import-evidence-to-assessment-control \
     --assessment-id 1a2b3c4d-5e6f-7g8h-9i0j-0k1l2m3n4o5p \
     --control-set-id ControlSet \
     --control-id a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6 \
     --manual-evidence evidenceFileName=fileName.extension
- Audit Manager API
To upload a file from your browser (API)
1. Call the ListAssessments operation. In the response, find the assessment that you want to upload evidence to and take note of the assessment ID.
2. Call the GetAssessment operation and specify the assessmentId from step one. In the response, find the control set and the control that you want to upload evidence to, and take note of their IDs.
3. Call the GetEvidenceFileUploadUrl operation and specify the fileName that you want to upload. In the response, take note of the presigned URL and the evidenceFileName.
4. Use the presigned URL from step three to upload the file (an HTTP PUT request whose body is the file). This action uploads your file to Amazon S3, where it's saved as an object that can be attached to an assessment control. In the following step, you'll reference the newly created object by using the evidenceFileName parameter.
   Treat the presigned URL like a credential: anyone who obtains it can perform the upload until it expires, so don't log it or pass it outside the process that performs the upload.
   When you upload a file using a presigned URL, Audit Manager protects and stores your data by using server-side encryption with AWS Key Management Service (SSE-KMS). To support this, you must include the x-amz-server-side-encryption header, with the value aws:kms, in your request when you use the presigned URL to upload your file.
   If you're using a customer managed AWS KMS key in your Audit Manager Data encryption settings, make sure that you also include the x-amz-server-side-encryption-aws-kms-key-id header in your request, set to the ID or ARN of that key. If the x-amz-server-side-encryption-aws-kms-key-id header isn't present in the request, Amazon S3 assumes that you want to use the AWS managed key, and the object is not protected by your customer managed key. For more information, see Protecting data using server-side encryption with AWS Key Management Service keys (SSE-KMS) in the Amazon Simple Storage Service User Guide.
5. Call the BatchImportEvidenceToAssessmentControl operation with the following parameters:
   - assessmentId – Use the assessment ID from step one.
   - controlSetId – Use the control set ID from step two.
   - controlId – Use the control ID from step two.
   - manualEvidence – Use evidenceFileName as the manual evidence type and specify the evidence file name from step three.
For more information, choose any of the previous links to read more in the AWS Audit Manager API Reference. This includes information about how to use these operations and parameters in one of the language-specific AWS SDKs.
Follow these steps to enter a response to a risk assessment question and save your
response as manual evidence.
- AWS console
To enter a text response (console)
1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.
2. In the left navigation pane, choose Assessments, and then choose the name of your assessment to open it.
3. Choose the Controls tab, scroll down to Control sets, and then choose the name of a control to open it.
   From here, there are three ways to enter a text response:
   - (Option 1) In the blue notification banner, choose Enter response.
   - (Option 2) On the Evidence folders tab, choose Add manual evidence, and then choose Enter text response.
   - (Option 3) Choose an evidence folder to review a summary of that folder, choose Add manual evidence, and then choose Enter text response.
4. In the pop-up window that appears, enter your response in plain text format.
5. Choose Confirm.
- AWS CLI
In the following procedure, replace the placeholder text with your own information.
To enter a text response (CLI)
1. Run the list-assessments command.
   aws auditmanager list-assessments
   In the response, find the assessment that you want to upload evidence to and take note of the assessment ID.
2. Run the get-assessment command and specify the assessment ID from step one.
   aws auditmanager get-assessment --assessment-id 1a2b3c4d-5e6f-7g8h-9i0j-0k1l2m3n4o5p
   In the response, find the control set and control that you want to upload evidence to, and take note of their IDs.
3. Run the batch-import-evidence-to-assessment-control command with the following parameters:
   - --assessment-id – Use the assessment ID from step one.
   - --control-set-id – Use the control set ID from step two.
   - --control-id – Use the control ID from step two.
   - --manual-evidence – Use textResponse as the manual evidence type and enter the text that you want to save as manual evidence.
   aws auditmanager batch-import-evidence-to-assessment-control \
     --assessment-id 1a2b3c4d-5e6f-7g8h-9i0j-0k1l2m3n4o5p \
     --control-set-id ControlSet \
     --control-id a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6 \
     --manual-evidence textResponse="enter text here"
- Audit Manager API
To enter a text response (API)
1. Call the ListAssessments operation. In the response, find the assessment that you want to upload evidence to and take note of the assessment ID.
2. Call the GetAssessment operation and specify the assessmentId from step one. In the response, find the control set and control that you want to upload evidence to, and take note of their IDs.
3. Call the BatchImportEvidenceToAssessmentControl operation with the following parameters:
   - assessmentId – Use the assessment ID from step one.
   - controlSetId – Use the control set ID from step two.
   - controlId – Use the control ID from step two.
   - manualEvidence – Use textResponse as the manual evidence type and enter the text that you want to save as manual evidence.
For more information, choose any of the previous links to read more in the AWS Audit Manager API Reference. This includes information about how to use these operations and parameters in one of the language-specific AWS SDKs.
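The three procedures above (import from S3, upload through a presigned URL, text response) all end in the same BatchImportEvidenceToAssessmentControl call, and the checks a practitioner wants (supported extension, 100 MB limit, the 100-files-per-control daily quota, the inactive-control rule, the SSE-KMS headers, and the per-item errors the batch call returns instead of raising) are easy to forget when scripting it. The following is an added example and not code from this guide or from AWS; it uses boto3 (assumed installed, with credentials configured) for the live calls, treats 100 MB as 100 * 1024 * 1024 bytes, and compares extensions case-insensitively, all of which are assumptions rather than statements from the page. The extension set mirrors the table in the next section. The helper functions are pure and can be exercised offline; only add_manual_evidence() talks to AWS.

```python
"""Added example, not AWS's own code: add manual evidence to an Audit Manager
control with boto3, covering the three manual evidence types on this page
(s3ResourcePath, evidenceFileName via a presigned URL, textResponse).
Assumptions: boto3 + credentials for the live calls; 100 MB = 100*1024*1024
bytes; extension check is case-insensitive."""
import os
import urllib.request

try:
    import boto3            # only needed by add_manual_evidence()
except ImportError:         # the offline helpers still work without it
    boto3 = None

# Mirrors the "Supported file formats for manual evidence" table on this page.
SUPPORTED_EXTENSIONS = {
    ".gz", ".zip",
    ".doc", ".docx", ".pdf", ".ppt", ".pptx", ".xls", ".xlsx",
    ".jpeg", ".jpg", ".png", ".svg",
    ".cer", ".csv", ".html", ".jmx", ".json", ".md", ".out", ".rtf",
    ".txt", ".xml", ".yaml", ".yml",
}
MAX_FILE_BYTES = 100 * 1024 * 1024   # page says 100 MB (binary MB assumed)
DAILY_FILES_PER_CONTROL = 100        # per AWS account, per control, per day


def check_evidence_file(file_name, size_bytes):
    """Return the reasons an upload would be rejected (empty list = OK)."""
    problems = []
    ext = os.path.splitext(file_name)[1].lower()
    if ext not in SUPPORTED_EXTENSIONS:
        problems.append(f"unsupported file extension '{ext}'")
    if size_bytes > MAX_FILE_BYTES:
        problems.append(f"file is {size_bytes} bytes, limit is {MAX_FILE_BYTES}")
    return problems


def plan_daily_batches(file_names):
    """Split a large upload so no batch exceeds the per-control daily quota."""
    step = DAILY_FILES_PER_CONTROL
    return [file_names[i:i + step] for i in range(0, len(file_names), step)]


def find_control(get_assessment_response, control_name):
    """Return (controlSetId, controlId, status) from a GetAssessment response.
    Refuses INACTIVE controls up front: the service rejects evidence for them
    until the status is changed to UNDER_REVIEW or REVIEWED."""
    framework = get_assessment_response["assessment"]["framework"]
    for control_set in framework["controlSets"]:
        for control in control_set["controls"]:
            if control["name"] != control_name:
                continue
            if control["status"] == "INACTIVE":
                raise ValueError(f"control '{control_name}' is INACTIVE")
            return control_set["id"], control["id"], control["status"]
    raise KeyError(control_name)


def sse_headers(kms_key_id=None):
    """Headers for the PUT to the presigned URL from GetEvidenceFileUploadUrl.
    Without the key-id header S3 falls back to the AWS managed key, silently
    bypassing a customer managed key configured in Audit Manager settings."""
    headers = {"x-amz-server-side-encryption": "aws:kms"}
    if kms_key_id:
        headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
    return headers


def summarize_import_errors(batch_response):
    """BatchImportEvidenceToAssessmentControl reports per-item failures in its
    'errors' list rather than raising, so a caller must inspect it."""
    out = []
    for err in batch_response.get("errors", []):
        ev = err.get("manualEvidence", {})
        label = (ev.get("evidenceFileName") or ev.get("s3ResourcePath")
                 or ev.get("textResponse") or "?")
        out.append(f"{label}: {err.get('errorCode')} {err.get('errorMessage')}")
    return out


def put_presigned(url, data, headers):
    """PUT the file bytes to the presigned URL. Treat the URL as a secret:
    anyone holding it can perform this upload until it expires."""
    req = urllib.request.Request(url, data=data, method="PUT", headers=headers)
    with urllib.request.urlopen(req) as resp:    # raises on non-2xx
        return resp.status


def add_manual_evidence(assessment_id, control_set_id, control_id, evidence,
                        kms_key_id=None, client=None):
    """evidence is {'s3ResourcePath': uri}, {'textResponse': text} or
    {'file': local_path}; a local file goes through the presigned-URL flow.
    Returns the per-item error list (empty means the import succeeded)."""
    client = client or boto3.client("auditmanager")
    if "file" in evidence:
        path = evidence["file"]
        problems = check_evidence_file(os.path.basename(path), os.path.getsize(path))
        if problems:
            raise ValueError("; ".join(problems))
        grant = client.get_evidence_file_upload_url(fileName=os.path.basename(path))
        with open(path, "rb") as fh:
            put_presigned(grant["uploadUrl"], fh.read(), sse_headers(kms_key_id))
        evidence = {"evidenceFileName": grant["evidenceFileName"]}
    resp = client.batch_import_evidence_to_assessment_control(
        assessmentId=assessment_id, controlSetId=control_set_id,
        controlId=control_id, manualEvidence=[evidence])
    return summarize_import_errors(resp)
```

A typical call is add_manual_evidence(assessment_id, set_id, ctl_id, {"file": "orgchart.pdf"}, kms_key_id="arn:aws:kms:...") after looking up set_id and ctl_id with find_control() on the get_assessment() response; for more than 100 files against one control, feed plan_daily_batches() one batch per day. Checking the returned error list is the important part: a non-empty list means some evidence was silently not attached even though the API call itself returned 200.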
Supported file formats for manual evidence
The following table lists and describes the types of file that you can upload as manual evidence. For each file type, the table also lists the supported file extensions.

| File type | Description | Supported file extensions |
| --- | --- | --- |
| Compression or archive | GNU Zip compressed archives and ZIP compressed archives | .gz, .zip |
| Document | Common document files such as PDFs and Microsoft Office files | .doc, .docx, .pdf, .ppt, .pptx, .xls, .xlsx |
| Image | Image and graphic files | .jpeg, .jpg, .png, .svg |
| Text | Other non-binary text files, such as plain-text documents and markup language files | .cer, .csv, .html, .jmx, .json, .md, .out, .rtf, .txt, .xml, .yaml, .yml |