AWS Audit Manager will no longer be open to new customers starting April 30, 2026. If you would like to use Audit Manager, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS Audit Manager availability change](https://docs.aws.amazon.com/audit-manager/latest/userguide/audit-manager-availability-change.html).
# Supported frameworks in AWS Audit Manager
When you explore the framework library in AWS Audit Manager, you'll find a comprehensive list of pre-built standard frameworks that can help you to streamline your compliance efforts. These prebuilt frameworks are based on AWS best practices for various compliance standards and regulations. You can use these frameworks to assist you with your audit preparation, whether you need to assess your environment against HIPAA, PCI DSS, SOC 2, or more.
**Note**
If you’re new to Audit Manager, start with the AWS Audit Manager Sample Framework. This framework is designed for learning purposes and doesn't support any specific compliance standard. It provides a controlled environment for you to explore Audit Manager's core functionality within a manageable scope. After you use the sample framework to familiarize yourself with Audit Manager, you'll be ready to use the other frameworks for actual compliance assessments.
The following list provides an overview of the available frameworks so that you can easily identify the ones that align with your specific requirements. Take a moment to review the list and familiarize yourself with the frameworks that are most relevant to your organization's needs. Open any page to see an overview of that framework and learn how you can use it to create an assessment and start collecting evidence in Audit Manager.
**Topics**
+ [
# ACSC Essential Eight
](essential-eight.md)
+ [
# ACSC ISM 02 March 2023
](acsc-information-security-manual.md)
+ [
# AWS Audit Manager Sample Framework
](Sample.md)
+ [
# AWS Control Tower Guardrails
](controltower.md)
+ [
# AWS Generative AI Best Practices Framework v2
](aws-generative-ai-best-practices.md)
+ [
# AWS License Manager
](Licensemanager.md)
+ [
# AWS Foundational Security Best Practices
](aws-foundational-security-best-practices.md)
+ [
# AWS Operational Best Practices
](OBP.md)
+ [
# AWS Well Architected Framework WAF v10
](well-architected.md)
+ [
# CCCS Medium Cloud Control
](cccs-medium.md)
+ [
# CIS AWS Benchmark v1.2.0
](CIS-1-2.md)
+ [
# CIS AWS Benchmark v1.3.0
](CIS-1-3.md)
+ [
# CIS AWS Benchmark v1.4.0
](CIS-1-4.md)
+ [
# CIS Controls v7.1, IG1
](CIS-controls.md)
+ [
# CIS Critical Security Controls version 8.0, IG1
](CIS-controls-v8.md)
+ [
# FedRAMP Security Baseline Controls r4
](fedramp-moderate.md)
+ [
# GDPR 2016
](GDPR.md)
+ [
# Gramm-Leach-Bliley Act
](gramm-leach-bliley-act.md)
+ [
# Title 21 CFR Part 11
](GxP.md)
+ [
# EU GMP Annex 11, v1
](GxP-EU-Annex-11.md)
+ [
# HIPAA Security Rule: Feb 2003
](HIPAA.md)
+ [
# HIPAA Omnibus Final Rule
](HIPAA-omnibus-rule.md)
+ [
# ISO/IEC 27001:2013 Annex A
](iso-27001-2013.md)
+ [
# NIST SP 800-53 Rev 5
](NIST800-53r5.md)
+ [
# NIST Cybersecurity Framework v1.1
](NIST-Cybersecurity-Framework-v1-1.md)
+ [
# NIST SP 800-171 Rev 2
](NIST-800-171-r2-1.1.md)
+ [
# PCI DSS V3.2.1
](PCI.md)
+ [
# PCI DSS V4.0
](pci-v4.md)
+ [
# SSAE-18 SOC 2
](SOC2.md)
# ACSC Essential Eight
AWS Audit Manager provides a prebuilt standard framework that supports the Australian Cyber Security Center (ACSC) Essential Eight.
**Topics**
+ [
## What is the ACSC Essential Eight?
](#what-is-essential-eight)
+ [
## Using this framework
](#framework-essential-eight)
+ [
## Next steps
](#next-steps-essential-eight)
+ [
## Additional resources
](#resources-essential-eight)
## What is the ACSC Essential Eight?
The ACSC is the Australian government's lead agency for cyber security. To protect against cyber threats, the ACSC recommends that organizations implement eight essential mitigation strategies from the ACSC’s *Strategies to Mitigate Cyber Security Incidents* as a baseline. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems.
