Disabling evidence finder
If you no longer want to use evidence finder, you can disable the feature at any time.
Follow these steps to disable evidence finder. Pay close attention to the prerequisites, as you'll need specific permissions to delete the event data store in CloudTrail Lake that was created when you enabled evidence finder.
Prerequisites
Required permissions to disable evidence finder
To disable evidence finder, you need permissions to delete an event data store in CloudTrail Lake. For an example policy that you can use, see Permissions to disable evidence finder.
If you need help with permissions, contact your AWS administrator. If you’re an AWS administrator, you can attach the required permission statement to an IAM policy.
Procedure
You can complete this task using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.
Warning
Disabling evidence finder deletes the CloudTrail Lake event data store that Audit Manager created. As a result, you can’t re-enable the feature. To re-use evidence finder after you disable it, you must disable AWS Audit Manager, and then re-enable the service completely.
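The API route from the procedure above, as an added example (not code from the AWS documentation): it reads the current evidence finder status, reports the event data store that would be deleted, and only calls `UpdateSettings` when explicitly confirmed. It assumes the boto3 Audit Manager client; the function names, the `--confirm` flag, and the choice to wait while a state change is in progress are assumptions of this example.

```python
from typing import Optional, Tuple


def plan_disable(settings: dict) -> Tuple[str, Optional[str]]:
    """Map a GetSettings 'settings' dict to (action, event data store ARN)."""
    ef = settings.get("evidenceFinderEnablement") or {}
    status = ef.get("enablementStatus", "DISABLED")
    arn = ef.get("eventDataStoreArn")
    if status == "ENABLED":
        return "disable", arn
    if status.endswith("_IN_PROGRESS"):
        # Assumption of this example: do not act while a state change is running.
        return "wait", arn
    return "noop", arn


def disable_evidence_finder(client, confirm: bool = False) -> str:
    """Disable evidence finder only when it is enabled and the caller confirmed."""
    resp = client.get_settings(attribute="EVIDENCE_FINDER_ENABLEMENT")
    action, arn = plan_disable(resp.get("settings", {}))
    if action != "disable":
        return action
    if not confirm:
        # Irreversible step: this event data store is deleted on disable.
        return f"dry-run: would delete {arn}"
    client.update_settings(evidenceFinderEnabled=False)
    return "requested"


if __name__ == "__main__":
    import sys
    import boto3  # imported here so the functions above work without AWS access

    result = disable_evidence_finder(boto3.client("auditmanager"),
                                     confirm="--confirm" in sys.argv)
    print(result)
```

Run it once without `--confirm` to see which event data store is affected, then again with the flag to send the request.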