AWS Audit Manager


Last updated on November 30, 2025

AWS Audit Manager Cheat Sheet

  • AWS Audit Manager is a fully managed service that helps you continuously audit your AWS usage to simplify risk management and compliance with regulations and industry standards. It automates the collection of evidence to prove that your controls (policies, procedures, and activities) are operating effectively.

  • Automated Evidence Collection: Continually collects data from AWS services (such as CloudTrail, Config, and Security Hub) to validate compliance.

  • Audit-Ready Reports: Generates “assessment reports” (PDF/ZIP) that summarize evidence for auditors.

  • Framework Library: Provides prebuilt standard frameworks (PCI DSS, HIPAA, SOC 2, NIST, and Generative AI Best Practices) or allows you to build custom ones.

  • Data Integrity: All evidence is stored in an immutable, verifiably secure format (hashing/encryption) to ensure it hasn’t been tampered with.


Features

1. Evidence Finder

A search engine within Audit Manager that allows you to quickly query and filter evidence across multiple assessments.

  • Use Case: “Show me all failed compliance checks regarding S3 Buckets across all assessments in the last 90 days.”
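The query above, modelled offline as an added example (not Tutorials Dojo's or AWS's code): the records are constructed samples shaped like Audit Manager's Evidence object (dataSource, time, complianceCheck, resourcesIncluded[].arn), with an "assessment" field added for grouping; the "now" date is fixed so the 90-day window is reproducible.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real evidence). Each dict follows the shape of
# Audit Manager's Evidence object (dataSource, time, complianceCheck,
# resourcesIncluded[].arn); "assessment" is added so results can be grouped.
NOW = datetime(2025, 11, 30, tzinfo=timezone.utc)
SAMPLE_EVIDENCE = [
    {"assessment": "PCI Audit for Production Account", "dataSource": "AWS Config",
     "time": NOW - timedelta(days=3), "complianceCheck": "FAILED",
     "resourcesIncluded": [{"arn": "arn:aws:s3:::payments-logs"}]},
    {"assessment": "PCI Audit for Production Account", "dataSource": "AWS Config",
     "time": NOW - timedelta(days=3), "complianceCheck": "PASSED",
     "resourcesIncluded": [{"arn": "arn:aws:s3:::payments-archive"}]},
    {"assessment": "SOC 2 - Platform", "dataSource": "AWS Security Hub",
     "time": NOW - timedelta(days=40), "complianceCheck": "FAILED",
     "resourcesIncluded": [{"arn": "arn:aws:s3:::platform-public-assets"}]},
    {"assessment": "SOC 2 - Platform", "dataSource": "AWS Security Hub",
     "time": NOW - timedelta(days=120), "complianceCheck": "FAILED",   # older than 90 days
     "resourcesIncluded": [{"arn": "arn:aws:s3:::old-bucket"}]},
    {"assessment": "SOC 2 - Platform", "dataSource": "AWS Security Hub",
     "time": NOW - timedelta(days=1), "complianceCheck": "FAILED",     # not an S3 resource
     "resourcesIncluded": [{"arn": "arn:aws:iam::123456789012:user/alice"}]},
]


def failed_checks_for_service(evidence, service, days, now=NOW):
    """Return failed compliance-check evidence that touches `service` resources
    and was collected within the last `days`, grouped by assessment name."""
    cutoff = now - timedelta(days=days)
    prefix = f"arn:aws:{service}:"           # ARN service segment, e.g. arn:aws:s3:
    hits = {}
    for ev in evidence:
        if ev.get("complianceCheck") != "FAILED" or ev["time"] < cutoff:
            continue
        arns = [r["arn"] for r in ev.get("resourcesIncluded", [])
                if r["arn"].startswith(prefix)]
        if arns:
            hits.setdefault(ev["assessment"], []).extend(arns)
    return hits


if __name__ == "__main__":
    for assessment, arns in failed_checks_for_service(SAMPLE_EVIDENCE, "s3", 90).items():
        print(f"{assessment}: {arns}")
```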

2. Delegation Workflow

Audit Owners can delegate specific control sets to subject matter experts (SMEs).

  • Example: Assign the “Network Security” control set to a Network Engineer to review and validate the evidence.

3. GRC Integration & Exports

  • Export to GRC: Automatically send evidence to third-party Governance, Risk, and Compliance (GRC) tools like MetricStream.

  • Download Center: A centralized location to download completed assessment reports and evidence finder results.

4. Automated Data Sources

  • Audit Manager automatically pulls evidence from:
    • AWS CloudTrail: For user activity logs (e.g., “User A created an IAM user”).
    • AWS Config: For resource configuration snapshots (e.g., “S3 bucket encryption is ON”).
    • AWS Security Hub: For security findings and compliance checks.
    • AWS License Manager: For license usage audits.

Concepts

  • Understanding the relationship between these four components is essential for the exam:

    1. Framework: The blueprint for your audit. It groups related controls together (e.g., “PCI DSS v4.0 Framework”).

    2. Control: A specific rule or requirement (e.g., “MFA must be enabled for root”).

      • Standard Controls: Pre-defined by AWS.

      • Custom Controls: Created by you for specific internal needs.

      • Common Controls (New): A “write once, map many” feature. A single common control (e.g., “Identity Management”) can collect evidence for multiple frameworks (HIPAA, PCI, SOC 2) simultaneously, reducing duplication.

    3. Assessment: An active instance of a framework applied to a specific scope (e.g., “PCI Audit for Production Account”). When active, it continuously collects evidence.

    4. Evidence: The actual data collected.

      • Automated Evidence: Snapshots of resources, logs from CloudTrail, or findings from Security Hub.

      • Manual Evidence: Documents uploaded by users (e.g., org charts, training certificates, policy PDFs).

AWS Audit Manager Monitoring

  • Captures snapshots of your resource security posture from the resource configuration data reported by AWS Config.

  • Collects log data from AWS CloudTrail and converts the processed logs into evidence of user activity.

  • Audit Manager includes a License Manager framework to help you prepare for audits.

  • You can use the following services to help you prepare for your audit:

    • AWS License Manager framework

    • AWS Control Tower Guardrails framework

  • Using Amazon SNS, you can send a notification to a user when one of the following events occurs:

    • The audit owner delegates a control set for review.

    • The audit owner has finished reviewing a control set.

    • The delegate submits a control set that has been reviewed to the audit owner.

AWS Audit Manager Security

  • Uses AWS IAM service-linked roles to connect to data sources.

  • Data is encrypted using an AWS KMS key.

Use Cases

  • Audit Prep: Reducing the time it takes to gather evidence for a SOC 2 or ISO 27001 audit from weeks to days.

  • Continuous Compliance: Monitoring a production environment to ensure it doesn’t drift from HIPAA compliance after deployment.

  • Vendor Due Diligence: Using the Generative AI Best Practices framework to audit your own AI workloads before releasing them to customers.

How It Works: The Assessment Lifecycle

  1. Select Framework: Choose a prebuilt standard (e.g., SOC 2) or custom framework.

  2. Define Scope: Select the AWS accounts and services to audit.

  3. Active Assessment: Audit Manager begins collecting evidence automatically (daily/weekly).

  4. Review: Audit Owners or Delegates review the evidence and flag items as “Compliant” or “Non-Compliant.”

  5. Generate Report: Finalize the assessment report for external auditors.
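Steps 1 to 3 of the lifecycle expressed against the boto3 `auditmanager` client, as an added example (not Tutorials Dojo's or AWS's code): the account id, role ARN, bucket and framework name are constructed placeholders, and the helpers that build and validate the request run without AWS access so they can be checked before anything is submitted.

```python
# Placeholders (constructed, not real): account id, role ARN, bucket, framework name.
ACCOUNT_ID = "123456789012"
AUDIT_OWNER_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/AuditOwner"
REPORT_BUCKET = "example-audit-reports"
FRAMEWORK_NAME = "SOC 2"   # must match the name shown in the framework library exactly


def build_assessment_request(name, framework_id, account_ids, services, roles):
    """Step 2: return the keyword arguments for auditmanager.create_assessment().
    Basic sanity checks run locally before anything is sent to AWS."""
    if not account_ids:
        raise ValueError("scope must name at least one AWS account")
    if not any(r["roleType"] == "PROCESS_OWNER" for r in roles):
        raise ValueError("an audit owner (PROCESS_OWNER role) is needed to review and finalize")
    return {
        "name": name,
        "frameworkId": framework_id,
        "assessmentReportsDestination": {
            "destinationType": "S3",
            "destination": f"s3://{REPORT_BUCKET}/assessment-reports",
        },
        "scope": {
            "awsAccounts": [{"id": a} for a in account_ids],
            "awsServices": [{"serviceName": s} for s in services],
        },
        "roles": roles,
    }


def find_standard_framework(client, name):
    """Step 1: page through prebuilt (Standard) frameworks and return the id for `name`."""
    kwargs = {"frameworkType": "Standard"}
    while True:
        page = client.list_assessment_frameworks(**kwargs)
        for fw in page.get("frameworkMetadataList", []):
            if fw["name"] == name:
                return fw["id"]
        if not page.get("nextToken"):
            return None
        kwargs["nextToken"] = page["nextToken"]


if __name__ == "__main__":
    import boto3  # imported here so the helpers above stay usable without AWS access
    client = boto3.client("auditmanager")
    framework_id = find_standard_framework(client, FRAMEWORK_NAME)
    if framework_id is None:
        raise SystemExit(f"framework {FRAMEWORK_NAME!r} not found in the standard library")
    request = build_assessment_request(
        "SOC 2 Audit for Production Account", framework_id, [ACCOUNT_ID], ["s3", "iam"],
        [{"roleType": "PROCESS_OWNER", "roleArn": AUDIT_OWNER_ROLE}])
    # Step 3: once created, the assessment is active and evidence collection starts.
    print(client.create_assessment(**request)["assessment"]["metadata"]["id"])
```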

AWS Audit Manager Pricing

  • AWS Audit Manager pricing is based on usage, not a fixed monthly fee.

    • Metric: You are charged per Resource Assessment.

      • Definition: A resource assessment happens every time Audit Manager collects a piece of evidence for a resource (e.g., checking 1 S3 bucket against 1 control = 1 resource assessment).

    • Cost: Approximately $1.25 per 1,000 resource assessments.

    • Free Tier: First-time customers get 35,000 resource assessments per month free for the first 2 months.

    • Storage Costs: You also pay standard S3 rates for storing the assessment reports.

  • Exam Tip: If you enable a complex framework like NIST 800-53 on an account with thousands of resources, costs can scale quickly because every resource is checked against every relevant control daily.

AWS Audit Manager Cheat Sheet References:

https://aws.amazon.com/audit-manager/
https://docs.aws.amazon.com/audit-manager/latest/userguide/what-is.html


Written by: Admin User-1