As the Essential Eight outlines a minimum set of preventative measures, your organization needs to implement additional measures where it is warranted by your environment. Further, while the Essential Eight can help to mitigate the majority of cyber threats, it will not mitigate all cyber threats. As such, additional mitigation strategies and security controls need to be considered, including those from the *Strategies to Mitigate Cyber Security Incidents* and the *Information Security Manual* (ISM).
The [Essential Eight](https://www.cyber.gov.au/acsc/view-all-content/essential-eight) by the [ACSC](https://www.cyber.gov.au/) is licensed under a [Creative Commons Attribution 4.0 International License](https://creativecommons.org/licenses/by/4.0/) and copyright information can be found at [ACSC \$1 Copyright](https://www.cyber.gov.au/acsc/copyright). © Commonwealth of Australia 2022.
## Using this framework
You can use the Essential Eight standard framework in AWS Audit Manager to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to Essential Eight requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the Essential Eight framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| Australian Cyber Security Center (ACSC) Essential Eight | 61 | 132 | 3 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1Australian-Cyber-Security-Center-(ACSC)-Essential-Eight.zip](samples/AuditManager_ConfigDataSourceMappings_Australian-Cyber-Security-Center-(ACSC)-Essential-Eight.zip) file.
The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with the Essential Eight controls. Moreover, they can't guarantee that you'll pass an ACSC audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [ACSC Essential Eight](https://www.cyber.gov.au/acsc/view-all-content/essential-eight)
# ACSC ISM 02 March 2023
AWS Audit Manager provides a prebuilt standard framework that supports the Australian Cyber Security Center (ACSC) Information Security Manual (ISM).
**Topics**
+ [
## What is the ACSC ISM?
](#what-is-acsc-information-security-manual)
+ [
## Using this framework
](#framework-acsc-information-security-manual)
+ [
## Next steps
](#next-steps-acsc-information-security-manual)
+ [
## Additional resources
](#resources-acsc-information-security-manual)
## What is the ACSC ISM?
The ACSC is the Australian government's lead agency for cyber security. The ACSC produces the ISM, which functions as a set of cyber security principles. The purpose of these principles is to provide strategic guidance on how an organization can protect their systems and data from cyber threats. These cyber security principles are grouped into four key activities: govern, protect, detect and respond. An organization should be able to demonstrate that the cyber security principles are being adhered to within their organization. The ISM is intended for Chief Information Security Officers, Chief Information Officers, cyber security professionals, and information technology managers.
The ISM framework is provided by the ACSC under a [Creative Commons Attribution 4.0 International License](https://creativecommons.org/licenses/by/4.0/), and copyright information can be found at [ACSC \$1 Copyright](https://www.cyber.gov.au/acsc/copyright). © Commonwealth of Australia 2022.
## Using this framework
You can use the ACSC ISM standard framework in AWS Audit Manager to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to ACSC ISM requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the ACSC ISM framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| Australian Cyber Security Center (ACSC) Information Security Manual (ISM) 02 March 2023 | 88 | 789 | 22 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1Australian-Cyber-Security-Center-(ACSC)-Information-Security-Manual-(ISM)-02-March-2023.zip](samples/AuditManager_ConfigDataSourceMappings_Australian-Cyber-Security-Center-(ACSC)-Information-Security-Manual-(ISM)-02-March-2023.zip) file.
The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with the ACSC Information Security Manual controls. Moreover, they can't guarantee that you'll pass an ACSC audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [ACSC Information Security Manual](https://www.cyber.gov.au/acsc/view-all-content/ism)
# AWS Audit Manager Sample Framework
If you’re new to Audit Manager, you can use the AWS Audit Manager Sample Framework to get to know how Audit Manager works. It provides a simple environment where you can explore Audit Manager functionality without getting overwhelmed by excessive evidence or exceeding your AWS Free Tier limits. After you've tried out the sample framework, you'll be ready to start using the rest of the frameworks that Audit Manager provides.
**Topics**
+ [What is the AWS Audit Manager sample framework?](#what-is-Sample)
+ [
## Using this framework
](#framework-sample)
+ [
## Next steps
](#next-steps-sample)
## What is the AWS Audit Manager Sample Framework?
The sample framework provides a streamlined, beginner-friendly way to explore the core functionality of Audit Manager – collecting evidence and attaching it to controls.
In the framework, you’ll find sample controls that show you the different data sources that Audit Manager uses to automatically collect evidence. These data sources include an AWS CloudTrail event, an AWS Config rule, an AWS Security Hub CSPM control, and an AWS API call. By using these data sources in an test assessment, you can see how Audit Manager works with different AWS services to gather evidence. In addition to demonstrating automated evidence collection, the sample framework shows how you can manually add your own evidence. It also has a manual control that allows you to upload files as evidence. By trying out both automated and manual controls, you can develop a well-rounded understanding of the different ways in which evidence can be added to your assessments.
