AWS Audit Manager
AWS Audit Manager is a fully managed service designed to help organizations continuously audit their AWS usage to simplify risk assessment and compliance with regulations and industry standards. It plays a critical role in Domain 6: Management and Security Governance of the AWS Certified Security – Specialty (SCS-C02) exam.
**Key Features:**
1. **Automated Evidence Collection:** Audit Manager automatically collects and organizes evidence from AWS services, reducing the manual effort required during audits. This evidence includes configuration snapshots, user activity logs, and compliance check results from services like AWS Config, AWS CloudTrail, and AWS Security Hub.
2. **Prebuilt Frameworks:** The service provides prebuilt frameworks mapped to common compliance standards such as PCI DSS, GDPR, HIPAA, SOC 2, and CIS Benchmarks. Organizations can also create custom frameworks tailored to their specific internal audit requirements.
3. **Assessment Reports:** Audit Manager generates assessment reports that compile collected evidence, making it easy to share findings with auditors and stakeholders. These reports serve as audit-ready documentation, significantly reducing the preparation time for regulatory audits.
4. **Delegation and Collaboration:** It supports delegation of assessment controls to subject matter experts across teams, enabling distributed responsibility and streamlined workflows during the audit process.
5. **Continuous Auditing:** Unlike point-in-time audits, Audit Manager enables continuous monitoring and evidence collection, ensuring that organizations maintain an ongoing compliance posture.
**Security Governance Relevance:** In the context of SCS-C02, Audit Manager is essential for demonstrating governance best practices. It helps security professionals establish accountability, maintain compliance documentation, and ensure that security controls are consistently evaluated. It integrates with AWS Organizations for multi-account governance, allowing centralized audit management across an enterprise.
**Best Practices:**
- Enable AWS Config and CloudTrail as foundational data sources
- Use delegated administrator accounts in multi-account setups
- Regularly review and update custom frameworks
- Store evidence in encrypted S3 buckets with proper access controls
AWS Audit Manager bridges the gap between security operations and compliance requirements, making it indispensable for security governance.
AWS Audit Manager: Complete Guide for AWS Security Specialty Exam
Why AWS Audit Manager is Important
In today's regulatory landscape, organizations must continuously demonstrate compliance with frameworks such as SOC 2, PCI DSS, HIPAA, GDPR, and many others. Manually collecting audit evidence from AWS environments is time-consuming, error-prone, and difficult to scale. AWS Audit Manager addresses this challenge by automating the collection of evidence, mapping it to specific compliance controls, and organizing it into audit-ready assessments. For security professionals, understanding Audit Manager is critical because it sits at the intersection of security governance, compliance management, and operational excellence — all core pillars of the AWS Security Specialty exam.
What is AWS Audit Manager?
AWS Audit Manager is a fully managed service that helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards. It automates evidence collection from AWS services, reducing the manual effort required to compile audit reports.
Key characteristics include:
- Prebuilt Frameworks: Audit Manager provides prebuilt frameworks aligned with common compliance standards (e.g., CIS Benchmarks, PCI DSS, SOC 2, HIPAA, GDPR, NIST 800-53, NIST CSF, AWS Foundational Security Best Practices, and more). You can also create custom frameworks tailored to your organization's needs.
- Automated Evidence Collection: The service automatically collects evidence from AWS CloudTrail, AWS Config, AWS Security Hub, and other sources on a continuous basis.
- Assessment Reports: You can generate assessment reports that compile all collected evidence, control statuses, and stakeholder comments into a single package ready for auditors.
- Delegation: Audit Manager supports delegation of control review to specific team members, enabling distributed responsibility across an organization.
- Integration with AWS Organizations: You can run assessments across multiple accounts in an AWS Organization using a delegated administrator account.
How AWS Audit Manager Works
Understanding the workflow is essential for exam success:
1. Set Up Audit Manager
When you enable Audit Manager, you specify an S3 bucket for storing assessment reports and optionally an AWS KMS key for encryption. If using AWS Organizations, you designate a delegated administrator account.
2. Create an Assessment
You select a framework (prebuilt or custom). Each framework contains a set of control sets, and each control set contains individual controls. You define the scope by specifying which AWS accounts and services are in scope for the assessment.
3. Evidence Collection (Automatic and Manual)
Audit Manager collects evidence automatically from three primary data sources:
- AWS CloudTrail: Captures API activity as evidence (e.g., who called what API, when, and from where).
- AWS Config: Evaluates resource configuration compliance against Config rules. The compliance evaluation results become evidence.
- AWS Security Hub: Security findings from Security Hub checks are imported as evidence.
You can also upload manual evidence for controls that cannot be automated (e.g., policy documents, meeting minutes, or screenshots).
4. Evidence Types
Evidence falls into four categories:
- Compliance Check: Results from AWS Config rules or Security Hub checks.
- User Activity: CloudTrail logs showing user/API activity.
- Configuration Data: Snapshots of resource configurations from AWS API calls made by Audit Manager.
- Manual Evidence: Files uploaded by users.
5. Review and Delegate Controls
Assessment owners can review evidence for each control and mark controls as reviewed. Controls can be delegated to specific IAM users or roles for review. Delegates add comments and mark their review as complete.
6. Generate Assessment Reports
Once all controls are reviewed, you generate an assessment report. This is a PDF document along with an evidence folder stored in the designated S3 bucket. The report is encrypted using the specified KMS key. This report is what you share with auditors.
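The workflow above ends with a report, but in practice the step that goes wrong is step 3: a control stays at zero evidence because Config, CloudTrail or Security Hub is not enabled in the account or Region in scope. The script below is an added example (not AWS documentation or Audit Manager's own code) that walks an assessment shaped like the `GetAssessment` API response (assessment → framework → control sets → controls), reports review progress, lists active controls whose automated sources have produced nothing, and names the sources that are silent across the whole assessment, which is the signal to go check the prerequisite service. The sample assessment, its control names and the source labels in `AUTOMATED_SOURCES` are constructed for the example; `fetch_assessment` shows how to pull a live assessment with boto3 instead.

```python
"""Triage an Audit Manager assessment for controls that are collecting no evidence.

Added example, not AWS documentation or Audit Manager code. The sample data
below is constructed to mimic a trimmed GetAssessment response.
"""
from collections import Counter

# Constructed sample: one assessment, two control sets, five controls.
SAMPLE_ASSESSMENT = {
    "metadata": {"name": "soc2-prod-example", "status": "ACTIVE"},  # hypothetical name
    "framework": {
        "metadata": {"name": "SOC 2 (custom)"},  # hypothetical framework
        "controlSets": [
            {
                "id": "cs-access",
                "description": "Access control",
                "controls": [
                    {"id": "ctl-1", "name": "Root account MFA", "status": "REVIEWED",
                     "evidenceSources": ["AWS Config"], "evidenceCount": 12},
                    {"id": "ctl-2", "name": "IAM access key rotation", "status": "UNDER_REVIEW",
                     "evidenceSources": ["AWS Config", "AWS Security Hub"], "evidenceCount": 0},
                ],
            },
            {
                "id": "cs-logging",
                "description": "Logging and monitoring",
                "controls": [
                    {"id": "ctl-3", "name": "API activity is logged", "status": "UNDER_REVIEW",
                     "evidenceSources": ["AWS CloudTrail"], "evidenceCount": 0},
                    {"id": "ctl-4", "name": "Security policy approved", "status": "UNDER_REVIEW",
                     "evidenceSources": ["MANUAL"], "evidenceCount": 0},
                    {"id": "ctl-5", "name": "Retired control", "status": "INACTIVE",
                     "evidenceSources": ["AWS Config"], "evidenceCount": 0},
                ],
            },
        ],
    },
}

# Source labels assumed for the example; manual evidence is deliberately excluded
# because zero manual evidence is a people problem, not a missing-prerequisite problem.
AUTOMATED_SOURCES = {"AWS Config", "AWS CloudTrail", "AWS Security Hub", "AWS API calls"}


def iter_controls(assessment):
    """Yield (control_set_id, control) for every control in the assessment."""
    for control_set in assessment["framework"]["controlSets"]:
        for control in control_set.get("controls", []):
            yield control_set["id"], control


def review_progress(assessment):
    """Count controls per review status, e.g. {'REVIEWED': 1, 'UNDER_REVIEW': 3, ...}."""
    return Counter(control.get("status") for _, control in iter_controls(assessment))


def evidence_gaps(assessment):
    """Active controls that expect automated evidence but have collected none.

    Returns a list of (control_set_id, control_id, [automated sources expected]).
    """
    gaps = []
    for cs_id, control in iter_controls(assessment):
        if control.get("status") == "INACTIVE":
            continue  # inactive controls are excluded from the assessment scope
        expected = set(control.get("evidenceSources", [])) & AUTOMATED_SOURCES
        if expected and control.get("evidenceCount", 0) == 0:
            gaps.append((cs_id, control["id"], sorted(expected)))
    return gaps


def silent_sources(assessment):
    """Automated sources that yielded zero evidence for every active control using them.

    A source that is silent everywhere almost always means the prerequisite service
    (Config rules, a CloudTrail trail, Security Hub) is not enabled in scope.
    """
    totals = {}
    for _, control in iter_controls(assessment):
        if control.get("status") == "INACTIVE":
            continue
        for source in control.get("evidenceSources", []):
            if source in AUTOMATED_SOURCES:
                totals[source] = totals.get(source, 0) + control.get("evidenceCount", 0)
    return sorted(source for source, count in totals.items() if count == 0)


def fetch_assessment(assessment_id, region_name="us-east-1"):
    """Pull a live assessment with boto3 (imported lazily so the module runs offline)."""
    import boto3
    client = boto3.client("auditmanager", region_name=region_name)
    return client.get_assessment(assessmentId=assessment_id)["assessment"]


if __name__ == "__main__":
    assessment = SAMPLE_ASSESSMENT  # or fetch_assessment("<assessment-id>") against a real account
    print("review status:", dict(review_progress(assessment)))
    for cs_id, ctl_id, sources in evidence_gaps(assessment):
        print(f"no evidence yet: {cs_id}/{ctl_id} expects {', '.join(sources)}")
    print("sources silent across the assessment:", silent_sources(assessment))
```

On the constructed sample, `ctl-1` proves AWS Config is delivering evidence, so the two gaps point at Security Hub and CloudTrail rather than at Config; that is the distinction to make before opening a ticket, because the fix for a silent source (enable the service, confirm the trail or Config recorder covers the Region) is different from the fix for a single control whose Config rule is simply not deployed.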
Key Concepts for the Exam
- Framework: A structured collection of controls mapped to a compliance standard. Prebuilt frameworks are provided by AWS; custom frameworks can be created.
- Control: A specific requirement or best practice. Each control specifies the data source for evidence collection.
- Control Set: A logical grouping of related controls within a framework.
- Assessment: An instance of a framework applied to specific AWS accounts and services over a defined time period.
- Evidence: Data collected automatically or manually that demonstrates whether a control is being met.
- Delegated Administrator: In a multi-account setup with AWS Organizations, the delegated admin account manages Audit Manager assessments across member accounts.
- Assessment Report Destination: An S3 bucket where final reports are stored, encrypted with KMS.
Integration Points
- AWS Config: Must have AWS Config enabled and Config rules deployed for compliance-check evidence. Audit Manager relies heavily on Config for resource configuration compliance.
- AWS CloudTrail: Must be enabled to provide user activity evidence.
- AWS Security Hub: When enabled, Security Hub findings feed into Audit Manager as compliance check evidence. This is particularly useful for controls aligned with frameworks like CIS or AWS Foundational Best Practices.
- AWS Organizations: Enables cross-account evidence collection and centralized assessment management.
- Amazon S3 and AWS KMS: Assessment reports are stored in S3 and encrypted with KMS.
- AWS CloudFormation: Audit Manager resources can be provisioned via CloudFormation for infrastructure-as-code approaches.
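The S3 and KMS integration point is where audit evidence is most exposed: the report destination bucket holds the PDF and the evidence folder, so it needs the same guard rails as any other evidence store (TLS only, SSE-KMS on every upload, no deletion outside a named role). The code below is an added example, not AWS documentation or Audit Manager's own code, that builds that bucket policy together with the matching default-encryption configuration; the bucket name, KMS key ARN and retention-admin role ARN are placeholders, and the `apply` helper shows the two real S3 API calls that install them.

```python
"""Guard rails for the Audit Manager assessment report destination bucket.

Added example, not AWS documentation or Audit Manager code. All ARNs and the
bucket name are placeholders to be replaced with your own values.
"""
import json


def report_bucket_policy(bucket: str, retention_admin_role_arn: str) -> dict:
    """Bucket policy: deny plain HTTP, deny unencrypted uploads, deny deletes except by one role."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # 1. Every request to the bucket or its objects must use TLS.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, objects_arn],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # 2. Uploads that do not ask for SSE-KMS are refused.
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects_arn,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # 3. Reports and evidence can only be deleted by the retention admin role.
                "Sid": "DenyDeleteExceptRetentionAdmin",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
                "Resource": objects_arn,
                "Condition": {"ArnNotEquals": {"aws:PrincipalArn": retention_admin_role_arn}},
            },
        ],
    }


def default_encryption_config(kms_key_arn: str) -> dict:
    """ServerSideEncryptionConfiguration for put_bucket_encryption: SSE-KMS with your key."""
    return {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": kms_key_arn,
                },
                "BucketKeyEnabled": True,  # reduces KMS request volume for a busy evidence bucket
            }
        ]
    }


def statement_ids(policy: dict) -> list:
    """Convenience for reviewing or asserting which guard rails a policy carries."""
    return [s["Sid"] for s in policy["Statement"]]


def apply(bucket: str, kms_key_arn: str, retention_admin_role_arn: str) -> None:
    """Install both settings with boto3 (imported lazily so the module runs offline)."""
    import boto3
    s3 = boto3.client("s3")
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=default_encryption_config(kms_key_arn),
    )
    s3.put_bucket_policy(
        Bucket=bucket,
        Policy=json.dumps(report_bucket_policy(bucket, retention_admin_role_arn)),
    )


if __name__ == "__main__":
    # Placeholder values; replace before calling apply().
    policy = report_bucket_policy(
        "example-audit-reports-bucket",
        "arn:aws:iam::111122223333:role/ExampleEvidenceRetentionAdmin",
    )
    print(json.dumps(policy, indent=2))
```

Statement 3 is what turns the bucket into an evidence store rather than a scratch location: with versioning enabled on the bucket, a compromised or careless principal can neither remove a report nor its prior versions. Statement 2 is a deny, so after applying it generate one test report and confirm it lands in the bucket; the KMS key configured in Audit Manager settings is the one the service is expected to use, and if a report is ever rejected the bucket policy is the first place to look.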
Common Use Cases
1. Preparing for SOC 2 or PCI DSS audits — Use prebuilt frameworks to continuously collect evidence and generate audit-ready reports.
2. Ongoing compliance monitoring — Run assessments continuously to detect compliance drift before an audit.
3. Multi-account governance — Centralize audit evidence across an entire AWS Organization.
4. Custom compliance programs — Build custom frameworks for internal policies or industry-specific requirements not covered by prebuilt frameworks.
5. Reducing audit preparation time — Automate evidence collection that would otherwise require weeks of manual data gathering.
Limitations to Know
- Audit Manager does not automatically remediate non-compliant resources. It only collects and organizes evidence.
- It relies on other services (Config, CloudTrail, Security Hub) being properly configured. If these are not enabled, evidence collection will be incomplete.
- Manual evidence is still required for some controls (e.g., organizational policies, physical security documentation).
- It is a regional service — assessments are scoped to a specific region unless you set up multi-region configurations.
Exam Tips: Answering Questions on AWS Audit Manager
Tip 1: Know When to Choose Audit Manager vs. Other Services
If a question asks about continuously collecting audit evidence, mapping evidence to compliance frameworks, or generating audit-ready reports, the answer is AWS Audit Manager. Do not confuse it with:
- AWS Config: Evaluates resource compliance against rules but does not organize evidence into frameworks or generate audit reports.
- AWS Security Hub: Aggregates security findings and runs compliance checks but is not focused on audit evidence organization.
- AWS CloudTrail: Logs API activity but does not map logs to compliance controls.
- Amazon Inspector: Performs vulnerability assessments, not audit evidence collection.
Tip 2: Understand the Evidence Collection Chain
Questions may test whether you understand that Audit Manager depends on Config, CloudTrail, and Security Hub. If a scenario describes missing evidence, check whether these prerequisite services are enabled.
Tip 3: Multi-Account Scenarios
If a question involves auditing across multiple AWS accounts within an Organization, Audit Manager with a delegated administrator is the correct approach. Remember that the management account designates the delegated admin.
Tip 4: Encryption and Storage
Assessment reports are stored in S3 and can be encrypted with a customer-managed KMS key. If a question asks about securing audit reports at rest, this is the mechanism.
Tip 5: Custom Frameworks
If a question mentions a compliance standard not available as a prebuilt framework, or an internal policy, the answer involves creating a custom framework with custom controls in Audit Manager.
Tip 6: Audit Manager Does Not Remediate
If a question asks about automatically fixing non-compliant resources, Audit Manager is not the answer. Remediation typically involves AWS Config auto-remediation rules, Systems Manager Automation, or Lambda functions. Audit Manager only collects evidence and reports.
Tip 7: Keyword Recognition
Look for these keywords in exam questions that point to Audit Manager:
- Audit evidence
- Compliance framework
- Assessment report
- Audit-ready
- Continuous auditing
- Evidence collection for compliance
- SOC 2, PCI DSS, HIPAA preparation
Tip 8: Delegation Model
Understand that within an assessment, specific controls can be delegated to team members. This is useful in scenarios where different teams own different controls (e.g., network team reviews network controls, database team reviews data controls).
Tip 9: Regional Considerations
Audit Manager is regional. If a question describes a multi-region architecture requiring audit coverage in every region, you need to set up Audit Manager in each region where compliance evidence is needed.
Tip 10: Prebuilt Framework Updates
AWS periodically updates prebuilt frameworks. However, once you create an assessment from a framework, it uses the version at the time of creation. If a newer version is released, you need to create a new assessment to use the updated framework.
Summary
AWS Audit Manager is a purpose-built service for automating audit evidence collection and compliance assessment. It leverages AWS Config, CloudTrail, and Security Hub as data sources, organizes evidence into framework-aligned controls, and produces audit-ready reports stored securely in S3. For the AWS Security Specialty exam, remember that Audit Manager is about evidence collection and organization for audits, not about remediation or real-time threat detection. Mastering the distinction between Audit Manager and related services like Config, Security Hub, and CloudTrail is key to answering exam questions correctly.