Supported data source types for automated evidence
When you create a custom control in AWS Audit Manager, you can set up your control to collect automated evidence from the following data source types:
- AWS CloudTrail
- AWS Security Hub
- AWS Config
- AWS API calls
Each data source type offers distinct capabilities for capturing user activity logs, compliance findings, resource configurations, and more.
In this chapter you can learn about each of these automated data source types, and the specific AWS Security Hub controls, AWS Config rules, and AWS API calls that are supported by Audit Manager.
Key points
The following table provides an overview of each automated data source type.
| Data source type | Description | Evidence collection frequency | To use this data source type... | When this control is active in an assessment... | Related troubleshooting tips |
|---|---|---|---|---|---|
| AWS CloudTrail | Tracks a specific user activity. | Continuous. | Select from the list of supported event names. | Audit Manager filters your CloudTrail logs based on the keyword that you choose. The results are imported as User activity evidence. | My assessment isn’t collecting user activity evidence from AWS CloudTrail |
| AWS Config | Captures a snapshot of your resource security posture by reporting findings from AWS Config. | Based on the triggers defined in the AWS Config rule. | Choose a rule type, then select a rule. | Audit Manager gets the findings for this rule directly from AWS Config. The result is imported as Compliance check evidence. | My assessment isn’t collecting compliance check evidence from AWS Config |
| AWS Security Hub | Captures a snapshot of your resource security posture by reporting findings from Security Hub. | Based on the schedule of the Security Hub check. | Select from the list of supported Security Hub control IDs. | Audit Manager gets the result of the security check directly from Security Hub. The result is imported as Compliance check evidence. | My assessment isn’t collecting compliance check evidence from AWS Security Hub |
| AWS API calls | Takes a snapshot of your resource configuration directly through an API call to the specified AWS service. | Daily, weekly, or monthly. | Select from the list of supported API calls, then select your preferred frequency. | Audit Manager makes the API call based on the frequency that you specify. The response is imported as Configuration data evidence. | My assessment isn’t collecting configuration data evidence for an AWS API call |
Tip
You can create custom controls that collect evidence using predefined groupings of the above data sources. These data source groupings are known as AWS managed sources. Each AWS managed source represents a common control or a core control that aligns with a common compliance requirement. This gives you an efficient way to map your compliance requirements to a relevant group of AWS data sources. To see the available common controls, see Finding the available controls in AWS Audit Manager.
Alternatively, you can use the four data source types above to define your own custom data sources. This gives you the flexibility to upload manual evidence, or collect automated evidence from a business-specific resource such as a custom AWS Config rule.
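The following Python example is added here to show how the four automated data source types in the table map onto a custom control definition; it is not code from the AWS documentation or the Audit Manager service. The `sourceType`, `sourceSetUpOption`, `keywordInputType` and `sourceFrequency` values are the enum strings accepted by the Audit Manager `CreateControl` API; the helper names (`mapping_source`, `build_control`, `frequency_is_valid`, `example_control`) and the keyword values used as sample input (`CreateBucket`, `S3_BUCKET_PUBLIC_READ_PROHIBITED`, `S3.1`, `s3_ListBuckets`) are constructed for illustration and must be replaced with entries from the supported lists for your account. The one rule the helper enforces is the one the table states: a collection frequency is only chosen for AWS API call sources, while CloudTrail, AWS Config and Security Hub sources take their frequency from the service itself.

```python
"""Build an AWS Audit Manager custom control that uses all four automated
data source types. Hypothetical helper, not part of the AWS documentation."""
import json

# Enum strings accepted by the CreateControl API for controlMappingSources.
SOURCE_TYPES = {"AWS_Cloudtrail", "AWS_Config", "AWS_Security_Hub", "AWS_API_Call"}
API_CALL_FREQUENCIES = {"DAILY", "WEEKLY", "MONTHLY"}


def frequency_is_valid(source_type, frequency):
    """Only AWS_API_Call sources take a user-chosen frequency (daily, weekly,
    monthly); the other three types are driven by the service's own schedule,
    so any frequency given for them is a configuration error."""
    if source_type == "AWS_API_Call":
        return frequency in API_CALL_FREQUENCIES
    return frequency is None


def mapping_source(source_name, source_type, keyword_value,
                   frequency=None, troubleshooting_text=None):
    """Return one controlMappingSources entry, validated against the table."""
    if source_type not in SOURCE_TYPES:
        raise ValueError(f"unsupported automated source type: {source_type}")
    if not frequency_is_valid(source_type, frequency):
        raise ValueError(
            f"frequency {frequency!r} is not valid for source type {source_type}")
    source = {
        "sourceName": source_name,
        "sourceSetUpOption": "System_Controls_Mapping",  # automated evidence
        "sourceType": source_type,
        # All four automated types select their keyword from a supported list.
        "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                          "keywordValue": keyword_value},
    }
    if frequency is not None:
        source["sourceFrequency"] = frequency
    if troubleshooting_text:
        source["troubleshootingText"] = troubleshooting_text
    return source


def build_control(name, description, sources):
    """Assemble the keyword arguments for auditmanager.create_control()."""
    return {"name": name, "description": description,
            "controlMappingSources": sources}


def example_control():
    """A control covering S3 bucket exposure from every automated angle.
    Keyword values below are constructed placeholders, not verified entries
    from the Audit Manager supported lists."""
    sources = [
        mapping_source("Bucket creation activity", "AWS_Cloudtrail",
                       "CreateBucket",
                       troubleshooting_text="Confirm CloudTrail is logging in this Region."),
        mapping_source("Public read prohibited", "AWS_Config",
                       "S3_BUCKET_PUBLIC_READ_PROHIBITED",
                       troubleshooting_text="Confirm the AWS Config rule is enabled."),
        mapping_source("Security Hub S3 check", "AWS_Security_Hub", "S3.1",
                       troubleshooting_text="Confirm the Security Hub standard is enabled."),
        mapping_source("Bucket inventory snapshot", "AWS_API_Call",
                       "s3_ListBuckets", frequency="WEEKLY"),
    ]
    return build_control(
        "S3 public exposure control",
        "Collects user activity, compliance checks and configuration data for S3 buckets.",
        sources)


def create_control(control, client=None):
    """Submit the control to Audit Manager. Needs AWS credentials and
    permissions; not exercised offline."""
    if client is None:
        import boto3  # assumption: boto3 installed and credentials configured
        client = boto3.client("auditmanager")
    return client.create_control(**control)


if __name__ == "__main__":
    print(json.dumps(example_control(), indent=2))
```

Running the module prints the control definition so it can be reviewed before it is submitted with `create_control()`; the `troubleshootingText` on each source is where the page's "related troubleshooting tips" belong, so an auditor who sees an empty evidence folder gets the right hint directly in the assessment.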
Next steps
To learn more about the specific data sources that you can use in your custom controls, see the following pages.