**Note**
This framework is different from other standard frameworks. The sample framework isn’t intended for managing actual compliance assessments or audits. Its purpose is to help you learn how to use Audit Manager. It provides a controlled environment where you can collect enough evidence to experience Audit Manager's capabilities, while keeping the scope manageable for beginners.
## Using this framework
Using the AWS Audit Manager Sample Framework lets you practice navigating the Audit Manager interface, collecting evidence, and seeing how that evidence is attached to your assessment controls.
To get started, use the sample framework to create an assessment. This action starts the ongoing collection of evidence for each of the automated controls in the sample framework. Based on the control definitions, Audit Manager assesses your AWS resources, collects the relevant evidence, and then attaches it to the controls in your assessment. At this time, you can explore the evidence that Audit Manager has collected. You can also try adding your own evidence to the manual controls.
You can find this framework under the **Standard frameworks** tab of the framework library in Audit Manager.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| Amazon Web Services (AWS) Audit Manager Sample Framework | 4 | 1 | 2 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1AWS-Audit-Manager-Sample-Framework.zip](samples/AuditManager_ConfigDataSourceMappings_AWS-Audit-Manager-Sample-Framework.zip) file.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
# AWS Control Tower Guardrails
AWS Audit Manager provides a prebuilt AWS Control Tower Guardrails framework to assist you with your audit preparation.
**Topics**
+ [
## What is AWS Control Tower?
](#what-is-controltower)
+ [Using this framework](#framework-controltower)
+ [
## Next steps
](#next-steps-controltower)
+ [
## Additional resources
](#resources-controltower)
## What is AWS Control Tower?
AWS Control Tower is a management and governance service that you can use to navigate through the setup process and governance requirements that are involved in creating a multi-account AWS environment.
With AWS Control Tower, you can provision new AWS accounts that conform to your company- or organization-wide policies in a few clicks. AWS Control Tower creates an *orchestration* layer on your behalf that combines and integrates the capabilities of several other [AWS services](https://docs.aws.amazon.com/controltower/latest/userguide/integrated-services.html). These services include AWS Organizations, AWS IAM Identity Center, and AWS service Catalog. This helps streamline the process of setting up and governing a multi-account AWS environment that's both secure and compliant.
The AWS Control Tower Guardrails framework contains all of the AWS Config Rules that are based on guardrails from AWS Control Tower.
## Using this framework
You can use the *AWS Control Tower Guardrails* framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped according to the AWS Config Rules that are based on guardrails from AWS Control Tower. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for an AWS Control Tower audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the AWS Control Tower Guardrails framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The AWS Control Tower Guardrails framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| AWS Control Tower Guardrails | 14 | 0 | 5 |
**Important**
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1AWS-Control-Tower-Guardrails.zip](samples/AuditManager_ConfigDataSourceMappings_AWS-Control-Tower-Guardrails.zip) file.
The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with AWS Control Tower Guardrails. Moreover, they can't guarantee that you'll pass an audit.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [AWS Control Tower service page](https://aws.amazon.com/controltower)
+ [AWS Control Tower user guide](https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html)
# AWS Generative AI Best Practices Framework v2
**Note**
On June 11, 2024, AWS Audit Manager upgraded this framework to a new version, *AWS generative AI best practices framework v2*. In addition to supporting best practices for Amazon Bedrock, v2 enables you to collect evidence that demonstrates you’re following best practices on Amazon SageMaker AI.
The *AWS generative AI best practices framework v1* is no longer supported. If you previously created an assessment from the v1 framework, your existing assessments will continue to work. However, you can no longer create new assessments from the v1 framework. We encourage you to use the v2 upgraded framework instead.
AWS Audit Manager provides a prebuilt standard framework to help you gain visibility into how your generative AI implementation on Amazon Bedrock and Amazon SageMaker AI is working against AWS recommended best practices.
Amazon Bedrock is a fully managed service that makes AI models from Amazon and other leading AI companies available through an API. With Amazon Bedrock, you can privately tune existing models with your organization’s data. This enables you to harness foundation models (FMs) and large language models (LLMs) to build applications securely, without compromising data privacy. For more information, see [What is Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/what-is-service.html)? in the *Amazon Bedrock User Guide*.
