
AWS Audit Manager

What Is This Service?

AWS Audit Manager continuously collects, normalizes, and organizes evidence from AWS environments to simplify audit readiness and continuous compliance assessments.

Mental model:
Audit Manager = compliance evidence collection + control mapping + auditor workflow orchestration.

It helps prove controls exist.

It does not enforce controls.


Why It Matters for Security

Security is not only prevention — it is also provable governance.

Audit Manager helps organizations:

  • Reduce manual evidence gathering
  • Continuously collect audit artifacts
  • Standardize assessments
  • Demonstrate regulatory compliance
  • Maintain traceable security controls
  • Shorten audit cycles

Common use cases:

  • SOC 2 readiness
  • PCI DSS audits
  • ISO 27001 assessments
  • HIPAA evidence collection
  • Internal control validation
  • Continuous compliance operations

Operational outcomes:

  • Faster audits
  • Lower compliance overhead
  • Centralized evidence repository
  • Reduced human error

Core Concepts

Assessment

An active audit engagement.

Contains:

  • Framework
  • Accounts
  • Services
  • Controls
  • Evidence
  • Assessment reports

Example:

Assessment: PCI DSS Production Environment


Framework

Collection of controls.

Framework types:

  • AWS managed frameworks
  • Custom frameworks

Examples:

  • PCI DSS
  • CIS AWS Foundations
  • HIPAA
  • ISO 27001
  • SOC 2
  • GDPR

Hierarchy:

Framework
 └── Controls
      └── Evidence

Control

A compliance requirement.

Examples:

  • Root MFA enabled
  • CloudTrail enabled
  • Encryption enabled
  • Logging retained

Controls define:

  • Evidence source
  • Evaluation mechanism

Control types:

  • AWS managed controls
  • Custom controls

Evidence

Proof that controls exist.

Collected automatically or manually.

Evidence sources:

  • AWS Config
  • CloudTrail
  • Security Hub
  • API snapshots
  • User uploads

Evidence attaches to controls.


Automated Evidence

Collected continuously.

Examples:

  • Resource configurations
  • API activity
  • Security findings

Preferred in real audits.


Manual Evidence

Uploaded externally.

Examples:

  • Policies
  • Vendor reports
  • Approvals
  • Exception documentation

Delegation

Assign audit activities.

Example:

  • Security → defines controls
  • Operations → uploads evidence
  • Compliance → reviews

Assessment Report

Final audit package.

Generated from completed assessment.

Export destination:

  • Amazon S3

Report package contains:

  • PDF summary
  • CSV evidence datasets
  • Evidence folders

Important Integrations

AWS Config

Primary evidence engine.

Provides:

  • Resource inventory
  • Compliance evaluations
  • Configuration history

Exam importance:

Audit Manager automation heavily depends on Config.


AWS Config Custom Rules

Enables organization-specific controls.

Pattern:

Lambda
   ↓
Config Custom Rule
   ↓
Audit Manager Custom Control

Example:

Requirement:

"All EC2 instances must have CostCenter=1234"

Implementation:

  • Config Custom Rule evaluates tags
  • Audit Manager consumes Config results

Audit Manager itself does not evaluate arbitrary logic.
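As an added example (not code from these notes or from AWS), the Lambda side of the pattern above: the tag check a Config custom rule would invoke for the CostCenter requirement, returning the evaluation Config turns into evidence for the Audit Manager custom control. The sample event, the default tag value and treating rule parameters as extra required tag=value pairs are constructed assumptions for this example.

```python
import json

# Constructed requirement from the notes: every EC2 instance carries CostCenter=1234.
REQUIRED_TAGS = {"CostCenter": "1234"}

def evaluate_tags(configuration_item, required_tags=REQUIRED_TAGS):
    """Pure check: returns (ComplianceType, Annotation) for one configuration item."""
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource deleted"
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "rule only evaluates EC2 instances"
    tags = configuration_item.get("tags") or {}
    problems = []
    for key, expected in required_tags.items():
        if key not in tags:
            problems.append(f"missing tag {key}")
        elif tags[key] != expected:
            problems.append(f"tag {key}={tags[key]!r}, expected {expected!r}")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "all required tags present"

def lambda_handler(event, context=None, config_client=None):
    """Config custom-rule entry point; reports via PutEvaluations when a boto3 client is given."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    # Assumption for this example: rule parameters are extra required tag=value pairs.
    required = {**REQUIRED_TAGS, **json.loads(event.get("ruleParameters") or "{}")}
    compliance, annotation = evaluate_tags(item, required)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config limits annotations to 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

SAMPLE_EVENT = {  # constructed Config invocation for a mis-tagged instance, not a real capture
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Instance", "resourceId": "i-0example",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "tags": {"CostCenter": "9999"}}}),
    "ruleParameters": "{}",
    "resultToken": "example-token",
}
```

The annotation is what an auditor later sees next to the NON_COMPLIANT result, so it names the failing tag rather than just the verdict.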


AWS CloudTrail

Provides:

  • API activity
  • Change tracking
  • Operational evidence

Useful for:

  • Proving actions occurred

AWS Security Hub

Provides:

  • Security findings
  • Compliance summaries

Used as supplemental evidence.


AWS Organizations

Supports:

  • Multi-account assessments
  • Centralized compliance

Common enterprise pattern.


AWS Control Tower

Provides:

  • Governance baselines
  • Landing zone controls

Audit Manager consumes governance outputs.


Amazon EventBridge

Event-driven audit workflows.

Examples:

  • Assessment state changes
  • Report generation completed
  • Compliance notifications

Typical automation:

Audit Manager
   ↓
EventBridge
   ↓
SNS / Lambda / Ticketing

Amazon S3

Stores:

  • Reports
  • Exported evidence
  • Assessment packages

AWS Artifact

Critical distinction:

Artifact: AWS proves AWS compliance

Audit Manager: customer proves customer compliance


Security Features

Continuous Evidence Collection

Automatically gathers evidence.

Benefits:

  • Reduced audit gaps
  • Continuous assurance

Evidence Integrity Protection (HIGH VALUE)

Audit Manager protects evidence integrity.

Process:

  • Evidence collected
  • SHA-256 hash generated
  • Evidence encrypted
  • Stored securely

Purpose:

Prevent undetected evidence tampering.

Exam wording:

"How can auditors verify evidence was not modified?"

Answer pattern:

  • Cryptographic hashing
  • SHA-256 integrity verification

Encryption

Supports:

  • AWS managed encryption
  • Customer-managed AWS KMS

Protects:

  • Assessment data
  • Evidence artifacts

Access Control

IAM-based.

Supports:

  • Assessment ownership
  • Delegated contributors
  • Read-only audit access

Cross-Account Governance

Centralized audit operations across Organizations.


Advanced Security and Operational Concepts

Audit Manager Does NOT Enforce Compliance

Big exam trap.

Audit Manager does:

✔ Collect evidence
✔ Produce reports

Audit Manager does NOT:

✖ Prevent drift
✖ Block deployment
✖ Remediate findings

Use:

  • Config
  • SCPs
  • Security Hub
  • Control Tower

for enforcement.


Evidence Is Point-in-Time

Evidence reflects collection state.

Risk:

Resource later drifts.

Mitigation:

Continuous evidence collection.


Assessment Report Export Mechanics (HIGH VALUE)

Assessment reports generate:

S3
└── assessment-report.zip
      ├── summary.pdf
      └── evidence/
            ├── controls.csv
            ├── resources.csv
            └── findings.csv

Purpose:

  • Executive review
  • Technical audit validation

Exam trap:

Report ≠ single PDF.
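To make the SHA-256 integrity check from the Security Features section and the export layout above concrete, an added example (not code from these notes or from AWS, whose internal evidence hash records are not described here): it builds a bundle with the layout above from constructed file contents, records a SHA-256 digest per file at collection time, and shows a later edit to findings.csv being detected on re-verification.

```python
import hashlib
import io
import zipfile

# Layout from the notes: assessment-report.zip with summary.pdf and evidence/*.csv.
BUNDLE_FILES = {  # constructed contents, not a real export
    "summary.pdf": b"%PDF-1.4 constructed summary\n",
    "evidence/controls.csv": b"control_id,status\nCT-1,COMPLIANT\n",
    "evidence/resources.csv": b"resource_id,type\ni-0example,AWS::EC2::Instance\n",
    "evidence/findings.csv": b"finding_id,severity\nF-1,LOW\n",
}

def build_bundle(files=BUNDLE_FILES):
    """Build an in-memory ZIP with the report layout (stands in for the S3 object)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def digest_manifest(bundle_bytes):
    """Record one SHA-256 digest per file, as done at collection time."""
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}

def verify_bundle(bundle_bytes, manifest):
    """Return a list of problems; an empty list means every file matches its recorded digest."""
    current = digest_manifest(bundle_bytes)
    problems = []
    for name, expected in manifest.items():
        if name not in current:
            problems.append(f"missing: {name}")
        elif current[name] != expected:
            problems.append(f"modified: {name}")
    problems += [f"unexpected: {n}" for n in current if n not in manifest]
    return problems

def tamper(bundle_bytes, name, new_data):
    """Rewrite one file inside the ZIP (simulates an edit after export)."""
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        files = {n: zf.read(n) for n in zf.namelist()}
    files[name] = new_data
    return build_bundle(files)
```

The digests must be stored separately from the bundle they describe (and under different write access), otherwise whoever edits the evidence can recompute them.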


Framework Extension Strategy

Recommended:

Managed Framework
     ↓
Duplicate
     ↓
Add Custom Controls

Avoid direct modification.


Event-Driven Compliance Operations

Architecture pattern:

Audit Manager
   ↓
EventBridge
   ↓
Lambda
   ↓
SNS / Jira / ServiceNow

Use cases:

  • Notify compliance team
  • Open remediation ticket
  • Archive reports

Multi-Account Audit Architecture

Recommended:

Organizations
    +
Config Aggregator
    +
Audit Manager

Central security account owns assessments.


Separation of Duties

Recommended:

Security: define controls

Operations: supply evidence

Auditors: review only


Architecture Example

flowchart LR

subgraph Organization
A[Account A]
B[Account B]
C[Account C]
end

Config[AWS Config]
CloudTrail[CloudTrail]
SH[Security Hub]

AM[AWS Audit Manager]

EventBridge[EventBridge]

S3[S3 Reports]

Auditor[Auditor]

A --> Config
B --> Config
C --> Config

A --> CloudTrail
B --> CloudTrail
C --> CloudTrail

Config --> AM
CloudTrail --> AM
SH --> AM

AM --> S3

AM --> EventBridge

EventBridge --> SNS[Notifications]

Auditor --> AM

AM --> Auditor

Workflow(s)

Automated Evidence Collection

sequenceDiagram

participant Resource
participant Config
participant CloudTrail
participant AuditManager
participant Auditor

Resource->>Config: Configuration captured

Resource->>CloudTrail: API activity

Config->>AuditManager: Evidence

CloudTrail->>AuditManager: Evidence

AuditManager->>AuditManager: Hash (SHA-256)

AuditManager->>AuditManager: Encrypt (KMS)

Auditor->>AuditManager: Generate assessment

AuditManager-->>Auditor: Report package

Custom Control Evaluation

sequenceDiagram

participant Resource
participant ConfigRule
participant Lambda
participant AuditManager

Resource->>ConfigRule: Evaluate

ConfigRule->>Lambda: Execute custom logic

Lambda-->>ConfigRule: Compliance result

ConfigRule->>AuditManager: Evidence

AuditManager-->>AuditManager: Map to custom control

Event-Driven Reporting

sequenceDiagram

participant AuditManager
participant EventBridge
participant Lambda
participant SNS
participant Compliance

AuditManager->>EventBridge: Assessment completed

EventBridge->>Lambda: Trigger workflow

Lambda->>SNS: Notify

SNS-->>Compliance: Assessment available

Comparisons

Service             Purpose                    Enforces Controls   Produces Evidence
AWS Audit Manager   Audit automation           No                  Yes
AWS Config          Configuration compliance   Detect only         Partial
Security Hub        Security findings          No                  Partial
AWS Artifact        AWS compliance reports     No                  No
Control Tower       Governance                 Partial             Partial
Organizations       Account governance         No                  No

Common Exam Traps

  1. Audit Manager does not enforce controls.

  2. Artifact proves AWS compliance, not yours.

  3. Config powers most automated evidence.

  4. Security Hub findings supplement evidence.

  5. Evidence is point-in-time.

  6. Assessment ≠ Framework.

  7. Report export goes to S3.

  8. Evidence integrity uses SHA-256.

  9. Custom controls often require Config Custom Rules.

  10. EventBridge enables compliance automation.

  11. Reports contain PDF + CSV bundles.


5-Second Recall

  • Audit Manager = automated compliance evidence
  • Framework → Control → Evidence
  • Config + CloudTrail = primary inputs
  • SHA-256 protects evidence integrity
  • Reports export to S3 as ZIP
  • EventBridge enables automation
  • No enforcement

Quick Revision Notes

  • Audit readiness service
  • Evidence collection only
  • Continuous compliance support
  • Config is foundational
  • Supports custom controls
  • Organizations for multi-account audits
  • EventBridge for workflows
  • KMS + SHA-256 protect evidence
  • Report exports → S3 ZIP → PDF + CSV
  • Artifact proves AWS; Audit Manager proves customer