

AWS Audit Manager will no longer be open to new customers starting April 30, 2026. If you would like to use Audit Manager, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS Audit Manager availability change](https://docs.aws.amazon.com/audit-manager/latest/userguide/audit-manager-availability-change.html). 

# Reviewing and configuring your AWS Audit Manager settings
<a name="console-settings"></a>

You can review and configure your AWS Audit Manager settings at any time to ensure that they meet your specific needs. 

This chapter takes you through the process of accessing, reviewing, and adjusting your Audit Manager settings step-by-step. By following along, you'll learn how to change your general settings, assessment settings, and evidence finder settings to align with your evolving compliance goals and business requirements. 

## Procedure
<a name="settings-procedure"></a>

To get started, follow these steps to view your Audit Manager settings. You can view your Audit Manager settings using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

**To view your settings**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the left navigation pane, choose **Settings**.

1. Choose the tab that meets your goal.
   + **General settings** - Choose this tab to review and update your general Audit Manager settings.
   + **Assessment settings** - Choose this tab to review and update the default settings for your assessments.
   + **Evidence finder settings** - Choose this tab to review and update your evidence finder settings.

## Next steps
<a name="settings-next-steps"></a>

To customize your Audit Manager settings for your use case, follow the procedures that are outlined here.
+ **General settings**
  + [Configuring your data encryption settings](settings-KMS.md)
  + [Adding a delegated administrator](add-delegated-admin.md)
  + [Changing a delegated administrator](change-delegated-admin.md)
  + [Removing a delegated administrator](remove-delegated-admin.md)
  + [Disabling AWS Audit Manager](disable.md)
+ **Assessment settings**
  + [Configuring your default audit owners](settings-default-audit-owner.md)
  + [Configuring your default assessment report destination](settings-destination.md)
  + [Configuring your Audit Manager notifications](settings-notifications.md)
+ **Evidence finder settings**
  + [Enabling evidence finder](evidence-finder-settings-enable.md)
  + [Confirming the status of evidence finder](confirm-status-of-evidence-finder.md)
  + [Configuring your default export destination for evidence finder](settings-export-destination.md)
  + [Disabling evidence finder](evidence-finder-settings-disable.md)

# Configuring your data encryption settings
<a name="settings-KMS"></a>

You can choose how you encrypt your data in AWS Audit Manager. Audit Manager automatically creates a unique AWS managed key for the secure storage of your data. By default, your Audit Manager data is encrypted with this KMS key. However, if you want to customize your data encryption settings, you can specify your own symmetric encryption customer managed key. Using your own KMS key gives you more flexibility, including the ability to create, rotate, and disable keys.

## Prerequisites
<a name="settings-KMS-prerequisites"></a>

If you provide a customer managed key, it must be in the same AWS Region as your assessment in order to generate assessment reports and export evidence finder search results successfully.

## Procedure
<a name="settings-KMS-procedure"></a>

You can update your data encryption settings using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

**Note**  
When you change your Audit Manager data encryption settings, these changes apply to any new assessments that you create. This includes any assessment reports and evidence finder exports that you create from your new assessments.  
The changes don't apply to existing assessments that you created before you changed your encryption settings. This includes new assessment reports and CSV exports that you create from existing assessments, in addition to existing assessment reports and CSV exports. Existing assessments—and all their assessment reports and CSV exports—continue to use the old KMS key. If the IAM identity that generates the assessment report can't use the old KMS key, grant permissions at the key policy level. 

------
#### [ Audit Manager console ]

**To update your data encryption settings on the Audit Manager console**

1. From the **General** settings tab, go to the **Data encryption** section.

1. To use the default KMS key that's provided by Audit Manager, clear the **Customize encryption settings (advanced)** check box.

1. To use a customer managed key, select the **Customize encryption settings (advanced)** check box. You can then choose an existing KMS key, or create a new one. 

------
#### [ AWS CLI ]

**To update your data encryption settings in the AWS CLI**  
Run the [update-settings](https://docs.aws.amazon.com/cli/latest/reference/auditmanager/update-settings.html) command and use the `--kms-key` parameter to specify your own customer managed key.

In the following example, replace the *placeholder text* with your own information.

```
aws auditmanager update-settings --kms-key arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
```

------
#### [ Audit Manager API ]

**To update your data encryption settings using the API**  
Call the [UpdateSettings](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateSettings.html) operation and use the [kmsKey](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateSettings.html#auditmanager-UpdateSettings-request-kmsKey) parameter to specify your own customer managed key.

For more information, choose the previous links to read more in the *Audit Manager API Reference*. This includes information about how to use this operation and parameter in one of the language-specific AWS SDKs.

------

## Additional resources
<a name="settings-KMS-additional-resources"></a>
+ For instructions on how to create keys, see [Creating keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) in the *AWS Key Management Service User Guide*.
+ For instructions on how to grant permissions at the key policy level, see [Allowing users in other accounts to use a KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html) in the *AWS Key Management Service Developer Guide*.

# Adding a delegated administrator
<a name="add-delegated-admin"></a>



If you use AWS Organizations and want to enable multi-account support for AWS Audit Manager, you can designate a member account in your organization as the delegated administrator for Audit Manager. 

If you want to use Audit Manager in more than one AWS Region, you must designate a delegated administrator account separately in each Region. In your Audit Manager settings, you should use the same delegated administrator account across all Regions. 

## Prerequisites
<a name="add-delegated-admin-prerequisites"></a>

Take note of the following factors that define how the delegated administrator operates in Audit Manager:
+ Your account must be part of an organization.
+ Before you designate a delegated administrator, you must [enable all features in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html). You must also [configure your organization's Security Hub CSPM settings](https://docs.aws.amazon.com/audit-manager/latest/userguide/setup-recommendations.html#securityhub-recommendations). This way, Audit Manager can collect Security Hub CSPM evidence from your member accounts.
+ The delegated administrator account must have access to the KMS key that you provided when setting up Audit Manager.
+ You can't use your AWS Organizations management account as a delegated administrator in Audit Manager.

## Procedure
<a name="add-delegated-admin-procedure"></a>

You can add a delegated administrator using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

**Note**  
After you add a delegated administrator in your Audit Manager settings, your management account can no longer create additional assessments in Audit Manager. Additionally, evidence collection stops for any existing assessments created by the management account. Audit Manager collects and attaches evidence to the delegated administrator account, which is the main account for managing your organization's assessments.

------
#### [ Audit Manager console ]

**To add a delegated administrator on the Audit Manager console**

1. From the **General** settings tab, go to the **Delegated administrator** section.

1. Under **Delegated administrator account ID**, enter the account ID of the delegated administrator.

1. Choose **Delegate**.

------
#### [ AWS CLI ]

**To add a delegated administrator in the AWS CLI**  
Run the [register-organization-admin-account](https://docs.aws.amazon.com/cli/latest/reference/auditmanager/register-organization-admin-account.html) command and use the `--admin-account-id` parameter to specify the account ID of the delegated administrator.

In the following example, replace the *placeholder text* with your own information.

```
aws auditmanager register-organization-admin-account --admin-account-id 111122223333
```

------
#### [ Audit Manager API ]

**To add a delegated administrator using the API**  
Call the [RegisterOrganizationAdminAccount](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_RegisterOrganizationAdminAccount.html) operation and use the [adminAccountId](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_RegisterOrganizationAdminAccount.html#auditmanager-RegisterOrganizationAdminAccount-request-adminAccountId) parameter to specify the account ID of the delegated administrator.

For more information, choose the previous links to read more in the *Audit Manager API Reference*. This includes information about how to use this operation and parameter in one of the language-specific AWS SDKs.

------

## Next steps
<a name="add-delegated-admin-next-steps"></a>

To change your delegated administrator account, see [Changing a delegated administrator](change-delegated-admin.md).

To remove your delegated administrator account, see [Removing a delegated administrator](remove-delegated-admin.md).

## Additional resources
<a name="add-delegated-admin-additional-resources"></a>
+ [Creating and managing an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org.html)
+ [Troubleshooting delegated administrator and AWS Organizations issues](delegated-admin-issues.md)

# Changing a delegated administrator
<a name="change-delegated-admin"></a>



Changing your delegated administrator in AWS Audit Manager is a two-step process. First, you need to remove the current delegated administrator account. Then, you can add a new account as the delegated administrator. 

Follow the steps on this page to change your delegated administrator. 

**Contents**
+ [Prerequisites](#change-delegated-admin-prerequisites)
  + [Before you remove the current account](#before-you-remove)
  + [Before you add the new account](#before-you-add)
+ [Procedure](#change-delegated-admin-procedure)
+ [Next steps](#change-delegated-admin-next-steps)
+ [Additional resources](#change-delegated-admin-additional-resources)

## Prerequisites
<a name="change-delegated-admin-prerequisites"></a>

### Before you remove the current account
<a name="before-you-remove"></a>

Before you remove the current delegated administrator account, keep in mind the following considerations:
+ **Evidence finder cleanup task** - If the current delegated administrator (account A) enabled evidence finder, you'll need to perform a cleanup task before you assign account B as the new delegated administrator. 

  Before you use your management account to remove account A, make sure that account A signs in to Audit Manager and disables evidence finder. Disabling evidence finder automatically deletes the event data store that was created in the account when evidence finder was enabled. 

  If this task isn’t completed, the event data store remains in account A. In this case, we recommend that the original delegated administrator uses CloudTrail Lake to manually [delete the event data store](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-eds-disable-termination.html).

  This cleanup task is necessary to ensure that you don't end up with multiple event data stores. Audit Manager ignores an unused event data store after you remove or change a delegated administrator account. However, if you don't delete the unused event data store, the event data store continues to incur storage costs from CloudTrail Lake.
+ **Data deletion** - When you remove a delegated administrator account for Audit Manager, the data for that account isn’t deleted. If you want to delete resource data for a delegated administrator account, you must perform that task separately before you remove the account. You can do this either in the Audit Manager console or by using one of the delete API operations that are provided by Audit Manager. For a list of available delete operations, see [Deletion of Audit Manager data](https://docs.aws.amazon.com/audit-manager/latest/userguide/data-protection.html#data-deletion-and-retention).

  At this time, Audit Manager doesn't provide an option to delete evidence for a specific delegated administrator. Instead, when your management account deregisters Audit Manager, we perform a cleanup for the current delegated administrator account at the time of deregistration. 

### Before you add the new account
<a name="before-you-add"></a>

Before you add the new delegated administrator account, keep in mind the following considerations:
+ The new account must be part of an organization.
+ Before you designate a new delegated administrator, you must [enable all features in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html). You must also [configure your organization's Security Hub CSPM settings](https://docs.aws.amazon.com/audit-manager/latest/userguide/setup-recommendations.html#securityhub-recommendations). This way, Audit Manager can collect Security Hub CSPM evidence from your member accounts.
+ The delegated administrator account must have access to the KMS key that you provided when setting up Audit Manager.
+ You can't use your AWS Organizations management account as a delegated administrator in Audit Manager.

## Procedure
<a name="change-delegated-admin-procedure"></a>

You can change a delegated administrator using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

**Warning**  
When you change a delegated administrator, you continue to have access to the evidence that you previously collected under the old delegated administrator account. However, Audit Manager stops collecting and attaching evidence to the old delegated administrator account.

------
#### [ Audit Manager console ]

**To change the current delegated administrator on the Audit Manager console**

1. (Optional) If the current delegated administrator (account A) enabled evidence finder, perform the following cleanup task: 

   1. Before assigning account B as the new delegated administrator, make sure that account A signs in to Audit Manager and disables evidence finder. 

     Disabling evidence finder automatically deletes the event data store that was created when account A enabled evidence finder. If you don't complete this step, then account A must go to CloudTrail Lake and manually [delete the event data store](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-eds-disable-termination.html). Otherwise, the event data store remains in account A and continues to incur CloudTrail Lake storage charges.

1. From the **General** settings tab, go to the **Delegated administrator** section and choose **Remove**.

1. In the pop-up window that appears, choose **Remove** to confirm.

1. Under **Delegated administrator account ID**, enter the ID of the new delegated administrator account.

1. Choose **Delegate**.

------
#### [ AWS CLI ]

**To change the current delegated administrator in the AWS CLI**  
First, run the [deregister-organization-admin-account](https://docs.aws.amazon.com/cli/latest/reference/auditmanager/deregister-organization-admin-account.html) command using the `--admin-account-id` parameter to specify the account ID of the current delegated administrator.

In the following example, replace the *placeholder text* with your own information.

```
aws auditmanager deregister-organization-admin-account --admin-account-id 111122223333
```

Then, run the [register-organization-admin-account](https://docs.aws.amazon.com/cli/latest/reference/auditmanager/register-organization-admin-account.html) command using the `--admin-account-id` parameter to specify the account ID of the new delegated administrator.

In the following example, replace the *placeholder text* with your own information.

```
aws auditmanager register-organization-admin-account --admin-account-id 444455556666
```

------
#### [ Audit Manager API ]

**To change the current delegated administrator using the API**  
First, call the [DeregisterOrganizationAdminAccount](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_DeregisterOrganizationAdminAccount.html) operation and use the [adminAccountId](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_DeregisterOrganizationAdminAccount.html#auditmanager-DeregisterOrganizationAdminAccount-request-adminAccountId) parameter to specify the account ID of the current delegated administrator.

Then, call the [RegisterOrganizationAdminAccount](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_RegisterOrganizationAdminAccount.html) operation and use the [adminAccountId](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_RegisterOrganizationAdminAccount.html#auditmanager-RegisterOrganizationAdminAccount-request-adminAccountId) parameter to specify the account ID of the new delegated administrator.

For more information, choose the previous links to read more in the *Audit Manager API Reference*. This includes information about how to use this operation and parameter in one of the language-specific AWS SDKs.

------

## Next steps
<a name="change-delegated-admin-next-steps"></a>

To remove your delegated administrator account, see [Removing a delegated administrator](remove-delegated-admin.md).

## Additional resources
<a name="change-delegated-admin-additional-resources"></a>
+ [Creating and managing an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org.html)
+ [Troubleshooting delegated administrator and AWS Organizations issues](delegated-admin-issues.md)

# Removing a delegated administrator
<a name="remove-delegated-admin"></a>



Removing the delegated administrator account stops further evidence collection for that account, but you retain access to the previously collected evidence. 

If you need to remove your delegated administrator account for Audit Manager, you can follow the necessary steps on this page. Follow the prerequisites and procedures carefully, as they involve cleaning up resources to avoid unnecessary storage costs. 

## Prerequisites
<a name="remove-delegated-admin-prerequisites"></a>

Before you remove the delegated administrator account from Audit Manager, keep in mind the following considerations:

**Evidence finder cleanup task**  
If the current delegated administrator enabled evidence finder, you need to perform a cleanup task.   
Before you use your management account to remove the current delegated administrator, make sure that the current delegated administrator account signs in to Audit Manager and disables evidence finder. Disabling evidence finder automatically deletes the event data store that was created in the account when evidence finder was enabled.   
If this task isn’t completed, the event data store remains in their account. In this case, we recommend that the original delegated administrator uses CloudTrail Lake to manually [delete the event data store](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-eds-disable-termination.html).  
This cleanup task is necessary to ensure that you don't end up with multiple event data stores. Audit Manager ignores an unused event data store after you remove or change a delegated administrator account. However, if you don't delete the unused event data store, the event data store continues to incur storage costs from CloudTrail Lake.

**Data deletion**  
When you remove a delegated administrator account for Audit Manager, the data for that account isn’t deleted. If you want to delete resource data for a delegated administrator account, you must perform that task separately before you remove the account. You can do this either in the Audit Manager console or by using one of the delete API operations that are provided by Audit Manager. For a list of available delete operations, see [Deletion of Audit Manager data](https://docs.aws.amazon.com/audit-manager/latest/userguide/data-protection.html#data-deletion-and-retention).  
At this time, Audit Manager doesn't provide an option to delete evidence for a specific delegated administrator. Instead, when your management account deregisters Audit Manager, we perform a cleanup for the current delegated administrator account at the time of deregistration. 

## Procedure
<a name="remove-delegated-admin-procedure"></a>

You can remove a delegated administrator using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

**Warning**  
When you remove a delegated administrator, you continue to have access to the evidence that you previously collected under that delegated administrator account. However, Audit Manager stops collecting and attaching evidence to the old delegated administrator account.

------
#### [ Audit Manager console ]

**To remove the current delegated administrator on the Audit Manager console**

1. (Optional) If the current delegated administrator enabled evidence finder, perform the following cleanup task: 

   1. Make sure that the current delegated administrator account signs in to Audit Manager and disables evidence finder. 

     Disabling evidence finder automatically deletes the event data store that was created in their account when they enabled evidence finder. If this step isn't completed, the delegated administrator account must use CloudTrail Lake to manually [delete the event data store](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-eds-disable-termination.html). Otherwise, the event data store remains in their account and continues to incur CloudTrail Lake storage charges.

1. From the **General** settings tab, go to the **Delegated administrator** section and choose **Remove**.

1. In the pop-up window that appears, choose **Remove** to confirm.

------
#### [ AWS CLI ]

If the current delegated administrator enabled evidence finder, make sure that the delegated administrator account signs in to Audit Manager and disables evidence finder before you run the following command. Disabling evidence finder automatically deletes the event data store that was created in their account when they enabled evidence finder. If this step isn't completed, the delegated administrator account must use CloudTrail Lake to manually [delete the event data store](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-eds-disable-termination.html). Otherwise, the event data store remains in their account and continues to incur CloudTrail Lake storage charges.

**To remove the current delegated administrator in the AWS CLI**  
Run the [deregister-organization-admin-account](https://docs.aws.amazon.com/cli/latest/reference/auditmanager/deregister-organization-admin-account.html) command and use the `--admin-account-id` parameter to specify the account ID of the delegated administrator.

In the following example, replace the *placeholder text* with your own information.

```
aws auditmanager deregister-organization-admin-account --admin-account-id 111122223333
```

------
#### [ Audit Manager API ]

**To remove the current delegated administrator using the API**  
Call the [DeregisterOrganizationAdminAccount](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_DeregisterOrganizationAdminAccount.html) operation and use the [adminAccountId](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_DeregisterOrganizationAdminAccount.html#auditmanager-DeregisterOrganizationAdminAccount-request-adminAccountId) parameter to specify the account ID of the delegated administrator.

For more information, choose the previous links to read more in the *Audit Manager API Reference*. This includes information about how to use this operation and parameter in one of the language-specific AWS SDKs.

------

## Additional resources
<a name="remove-delegated-admin-additional-resources"></a>
+ [Troubleshooting delegated administrator and AWS Organizations issues](delegated-admin-issues.md)

# Configuring your default audit owners
<a name="settings-default-audit-owner"></a>



You can use this setting to specify the default [audit owners](concepts.md#audit-owner) who have primary access to your assessments in Audit Manager.

## Procedure
<a name="settings-default-audit-owner-procedure"></a>

You can update this setting using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

------
#### [ Audit Manager console ]

You can choose from the AWS accounts listed in the table, or use the search bar to look for other AWS accounts.

**To update your default audit owners on the Audit Manager console**

1. From the **Assessment** settings tab, go to the **Default audit owners** section and choose **Edit**.

1. To add a default audit owner, select the check box next to the account name under **Audit owner**.

1. To remove a default audit owner, clear the check box next to the account name under **Audit owner**.

1. When you’re done, choose **Save**.

------
#### [ AWS CLI ]

**To update your default audit owner in the AWS CLI**  
Run the [update-settings](https://docs.aws.amazon.com/cli/latest/reference/auditmanager/update-settings.html) command and use the `--default-process-owners` parameter to specify an audit owner. 

In the following example, replace the *placeholder text* with your own information. Note that `roleType` can only be `PROCESS_OWNER`.

```
aws auditmanager update-settings --default-process-owners roleType=PROCESS_OWNER,roleArn=arn:aws:iam::111122223333:role/Administrator 
```

------
#### [ Audit Manager API ]

**To update your default audit owner using the API**  
Call the [UpdateSettings](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateSettings.html) operation and use the [defaultProcessOwners](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateSettings.html#auditmanager-UpdateSettings-request-defaultProcessOwners) parameter to specify default audit owners. Note that `roleType` can only be `PROCESS_OWNER`.

------

## Additional resources
<a name="settings-default-audit-owner-additional-resources"></a>
+ For more information about audit owners, see [Audit owners](https://docs.aws.amazon.com/audit-manager/latest/userguide/concepts.html#audit-owner) in the *Concepts and terminology* section of this guide.

# Configuring your default assessment report destination
<a name="settings-destination"></a>



When you generate an assessment report, Audit Manager publishes the report to the S3 bucket of your choice. This S3 bucket is referred to as an [assessment report destination](concepts.md#assessment-report-destination). You can choose the S3 bucket that Audit Manager stores your assessment reports in.

## Prerequisites
<a name="settings-destination-prerequisites"></a>

### Configuration tips for your assessment report destination
<a name="settings-assessment-report-destination-tips"></a>

To ensure the successful generation of your assessment report, we recommend that you use the following configurations for your assessment report destination. 

**Same-Region buckets**  
We recommend that you use an S3 bucket that's in the same AWS Region as your assessment. When you use a same-Region bucket and assessment, your assessment report can include up to 22,000 evidence items. Conversely, when you use a cross-Region bucket and assessment, only 3,500 evidence items can be included.

**AWS Region**  
The AWS Region of your customer managed key (if you provided one) must match the Region of your assessment and your assessment report destination S3 bucket. For instructions on how to change the KMS key, see [Configuring your data encryption settings](settings-KMS.md). For a list of supported Audit Manager Regions, see [AWS Audit Manager endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/audit-manager.html) in the *Amazon Web Services General Reference*. 

**S3 bucket encryption**  
If your assessment report destination has a bucket policy that requires server-side encryption (SSE) using [SSE-KMS](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#require-sse-kms), then the KMS key used in that bucket policy must match the KMS key that you configured in your Audit Manager data encryption settings. If you haven't configured a KMS key in your Audit Manager settings, and your assessment report destination bucket policy requires SSE, ensure that the bucket policy allows [SSE-S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html). For instructions on how to configure the KMS key that's used for data encryption, see [Configuring your data encryption settings](settings-KMS.md).

**Cross-account S3 buckets**  
Using a cross-account S3 bucket as your assessment report destination isn’t supported in the Audit Manager console. It’s possible to specify a cross-account bucket as your assessment report destination by using the AWS CLI or one of the AWS SDKs, but for simplicity, we recommend that you not do this.   
For optimal security and performance, we recommend using an S3 bucket in the same AWS account and Region as your assessment. 
If you do choose to use a cross-account S3 bucket as your assessment report destination, consider the following points.  
+ By default, S3 objects—such as assessment reports—are owned by the AWS account that uploads the object. You can use the [S3 Object Ownership](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html) setting to change this default behavior so that any new objects that are written by accounts with the `bucket-owner-full-control` canned access control list (ACL) automatically become owned by the bucket owner. 

  Although it’s not a requirement, we recommend that you make the following changes to your cross-account bucket settings. Making these changes ensures that the bucket owner has full control of the assessment reports that you publish to their bucket.
  + [Set the object ownership of the S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html#enable-object-ownership) to *bucket owner preferred*, instead of the default *object writer*
  + [Add a bucket policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html#ensure-object-ownership) to ensure that objects uploaded to that bucket have the `bucket-owner-full-control` ACL
+ To allow Audit Manager to publish reports in a cross-account S3 bucket, you must add the following S3 bucket policy to your assessment report destination. Replace the *placeholder text* with your own information. The `Principal` element in this policy is the user or role that owns the assessment and creates the assessment report. The `Resource` specifies the cross-account S3 bucket where the report is published.

------
#### [ JSON ]

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "Allow cross account assessment report publishing",
              "Effect": "Allow",
              "Principal": {
                  "AWS": "arn:aws:iam::111122223333:user/AssessmentOwnerUserName"
              },
              "Action": [
                  "s3:ListBucket",
                  "s3:PutObject",
                  "s3:GetObject",
                  "s3:GetBucketLocation",
                  "s3:PutObjectAcl",
                  "s3:DeleteObject"
              ],
              "Resource": [
                  "arn:aws:s3:::CROSS-ACCOUNT-BUCKET",
                  "arn:aws:s3:::CROSS-ACCOUNT-BUCKET/*"
              ]
          }
      ]
  }
  ```

------

## Procedure
<a name="settings-destination-procedure"></a>

You can update this setting using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

------
#### [ Audit Manager console ]

**To update your default assessment report destination on the Audit Manager console**

1. From the **Assessment** settings tab, go to the **Assessment report destination** section.

1. To use an existing S3 bucket, select a bucket name from the dropdown menu.

1. To create a new S3 bucket, choose **Create new bucket**.

1. When you’re done, choose **Save**.

------
#### [ AWS CLI ]

**To update your default assessment report destination in the AWS CLI**  
Run the [update-settings](https://docs.aws.amazon.com/cli/latest/reference/auditmanager/update-settings.html) command and use the `--default-assessment-reports-destination` parameter to specify an S3 bucket.

In the following example, replace the *placeholder text* with your own information:

```
aws auditmanager update-settings --default-assessment-reports-destination destinationType=S3,destination=s3://amzn-s3-demo-destination-bucket
```

------
#### [ Audit Manager API ]

**To update your default assessment report destination using the API**  
Call the [UpdateSettings](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateSettings.html) operation and use the [defaultAssessmentReportsDestination](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateSettings.html#auditmanager-UpdateSettings-request-defaultAssessmentReportsDestination) parameter to specify an S3 bucket.

------

## Additional resources
<a name="settings-destination-additional-resources"></a>
+ [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-bucket.html)
+ [Assessment reports](assessment-reports.md)

# Configuring your Audit Manager notifications
<a name="settings-notifications"></a>



You can configure Audit Manager to send notifications to the Amazon SNS topic of your choice. If you're subscribed to that SNS topic, you receive notifications directly whenever you sign in to Audit Manager. 

Follow the steps on this page to learn how to view and update your notification settings to suit your preferences. You can use either a standard SNS topic or a FIFO (first-in-first-out) SNS topic. Although Audit Manager supports sending notifications to FIFO topics, the order that messages are sent in isn't guaranteed.

## Prerequisites
<a name="settings-notifications-prerequisites"></a>

If you want to use an Amazon SNS topic that you don't own, you must configure your AWS Identity and Access Management (IAM) policy for this. More specifically, you must configure it to allow publishing from the Amazon Resource Name (ARN) of the topic. For an example policy that you can use, see [Example 1 (Permissions for the SNS topic)](security_iam_id-based-policy-examples.md#sns-topic-permissions).

## Procedure
<a name="settings-notifications-procedure"></a>

You can update this setting using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

------
#### [ Audit Manager console ]

**To update your notification settings on the Audit Manager console**

1. From the **Assessment** settings tab, go to the **Notifications** section.

1. To use an existing SNS topic, select the topic name from the dropdown menu.

1. To create a new SNS topic, choose **Create new topic**.

1. When you’re done, choose **Save**.

------
#### [ AWS CLI ]

**To update your notification settings in the AWS CLI**  
Run the [update-settings](https://docs.aws.amazon.com/cli/latest/reference/auditmanager/update-settings.html) command and use the `--sns-topic` parameter to specify an SNS topic.

In the following example, replace the *placeholder text* with your own information:

```
aws auditmanager update-settings --sns-topic arn:aws:sns:us-east-1:111122223333:my-assessment-topic
```

------
#### [ Audit Manager API ]

**To update your notification settings using the API**  
Call the [UpdateSettings](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateSettings.html) operation and use the [snsTopic](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateSettings.html#auditmanager-UpdateSettings-request-snsTopic) parameter to specify an SNS topic.

------

## Additional resources
<a name="settings-notifications-additional-resources"></a>
+ For instructions on how to create an Amazon SNS topic, see [Creating an Amazon SNS topic](https://docs.aws.amazon.com/sns/latest/dg/sns-create-topic.html) in the *Amazon SNS User Guide*. 
+ For an example policy that you can use to allow Audit Manager to send notifications to Amazon SNS topics, see [Example 1 (Permissions for the SNS topic)](security_iam_id-based-policy-examples.md#sns-topic-permissions).
+ To learn more about the list of actions that invoke notifications in Audit Manager, see [Notifications in AWS Audit Manager](notifications.md).
+ For solutions to notification issues in Audit Manager, see [Troubleshooting notification issues](notification-issues.md).

# Enabling evidence finder
<a name="evidence-finder-settings-enable"></a>



You can enable the evidence finder feature in Audit Manager to search for evidence in your AWS account. If you're a delegated administrator for Audit Manager, you can search for evidence for all member accounts in your organization. 

Follow these steps to learn how to enable evidence finder. Pay close attention to the prerequisites, as you'll need specific permissions to create and manage an event data store in CloudTrail Lake for this functionality. 

## Prerequisites
<a name="evidence-finder-settings-enable-prerequisites"></a>

### Required permissions to enable evidence finder
<a name="evidence-finder-required-permissions"></a>

To enable evidence finder, you need permissions to create and manage an event data store in CloudTrail Lake. To use the feature, you need permissions to perform CloudTrail Lake queries. For an example permission policy that you can use, see [Example 3 (Permissions to enable evidence finder)](security_iam_id-based-policy-examples.md#full-administrator-access-enable-evidence-finder). 

If you need help with permissions, contact your AWS administrator. If you’re an AWS administrator, you can copy the required permission statement and [attach it to an IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console).

## Procedure
<a name="evidence-finder-settings-enable-procedure"></a>

### Requesting to enable evidence finder
<a name="enable-evidence-finder"></a>

You can complete this task using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

**Note**  
You must enable evidence finder in each AWS Region where you want to search for evidence.

------
#### [ Audit Manager console ]

**To request to enable evidence finder on the Audit Manager console**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. From the **Evidence finder** settings tab, go to the **Evidence finder** section.

1. Choose **Required permission policy**, then **View CloudTrail Lake permissions** to view the required evidence finder permissions. If you don't already have these permissions, you can copy this policy statement and [attach it to an IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console).

1. Choose **Enable**.

1. In the pop-up window, choose **Request to enable**.

------
#### [ AWS CLI ]

**To request to enable evidence finder in the AWS CLI**  
Run the [update-settings](https://docs.aws.amazon.com/cli/latest/reference/auditmanager/update-settings.html) command with the `--evidence-finder-enabled` parameter.

```
aws auditmanager update-settings --evidence-finder-enabled 
```

------
#### [ Audit Manager API ]

**To request to enable evidence finder using the API**  
Call the [UpdateSettings](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateSettings.html) operation and use the [evidenceFinderEnabled](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateSettings.html#auditmanager-UpdateSettings-request-evidenceFinderEnabled) parameter.

For more information, choose the previous links to read more in the *Audit Manager API Reference*. This includes information about how to use this operation and parameter in one of the language-specific AWS SDKs.

------

## Next steps
<a name="evidence-finder-settings-enable-next-steps"></a>

After you've requested to enable evidence finder, you can check the status of your request. For instructions, see [Confirming the status of evidence finder](confirm-status-of-evidence-finder.md).

## Additional resources
<a name="evidence-finder-settings-enable-additional-resources"></a>
+ [Evidence finder](evidence-finder.md)
+ [Troubleshooting evidence finder issues](evidence-finder-issues.md)

# Confirming the status of evidence finder
<a name="confirm-status-of-evidence-finder"></a>



After you submit your request to enable evidence finder, it takes up to 10 minutes to enable the feature and create an event data store. As soon as the event data store is created, all new evidence is ingested into the event data store moving forward. 

When evidence finder is enabled and the event data store is created, we backfill the newly created event data store with up to two years’ worth of your past evidence. This process happens automatically and takes up to seven days to complete. 

Follow the steps on this page to check and understand the status of your request to enable evidence finder.

## Prerequisites
<a name="confirm-status-of-evidence-finder-prerequisites"></a>

Make sure that you followed the steps to enable evidence finder. For instructions, see [Enabling evidence finder](evidence-finder-settings-enable.md).

## Procedure
<a name="confirm-status-of-evidence-finder-procedure"></a>

You can check the current status of evidence finder using the Audit Manager console, the AWS CLI, or the Audit Manager API.

------
#### [ Audit Manager console ]

**To see the current status of evidence finder on the Audit Manager console**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the left navigation pane, choose **Settings**.

1. Under **Enable evidence finder – optional**, review the current status.

   Each status is defined as follows:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/confirm-status-of-evidence-finder.html)

------
#### [ AWS CLI ]

**To see the current status of evidence finder in the AWS CLI**  
Run the [get-settings](https://docs.aws.amazon.com/cli/latest/reference/auditmanager/get-settings.html) command with the `--attribute` parameter set to `EVIDENCE_FINDER_ENABLEMENT`.

```
aws auditmanager get-settings --attribute EVIDENCE_FINDER_ENABLEMENT 
```

This returns the following information:

**enablementStatus**  
This attribute shows the current status of evidence finder.
+ `ENABLE_IN_PROGRESS` – You requested to enable evidence finder. An event data store is currently being created to support evidence finder queries.
+ `ENABLED` – An event data store was created and evidence finder is enabled. We recommend waiting seven days until the event data store is backfilled with your past evidence data. You can use evidence finder in the meantime, but not all data is available until the backfill is complete.
+ `DISABLE_IN_PROGRESS` – You requested to disable evidence finder, and your request is pending the event data store being deleted.
+ `DISABLED` – You permanently disabled evidence finder and the event data store is deleted. You can't re-enable evidence finder after this point.

**backfillStatus**  
This attribute shows the current status of the evidence data backfill. 
+ `NOT_STARTED` – The backfill hasn’t started yet. 
+ `IN_PROGRESS` – The backfill is in progress. This takes up to seven days to complete, depending on the amount of evidence data. 
+ `COMPLETED` – The backfill is complete. All of your past evidence is now queryable. 

------
#### [ Audit Manager API ]

**To see the current status of evidence finder using the API**  
Call the [GetSettings](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_GetSettings.html) operation with the `attribute` parameter set to `EVIDENCE_FINDER_ENABLEMENT`. This returns the following information:

**enablementStatus**  
This attribute shows the current status of evidence finder.
+ `ENABLE_IN_PROGRESS` - You requested to enable evidence finder. An event data store is currently being created to support evidence finder queries.
+ `ENABLED` - An event data store was created and evidence finder is enabled. We recommend waiting seven days until the event data store is backfilled with your past evidence data. You can use evidence finder in the meantime, but not all data is available until the backfill is complete.
+ `DISABLE_IN_PROGRESS` - You requested to disable evidence finder, and your request is pending the deletion of the event data store.
+ `DISABLED` - You permanently disabled evidence finder and the event data store is deleted. You can't re-enable evidence finder after this point.

**backfillStatus**  
This attribute shows the current status of the evidence data backfill. 
+ `NOT_STARTED` means that the backfill hasn’t started yet. 
+ `IN_PROGRESS` means that the backfill is in progress. This takes up to seven days to complete, depending on the amount of evidence data. 
+ `COMPLETED` means that the backfill is complete. All of your past evidence is now queryable.

For more information, see [evidenceFinderEnablement](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_EvidenceFinderEnablement.html) in the *Audit Manager API Reference*.

------
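The status values above can gate automation that depends on evidence finder. The following is an added example, not code from AWS: it polls the `get-settings` command shown on this page until the feature is enabled and reports whether the backfill has finished. The function names, the 30-second interval, and the `settings.evidenceFinderEnablement` response shape are assumptions.

```python
import json
import subprocess
import time

STOPPED = {"DISABLE_IN_PROGRESS", "DISABLED"}


def fetch_with_cli():
    """Run the get-settings command from this page and parse its JSON output."""
    result = subprocess.run(
        ["aws", "auditmanager", "get-settings",
         "--attribute", "EVIDENCE_FINDER_ENABLEMENT", "--output", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def read_status(response):
    """Return (enablementStatus, backfillStatus) from a GetSettings response.

    Assumed shape: {"settings": {"evidenceFinderEnablement": {...}}}.
    """
    block = response.get("settings", {}).get("evidenceFinderEnablement") or {}
    return block.get("enablementStatus"), block.get("backfillStatus")


def wait_until_enabled(fetch=fetch_with_cli, timeout_s=600, interval_s=30,
                       sleep=time.sleep, clock=time.monotonic):
    """Poll until evidence finder is ENABLED.

    timeout_s defaults to 600 because enabling takes up to 10 minutes.
    Raises RuntimeError if the feature is being, or has been, disabled,
    and TimeoutError if the event data store is still being created at
    the deadline.
    """
    deadline = clock() + timeout_s
    while True:
        enablement, backfill = read_status(fetch())
        if enablement == "ENABLED":
            # Searches work now, but results can miss past evidence until
            # the backfill (up to seven days) reports COMPLETED.
            return {"enabled": True,
                    "history_complete": backfill == "COMPLETED",
                    "backfill": backfill}
        if enablement in STOPPED:
            raise RuntimeError(f"evidence finder is {enablement}; "
                               "it cannot be re-enabled from this state")
        if enablement != "ENABLE_IN_PROGRESS":
            raise RuntimeError(f"unexpected enablementStatus: {enablement!r}")
        if clock() >= deadline:
            raise TimeoutError("event data store still being created")
        sleep(interval_s)


if __name__ == "__main__":
    print(wait_until_enabled())
```

The `fetch`, `sleep`, and `clock` parameters exist so that the polling logic can be exercised without AWS credentials.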

## Next steps
<a name="confirm-status-of-evidence-finder-next-steps"></a>

After evidence finder is successfully enabled, you can start using the feature. We recommend waiting seven days until the event data store is backfilled with your past evidence data. You can use evidence finder in the meantime, but not all data might be available until the backfill is complete. 

To get started with evidence finder, see [Searching for evidence in evidence finder](search-for-evidence-in-evidence-finder.md).

## Additional resources
<a name="confirm-status-of-evidence-finder-additional-resources"></a>
+ [Troubleshooting evidence finder issues](evidence-finder-issues.md)

# Disabling evidence finder
<a name="evidence-finder-settings-disable"></a>



If you no longer want to use evidence finder, you can disable the feature at any time.

Follow these steps to learn how to disable evidence finder. Pay close attention to the prerequisites, as you'll need specific permissions to delete the event data store in CloudTrail Lake that was created when you enabled evidence finder. 

## Prerequisites
<a name="evidence-finder-settings-disable-prerequisites"></a>

### Required permissions to disable evidence finder
<a name="evidence-finder-disable-permissions"></a>

To disable evidence finder, you need permissions to delete an event data store in CloudTrail Lake. For an example policy that you can use, see [Permissions to disable evidence finder](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_id-based-policy-examples.html#full-administrator-access-disable-evidence-finder). 

If you need help with permissions, contact your AWS administrator. If you’re an AWS administrator, you can [attach the required permission statement to an IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console).

## Procedure
<a name="evidence-finder-settings-disable-procedure"></a>

You can complete this task using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

**Warning**  
Disabling evidence finder deletes the CloudTrail Lake event data store that Audit Manager created. As a result, you can’t re-enable the feature. To re-use evidence finder after you disable it, you must [disable AWS Audit Manager](https://docs.aws.amazon.com/audit-manager/latest/userguide/general-settings.html#disable), and then [re-enable](https://docs.aws.amazon.com/audit-manager/latest/userguide/setup-audit-manager.html) the service completely. 

------
#### [ Audit Manager console ]

**To disable evidence finder on the Audit Manager console**

1. In the **Evidence finder** section of the Audit Manager settings page, choose **Disable**.

1. In the pop-up window that appears, enter **Yes** to confirm your decision. 

1. Choose **Request to disable**.

------
#### [ AWS CLI ]

**To disable evidence finder in the AWS CLI**  
Run the [update-settings](https://docs.aws.amazon.com/cli/latest/reference/auditmanager/update-settings.html) command with the `--no-evidence-finder-enabled` parameter.

```
aws auditmanager update-settings --no-evidence-finder-enabled 
```

------
#### [ Audit Manager API ]

**To disable evidence finder using the API**  
Call the [UpdateSettings](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateSettings.html) operation and use the [evidenceFinderEnabled](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateSettings.html#auditmanager-UpdateSettings-request-evidenceFinderEnabled) parameter.

For more information, choose the previous links to read more in the *Audit Manager API Reference*. This includes information about how to use this operation and parameter in one of the language-specific AWS SDKs.

------

## Additional resources
<a name="disable-evidence-finder-additional-resources"></a>
+ [Troubleshooting evidence finder issues](evidence-finder-issues.md)

# Configuring your default export destination for evidence finder
<a name="settings-export-destination"></a>



When you run queries in evidence finder, you can export your search results into a comma-separated values (CSV) file. Use this setting to choose the default S3 bucket where Audit Manager saves your exported files.

## Prerequisites
<a name="settings-export-destination-prerequisites"></a>

Your S3 bucket must have the required permissions policy to allow CloudTrail to write the export files to it. More specifically, the bucket policy must include an `s3:PutObject` action and the bucket ARN, and list CloudTrail as the service principal. 
+ For an example permission policy that you can use, see [Resource-based policy examples for AWS Audit Manager](security_iam_resource-based-policy-examples.md). 
+ For instructions to attach this policy to your S3 bucket, see [Adding a bucket policy by using the Amazon S3 console](https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html). 
+ For more tips, see [configuration tips for your export destination](https://docs.aws.amazon.com/audit-manager/latest/userguide/evidence-finder-settings.html#settings-export-destination-tips) on this page. 

### Configuration tips for your export destination
<a name="settings-export-destination-tips"></a>

To ensure a successful file export, we recommend that you verify the following configurations for your export destination. 

**AWS Region**  
The AWS Region of your customer managed key (if you provided one) must match the Region of your assessment. For instructions on how to change your KMS key, see [Audit Manager data encryption settings](https://docs.aws.amazon.com/audit-manager/latest/userguide/general-settings.html#settings-KMS).

**Cross-account S3 buckets**  
Using a cross-account S3 bucket as your export destination isn’t supported in the Audit Manager console. It’s possible to specify a cross-account bucket using the AWS CLI or one of the AWS SDKs, but for simplicity, we recommend that you not do this. If you do choose to use a cross-account S3 bucket as your export destination, consider the following points.  
+ By default, S3 objects—such as CSV exports—are owned by the AWS account that uploads the object. You can use the [S3 Object Ownership](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html) setting to change this default behavior, so that any new objects that are written by accounts with the `bucket-owner-full-control` canned access control list (ACL) automatically become owned by the bucket owner.

  Although it’s not a requirement, we recommend that you make the following changes to your cross-account bucket settings. Making these changes ensures that the bucket owner has full control of the exported files that you publish to their bucket.
  + [Set the object ownership of the S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html#enable-object-ownership) to *bucket owner preferred*, instead of the default *object writer*
  + [Add a bucket policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html#ensure-object-ownership) to ensure that objects uploaded to that bucket have the `bucket-owner-full-control` ACL
+ To allow Audit Manager to export files to a cross-account S3 bucket, you must add the following S3 bucket policy to your export destination bucket. Replace the *placeholder text* with your own information. The `Principal` element in this policy is the user or role that owns the assessment and exports the file. The `Resource` specifies the cross-account S3 bucket where the file is exported to.

------
#### [ JSON ]

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "Allow cross account file exports",
              "Effect": "Allow",
              "Principal": {
                  "AWS": "arn:aws:iam::111122223333:user/AssessmentOwnerUserName"
              },
              "Action": [
                  "s3:ListBucket",
                  "s3:PutObject",
                  "s3:GetObject",
                  "s3:GetBucketLocation",
                  "s3:PutObjectAcl",
                  "s3:DeleteObject"
              ],
              "Resource": [
                  "arn:aws:s3:::CROSS-ACCOUNT-BUCKET",
                  "arn:aws:s3:::CROSS-ACCOUNT-BUCKET/*"
              ]
          }
      ]
  }
  ```

------
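The following added example (not AWS code) lints a cross-account destination bucket policy against the points this page makes for both the assessment report destination and the export destination: the owner principal is named explicitly, the six listed actions cover the bucket and its objects, and uploads are forced to carry the `bucket-owner-full-control` ACL. The function names, the finding levels, and the `RequireBucketOwnerFullControl` Deny statement are assumptions made for the example.

```python
import copy

# Action list and ACL name come from the policy and text on this page.
REQUIRED_ACTIONS = {"s3:ListBucket", "s3:PutObject", "s3:GetObject",
                    "s3:GetBucketLocation", "s3:PutObjectAcl", "s3:DeleteObject"}
ACL_KEY, ACL_VALUE = "s3:x-amz-acl", "bucket-owner-full-control"


def _as_list(value):
    """Policy elements may be one value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)  # the bare "*" form


def _touches_put(stmt):
    return any(a in ("s3:PutObject", "s3:*", "*") for a in _as_list(stmt.get("Action")))


def _acl_condition(stmt, operator):
    values = stmt.get("Condition", {}).get(operator, {}).get(ACL_KEY)
    return ACL_VALUE in _as_list(values)


def lint_destination_policy(policy, bucket, owner_arn):
    """Return (level, message) findings; level is 'required' or 'recommended'."""
    findings = []
    stmts = _as_list(policy.get("Statement"))
    allows = [s for s in stmts if s.get("Effect") == "Allow"]

    for s in allows:
        if "*" in _principals(s) and "Condition" not in s:
            findings.append(("required", f"statement {s.get('Sid')!r} allows any principal"))

    owner = [s for s in allows if owner_arn in _principals(s)]
    if not owner:
        findings.append(("required", "no Allow statement names the assessment owner"))
    else:
        granted = {a for s in owner for a in _as_list(s.get("Action"))}
        resources = {r for s in owner for r in _as_list(s.get("Resource"))}
        missing = sorted(REQUIRED_ACTIONS - granted)
        if missing and not granted & {"s3:*", "*"}:
            findings.append(("required", "owner lacks: " + ", ".join(missing)))
        arn = f"arn:aws:s3:::{bucket}"
        if not {arn, arn + "/*"} <= resources:
            findings.append(("required", "Resource must list the bucket and bucket/*"))

    # Enforced if a Deny rejects uploads without the ACL, or if every Allow
    # that grants PutObject is itself conditioned on the ACL.
    put_allows = [s for s in allows if _touches_put(s)]
    deny = any(s.get("Effect") == "Deny" and _touches_put(s)
               and _acl_condition(s, "StringNotEquals") for s in stmts)
    conditioned = bool(put_allows) and all(
        _acl_condition(s, "StringEquals") for s in put_allows)
    if not (deny or conditioned):
        findings.append(("recommended", f"uploads are not forced to carry the {ACL_VALUE} ACL"))
    return findings


# Constructed samples: the page's policy, then a copy with an added Deny.
BUCKET = "CROSS-ACCOUNT-BUCKET"
OWNER = "arn:aws:iam::111122223333:user/AssessmentOwnerUserName"
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow cross account file exports",
    "Effect": "Allow",
    "Principal": {"AWS": OWNER},
    "Action": sorted(REQUIRED_ACTIONS),
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
}]}
HARDENED = copy.deepcopy(PAGE_POLICY)
HARDENED["Statement"].append({
    "Sid": "RequireBucketOwnerFullControl",  # constructed Sid
    "Effect": "Deny",
    "Principal": {"AWS": OWNER},
    "Action": "s3:PutObject",
    "Resource": f"arn:aws:s3:::{BUCKET}/*",
    "Condition": {"StringNotEquals": {ACL_KEY: ACL_VALUE}},
})

if __name__ == "__main__":
    for name, pol in (("page policy", PAGE_POLICY), ("hardened", HARDENED)):
        print(name, lint_destination_policy(pol, BUCKET, OWNER))
```

The page's policy on its own yields one `recommended` finding, which matches the text: the ACL bucket policy is advised but not required.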

## Procedure
<a name="settings-export-destination-procedure"></a>

You can update this setting using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.

------
#### [ Audit Manager console ]

**To update your export destination settings on the Audit Manager console**

1. From the **Evidence finder** settings tab, go to the **Export destination** section.

1. Choose one of the following options:
   + If you want to remove the current S3 bucket, choose **Remove** to clear your settings.
   + If you want to save a default S3 bucket for the first time, proceed to step 3.

1. Specify the S3 bucket that you want to store your exported files in. 
   + Choose **Browse S3** to choose from a list of your buckets.
   + Alternatively, you can enter the bucket URI in this format: **s3://bucketname/prefix**

   **Tip**  
   To keep your destination bucket organized, you can create an optional folder for your CSV exports. To do so, append a slash (**/**) and a prefix to the value in the **Resource URI** box (for example, **/evidenceFinderCSVExports**). Audit Manager then includes this prefix when it adds the CSV file to the bucket, and Amazon S3 generates the path specified by the prefix. For more information about prefixes in Amazon S3, see [Organizing objects in the Amazon S3 console](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-folders.html) in the *Amazon Simple Storage Service User Guide*.

1. When you’re done, choose **Save**.

For instructions on how to create an S3 bucket, see [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-bucket.html) in the *Amazon S3 User Guide*.

------
#### [ AWS CLI ]

**To update your export destination settings in the AWS CLI**  
Run the [update-settings](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/update-settings.html) command and use the `--default-export-destination` parameter to specify an S3 bucket.

In the following example, replace the *placeholder text* with your own information:

```
aws auditmanager update-settings --default-export-destination destinationType=S3,destination=amzn-s3-demo-destination-bucket
```

For instructions on how to create an S3 bucket, see [create-bucket](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html) in the *AWS CLI Command Reference*.

------
#### [ Audit Manager API ]

**To update your export destination settings using the API**  
Call the [UpdateSettings](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateSettings.html) operation and use the [defaultExportDestination](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateSettings.html#auditmanager-UpdateSettings-request-defaultAssessmentReportsDestination) parameter to specify an S3 bucket.

For instructions on how to create an S3 bucket, see [CreateBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html) in the *Amazon S3 API Reference*.

------