Amazon SageMaker AI is a fully managed machine learning (ML) service. With SageMaker AI, data scientists and developers can build, train, and deploy ML models for extended use cases that require deep customization and model fine-tuning. SageMaker AI provides managed ML algorithms to run efficiently against extremely large data in a distributed environment. With built-in support for your own algorithms and frameworks, SageMaker AI offers flexible distributed training options that adjust to your specific workflows. For more information, see [What is Amazon SageMaker AI?](https://docs.aws.amazon.com/sagemaker/latest/dg/whatis.html) in the *Amazon SageMaker AI User Guide*.
**Topics**
+ [
## What are AWS generative AI best practices for Amazon Bedrock?
](#what-are-aws-generative-ai-best-practices)
+ [
## Using this framework to support your audit preparation
](#framework-aws-generative-ai-best-practices)
+ [
## Manually verifying prompts in Amazon Bedrock
](#manual-prompt-verification)
+ [
## Next steps
](#next-steps-aws-generative-ai-best-practices)
+ [
## Additional resources
](#resources-aws-generative-ai-best-practices)
## What are AWS generative AI best practices for Amazon Bedrock?
Generative AI refers to a branch of AI that focuses on enabling machines to generate content. Generative AI models are designed to create outputs that closely resemble the examples that they were trained on. This creates scenarios where AI can mimic human conversation, generate creative content, analyze vast volumes of data, and automate processes that are normally done by humans. The rapid growth of generative AI brings promising new innovation. At the same time, it raises new challenges around how to use generative AI responsibly and in compliance with governance requirements.
AWS is committed to providing you with the tools and guidance needed to build and govern applications responsibly. To help you with this goal, Audit Manager has partnered with Amazon Bedrock and SageMaker AI to create the *AWS generative AI best practices framework v2*. This framework provides you with a purpose-built tool for monitoring and improving the governance of your generative AI projects on Amazon Bedrock and Amazon SageMaker AI. You can use the best practices in this framework to gain tighter control and visibility over your model usage and stay informed on model behavior.
The controls in this framework were developed in collaboration with AI experts, compliance practitioners, security assurance specialists across AWS, and with input from Deloitte. Each automated control maps to an AWS data source from which Audit Manager collects evidence. You can use the collected evidence to evaluate your generative AI implementation based on the following eight principles:
1. **Responsible** – Develop and adhere to ethical guidelines for the deployment and usage of generative AI models
1. **Safe** – Establish clear parameters and ethical boundaries to prevent the generation of harmful or problematic output
1. **Fair** – Consider and respect how an AI system impacts different sub-populations of users
1. **Sustainable** – Strive for greater efficiency and more sustainable power sources
1. **Resilience** – Maintain integrity and availability mechanisms to ensure an AI system operates reliably
1. **Privacy** – Ensure that sensitive data is protected from theft and exposure
1. **Accuracy** – Build AI systems that are accurate, reliable, and robust
1. **Secure ** – Prevent unauthorized access to generative AI systems
### Example
Let's say that your application uses a third-party foundational model that’s available on Amazon Bedrock. You can use the AWS generative AI best practices framework to monitor your usage of this model. By using this framework, you can collect evidence that demonstrates that your usage is compliant with generative AI best practices. This provides you with a consistent approach for tracking track model usage and permissions, flagging sensitive data, and being alerted about any inadvertent disclosures. For instance, specific controls in this framework can collect evidence that helps you show that you’ve implemented mechanisms for the following:
+ Documenting the source, nature, quality, and treatment of the new data, to ensure transparency and help in troubleshooting or audits (*Responsible*)
+ Regularly evaluating the model using predefined performance metrics to ensure it meets accuracy and safety benchmarks (*Safe*)
+ Using automated monitoring tools to detect and alert on potential biased outcomes or behaviors in real-time (*Fair*)
+ Evaluating, identifying, and documenting model usage and scenarios where existing models can be reused, whether you generated them or not (*Sustainable*)
+ Setting up procedures for notification if there is inadvertent PII spillage or unintentional disclosure (*Privacy*)
+ Establishing real-time monitoring of the AI system and setting up alerts for any anomalies or disruptions (*Resilience*)
+ Detecting inaccuracies, and conducting a thorough error analysis to understand the root causes (*Accuracy*)
+ Implementing end-to-end encryption for input and output data of the AI models to minimum industry standards (*Secure*)
## Using this framework to support your audit preparation
**Note**
If you're an Amazon Bedrock or SageMaker AI customer, you can use this framework directly in Audit Manager. Make sure that you use the framework and run assessments in the AWS accounts and Regions where you run your generative AI models and applications.
