
AWS Audit Manager


Last updated on December 26, 2025

AWS Audit Manager Cheat Sheet

  • AWS Audit Manager is a fully managed service that helps you continuously audit your AWS usage to simplify risk management and compliance with regulations and industry standards. It automates the collection of evidence to prove that your controls (policies, procedures, and activities) are operating effectively.
  • Automated Evidence Collection: Continually collects data from AWS services (like CloudTrail, Config, and Security Hub) to validate compliance.
  • Audit-Ready Reports: Generates “assessment reports” (PDF/ZIP) that summarize evidence for auditors.
  • Framework Library: Provides prebuilt standard frameworks (PCI DSS, HIPAA, SOC 2, NIST, and Generative AI Best Practices) or allows you to build custom ones.
  • Data Integrity: All evidence is stored in an immutable, verifiably secure format (hashing/encryption) to ensure it hasn’t been tampered with.

Features

Evidence Finder

  • Search engine to quickly query and filter evidence across multiple assessments.
  • Enhancements: CSV export for evidence search results.
  • Use Case: “Show me all failed compliance checks regarding S3 Buckets across all assessments in the last 90 days.”
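What the use case above selects, written as a filter over evidence records. This is an added example, not code from the original page or from AWS. The field names (time, complianceCheck, resourcesIncluded) are modelled on Audit Manager evidence records; the failing status strings, assessment names, and sample records are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumption: strings that mark a failed check. Data sources word their
# results differently, so match these to what your own evidence contains.
FAILING = {"NON_COMPLIANT", "FAILED"}

def is_s3_arn(arn):
    """True when the ARN's service field is s3, in any partition."""
    parts = arn.split(":")
    return len(parts) > 2 and parts[0] == "arn" and parts[2] == "s3"

def failed_s3_checks(evidence_by_assessment, now, days=90):
    """Return sorted (assessment, evidence id, ARN) for failed S3 checks in the window."""
    cutoff = now - timedelta(days=days)
    hits = []
    for assessment, items in evidence_by_assessment.items():
        for ev in items:
            if ev["time"] < cutoff:
                continue  # older than the reporting window
            for res in ev.get("resourcesIncluded", []):
                # The result may sit on the resource or on the evidence item.
                status = res.get("complianceCheck") or ev.get("complianceCheck") or ""
                if status.upper() in FAILING and is_s3_arn(res.get("arn", "")):
                    hits.append((assessment, ev["id"], res["arn"]))
    return sorted(hits)

# Constructed sample records (not real evidence).
NOW = datetime(2025, 12, 26, tzinfo=timezone.utc)
SAMPLE = {
    "PCI-prod": [
        {"id": "ev-1", "time": NOW - timedelta(days=10), "resourcesIncluded": [
            {"arn": "arn:aws:s3:::example-logs", "complianceCheck": "NON_COMPLIANT"},
            {"arn": "arn:aws:iam::111122223333:user/example", "complianceCheck": "NON_COMPLIANT"}]},
        {"id": "ev-2", "time": NOW - timedelta(days=120), "resourcesIncluded": [
            {"arn": "arn:aws:s3:::example-old", "complianceCheck": "NON_COMPLIANT"}]},
    ],
    "SOC2-prod": [
        {"id": "ev-3", "time": NOW - timedelta(days=5), "complianceCheck": "FAILED",
         "resourcesIncluded": [{"arn": "arn:aws:s3:::example-data"}]},
        {"id": "ev-4", "time": NOW - timedelta(days=1), "resourcesIncluded": [
            {"arn": "arn:aws:s3:::example-ok", "complianceCheck": "COMPLIANT"}]},
    ],
}

if __name__ == "__main__":
    for hit in failed_s3_checks(SAMPLE, NOW):
        print(*hit)
```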

Delegation Workflow

  • Audit Owners can delegate specific control sets to subject matter experts (SMEs).
  • Example: Assign the “Network Security” control set to a Network Engineer to review and validate the evidence.
  • Enhancements: Supports risk assessment questions in custom controls. Manual evidence can be uploaded as files or text for each control.

GRC Integration & Exports

  • Export evidence automatically to third-party Governance, Risk, and Compliance (GRC) tools like MetricStream.
  • Download Center: Centralized location to download completed assessment reports and evidence finder results.
  • Enhancements: Supports consolidated AWS Security Hub CSPM findings.

Automated Data Sources

  • Audit Manager automatically pulls evidence from:
    • AWS CloudTrail: User activity logs (e.g., “User A created an IAM user”).
    • AWS Config: Resource configuration snapshots (e.g., “S3 bucket encryption is ON”).
    • AWS Security Hub: Security findings and compliance checks.
    • AWS License Manager: License usage audits.
  • Enhancements: Additional AWS API calls supported for custom control data sources. Supports paginated API calls.

Framework Library Updates

  • Prebuilt standard frameworks updated:
    • CCCS Medium Cloud Control
    • ISO/IEC 27001:2013 Annex A
    • PCI DSS V3.2.1 & V4.0
    • SSAE-18 SOC 2
    • AWS Well-Architected Framework v10
    • FedRAMP Security Baseline Controls r4
    • NIST SP 800-171 Rev 2
    • NIST-CSF v1.1
    • NIST-SP-800-53-r5
    • ACSC Essential Eight
    • ACSC ISM
    • CIS Controls v7.1 & v8.0, IG1
    • Australian Cyber Security Centre (ACSC) Information Security Manual
    • AWS Generative AI Best Practices frameworks v1 & v2
  • Enhancements: Custom frameworks now support common controls to reduce duplication of evidence collection.

Manual Evidence Enhancements

  • Custom control creation workflow supports risk assessment questions.
  • Manual evidence can be uploaded as files or text for each control.

Managed Policy Updates

  • AWSAuditManagerServiceRolePolicy and AWSAuditManagerAdministratorAccess policies updated for better permissions and API compatibility.

Event Monitoring & Automation

  • Integration with Amazon EventBridge for monitoring Audit Manager events.

Assessment Report Enhancements

  • Improved report format and contents for easier navigation and review.

Concepts

  • Understanding the relationship between these four components is essential for the exam:

    1. Framework: The blueprint for your audit. It groups related controls together (e.g., “PCI DSS v4.0 Framework”).
    2. Control: A specific rule or requirement (e.g., “MFA must be enabled for root”).
      • Standard Controls: Pre-defined by AWS.
      • Custom Controls: Created by you for specific internal needs.
      • Common Controls (New): A “write once, map many” feature. A single common control (e.g., “Identity Management”) can collect evidence for multiple frameworks (HIPAA, PCI, SOC 2) simultaneously, reducing duplication.
    3. Assessment: An active instance of a framework applied to a specific scope (e.g., “PCI Audit for Production Account”). When active, it continuously collects evidence.
    4. Evidence: The actual data collected.
      • Automated Evidence: Snapshots of resources, logs from CloudTrail, or findings from Security Hub.
      • Manual Evidence: Documents uploaded by users (e.g., org charts, training certificates, policy PDFs).

AWS Audit Manager Monitoring

  • You can capture snapshots of your resource security posture by reporting:
  • Collects log data from AWS CloudTrail and converts processed logs into evidence of user activity.
  • Audit Manager includes a License Manager framework to help you prepare for audits. 
  • You can use the following services to help you prepare for your audit:
    • AWS License Manager framework
    • AWS Control Tower Guardrails framework
  • Using Amazon SNS, you can send a notification to a user when one of the following events occurs:
    • The audit owner delegates a control set for review.
    • The audit owner has finished reviewing a control set.
    • The delegate submits a control set that has been reviewed to the audit owner.

AWS Audit Manager Security

  • Uses AWS IAM service-linked roles to connect to data sources.

  • Data is encrypted using an AWS KMS key.

Use Cases

  • Audit Prep: Reducing the time it takes to gather evidence for a SOC 2 or ISO 27001 audit from weeks to days.

  • Continuous Compliance: Monitoring a production environment to ensure it doesn’t drift from HIPAA compliance after deployment.

  • Vendor Due Diligence: Using the Generative AI Best Practices framework to audit your own AI workloads before releasing them to customers.

How It Works: The Assessment Lifecycle

    1. Select Framework: Choose a prebuilt standard (e.g., SOC 2) or custom framework.

    2. Define Scope: Select the AWS Accounts and Services to audit.

    3. Active Assessment: Audit Manager begins collecting evidence automatically (daily/weekly).

    4. Review: Audit Owners or Delegates review the evidence and flag items as “Compliant” or “Non-Compliant.”

    5. Generate Report: Finalize the assessment report for external auditors.

AWS Audit Manager Pricing

  • AWS Audit Manager pricing is based on usage, not a fixed monthly fee.

    • Metric: You are charged per Resource Assessment.
      • Definition: A resource assessment happens every time Audit Manager collects a piece of evidence for a resource (e.g., checking 1 S3 bucket against 1 control = 1 resource assessment).
    • Cost: Approximately $1.25 per 1,000 resource assessments.
    • Free Tier: First-time customers get 35,000 resource assessments per month free for the first 2 months.
    • Storage Costs: You also pay standard S3 rates for storing the assessment reports.

    Exam Tip: If you enable a complex framework like NIST 800-53 on an account with thousands of resources, costs can scale quickly because every resource is checked against every relevant control daily.
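A cost estimate that applies the figures above to a given scope, including the two-month free tier. This is an added example, not code from the original page or from AWS. It assumes a 30-day month and one check per resource per control per day, as the exam tip describes; the control names and resource counts are hypothetical.

```python
PRICE_PER_1000 = 1.25    # USD per 1,000 resource assessments (approximate, from this page)
FREE_PER_MONTH = 35_000  # free resource assessments per month (from this page)
FREE_MONTHS = 2          # the free tier covers the first 2 months

def monthly_assessments(resources_per_control, checks_per_day=1, days=30):
    """One resource checked against one control once = 1 resource assessment.

    resources_per_control maps a control to the number of in-scope
    resources it evaluates (hypothetical inputs you supply).
    """
    return sum(resources_per_control.values()) * checks_per_day * days

def estimate_costs(resources_per_control, months, first_time_customer=True):
    """Return the estimated Audit Manager charge in USD for each month."""
    per_month = monthly_assessments(resources_per_control)
    bills = []
    for month in range(1, months + 1):
        in_free_tier = first_time_customer and month <= FREE_MONTHS
        free = FREE_PER_MONTH if in_free_tier else 0
        billable = max(0, per_month - free)
        bills.append(round(billable * PRICE_PER_1000 / 1000, 2))
    return bills

# Hypothetical scopes: a small custom framework and a large one where
# 300 controls each evaluate 2,000 resources.
SMALL_SCOPE = {"s3-encryption": 40, "root-mfa": 25, "sg-open-ports": 60}
LARGE_SCOPE = {f"control-{i}": 2000 for i in range(300)}

if __name__ == "__main__":
    print("small:", estimate_costs(SMALL_SCOPE, months=3))
    print("large:", estimate_costs(LARGE_SCOPE, months=3))
```

S3 storage for assessment reports is billed separately and is not included in these figures.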

AWS Audit Manager Cheat Sheet References:

https://aws.amazon.com/audit-manager/
https://docs.aws.amazon.com/audit-manager/latest/userguide/what-is.html


Written by: Admin User-1
