Continuous Auditing with AWS Audit Manager



In this course, you will learn about the different roles within Audit Manager and how they work together to facilitate the audit process.

Learning Objectives

  • Understand the frameworks and controls that Audit Manager provides 
  • How to create custom controls
  • Understand the overall audit process and how to create assessment reports within Audit Manager

Intended Audience

  • Any audit leaders, internal audit members, GRC individuals, or IT/SecOps leaders who are interested in proving the security of their AWS architecture and systems

Prerequisites

  • You should have a decent understanding of cloud computing and cloud architectures, specifically with Amazon Web Services
  • Optionally, it would also be helpful to have a background in auditing procedures

AWS Audit Manager is a newer service that helps you to continuously audit your AWS usage and environments. This continuous auditing allows you to assess risk and compliance requirements from regulatory bodies or general industry standards on an ongoing basis.

Audit Manager allows you to automate the collection of evidence that your auditors and security professionals can use to create reports that might be useful for stakeholder or governmental review.

AWS Audit Manager allows you to easily map your AWS usage to a series of controls. A control helps us to understand if our policies, procedures, and activities are in line with our governmental or industry requirements.

Audit Manager provides this feature through the use of pre-configured frameworks that align with many popular regulatory requirements such as GDPR and CIS.

Without the use of an automated service such as AWS Audit Manager, collecting evidence and delegating evidence finding is a time-consuming endeavor. AWS Audit Manager allows us to automate the continuous collection of evidence, giving us the power to produce audit-ready reports at the drop of a hat.

Additionally, the service helps to support collaboration between internal audit members, GRC, and your IT/SecOps teams.

In order to start generating reports and evaluating your security using AWS Audit Manager, you will first need to create an assessment. An assessment is the formal process of collecting evidence from your various AWS elements that are related to a specific framework.

AWS has an entire library of fully managed frameworks that you can use, which relate to common regulatory requirements. These frameworks are a collection of controls that can evaluate your compliance within the bounds of regulatory systems like GDPR and CIS. You can also create your own custom frameworks to help you evaluate your specific industry or corporate needs.

When you create your assessment, you must specify which framework you are evaluating. From there, AWS Audit Manager can begin the ongoing collection of evidence with regard to that framework. AWS Audit Manager can only monitor and collect evidence for the AWS services that are specified in the framework.

You also have the ability to specify which accounts you would like to be involved with the assessment (production, dev, test account), as well as who will be the Audit Owner for the assessment.

When it comes time to be involved with the audit process, there are a couple of roles that you can assume. The first role within the audit team is the Audit Owner. They are the audit managers who are responsible for creating and managing the assessments that will be used within the audit.

Generally, these audit owners / managers are governance, risk management and compliance experts. However, you do not need to be an expert in those arenas to be the audit owner. Many times someone from SecOps or DevOps might work in the role of the audit owner. It all depends on your unique situation and requirements.

However, the audit owner is only one person, and will probably need the help of industry or subject matter experts to help them perform the audit. These experts are known as Delegates within Audit Manager - and the Audit Owner is in charge of assigning tasks to these delegates to assist in the audit process.

When assigning work to a delegate, the Audit Owner chooses which control sets within the assessment the delegate will need to review. When the delegate has completed their task, the owner will be notified that the review is complete. They can then check the reviewed controls for any comments by the delegate.

An Audit Delegate is a subject matter expert. They have a particular set of skills and business experience that is valuable to your audit team. Their job is not to manage or run the audit itself, but to help the audit owner validate evidence for specific controls within the audit that lie within their field of knowledge.

A delegate will have limited permissions and scope within AWS Audit Manager. Their job is to review specific controls and not an entire assessment. This falls within the ideals of least privilege - which helps to keep information secure and limits possible confidential knowledge from leaking outside of your organization.

During the course of your Audit, you can delegate a control set to an Audit Delegate. The control set contains a collection of controls that you want your delegate to review. The delegate is able to review the evidence within the set, add comments to it, manually upload additional evidence, and update the status of each control within the control set.

When the delegate is finished with their review, they can submit the review back to the Audit Owner for final sign-off.

Evidence can come in a few forms. Maybe your audit is interested in whether a particular S3 bucket has had encryption enabled for the entire duration of its audit period.

You can have AWS Audit Manager continuously monitor that bucket's encryption status and aggregate all of that data to a single location. This data will allow us to verify if there was ever a time where encryption was not enabled for that bucket during the audit. The evidence gathered would then be used to evaluate if a particular control was adhered to during that time.

Your Audit Delegate would receive this evidence, along with the control, and can apply this evidence to their report.

As we have mentioned earlier, within AWS Audit Manager we have the Framework Library. This is the central place for browsing through the 25 managed frameworks, and for creating your own custom frameworks.
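The bucket-encryption check described above, as an added example that is not part of the original course: given time-ordered observations of a bucket's encryption status, it finds every window in the audit period where encryption was off or no observation exists. The record shape, function names and sample values are constructed for illustration and are not Audit Manager's own evidence format.

```python
from datetime import datetime, timezone

# Constructed sample: (timestamp, encryption_enabled) observations for one bucket.
# The record shape is hypothetical, not Audit Manager's own evidence format.
SAMPLE_EVIDENCE = [
    ("2024-01-01T00:00:00+00:00", True),
    ("2024-01-10T08:00:00+00:00", False),
    ("2024-01-10T14:30:00+00:00", True),
    ("2024-02-20T09:00:00+00:00", False),
]

def parse_ts(value):
    """Parse an ISO 8601 timestamp and normalise it to UTC."""
    return datetime.fromisoformat(value).astimezone(timezone.utc)

def exposure_windows(evidence, period_start, period_end):
    """Return (start, end, kind) windows in the audit period where the bucket
    was "unencrypted", or "unknown" because no observation covers that time."""
    start, end = parse_ts(period_start), parse_ts(period_end)
    points = sorted((parse_ts(t), enabled) for t, enabled in evidence)
    state = None  # None until an observation exists; reported as "unknown"
    for t, enabled in points:
        if t <= start:
            state = enabled  # last observation at or before the period start
    segments, cursor = [], start
    for t, enabled in points:
        if start < t < end:
            segments.append((cursor, t, state))
            cursor, state = t, enabled
    segments.append((cursor, end, state))
    windows = []
    for seg_start, seg_end, seg_state in segments:
        if seg_state is True or seg_start == seg_end:
            continue
        kind = "unknown" if seg_state is None else "unencrypted"
        if windows and windows[-1][1] == seg_start and windows[-1][2] == kind:
            windows[-1] = (windows[-1][0], seg_end, kind)  # merge adjacent windows
        else:
            windows.append((seg_start, seg_end, kind))
    return windows

def control_held(evidence, period_start, period_end):
    """True only if encryption was observed as enabled for the whole period."""
    return not exposure_windows(evidence, period_start, period_end)

if __name__ == "__main__":
    for w_start, w_end, kind in exposure_windows(
            SAMPLE_EVIDENCE, "2024-01-01T00:00:00+00:00", "2024-03-01T00:00:00+00:00"):
        print(f"{kind}: {w_start.isoformat()} -> {w_end.isoformat()} ({w_end - w_start})")
```

Time with no observation is reported as "unknown" rather than assumed compliant, so a gap in evidence collection cannot pass the control silently.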

Each managed framework comes with a number of control sets, and these control sets in turn each have various controls. The frameworks and their controls help us to create and establish evidence for our various compliance goals.

If the preconfigured frameworks are not quite what you need - you can create custom frameworks from the ground up or by using some of the preconfigured controls as a starting template. This allows you to modify and enhance the managed frameworks to create a semi-hybrid custom framework that works for your purposes.

Just like the Framework Library, there is a Control Library which houses over 600 standard controls. You can use these standard controls right out of the box when you create your custom frameworks, or you can create your very own custom controls that are tailored around what you wish.

Now that we have a good understanding around the base components of AWS Audit Manager, it's time to actually talk about how an audit works.

Before you start off creating an audit, it's important to think about and define what the scope of your audit is. This is our opportunity to determine goals, and to specify what it is that you need to verify. I would recommend sitting down with your audit experts and thinking about which frameworks and controls you will need to use. Are we concerned about GDPR or are we just checking to see that our architectures are adhering to AWS security best practices?

I would also recommend designating someone to be the audit owner and determining who will be your audit delegates ahead of time. Like most things in life, prior planning prevents poor performance. Anywhoo… Once you have determined what you want to do, and who is going to do it, we can dive right into creation.

The very first thing you will need to do is to create a new assessment. This can be done quite simply through the console, but like almost everything within AWS, it can also be built out using the AWS CLI/API. When creating the assessment we will specify the assessment name and a description. If you have multiple assessments running, it's important that you name these with some type of order or system, otherwise you might be confused about which is which after the 20th or so you create.

Each assessment will need an assessment reports destination, which is just a simple Amazon S3 bucket. It is best practice to have the bucket associated with these assessments be within the same AWS Region in which you are running the assessment.

From here, we are able to select the framework the assessment will be based on. You are only allowed to have one framework per assessment, so if you are looking to check multiple frameworks, you will need to run multiple assessments. Again, there are 25 preconfigured frameworks for you to choose from, and you can of course choose to create your own.

Next up you will need to specify which AWS accounts are within the scope of your audit. AWS Audit Manager is integrated with AWS Organizations. This integration will enable you to create and run assessments over multiple accounts and will consolidate that evidence into a single delegated administrator account.

However, if the account you are running the audit with is not associated with AWS Organizations, you will only be able to see your current account listed.

During the next phase of assessment creation you will select what services you wish to monitor and collect evidence from. This helps Audit Manager understand what data sources and services are in scope for the audit.

If a listed AWS service is not selected, or you have not subscribed to that service within your environment, Audit Manager will not be able to collect evidence from that resource. If you are using a standard framework, one managed and created by AWS, then this part will be automatically filled out for you.

The last step when creating your assessment is to assign an Audit Owner. As we discussed earlier, the audit owner is the person in charge of driving the audit. They are normally from GRC or SecOps and they help to delegate control sets and evidence for review. Whoever this person is, it is recommended that they use the AWSAuditManagerAdministratorAccess policy within IAM. This policy will allow full access to AWS Audit Manager, including the ability to enable and disable Audit Manager itself.

And that's it, just review your settings and launch the assessment; AWS Audit Manager will take it from there. Audit Manager will continuously monitor and audit your AWS usage, tracking the resources you have defined. Not all your audit data will be available immediately, and AWS recommends that you check back on your assessments after 24 hours have passed.
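The assessment-creation steps above, expressed as an added example against the API rather than the console (this is not code from the original course). It builds the arguments for the boto3 `auditmanager` client's `create_assessment` call and validates them first; the function names, account ID, bucket name, framework ID and role name used with it are constructed placeholders.

```python
import re
import warnings

ARN_RE = re.compile(r"arn:aws[a-z-]*:iam::\d{12}:(user|role)/.+")

def build_assessment_request(name, description, report_bucket, framework_id,
                             account_ids, owner_arn, services=None):
    """Map the console steps onto keyword arguments for CreateAssessment."""
    if not name.strip():
        raise ValueError("assessment name is required")
    bad = [a for a in account_ids if not re.fullmatch(r"\d{12}", a)]
    if bad or not account_ids:
        raise ValueError(f"scope needs 12-digit AWS account IDs, got {bad or account_ids}")
    if not ARN_RE.fullmatch(owner_arn):
        raise ValueError(f"audit owner must be an IAM user or role ARN: {owner_arn!r}")
    scope = {"awsAccounts": [{"id": a} for a in account_ids]}
    if services:  # managed frameworks fill the service list in for you
        scope["awsServices"] = [{"serviceName": s} for s in services]
    return {
        "name": name,
        "description": description,
        "assessmentReportsDestination": {
            "destinationType": "S3",
            "destination": f"s3://{report_bucket}",
        },
        "frameworkId": framework_id,  # a single ID: one framework per assessment
        "scope": scope,
        "roles": [{"roleType": "PROCESS_OWNER", "roleArn": owner_arn}],  # audit owner
    }

def create_assessment(request, region, report_bucket):
    """Submit the request; needs boto3 and AWS credentials (not run offline)."""
    import boto3  # imported lazily so the builder works without the AWS SDK
    location = boto3.client("s3").get_bucket_location(Bucket=report_bucket)
    bucket_region = location["LocationConstraint"] or "us-east-1"
    if bucket_region != region:  # the same-Region best practice from the text
        warnings.warn(f"report bucket is in {bucket_region}, assessment in {region}")
    client = boto3.client("auditmanager", region_name=region)
    return client.create_assessment(**request)["assessment"]
```

In the API the audit owner is the `PROCESS_OWNER` role type, and the framework is passed as a single ID, which is why checking several frameworks means creating several assessments.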

An Audit Manager assessment report is a summary of all the selected evidence that was collected for an assessment. This report also includes direct links to the evidence as PDF files. When you generate an assessment report, you have the option to select what evidence you wish to add to that report. Not everything that your delegates have added needs to be in the final document. Now it's important to note that reports are here to help you compile all the evidence that is relevant for you. However, it does not assess the compliance of that evidence.

The assessment report is broken down into sections which include: a cover page, overview, table of contents, control set page, control page, evidence summary page, and evidence detail page. When you are ready to generate the report, it will be placed in the S3 bucket you assigned as the ‘assessment reports destination’ when you created your initial assessment. This report can be sent to the powers that be who requested your audit, or maybe printed out and put on the fridge. Either way, it's nice to have everything documented all in one place.

About the Author

William Meadows is a passionately curious human currently living in the Bay Area in California. His career has included working with lasers, teaching teenagers how to code, and creating classes about cloud technology that are taught all over the world. His dedication to completing goals and helping others is what brings meaning to his life. In his free time, he enjoys reading Reddit, playing video games, and writing books.