If you want to encrypt your CloudWatch logs for Amazon Bedrock or SageMaker AI with your own KMS key, make sure that Audit Manager has access to that key. To do this, you can choose your customer managed key in your Audit Manager [Configuring your data encryption settings](settings-KMS.md) settings.
This framework uses the Amazon Bedrock [ListCustomModels](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_ListCustomModels.html) operation to generate evidence about your custom model usage. This API operation is currently supported in the US East (N. Virginia) and US West (Oregon) AWS Regions only. For this reason, you might not see evidence about your custom models usage in the Asia Pacific (Tokyo), Asia Pacific (Singapore), or Europe (Frankfurt) Regions.
You can use this framework to help you prepare for audits about your usage of generative AI on Amazon Bedrock and SageMaker AI. It includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to generative AI best practices. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that helps you monitor compliance with your intended policies. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the AWS generative AI Best Practices framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| AWS Generative AI Best Practices Framework v2 | 72 | 38 | 8 |
**Important**
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as control data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1AWS-Generative-AI-Best-Practices-Framework-v2](samples/AuditManager_ConfigDataSourceMappings_AWS-Generative-AI-Best-Practices-Framework-v2.zip) file.
The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with generative AI best practices. Moreover, they can't guarantee that you'll pass an audit about your generative AI usage. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Manually verifying prompts in Amazon Bedrock
You might have different sets of prompts that you need to evaluate against specific models. In this case, you can use the `InvokeModel` operation to evaluate each prompt and collect the responses as manual evidence.
### Using the `InvokeModel` operation
To get started, create a list of predefined prompts. You'll use these prompts to verify the model's responses. Make sure that your prompt list has all of the use cases that you want to evaluate. For example, you might have prompts that you can use to verify that the model responses don't disclose any personally identifiable information (PII).
After you create your list of prompts, test each one using the [InvokeModel](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_runtime_InvokeModel.html) operation that Amazon Bedrock provides. You can then collect the model's responses to these prompts, and [upload this data as manual evidence](https://docs.aws.amazon.com/audit-manager/latest/userguide/upload-evidence.html) in your Audit Manager assessment.
There are three different ways to use the `InvokeModel` operation.
**1. HTTP Request**
You can use tools like Postman to create a HTTP request call to `InvokeModel` and store the response.
Postman is developed by a third-party company. It isn't developed or supported by AWS. To learn more about using Postman, or for assistance with issues related to Postman, see the [Support center](https://www.getpostman.com/support) on the Postman website.
**2. AWS CLI**
You can use the AWS CLI to run the [invoke-model](https://docs.aws.amazon.com/cli/latest/reference/bedrock-runtime/invoke-model.html) command. For instructions and more information, see [Running inference on a model](https://docs.aws.amazon.com/bedrock/latest/userguide/api-methods-run-inference.html) in the *Amazon Bedrock User Guide.*
The following example shows how to generate text with the AWS CLI using the prompt *"story of two dogs"* and the *Anthropic Claude V2* model. The example returns up to *300* tokens in the response and saves the response to the file *invoke-model-output.txt*:
```
aws bedrock-runtime invoke-model \
--model-id anthropic.claude-v2 \
--body "{\"prompt\": \"\n\nHuman:story of two dogs\n\nAssistant:\", \"max_tokens_to_sample\" : 300}" \
--cli-binary-format raw-in-base64-out \
invoke-model-output.txt
```
**3. Automated verification**
You can use CloudWatch Synthetics canaries to monitor your model responses. With this solution, you can verify the `InvokeModel` result for a list of predefined prompts, and then use CloudWatch to monitor the model's behavior for these prompts.
To get started with this solution, you must first [create a Synthetics canary](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_Create.html). After you create a canary, you can then use the following code snippet to verify your prompt and the model’s response.
```
const invokeModel = async function () {
log.info("Starting Bedrock::Invoke.");
const prompt = "Hello";
const maxTokenCount = 512;
const stopSequences = [];
const temperature = 0.5;
const topP = 0.5;
const modelId = "amazon.titan-tg1-large";
var bedrockRuntime = new AWS.BedrockRuntime({apiVersion: "2023-09-30", region: "us-west-2"});
const param = {
body: {
"inputText": prompt,
"textGenerationConfig": {
"maxTokenCount": maxTokenCount,
"stopSequences": stopSequences,
"temperature": temperature,
"topP": topP
}
},
modelId: modelId
};
const response = await bedrockRuntime.invokeModel(param);
return "Successfully completed Bedrock::Invoke.";
};
```
Alternatively, you can also use a Lambda function to run this script. If you choose this solution, you'll need to [create a Lambda function](https://docs.aws.amazon.com/lambda/latest/dg/getting-started.html) first.
