
In the document AWS Audit Manager (pages 161-188)

When this control is active in an assessment, Audit Manager makes the API call based on the frequency that you specify, and assesses the results from the API call. The results are converted into Configuration data evidence.

3. (Optional) Under Troubleshooting description, make any necessary changes to the suggested actions.

4. To add another data source, choose Add data source at the bottom of the page.

5. To remove an unwanted data source, choose Remove at the top of the data source box.

6. Choose Next.

Step 3: (Optional) Edit an action plan

Next, review and edit the optional action plan.

To edit an action plan

1. Under Title, edit the title as needed.

2. Under Action plan instructions, edit the instructions as needed.

3. Choose Next.

Step 4: Review and update the control

Review the information for the control. To change the information for a step, choose Edit.

When you're finished, choose Save changes.

Note

After you edit a control, the changes take effect as follows in all active assessments that include the control:

• For controls with Configuration data from AWS API calls as the data source, changes take effect at 00:00 UTC the following day.

• For all other controls, changes take effect immediately.

Deleting a custom control

You can use the control library to delete an unwanted custom control. After you delete a control, it no longer appears in the control library. The control is also removed from any associated frameworks or assessments.

To delete a custom control

1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

2. In the navigation pane, choose Control library and then choose the Custom controls tab.

3. Select the control that you want to delete, and then choose Delete.

4. In the pop-up window that appears, choose Delete to confirm deletion.

Changing the evidence collection frequency for a control

AWS Audit Manager collects evidence from multiple data sources at varying frequencies. The supported evidence collection frequency depends on the type of evidence that is collected for the control.

• For Configuration snapshots from API calls, Audit Manager collects evidence using a describe API call to another AWS service. You can specify the evidence collection frequency directly in Audit Manager (for custom controls only).

• For Compliance checks for resource configurations from AWS Config, Audit Manager reports the result of a compliance check directly from AWS Config. The frequency follows the triggers that are defined in the AWS Config rule.

• For Compliance checks for security findings from AWS Security Hub, Audit Manager reports the result of a compliance check directly from Security Hub. The frequency follows the schedule of the Security Hub check.

• For User activity logs from AWS CloudTrail, Audit Manager collects evidence continuously from CloudTrail. You can’t change the frequency for this evidence type.

The following sections provide more information about the evidence collection frequency for each control data source, and how to change it (if applicable).

Topics

• Configuration snapshots from AWS API calls (p. 154)

• Compliance checks for resource configurations from AWS Config (p. 155)

• Compliance checks for security findings from Security Hub (p. 155)

• User activity logs from AWS CloudTrail (p. 156)

Configuration snapshots from AWS API calls

Note

The following applies only to custom controls. You can't change the evidence collection frequency for a standard control that uses API calls as a data source.

If a custom control uses API calls as a data source, you can change the evidence collection frequency in AWS Audit Manager by following these steps.

To change the evidence collection frequency for a custom control with an API call data source

1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

2. In the navigation pane, choose Control library, and then choose the Custom controls tab.

3. Choose the custom control that you want to edit, and then choose Edit.

4. On the Edit control details page, choose Next.

5. Find the data source box that you want to edit. In the data source box, ensure that you selected Automated evidence and Configuration snapshots from AWS API calls, and verify that the name of the API call is the one that you want to change the frequency for.

6. Under Custom control frequency, choose how often you want to collect evidence for the custom control.

7. Repeat steps 5-6 as needed for any additional API call data sources that you want to edit.

8. Choose Next.

9. On the Edit an action plan page, choose Next.

10. On the Review and update the control page, review the information for the custom control. To change the information for a step, choose Edit.

11. When you're finished, choose Save changes.

After you edit a control with Configuration data from AWS API calls as the data source, the changes take effect at 00:00 UTC the following day in all active assessments that include the control.
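The console steps above have an API equivalent: the frequency of an API-call data source is the sourceFrequency field of the control's mapping source, which you read back with GetControl and write with UpdateControl. The following is an added example (not AWS's own code) that makes that change with boto3. It assumes the caller has auditmanager:GetControl and auditmanager:UpdateControl permissions; the control id and source ids are placeholders, and the sample control is constructed. The pure function is separated from the API calls so the change can be checked offline before anything is written.

```python
"""Change the evidence collection frequency of a custom control's
AWS_API_Call data source through the Audit Manager API (boto3).

Added example, not AWS code. Field names follow the Audit Manager
GetControl/UpdateControl API; SAMPLE_CONTROL is constructed.
"""
import copy

# Frequencies Audit Manager accepts for an API-call data source.
SUPPORTED_FREQUENCIES = ("DAILY", "WEEKLY", "MONTHLY")


def set_api_call_frequency(control, api_name, frequency):
    """Return a copy of the control's mapping sources with the frequency
    of the AWS_API_Call source for `api_name` changed.

    `control` is the dict under the "control" key of a GetControl response.
    Raises ValueError for an unsupported frequency or a missing source, so a
    typo cannot silently leave the old frequency in place.
    """
    if frequency not in SUPPORTED_FREQUENCIES:
        raise ValueError(f"unsupported frequency {frequency!r}")
    sources = copy.deepcopy(control["controlMappingSources"])
    matched = 0
    for src in sources:
        if (src.get("sourceType") == "AWS_API_Call"
                and src.get("sourceKeyword", {}).get("keywordValue") == api_name):
            src["sourceFrequency"] = frequency
            matched += 1
    if matched == 0:
        raise ValueError(f"control has no AWS_API_Call source for {api_name}")
    return sources


def update_control_frequency(client, control_id, api_name, frequency):
    """Read the control, change one source's frequency, and write it back.

    UpdateControl requires name and controlMappingSources; the optional text
    fields are sent back unchanged so they are not blanked. As the text above
    says, the new frequency takes effect at 00:00 UTC the following day in
    active assessments.
    """
    control = client.get_control(controlId=control_id)["control"]
    sources = set_api_call_frequency(control, api_name, frequency)
    kwargs = {"controlId": control_id, "name": control["name"],
              "controlMappingSources": sources}
    for key in ("description", "testingInformation",
                "actionPlanTitle", "actionPlanInstructions"):
        if control.get(key):
            kwargs[key] = control[key]
    return client.update_control(**kwargs)["control"]


# Constructed sample of a custom control with two data sources. The AWS_Config
# source has no sourceFrequency: its frequency follows the Config rule.
SAMPLE_CONTROL = {
    "name": "Route tables reviewed",
    "controlMappingSources": [
        {
            "sourceId": "00000000-0000-0000-0000-000000000001",  # placeholder
            "sourceName": "Route table snapshot",
            "sourceSetUpOption": "System_Controls_Mapping",
            "sourceType": "AWS_API_Call",
            "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                              "keywordValue": "ec2_DescribeRouteTables"},
            "sourceFrequency": "MONTHLY",
        },
        {
            "sourceId": "00000000-0000-0000-0000-000000000002",  # placeholder
            "sourceName": "Access key rotation",
            "sourceSetUpOption": "System_Controls_Mapping",
            "sourceType": "AWS_Config",
            "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                              "keywordValue": "ACCESS_KEYS_ROTATED"},
        },
    ],
}

if __name__ == "__main__":
    # Offline demonstration on the constructed sample. Against a real account:
    #   import boto3
    #   update_control_frequency(boto3.client("auditmanager"),
    #                            "<control-id>", "ec2_DescribeRouteTables", "DAILY")
    for src in set_api_call_frequency(SAMPLE_CONTROL, "ec2_DescribeRouteTables", "DAILY"):
        print(src["sourceType"], src.get("sourceFrequency"))
```

The AWS_Config source is deliberately left without a frequency: as the next section explains, Audit Manager cannot set one for it.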

Compliance checks for resource configurations from AWS Config

Note

The following applies to both standard controls and custom controls that use AWS Config Rules as a data source.

If a control uses AWS Config as a data source, you can’t change the evidence collection frequency directly in AWS Audit Manager. This is because the frequency follows the triggers that are defined in the AWS Config rule.

There are two types of triggers for AWS Config Rules:

1. Configuration changes - AWS Config runs evaluations for the rule when certain types of resources are created, changed, or deleted.

2. Periodic - AWS Config runs evaluations for the rule at a frequency that you choose (for example, every 24 hours).

To learn more about the triggers for AWS Config Rules, see Trigger types in the AWS Config Developer Guide.

For instructions on how to manage AWS Config Rules, see Managing your AWS Config rules.
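Because the frequency lives in the Config rule, changing it means changing the rule. The following added example (not AWS code) builds PutConfigRule request bodies for the two trigger types described above, using managed rules from the supported list, and classifies rules from a DescribeConfigRules response. The trigger_types heuristic is an assumption for illustration; the authoritative trigger type of a managed rule is stated in its AWS Config documentation.

```python
"""Where the evidence frequency for an AWS Config data source is set:
in the Config rule's trigger, not in Audit Manager.

Added example, not AWS code. Request shapes follow the AWS Config
PutConfigRule / DescribeConfigRules APIs.
"""
import json

# Values AWS Config accepts for MaximumExecutionFrequency.
PERIODIC_FREQUENCIES = ("One_Hour", "Three_Hours", "Six_Hours",
                        "Twelve_Hours", "TwentyFour_Hours")
CHANGE_MESSAGE_TYPES = ("ConfigurationItemChangeNotification",
                        "OversizedConfigurationItemChangeNotification")


def periodic_managed_rule(name, source_identifier, frequency, parameters=None):
    """Request body for a periodic managed rule: evaluations run on a schedule.

    The frequency is validated up front so a misspelt value is caught before
    the API rejects it (or, worse, a rule is created that never evaluates)."""
    if frequency not in PERIODIC_FREQUENCIES:
        raise ValueError(f"{frequency!r} is not a valid MaximumExecutionFrequency")
    rule = {
        "ConfigRuleName": name,
        "Source": {"Owner": "AWS", "SourceIdentifier": source_identifier},
        "MaximumExecutionFrequency": frequency,
    }
    if parameters:
        # AWS Config expects InputParameters as a JSON-encoded string.
        rule["InputParameters"] = json.dumps(parameters)
    return {"ConfigRule": rule}


def change_triggered_managed_rule(name, source_identifier, resource_types):
    """Request body for a change-triggered managed rule: evaluations run when
    a resource of one of the listed types is created, changed, or deleted."""
    return {"ConfigRule": {
        "ConfigRuleName": name,
        "Source": {"Owner": "AWS", "SourceIdentifier": source_identifier},
        "Scope": {"ComplianceResourceTypes": list(resource_types)},
    }}


def trigger_types(rule):
    """Heuristic classification of a rule from DescribeConfigRules output.

    Returns a set containing 'periodic' and/or 'configuration_changes'. A rule
    may have both triggers; an empty set means the evidence cadence cannot be
    read from the rule definition alone."""
    kinds = set()
    if rule.get("MaximumExecutionFrequency"):
        kinds.add("periodic")
    for detail in rule.get("Source", {}).get("SourceDetails", []):
        msg = detail.get("MessageType", "")
        if msg in CHANGE_MESSAGE_TYPES:
            kinds.add("configuration_changes")
        elif msg == "ScheduledNotification":
            kinds.add("periodic")
    if rule.get("Scope", {}).get("ComplianceResourceTypes"):
        kinds.add("configuration_changes")
    return kinds


if __name__ == "__main__":
    # With a real client: boto3.client("config").put_config_rule(**body)
    daily = periodic_managed_rule("access-keys-rotated", "ACCESS_KEYS_ROTATED",
                                  "TwentyFour_Hours", {"maxAccessKeyAge": "90"})
    on_change = change_triggered_managed_rule("s3-no-public-read",
                                              "S3_BUCKET_PUBLIC_READ_PROHIBITED",
                                              ["AWS::S3::Bucket"])
    for body in (daily, on_change):
        print(body["ConfigRule"]["ConfigRuleName"], sorted(trigger_types(body["ConfigRule"])))
```

For an assessment this matters in practice: a periodic rule at TwentyFour_Hours yields at most one compliance result per day per resource, so evidence for a control mapped to it cannot be fresher than that no matter what the Audit Manager console shows.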

Compliance checks for security findings from Security Hub

Note

The following applies to both standard controls and custom controls that use Security Hub checks as a data source.

If a control uses Security Hub as a data source, you can’t change the evidence collection frequency directly in AWS Audit Manager. This is because the frequency follows the schedule of the Security Hub checks.

Periodic checks run automatically within 12 hours after the most recent run. You cannot change the periodicity.

Change-triggered checks run when the associated resource changes state. Even if the resource doesn't change state, the updated at time for change-triggered checks is refreshed every 18 hours. This helps to indicate that the control is still enabled. In general, Security Hub uses change-triggered rules whenever possible.

To learn more, see Schedule for running security checks in the AWS Security Hub User Guide.

User activity logs from AWS CloudTrail

Note

The following applies to both standard controls and custom controls that use AWS CloudTrail user activity logs as a data source.

You can’t change the evidence collection frequency for controls that use activity logs from CloudTrail as a data source. AWS Audit Manager collects this evidence type from CloudTrail in a continuous manner.

The frequency is continuous because user activity can happen at any time of the day.

Supported control data sources for automated evidence

When you configure a custom control in AWS Audit Manager, you can choose to collect automated evidence for that control. You can select one of the following four types of control data sources for automated evidence:

• User activity logs from AWS CloudTrail

• Compliance checks for security findings from AWS Security Hub

• Compliance checks for findings from AWS Config

• Configuration data from AWS API calls

The following topics list the AWS Security Hub controls, AWS Config rules, and AWS API calls that are supported by AWS Audit Manager.

Topics

• AWS Config Rules supported by AWS Audit Manager (p. 156)

• AWS Security Hub controls supported by AWS Audit Manager (p. 161)

• API calls supported by AWS Audit Manager (p. 162)

• AWS CloudTrail event names supported by AWS Audit Manager (p. 163)

AWS Config Rules supported by AWS Audit Manager

Audit Manager enables you to report the results of compliance checks directly from AWS Config. To do this, you specify an AWS Config rule when you configure a custom control in Audit Manager.

AWS Config

The following AWS Config Rules are supported by AWS Audit Manager. Custom AWS Config rules are not yet supported. For more information about any of the rules listed below, choose an item from the list or see AWS Config Managed Rules in the AWS Config User Guide.

Supported AWS Config Rules

• IAM_INLINE_POLICY_BLOCKED_KMS_ACTIONS

• IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS

• ACCESS_KEYS_ROTATED

• ACCOUNT_PART_OF_ORGANIZATIONS

• ACM_CERTIFICATE_EXPIRATION_CHECK

• ALB_HTTP_DROP_INVALID_HEADER_ENABLED

• ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK

• ALB_WAF_ENABLED

• API_GW_CACHE_ENABLED_AND_ENCRYPTED

• API_GW_ENDPOINT_TYPE_CHECK

• API_GW_EXECUTION_LOGGING_ENABLED

• APPROVED_AMIS_BY_ID

• APPROVED_AMIS_BY_TAG

• AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED

• CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK

• CLOUDFORMATION_STACK_NOTIFICATION_CHECK

• CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED

• CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED

• CLOUDFRONT_ORIGIN_FAILOVER_ENABLED

• CLOUDFRONT_SNI_ENABLED

• CLOUDFRONT_VIEWER_POLICY_HTTPS

• CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED

• CLOUD_TRAIL_ENABLED

• CLOUD_TRAIL_ENCRYPTION_ENABLED

• CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED

• CLOUDTRAIL_S3_DATAEVENTS_ENABLED

• CLOUDTRAIL_SECURITY_TRAIL_ENABLED

• CLOUDWATCH_ALARM_ACTION_CHECK

• CLOUDWATCH_ALARM_RESOURCE_CHECK

• CLOUDWATCH_ALARM_SETTINGS_CHECK

• CLOUDWATCH_LOG_GROUP_ENCRYPTED

• CMK_BACKING_KEY_ROTATION_ENABLED

• CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK

• CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK

• CODEPIPELINE_DEPLOYMENT_COUNT_CHECK

• CODEPIPELINE_REGION_FANOUT_CHECK

• CW_LOGGROUP_RETENTION_PERIOD_CHECK

• DAX_ENCRYPTION_ENABLED

• DB_INSTANCE_BACKUP_ENABLED

• DESIRED_INSTANCE_TENANCY

• DESIRED_INSTANCE_TYPE

• DMS_REPLICATION_NOT_PUBLIC

• DYNAMODB_AUTOSCALING_ENABLED

• DYNAMODB_IN_BACKUP_PLAN

• DYNAMODB_PITR_ENABLED

• DYNAMODB_TABLE_ENCRYPTED_KMS

• DYNAMODB_TABLE_ENCRYPTION_ENABLED

• DYNAMODB_THROUGHPUT_LIMIT_CHECK

• EBS_IN_BACKUP_PLAN

• EFS_IN_BACKUP_PLAN

• EC2_EBS_ENCRYPTION_BY_DEFAULT

• EBS_OPTIMIZED_INSTANCE

• EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK

• EC2_INSTANCE_DETAILED_MONITORING_ENABLED

• EC2_INSTANCE_MANAGED_BY_SSM

• EC2_INSTANCE_NO_PUBLIC_IP

• INSTANCES_IN_VPC

• EC2_MANAGEDINSTANCE_APPLICATIONS_BLACKLISTED

• EC2_MANAGEDINSTANCE_APPLICATIONS_REQUIRED

• EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK

• EC2_MANAGEDINSTANCE_INVENTORY_BLACKLISTED

• EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK

• EC2_MANAGEDINSTANCE_PLATFORM_CHECK

• EC2_SECURITY_GROUP_ATTACHED_TO_ENI

• EC2_STOPPED_INSTANCE

• EC2_VOLUME_INUSE_CHECK

• EFS_ENCRYPTED_CHECK

• EIP_ATTACHED

• ELASTICSEARCH_ENCRYPTED_AT_REST

• ELASTICSEARCH_IN_VPC_ONLY

• ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK

• EC2_IMDSV2_CHECK

• EKS_ENDPOINT_NO_PUBLIC_ACCESS

• EKS_SECRETS_ENCRYPTED

• ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK

• ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED

• ELB_TLS_HTTPS_LISTENERS_ONLY

• ELB_ACM_CERTIFICATE_REQUIRED

• ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK

• ELB_DELETION_PROTECTION_ENABLED

• ELB_LOGGING_ENABLED

• ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK

• EMR_KERBEROS_ENABLED

• EMR_MASTER_NO_PUBLIC_IP

• ENCRYPTED_VOLUMES

• FMS_SECURITY_GROUP_AUDIT_POLICY_CHECK

• FMS_SECURITY_GROUP_CONTENT_CHECK

• FMS_SECURITY_GROUP_RESOURCE_ASSOCIATION_CHECK

• FMS_SHIELD_RESOURCE_POLICY_CHECK

• FMS_WEBACL_RESOURCE_POLICY_CHECK

• FMS_WEBACL_RULEGROUP_ASSOCIATION_CHECK

• GUARDDUTY_ENABLED_CENTRALIZED

• GUARDDUTY_NON_ARCHIVED_FINDINGS

• IAM_NO_INLINE_POLICY_CHECK

• IAM_GROUP_HAS_USERS_CHECK

• IAM_PASSWORD_POLICY

• IAM_POLICY_BLACKLISTED_CHECK

• IAM_POLICY_IN_USE

• IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS

• IAM_ROLE_MANAGED_POLICY_CHECK

• IAM_ROOT_ACCESS_KEY_CHECK

• IAM_USER_GROUP_MEMBERSHIP_CHECK

• IAM_USER_MFA_ENABLED

• IAM_USER_NO_POLICIES_CHECK

• IAM_USER_UNUSED_CREDENTIALS_CHECK

• INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY

• KMS_CMK_NOT_SCHEDULED_FOR_DELETION

• LAMBDA_CONCURRENCY_CHECK

• LAMBDA_DLQ_CHECK

• LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED

• LAMBDA_FUNCTION_SETTINGS_CHECK

• LAMBDA_INSIDE_VPC

• MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS

• MULTI_REGION_CLOUD_TRAIL_ENABLED

• RDS_CLUSTER_DELETION_PROTECTION_ENABLED

• RDS_INSTANCE_DELETION_PROTECTION_ENABLED

• RDS_INSTANCE_IAM_AUTHENTICATION_ENABLED

• RDS_LOGGING_ENABLED

• REDSHIFT_BACKUP_ENABLED

• RDS_IN_BACKUP_PLAN

• RDS_SNAPSHOT_ENCRYPTED

• REDSHIFT_REQUIRE_TLS_SSL

• RDS_ENHANCED_MONITORING_ENABLED

• RDS_INSTANCE_PUBLIC_ACCESS_CHECK

• RDS_MULTI_AZ_SUPPORT

• RDS_SNAPSHOTS_PUBLIC_PROHIBITED

• RDS_STORAGE_ENCRYPTED

• REDSHIFT_CLUSTER_CONFIGURATION_CHECK

• REDSHIFT_CLUSTER_MAINTENANCESETTINGS_CHECK

• REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK

• REQUIRED_TAGS

• RESTRICTED_INCOMING_TRAFFIC

• INCOMING_SSH_DISABLED

• ROOT_ACCOUNT_HARDWARE_MFA_ENABLED

• ROOT_ACCOUNT_MFA_ENABLED

• S3_BUCKET_DEFAULT_LOCK_ENABLED

• S3_DEFAULT_ENCRYPTION_KMS

• SECURITYHUB_ENABLED

• SNS_ENCRYPTED_KMS

• S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS

• S3_BUCKET_BLACKLISTED_ACTIONS_PROHIBITED

• S3_BUCKET_POLICY_NOT_MORE_PERMISSIVE

• S3_BUCKET_LOGGING_ENABLED

• S3_BUCKET_POLICY_GRANTEE_CHECK

• S3_BUCKET_PUBLIC_READ_PROHIBITED

• S3_BUCKET_PUBLIC_WRITE_PROHIBITED

• S3_BUCKET_REPLICATION_ENABLED

• S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED

• S3_BUCKET_SSL_REQUESTS_ONLY

• S3_BUCKET_VERSIONING_ENABLED

• SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED

• SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED

• SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS

• SECRETSMANAGER_ROTATION_ENABLED_CHECK

• SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK

• SERVICE_VPC_ENDPOINT_ENABLED

• SHIELD_ADVANCED_ENABLED_AUTORENEW

• SHIELD_DRT_ACCESS

• VPC_DEFAULT_SECURITY_GROUP_CLOSED

• VPC_FLOW_LOGS_ENABLED

• VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS

• VPC_VPN_2_TUNNELS_UP

• WAF_CLASSIC_LOGGING_ENABLED

• WAFV2_LOGGING_ENABLED

AWS Security Hub controls supported by AWS Audit Manager

Audit Manager enables you to report the results of compliance checks directly from Security Hub. To do this, you specify a Security Hub control when you configure a custom control in Audit Manager.

The following Security Hub controls are supported by Audit Manager.

For more information about any of the following Security Hub controls, choose an item in the table or see Security standards and controls in AWS Security Hub in the AWS Security Hub User Guide.

The original page presents the supported controls as a three-column table with the columns CIS Foundation Benchmark, PCI DSS, and AWS Foundational Security Best Practices. Only two entries survive in this extract, 1.1 and 3.6, both appearing under the CIS Foundation Benchmark column.

API calls supported by AWS Audit Manager

AWS Audit Manager makes API calls to AWS services to collect a snapshot of the configuration details for your AWS resources. You can specify these API calls when you configure a control in Audit Manager.

For every resource that's in the scope of an API call, AWS Audit Manager captures a configuration snapshot and converts it into evidence. This results in one piece of evidence per resource, as opposed to one piece of evidence per API call.

For example, if you run an ec2_DescribeRouteTables API call that captures configuration snapshots from five route tables, then you'll get five pieces of evidence in total for the API call. Each piece of evidence is a snapshot of the configuration of an individual route table.
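The route-table example above, carried through as an added example (not Audit Manager's own code): a paginated ec2_DescribeRouteTables response is turned into one configuration snapshot per route table. The response pages, route table ids and VPC ids are constructed. Two points the paragraph does not show are built in: describe calls are paginated, so a collector that stops at the first page silently loses resources (and the evidence for them), and each snapshot is hashed in canonical form so two collections of the same configuration can be compared. The has_internet_route check is an assumption added to illustrate "assessing the results" of the call.

```python
"""One piece of evidence per resource, not per API call.

Added example, not Audit Manager code. SAMPLE_PAGES is a constructed
two-page DescribeRouteTables response holding five route tables.
"""
import hashlib
import json


def iterate_route_tables(response_pages):
    """Yield every RouteTable across all pages of a DescribeRouteTables call.

    Real clients follow NextToken until it is absent; here the pages are
    already collected. Stopping after page one would drop two of the five
    route tables below and, with them, their evidence."""
    for page in response_pages:
        yield from page.get("RouteTables", [])


def has_internet_route(route_table):
    """Assumed assessment check: does a default route point at an internet
    gateway? A practitioner would expect this to be visible in the evidence."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               for r in route_table.get("Routes", []))


def snapshot_evidence(api_name, response_pages):
    """Build one evidence record per resource returned by the API call."""
    evidence = []
    for rt in iterate_route_tables(response_pages):
        # Canonical JSON so the hash is stable across key ordering.
        canonical = json.dumps(rt, sort_keys=True, separators=(",", ":"))
        evidence.append({
            "dataSource": api_name,
            "resourceId": rt["RouteTableId"],
            "configuration": rt,
            "snapshotSha256": hashlib.sha256(canonical.encode()).hexdigest(),
            "internetFacing": has_internet_route(rt),
        })
    return evidence


# Constructed sample: five route tables over two pages; page one carries a
# NextToken exactly as a real paginated response would.
SAMPLE_PAGES = [
    {"RouteTables": [
        {"RouteTableId": f"rtb-0000000000000000{i}", "VpcId": "vpc-00000000000000001",
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}
        for i in range(1, 4)],
     "NextToken": "constructed-page-2-token"},
    {"RouteTables": [
        {"RouteTableId": f"rtb-0000000000000000{i}", "VpcId": "vpc-00000000000000002",
         "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-00000000000000001"}]}
        for i in range(4, 6)]},
]

if __name__ == "__main__":
    for item in snapshot_evidence("ec2_DescribeRouteTables", SAMPLE_PAGES):
        print(item["resourceId"], item["internetFacing"], item["snapshotSha256"][:16])
```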

The following API calls are supported in Audit Manager.

Supported API calls to AWS services

• iam_GenerateCredentialReport

• ec2_DescribeInstances

• ec2_DescribeFlowLogs

• ec2_DescribeVpcs

• ec2_DescribeSecurityGroups

• ec2_DescribeNetworkAcls

• ec2_DescribeRouteTables

• ec2_DescribeVpcEndpoints

• cloudtrail_DescribeTrails

• config_DescribeDeliveryChannels

• config_DescribeConfigRules

• kms_ListKeys

• cloudwatch_DescribeAlarms

• elasticfilesystem_DescribeFileSystems

AWS License Manager APIs

In the AWS License Manager standard framework, Audit Manager uses a custom activity called GetLicenseManagerSummary to collect evidence. This activity calls the following three License Manager APIs:

• ListLicenseConfigurations

• ListAssociationsForLicenseConfiguration

• ListUsageForLicenseConfiguration

The data that’s returned is then converted into evidence and attached to the relevant controls in your assessment.

For example: Let's say that you use two licensed products (SQL Server 2017 and Oracle Database Enterprise Edition). First, the GetLicenseManagerSummary activity calls the ListLicenseConfigurations API, which provides details of license configurations in your account. Next, it adds additional contextual data for each license configuration by calling ListUsageForLicenseConfiguration and ListAssociationsForLicenseConfiguration. Finally, it converts the license configuration data into evidence and attaches it to the respective controls in the framework (4.5 - Customer managed license for SQL Server 2017 and 3.0.4 - Customer managed license for Oracle Database Enterprise Edition).

If you’re using a licensed product that isn’t covered by any of the controls in the framework, that license configuration data is attached as evidence to the following control: 5.0 - Customer managed license for other licenses.

AWS CloudTrail event names supported by AWS Audit Manager

You can capture AWS CloudTrail events as evidence in AWS Audit Manager by specifying a CloudTrail event name when you configure a control.

The following CloudTrail events are not supported by AWS Audit Manager:

• kms_GenerateDataKey

• kms_Decrypt

• sts_AssumeRole

For more information about CloudTrail events, see Viewing Events with CloudTrail Event History in the AWS CloudTrail User Guide.

AWS Audit Manager settings

You can review and configure your AWS Audit Manager settings at any time.

To access settings

1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

2. In the left navigation pane, choose Settings.

3. Review and update your settings as needed, and then choose Save.

The following settings are available:

• Permissions (p. 165)

• Data encryption (p. 165)

• Default audit owners (optional) (p. 166)

• Assessment report destination (optional) (p. 166)

• Notifications (optional) (p. 167)

• Delegated administrator (optional) (p. 167)

• AWS Config (optional) (p. 168)

• Security Hub (optional) (p. 169)

• Disable AWS Audit Manager (p. 169)

Permissions

AWS Audit Manager uses a service-linked role to connect to data sources on your behalf. For more details, see Using service-linked roles for AWS Audit Manager (p. 220).

To review the details of the service-linked role that Audit Manager uses, choose View IAM service-linked role permission.

For more information about service-linked roles, see Using service-linked roles in the IAM User Guide.

Data encryption

AWS Audit Manager automatically creates a unique AWS managed key. By default, your data is encrypted with this KMS key, which AWS owns and manages on your behalf. Alternatively, you can specify a symmetric customer managed key that you created as the default key for Audit Manager encryption. Using your own KMS key gives you more flexibility, including the ability to create, rotate, and disable keys, and lets you customize your encryption settings.

You can review and change your encryption settings as follows.

• To use the default KMS key that's provided by AWS Audit Manager, clear Customize encryption settings (advanced).

• To use a customer managed key, select Customize encryption settings (advanced). You can then choose an existing KMS key, or create one.

Important

To generate assessment reports successfully, your customer managed key (if you provide one) must be in the same AWS Region as your assessment. For a list of AWS Audit Manager Regions, see AWS Audit Manager endpoints and quotas in the Amazon Web Services General Reference.

Note

When you change your Audit Manager data encryption settings, these changes apply to the new assessments that you create moving forward. This includes any assessment reports that you create from your new assessments.

The changes don't apply to existing assessments that you created before you changed your encryption settings. This includes new assessment reports that you create from existing assessments, in addition to existing assessment reports. Existing assessments—and all their assessment reports—continue to use the old KMS key.

If the IAM identity that’s generating the assessment report doesn’t have permissions to use the old KMS key, you can grant permissions at the key policy level. For instructions, see Allowing users in other accounts to use a KMS key in the AWS Key Management Service Developer Guide.

For instructions on how to create keys, see Creating keys in the AWS Key Management Service User Guide.
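Two checks worth automating before switching a customer managed key, as an added example (not AWS code): the Important note above requires the key to be in the same Region as the assessment, and the paragraph on existing assessments means the IAM identity that generates reports still needs use of the old key. The first function reads the Region out of a KMS key or alias ARN; the second appends a key-policy statement granting an identity use of the key. The action set in KEY_USE_ACTIONS is the usual encrypt/decrypt set and is an assumption, not something the page specifies; account ids, key ids and role names are placeholders, and the sample policy is constructed.

```python
"""Checks around the Audit Manager data encryption setting.

Added example, not AWS code. The policy document shape follows the KMS
key policy format; sample ARNs and ids are placeholders.
"""
import copy
import re

# Key or alias ARN: arn:<partition>:kms:<region>:<account>:key/<id> | alias/<name>
KMS_ARN = re.compile(r"^arn:(aws[\w-]*):kms:([a-z0-9-]+):(\d{12}):(key|alias)/(.+)$")

# Assumed set of actions an identity needs to use a key for reports.
KEY_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]


def key_region(kms_arn):
    """Region embedded in a KMS key or alias ARN; ValueError otherwise."""
    match = KMS_ARN.match(kms_arn)
    if not match:
        raise ValueError(f"not a KMS key or alias ARN: {kms_arn!r}")
    return match.group(2)


def key_in_assessment_region(kms_arn, assessment_region):
    """True when the key and the assessment share a Region, which the text
    above states is required for assessment reports to generate."""
    return key_region(kms_arn) == assessment_region


def allow_key_use(policy, principal_arn, sid="AllowAssessmentReportKeyUse"):
    """Return a copy of a key policy with a statement letting `principal_arn`
    use the key. The input is not mutated, and a duplicate Sid is refused so
    a re-run cannot pile up identical grants."""
    new_policy = copy.deepcopy(policy)
    statements = new_policy.setdefault("Statement", [])
    if any(s.get("Sid") == sid for s in statements):
        raise ValueError(f"statement {sid!r} already present")
    statements.append({
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": list(KEY_USE_ACTIONS),
        "Resource": "*",  # in a key policy, Resource is always the key itself
    })
    return new_policy


# Constructed key policy with only the default root-delegation statement.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder account
        "Action": "kms:*",
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    key = "arn:aws:kms:us-east-1:111111111111:key/11111111-2222-3333-4444-555555555555"  # placeholder
    print("same region:", key_in_assessment_region(key, "us-east-1"))
    updated = allow_key_use(SAMPLE_POLICY, "arn:aws:iam::111111111111:role/AssessmentReportRole")
    # With a real client: boto3.client("kms").put_key_policy(KeyId=key, PolicyName="default", Policy=json.dumps(updated))
    print(len(updated["Statement"]), "statements")
```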

Default audit owners (optional)

You can specify the default audit owners who have primary access to your assessments in AWS Audit
