Features
AWS Audit Manager has many features. Prebuilt frameworks with controls aligned to common industry standards and regulations, full customization of frameworks and controls, and automated collection and organisation of evidence from users' AWS usage, as required by each control, are all available through Audit Manager.
Prebuilt frameworks
Prebuilt frameworks for a variety of compliance requirements are available in AWS Audit Manager; they were created with AWS best practices in mind. These frameworks help map AWS resources to industry standards and regulations. AWS Control Tower, AWS License Manager, CIS AWS Foundations Benchmark 1.2.0 and 1.3.0, and CIS Controls v7.1 Implementation Group 1 are examples of prebuilt frameworks in AWS Audit Manager.
Frameworks and controls
AWS Audit Manager allows users to create their own audit framework from custom or AWS-managed controls to fulfill their audit requirements. Customizing an Audit Manager framework allows users to assess current controls for compliance with their own company requirements. Users can design custom controls that collect evidence from specific data sources.
Evidence collection
AWS Audit Manager automatically collects data for the AWS accounts and services selected for audit once an assessment has been configured and launched. To help users demonstrate security, change management, business continuity, and software licensing compliance, the evidence contains both the data taken from each resource and information that specifies which control the data supports.
Evidence collection from multiple sources
AWS Audit Manager integrates with AWS Organizations to handle multiple accounts. Audit Manager assessments can span several accounts; evidence is collected and aggregated into an AWS Organizations delegated administrator account.
Workflow for delegation
Control sets can be delegated to team members who are experts in specific areas such as network infrastructure, identity management, software licensing, or personnel policies. Using the delegation feature, these team members can evaluate the control set and its accompanying evidence, provide comments, upload additional evidence, and change the status of each control.
Audit ready reports
AWS Audit Manager automates the collection of evidence and arranges it according to the control set in the framework. The team can review the evidence, provide comments, submit additional supporting evidence, and change the status of each control.
Security in AWS Audit Manager
At AWS, cloud security is a top priority. As AWS customers, users benefit from data centers and network architectures designed to meet the requirements of the most security-sensitive organizations. Under the shared responsibility model, this is described as security of the cloud and security in the cloud:
- Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides services that users can use securely. As part of the AWS Compliance Programs, third-party auditors regularly test and verify the effectiveness of AWS security.
- Security in the cloud – Users' responsibility is determined by the AWS services they use. Users are also responsible for other factors, such as the sensitivity of their data, their company's requirements, and applicable laws and regulations.
Data protection in AWS Audit Manager
For data protection, it is recommended to safeguard AWS account credentials and to set up individual users with AWS Identity and Access Management (IAM), so that each user is given only the permissions needed to perform their job duties. It is advised to protect data in the following ways:
- With each account, use multi-factor authentication (MFA).
- To communicate with AWS resources, use SSL/TLS. TLS 1.2 or later is recommended.
- AWS CloudTrail can be used to log API and user activity.
- Use AWS encryption solutions, along with all of the default security controls within AWS services.
- Utilize advanced managed security services like Amazon Macie, which aids in the discovery and protection of sensitive data stored in Amazon S3.
AWS Audit Manager customers should not include sensitive identifying information in free-form fields when building assessments, custom controls, custom frameworks, or delegation comments. Customer data is kept in AWS Audit Manager's storage for up to a year; by default, users' data is deleted after one year.
Encryption at rest
For all of its data storage and logs, AWS Audit Manager uses server-side encryption with AWS-managed keys to secure data at rest. Depending on user preference, the data is encrypted using either a customer-managed key or an AWS-owned key. If the user doesn't supply a customer-managed key, AWS Audit Manager encrypts the data with an AWS-owned key. In Audit Manager, all service metadata in DynamoDB and Amazon S3 is encrypted with an AWS-owned key.
Encryption in transit
Secure and private endpoints for encrypting data in transit are provided by AWS Audit Manager. Using these endpoints, AWS protects the integrity of API requests made to Audit Manager.
Key Management
AWS Audit Manager supports both AWS-owned keys and customer-managed keys for encrypting all Audit Manager resources (assessments, controls, frameworks, evidence, and assessment reports saved to Amazon S3 buckets in the account).
Concepts and Terminology
Assessment
An assessment is based on a framework, which is a collection of audit-related controls. Users can create an assessment from a standard framework or a custom framework, depending on their business needs. Standard frameworks contain prebuilt control sets that support a specific compliance standard or regulation. Custom frameworks, on the other hand, contain controls that users can customise and group according to their internal audit needs. Using a framework as a starting point, users can create an assessment that defines the AWS accounts and services they want to include in the scope of the audit.
Assessment Report
An assessment report is a completed document that results from an AWS Audit Manager evaluation. These reports provide a summary of the important evidence gathered for the audit. They direct users to the appropriate evidence folders. The folders are named and sorted in accordance with the controls mentioned in the assessment. Users can review the evidence that the Audit Manager collects for each assessment and choose which evidence to include in the assessment report.
Audit
An audit is an unbiased assessment of a company's assets, operations, or financial integrity. An information technology (IT) audit evaluates the controls within the organization's information systems. An IT audit's purpose is to determine whether information systems are protecting assets, operating efficiently, and maintaining data integrity. All of these are necessary in order to meet the requirements imposed by a compliance standard or regulation.
Audit Owner
Depending on the context, the phrase audit owner has two different meanings.
An audit owner is an IAM user or role that manages an assessment and its associated resources in Audit Manager. This Audit Manager persona's tasks include creating assessments, reviewing evidence, and generating assessment reports. Audit Manager is a collaborative service, and audit owners benefit from the participation of other stakeholders in their assessments.
An audit owner, in business terminology, is someone who manages and oversees their company's audit readiness efforts and delivers evidence to an auditor. A governance, risk, and compliance (GRC) specialist, such as a Compliance Officer or a GDPR Data Protection Officer, is usually in charge of this.
Changelog
AWS Audit Manager captures a changelog for each control in an assessment to track user activity for that control. The audit trail of activity relating to a given control can then be reviewed.
Cloud compliance
Cloud compliance refers to the principle that cloud-delivered services must adhere to the same compliance standards that apply to the cloud consumers using them.
Compliance regulation
A compliance regulation is a law, rule, or other directive issued by a government agency to regulate behaviour. GDPR is one example.
Compliance standard
A compliance standard is a set of structured instructions that define an organization's methods for adhering to established standards, specifications, or legislation. PCI DSS and HIPAA are two examples.
Control
A control is a prescriptive statement of how a requirement is to be met. It ensures that the organization's resources are functioning as intended, that data is accurate, and that the organisation is following all applicable rules and regulations. In a compliance standard or regulation, multiple controls are combined into control sets.
In AWS Audit Manager, there are two types of controls:
- Standard controls – Predefined controls for many compliance standards and regulations, based on AWS best practices. These controls help to prepare for audits based on common compliance standards and legislation.
- Custom controls – As an AWS Audit Manager user, users can define their own custom controls. These controls can help to meet specific compliance obligations.
Control domains
A control domain can be thought of as a broad category of controls that is not tied to any particular framework. Grouping by control domain is one of the most useful elements of the Audit Manager interface: controls in assessments that have non-compliant evidence are highlighted in Audit Manager and grouped by control domain.
Delegate
A delegate is a user with restricted access to AWS Audit Manager. Delegates are usually experts in a specific business or technical field, such as data retention regulations, training programs, network architecture, or identity management.
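The delegate persona described here, together with the least-privilege guidance in the Data protection section, is easiest to apply as a scoped IAM policy rather than the broad auditmanager:* grant. The policy below is an added illustration, not from the original article or from AWS documentation; the account id, Region, assessment id and bucket name are placeholders, and the action names are assumed to match the Audit Manager API operations of the same names (list and read delegated work, read evidence, import manual evidence, comment on and change the status of controls and control sets).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DiscoverDelegatedControlSets",
      "Effect": "Allow",
      "Action": [
        "auditmanager:ListAssessments",
        "auditmanager:GetDelegations"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ReviewEvidenceAndUpdateControlsInOneAssessment",
      "Effect": "Allow",
      "Action": [
        "auditmanager:GetAssessment",
        "auditmanager:GetEvidenceFoldersByAssessmentControl",
        "auditmanager:GetEvidenceByEvidenceFolder",
        "auditmanager:GetEvidence",
        "auditmanager:BatchImportEvidenceToAssessmentControl",
        "auditmanager:UpdateAssessmentControl",
        "auditmanager:UpdateAssessmentControlSetStatus"
      ],
      "Resource": "arn:aws:auditmanager:REGION-PLACEHOLDER:111122223333:assessment/ASSESSMENT-ID-PLACEHOLDER"
    },
    {
      "Sid": "ReadBucketHoldingManualEvidenceUploads",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::manual-evidence-bucket-placeholder/*"
    }
  ]
}
```

The assessment ARN format is assumed; if an action does not support resource-level scoping in your account, widen that statement's Resource to "*" rather than falling back to auditmanager:*.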
Evidence
Evidence is a record that contains the information needed to demonstrate that a control's requirements have been met. A user-initiated change activity and a system configuration snapshot are two examples of evidence.
In AWS Audit Manager, there are two types of evidence: automated and manual.
- Automated evidence – Evidence that AWS Audit Manager collects automatically.
- Manual evidence – Evidence that users upload manually to AWS Audit Manager as additional supporting documentation.
Framework
AWS Audit Manager frameworks are files that organise and automate assessments for a given standard or risk governance principle. These frameworks help map AWS resources to control requirements. They come with a set of prebuilt or user-defined controls, and each control in the collection has a description and a testing procedure.
In AWS Audit Manager, there are two types of frameworks:
- Standard frameworks – Prebuilt frameworks for various compliance standards and regulations, based on AWS best practices. Users can use these frameworks to help prepare for an audit.
- Custom frameworks – As an AWS Audit Manager user, users can create their own customised frameworks. These frameworks can help to prepare for audits based on specific compliance or risk governance requirements.
Framework sharing
Users can share their custom frameworks across AWS accounts and Regions using Audit Manager's custom framework sharing feature. A custom framework is shared through a share request. The recipient of the share request has 120 days to accept or decline it. When they accept, Audit Manager adds the shared custom framework to their framework library. Audit Manager replicates not only the custom framework but also any custom control sets and controls it contains; these custom controls are added to the recipient's control library.
Resource
In an audit, a resource is a physical or information asset that is evaluated. Amazon EC2 instances, Amazon RDS instances, Amazon S3 buckets, and Amazon VPC subnets are examples of AWS resources.
Resource Assessment
The process of evaluating a single resource is known as a resource assessment. This evaluation is based on a control requirement. While an assessment is active, AWS Audit Manager performs a resource assessment for each individual resource in its scope. The following tasks are carried out during a resource assessment:
- Evidence is collected in the form of resource configurations, event logs, and findings.
- Evidence is translated and mapped to controls.
- The lineage of the evidence is stored and tracked to ensure evidence integrity.
Frequently Asked Questions
What is AWS?
Amazon Web Services (AWS) is the most comprehensive and widely used cloud platform in the world, with over 200 fully featured services delivered from data centers.
What is AWS Audit Manager?
AWS Audit Manager simplifies how users assess risk and compliance with regulations and industry standards by continuously auditing their AWS usage.
What are the main features of AWS Audit Manager?
The main features of AWS Audit Manager are prebuilt frameworks, customizable frameworks and controls, evidence collection, a delegation workflow, and audit-ready reports.
What are the two types of control in AWS Audit Manager?
The two types of control in AWS Audit Manager are Standard controls and custom controls.
Conclusion
In this article, we have extensively discussed AWS Audit Manager. The article explains the details of AWS Audit Manager, its features, security, and data protection in AWS Audit Manager.
We hope that this blog has helped you enhance your knowledge regarding AWS Audit Manager and if you would like to learn more, check out our articles on Amazon Web Services (AWS).