### Sample prompts
You can use these sample prompts as a starting point to test your model's responses. In the following examples, replace the *placeholder text* with your own data to reflect your specific testing use cases.
**To test for inappropriate content in model responses**
```
"Can you help me to ?"
"What do you think about ?"
"Have you been to ? The people there are "
```
**To test for PII in model responses**
```
"hi, you can reach customer service at " -> "hi, you can reach customer service at {PHONE}"
```
**To test for profanity in model responses**
```
"" -> "**** *** **** **"
"Hello, " -> "Hello, ******"
```
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [Amazon Bedrock](https://aws.amazon.com/bedrock/)
+ [Amazon Bedrock User Guide](https://docs.aws.amazon.com/bedrock/latest/userguide/what-is-service.html)
+ [Amazon SageMaker AI](https://aws.amazon.com/sagemaker/)
+ [Amazon SageMaker AI User Guide](https://docs.aws.amazon.com/sagemaker/latest/dg/whatis.html)
+ [Transform responsible AI from theory into practice](https://aws.amazon.com/machine-learning/responsible-ai)
+ [Protecting Consumers and Promoting Innovation – AI Regulation and Building Trust in Responsible AI](https://aws.amazon.com/blogs/machine-learning/protecting-consumers-and-promoting-innovation-ai-regulation-and-building-trust-in-responsible-ai/)
+ [Responsible Use of Machine Learning guide](https://d1.awsstatic.com/responsible-machine-learning/responsible-use-of-machine-learning-guide.pdf)
# AWS License Manager
AWS Audit Manager provides a prebuilt AWS License Manager framework to assist you with your audit preparation.
**Topics**
+ [
## What is AWS License Manager?
](#what-is-Licensemanager)
+ [Using this framework](#framework-Licensemanager)
+ [
## Next steps
](#next-steps-License-manager)
+ [
## Additional resources
](#resources-License-manager)
## What is AWS License Manager?
With AWS License Manager, you can manage your software licenses from various software vendors (such as Microsoft, SAP, Oracle, or IBM) centrally across AWS and on-premises environments. Having all your software licenses in one location allows for better control and visibility and potentially helps you to limit licensing overages and reduce the risk of non-compliance and misreporting issues.
The AWS License Manager framework is integrated with License Manager to aggregate license usage information based on customer defined licensing rules.
## Using this framework
You can use the *AWS License Manager* framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped according to customer defined licensing rules. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the AWS License Manager framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The AWS License Manager framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| AWS License Manager | 27 | 0 | 6 |
The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with licensing rules. Moreover, they can't guarantee that you'll pass a licensing usage audit.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
**License Manager links**
+ [AWS License Manager service page](https://aws.amazon.com/license-manager)
+ [AWS License Manager user guide](https://docs.aws.amazon.com/license-manager/latest/userguide/license-manager.html)
**License Manager APIs**
For this framework, Audit Manager uses a custom activity called `GetLicenseManagerSummary` to collect evidence. The `GetLicenseManagerSummary` activity calls the following three License Manager APIs:
1. [ListLicenseConfigurations](https://docs.aws.amazon.com/license-manager/latest/APIReference/API_ListLicenseConfigurations.html)
1. [ListAssociationsForLicenseConfiguration](https://docs.aws.amazon.com/license-manager/latest/APIReference/API_ListAssociationsForLicenseConfiguration.html)
1. [ListUsageForLicenseConfiguration](https://docs.aws.amazon.com/license-manager/latest/APIReference/API_ListUsageForLicenseConfiguration.html)
The data that’s returned is then converted into evidence and attached to the relevant controls in your assessment.
For example: Let's say that you use two licensed products (*SQL Server 2017* and *Oracle Database Enterprise Edition*). First, the `GetLicenseManagerSummary` activity calls the [ListLicenseConfigurations](https://docs.aws.amazon.com/license-manager/latest/APIReference/API_ListLicenseConfigurations.html) API, which provides details of license configurations in your account. Next, it adds additional contextual data for each license configuration by calling [ListUsageForLicenseConfiguration](https://docs.aws.amazon.com/license-manager/latest/APIReference/API_ListUsageForLicenseConfiguration.html) and [ListAssociationsForLicenseConfiguration](https://docs.aws.amazon.com/license-manager/latest/APIReference/API_ListAssociationsForLicenseConfiguration.html). Finally, it converts the license configuration data into evidence and attaches it to the respective controls in the framework (*4.5 - Customer managed license for SQL Server 2017* and *3.0.4 - Customer managed license for Oracle Database Enterprise Edition*). If you’re using a licensed product that isn’t covered by any of the controls in the framework, that license configuration data is attached as evidence to the following control: *5.0 - Customer managed license for other licenses*.
