AWS Audit Manager

A service that automates compliance audit evidence collection and continuously assesses adherence to frameworks such as SOC 2, PCI DSS, and HIPAA

Overview

AWS Audit Manager is a service that automates evidence collection and assessment for compliance audits in AWS environments. It comes with prebuilt industry-standard frameworks including SOC 2, PCI DSS, HIPAA, GDPR, and NIST 800-53, and automatically gathers evidence from AWS Config rules, CloudTrail logs, and Security Hub findings. It also supports manual evidence uploads, enabling you to build audit workflows that integrate both automated technical verification and manual review processes.

Framework and Control Structure

At the core of Audit Manager is a three-tier structure: frameworks, control sets, and controls. A framework represents an entire audit standard (e.g., SOC 2 Type II), which contains control sets (e.g., logical access controls), each defining individual controls (e.g., verifying MFA is enabled). While you can use the standard frameworks provided by AWS as-is, in practice organizations often create custom frameworks that reflect their specific requirements. Custom frameworks let you add controls based on your own policies alongside standard controls, combining AWS Config custom rules with manual verification items. Each control is linked to data sources that automatically ingest AWS Config compliance/non-compliance status, CloudTrail API call logs, and Security Hub findings as evidence. Clearly defining the evaluation frequency and responsible parties for each control during the framework design phase helps prevent confusion during the operational phase.

Automated Evidence Collection and Manual Evidence

Audit Manager handles three types of automated evidence. First, compliance check evidence automatically retrieves evaluation results from AWS Config rules. Second, user activity evidence extracts specific API calls (such as IAM policy changes and S3 bucket configuration modifications) from CloudTrail. Third, configuration snapshot evidence periodically captures the current configuration state of resources. Manual evidence fills the gaps that automated collection cannot cover. For example, security training completion records, physical access control logs, and vendor assessment reports can be uploaded as PDFs or screenshots. Evidence is organized in a folder structure per assessment and linked to individual controls, allowing auditors to view all evidence for a specific control at a glance. Integration with AWS Organizations enables centralized evidence collection from a delegated administrator account even in multi-account environments.

Assessment Report Generation and Audit Response

When you create an assessment, automated evidence collection begins based on the specified framework. The assessment scope is defined by a combination of AWS accounts and regions, allowing you to narrow the audit target to production environments only, for example. Collected evidence is automatically mapped to each control, and assigned reviewers update the status after review. Once all controls have been reviewed, an assessment report is generated as a PDF and output to an S3 bucket. This report includes an evidence list per control, a compliance/non-compliance summary, and manual review comments, making it ready for submission to external auditors as-is. A practical tip is to run assessments continuously and take quarterly snapshots. Rather than scrambling to gather evidence right before an annual audit, building a system where evidence accumulates on an ongoing basis dramatically reduces the effort required for audit response.
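The three-tier structure (framework, control set, control with data sources) and the assessment workflow described above, as an added boto3 example that is not code from AWS or from this page: it builds the CreateControl, CreateAssessmentFramework and CreateAssessment requests for a control that pairs the managed AWS Config rule IAM_USER_MFA_ENABLED with a manual evidence source, then chains the three calls. The account id, bucket, role ARN and all names are placeholders; note that the API scopes an assessment by accounts and services.

```python
MFA_CONFIG_RULE = "IAM_USER_MFA_ENABLED"  # managed AWS Config rule identifier


def mfa_control_request(name="Logical access: MFA enforced for IAM users"):
    """CreateControl payload: a daily AWS Config source plus a manual (procedural)
    source for evidence automation cannot collect, e.g. access review sign-offs."""
    return {
        "name": name,
        "description": "IAM users must use MFA; quarterly access reviews are evidenced manually.",
        "testingInformation": "Config rule reports COMPLIANT for every IAM user in scope.",
        "actionPlanTitle": "Enable MFA",
        "actionPlanInstructions": "Enroll an MFA device for each non-compliant IAM user.",
        "controlMappingSources": [
            {
                "sourceName": "config-iam-user-mfa",
                "sourceSetUpOption": "System_Controls_Mapping",
                "sourceType": "AWS_Config",
                "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                                  "keywordValue": MFA_CONFIG_RULE},
                "sourceFrequency": "DAILY",
            },
            {
                "sourceName": "quarterly-access-review",
                "sourceSetUpOption": "Procedural_Controls_Mapping",
                "sourceType": "MANUAL",
            },
        ],
    }


def framework_request(control_id, name="Custom SOC 2 subset"):
    """CreateAssessmentFramework payload: the control placed in one control set."""
    return {"name": name, "complianceType": "SOC 2",
            "controlSets": [{"name": "Logical access controls", "controls": [{"id": control_id}]}]}


def assessment_request(framework_id, account_id, bucket, role_arn):
    """CreateAssessment payload: scoped by account and service, reports written to S3."""
    return {"name": "Production SOC 2 assessment", "frameworkId": framework_id,
            "assessmentReportsDestination": {"destinationType": "S3", "destination": f"s3://{bucket}"},
            "scope": {"awsAccounts": [{"id": account_id}], "awsServices": [{"serviceName": "IAM"}]},
            "roles": [{"roleType": "PROCESS_OWNER", "roleArn": role_arn}]}


def provision(account_id, bucket, role_arn):
    """Chain the three calls; each returned id feeds the next request (needs AWS credentials)."""
    import boto3  # imported here so the request builders above stay usable offline
    am = boto3.client("auditmanager")
    control_id = am.create_control(**mfa_control_request())["control"]["id"]
    fw_id = am.create_assessment_framework(**framework_request(control_id))["framework"]["id"]
    return am.create_assessment(**assessment_request(fw_id, account_id, bucket, role_arn))["assessment"]["metadata"]["id"]
```

Placeholder values (account id `111122223333`, a bucket name, a process-owner role ARN) are passed to `provision()`; the builders can be inspected without credentials.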
