AWS Audit Manager is a service that helps you continuously audit your AWS usage to simplify risk management and compliance with regulations and industry standards.
It automates the collection of evidence for policies, procedures, and activities, as well as the creation of audit reports.
Features
Centrally manage and upload evidence from on-premises or multi-cloud environments.
View analytics data for active assessments on the Audit Manager dashboard and quickly identify non-compliant evidence that needs to be remedied.
Creation of frameworks with standard or custom controls based on your specific internal audit requirements.
Custom frameworks can also be shared with another AWS account or replicated into another AWS Region under your own account.
Supports control set delegation to team members to assist you in reviewing related evidence, adding comments, and updating the status of each control.
Concepts
Assessments
An assessment is based on a framework, which is a collection of controls.
When you create an assessment, continuous collection of evidence begins.
For an audit, you or a delegate can review this evidence and add it to an assessment report.
An assessment has two states:
Active – currently collecting evidence.
Inactive – no longer collecting evidence.
Assessment reports
An assessment report summarizes the evidence that was gathered for an assessment.
It also includes links to the evidence PDF files.
Assessment reports are placed in an S3 bucket.
Delegations
Allows you to delegate a control set to a subject matter expert for review and validation of its evidence.
In different AWS Regions, an account can be:
Audit owner
Delegate
Delegates are asked by audit owners to review the evidence associated with a control set.
Framework library
Defines the controls and data source mappings for a given compliance standard or regulation.
Standard Frameworks – prebuilt AWS frameworks
Custom Frameworks – frameworks that you own.
By creating a share request, a recipient can use your custom framework to create assessments.
Control library
Standard Controls
AWS predefined controls.
Editing or deleting standard controls is not allowed.
You can, however, customize any standard control (which creates a custom control based on it) to meet your specific requirements.
Custom Controls
Customized controls that you own.
Allows you to define which data sources you want to collect evidence from.
The data source types for automated evidence:
AWS API calls
AWS Config
AWS Security Hub
AWS CloudTrail
Monitoring
Audit Manager can capture snapshots of your resource security posture by reporting:
Results of security checks from AWS Security Hub.
Findings from AWS Config.
It also collects log data from AWS CloudTrail and converts the processed logs into evidence of user activity.
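The evidence Audit Manager collects from Security Hub and AWS Config carries a pass/fail verdict, while CloudTrail activity evidence does not. The following is an added example (not code from the page or from AWS) that triages such evidence per control, the way you would when looking for non-compliant evidence to remediate. The record fields and all values are constructed for the example, not pulled from a real account.

```python
from collections import defaultdict

# Constructed sample evidence records, loosely shaped after the fields Audit Manager
# exposes per evidence item (dataSource, eventSource, complianceCheck, resourcesIncluded).
# The controlId field and every value below are assumptions made for this example.
SAMPLE_EVIDENCE = [
    {"controlId": "ctl-s3-encryption", "dataSource": "AWS Security Hub",
     "eventSource": "securityhub.amazonaws.com", "complianceCheck": "FAILED",
     "resourcesIncluded": [{"arn": "arn:aws:s3:::constructed-bucket-a"}]},
    {"controlId": "ctl-s3-encryption", "dataSource": "AWS Security Hub",
     "eventSource": "securityhub.amazonaws.com", "complianceCheck": "PASSED",
     "resourcesIncluded": [{"arn": "arn:aws:s3:::constructed-bucket-b"}]},
    {"controlId": "ctl-cloudtrail-enabled", "dataSource": "AWS Config",
     "eventSource": "config.amazonaws.com", "complianceCheck": "NON_COMPLIANT",
     "resourcesIncluded": [{"arn": "arn:aws:cloudtrail:us-east-1:111122223333:trail/constructed-trail"}]},
    {"controlId": "ctl-root-activity", "dataSource": "AWS CloudTrail",
     "eventSource": "signin.amazonaws.com", "complianceCheck": "",
     "resourcesIncluded": []},  # activity evidence: no pass/fail verdict
    {"controlId": "ctl-iam-mfa", "dataSource": "AWS Config",
     "eventSource": "config.amazonaws.com", "complianceCheck": "COMPLIANT",
     "resourcesIncluded": [{"arn": "arn:aws:iam::111122223333:user/constructed-user"}]},
]

NON_COMPLIANT = {"FAILED", "NON_COMPLIANT"}   # Security Hub / AWS Config failing verdicts
COMPLIANT = {"PASSED", "COMPLIANT"}           # Security Hub / AWS Config passing verdicts


def summarize_evidence(evidence):
    """Group evidence by control and count verdicts; keep the ARNs behind failing checks."""
    summary = defaultdict(lambda: {"compliant": 0, "non_compliant": 0,
                                   "no_verdict": 0, "failing_resources": []})
    for item in evidence:
        entry = summary[item["controlId"]]
        check = (item.get("complianceCheck") or "").upper()
        if check in NON_COMPLIANT:
            entry["non_compliant"] += 1
            entry["failing_resources"].extend(r["arn"] for r in item.get("resourcesIncluded", []))
        elif check in COMPLIANT:
            entry["compliant"] += 1
        else:
            entry["no_verdict"] += 1  # CloudTrail and API-call evidence needs manual review
    return dict(summary)


def controls_needing_remediation(evidence):
    """Controls with at least one failing piece of evidence, sorted for a stable report."""
    return sorted(c for c, e in summarize_evidence(evidence).items() if e["non_compliant"])


if __name__ == "__main__":
    for control, entry in summarize_evidence(SAMPLE_EVIDENCE).items():
        print(control, entry)
    print("remediate:", controls_needing_remediation(SAMPLE_EVIDENCE))
```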
Audit Manager includes prebuilt frameworks based on other AWS services to help you prepare for audits:
AWS License Manager framework
AWS Control Tower Guardrails framework
Using Amazon SNS, you can send a notification to a user when one of the following events occurs:
The audit owner delegates a control set for review.
The audit owner has finished reviewing a control set.
The delegate submits a control set that has been reviewed to the audit owner.
Security
Uses an AWS IAM service-linked role to connect to data sources.
Data is encrypted using an AWS KMS key.
Pricing
You are charged based on the number of resource assessments performed.
You are charged for assessment reports stored in Amazon S3.
References:
https://aws.amazon.com/audit-manager/
https://docs.aws.amazon.com/audit-manager/latest/userguide/what-is.html