# AWS Foundational Security Best Practices
AWS Audit Manager provides a prebuilt standard framework that supports the AWS Foundational Security Best Practices.
**Topics**
+ [
## What is the AWS Foundational Security Best Practices standard?
](#what-is-aws-foundational-security-best-practices)
+ [Using this framework](#framework-aws-foundational-security-best-practices)
+ [
## Next steps
](#next-steps-aws-foundational-security-best-practices)
+ [
## Additional resources
](#resources-aws-foundational-security-best-practices)
## What is the AWS Foundational Security Best Practices standard?
The AWS Foundational Security Best Practices standard is a set of controls that detect when your deployed accounts and resources deviate from security best practices.
You can use this standard to continually evaluate all of your AWS accounts and workloads and quickly identify areas of deviation from best practices. The standard provides actionable and prescriptive guidance on how to improve and maintain your organization’s security posture.
The controls include best practices from across multiple AWS services. Each control is assigned a category that reflects the security function that it applies to. For more information, see [Control categories](https://docs.aws.amazon.com/securityhub/latest/userguide/control-categories.html) in the *AWS Security Hub CSPM User Guide*.
## Using this framework
You can use the AWS Foundational Security Best Practices framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to AWS Foundational Security Best Practices requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess resources in your AWS accounts and services. It does this based on the controls that are defined in the AWS Foundational Security Best Practices framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The AWS Foundational Security Best Practices framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| AWS Foundational Security Best Practices | 146 | 0 | 31 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with AWS Foundational Security Best Practices. Moreover, they can't guarantee that you'll pass an AWS Foundational Security Best Practices audit.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp.html) in the *AWS Security Hub CSPM User Guide*
+ [Control categories](https://docs.aws.amazon.com/securityhub/latest/userguide/control-categories.html) in the *AWS Security Hub CSPM User Guide*
# AWS Operational Best Practices
AWS Audit Manager provides a prebuilt AWS Operational Best Practices (OBP) framework to assist you with your audit preparation.
This framework offers a subset of controls from the AWS Foundational Security Best Practices standard. These controls serve as baseline checks to detect when your deployed accounts and resources deviate from security best practices.
**Topics**
+ [
## What is the AWS Foundational Security Best Practices standard?
](#what-is-OBP)
+ [Using this framework](#framework-OBP)
+ [
## Next steps
](#next-steps-OBP)
+ [
## Additional resources
](#resources-operational-best-practices)
## What is the AWS Foundational Security Best Practices standard?
You can use the *AWS Foundational Security Best Practices* standard to evaluate your accounts and workloads and quickly identify areas of deviation from best practices. The standard provides actionable and prescriptive guidance on how to improve and maintain your organization’s security posture.
The controls include best practices from across multiple AWS services. Each control is assigned a category that reflects the security function that it applies to. For more information, see [Control categories](https://docs.aws.amazon.com/securityhub/latest/userguide/control-categories.html) in the *AWS Security Hub CSPM User Guide*.
## Using this framework
You can use the *AWS Operational Best Practices* framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to AWS Operational Best Practices requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
The AWS Operational Best Practices framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| AWS Operational Best Practices | 0 | 51 | 20 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
The controls in this framework aren't intended to verify if your systems are compliant with AWS Operational Best Practices. Moreover, they can't guarantee that you'll pass an AWS Operational Best Practices audit.
This framework contains only manual controls. These manual controls don't collect evidence automatically. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp.html) in the *AWS Security Hub CSPM User Guide*
+ [Control categories](https://docs.aws.amazon.com/securityhub/latest/userguide/control-categories.html) in the *AWS Security Hub CSPM User Guide*
# AWS Well Architected Framework WAF v10
AWS Audit Manager provides a prebuilt standard framework that supports the AWS Well-Architected Framework v10.
**Topics**
+ [
## What is the AWS Well-Architected Framework?
](#what-is-well-architected)
+ [Using this framework](#framework-well-architected)
+ [
## Next steps
](#next-steps-well-architected)
+ [
## Additional resources
](#resources-aws-foundational-security-best-practices)
## What is the AWS Well-Architected Framework?
[AWS Well-Architected](https://aws.amazon.com/architecture/well-architected/) is a framework that can help you to build secure, high-performing, resilient, and efficient infrastructure for your applications and workloads. Based on six pillars—operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability—AWS Well-Architected provides a consistent approach for you and your partners to evaluate architectures and implement designs that can scale over time.
## Using this framework
You can use the AWS Well-Architected Framework to help you prepare for audits. This framework describes the key concepts, design principles, and architectural best practices for designing and running workloads in the cloud. Out of the six pillars that AWS Well-Architected is based on, the security and reliability pillars are the pillars that AWS Audit Manager offers a prebuilt framework and controls for. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the AWS Well-Architected Framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| Amazon Web Services (AWS) Well Architected Framework (WAF) v10 | 43 | 291 | 6 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1AWS-Well-Architected-Framework-WAF-v10.zip](samples/AuditManager_ConfigDataSourceMappings_AWS-Well-Architected-Framework-WAF-v10.zip) file.
The controls in this framework aren't intended to verify if your systems are compliant. Moreover, they can't guarantee that you'll pass an audit.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [AWS Well-Architected](https://aws.amazon.com/architecture/well-architected)
+ [AWS Well-Architected Framework documentation](https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html)
# CCCS Medium Cloud Control
AWS Audit Manager provides a prebuilt standard framework that supports the Canadian Centre for Cyber Security (CCCS) Medium Cloud Control.
**Topics**
+ [
## What is the CCCS?
](#what-is-cccs-medium)
+ [
## Using this framework
](#framework-cccs-medium)
+ [
## Next steps
](#next-steps-cccs-medium)
## What is the CCCS?
The CCCS is Canada’s authoritative source of cybersecurity expert guidance, services, and support. CCCS provides this expertise to Canadian governments, industry, and the general public. Their rigorous assessments of cloud service providers are relied on by Canadian public sector organizations across the country to make informed cloud procurement decisions.
The CCCS Medium Cloud Control Profile replaced the government of Canada's PROTECTED B / Medium Integrity / Medium Availability (PBMM) profile in May 2020. The CCCS Medium Cloud Security Control Profile is suitable if your organization uses public cloud services to support business activities with medium confidentiality, integrity, and availability (AIC) requirements. Workloads with medium AIC requirements mean that unauthorized disclosure, modification, or loss of access to the information or services that are used by the business activity can reasonably be expected to cause serious injury to an individual or organization or limited injury to a group of individuals. Examples of these levels of injury include the following:
+ Significant effect on annual profit
+ Loss of major accounts
+ Loss of goodwill
+ Clear compliance violation
+ Privacy violation for hundreds or thousands of people
+ Affects program performance
+ Causing mental disorder or illness
+ Sabotage
+ Damage to reputation
+ Individual financial hardship
## Using this framework
You can use the AWS Audit Manager framework for CCCS Medium Cloud Control to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to CCCS requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for a CCCS Medium Cloud Control audit. In your assessment, you can specify the AWS accounts that you want to include in the scope of your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the CCCS Medium Cloud Control framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| Canadian Centre for Cyber Security (CCCS) Medium Cloud Control | 71 | 282 | 175 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1AuditManager\$1ConfigDataSourceMappings\$1CCCS-Medium-Cloud-Control.zip](samples/AuditManager_ConfigDataSourceMappings_CCCS-Medium-Cloud-Control.zip) file.
The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with the CCCS Medium Cloud Control requirements. Moreover, they can't guarantee that you'll pass an CCCS audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
# CIS AWS Benchmark v1.2.0
AWS Audit Manager provides two prebuilt frameworks that support the Center for Internet Security (CIS) Amazon Web Services (AWS) Benchmark v1.2.0*.*
**Note**
For information about the Audit Manager frameworks that support v1.3.0, see [CIS AWS Benchmark v1.3.0](CIS-1-3.md).
For information about the Audit Manager frameworks that support v1.4.0, see [CIS AWS Benchmark v1.4.0](CIS-1-4.md).
**Topics**
+ [
## What is CIS?
](#what-is-CIS-1-2)
+ [Using this framework](#framework-CIS-1-2)
+ [
## Next steps
](#next-steps-CIS-1-2)
+ [
## Additional resources
](#resources-CIS-1-2)
## What is CIS?
The CIS is a nonprofit that developed the [CIS AWS Foundations Benchmark](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf). This benchmark serves as a set of security configuration best practices for AWS. These industry-accepted best practices go beyond the high-level security guidance already available in that they provide you with clear, step-by-step implementation and assessment procedures.
For more information, see the [CIS AWS Foundations Benchmark blog posts](https://aws.amazon.com/blogs/security/tag/cis-aws-foundations-benchmark/) on the *AWS Security Blog*.
**Difference between CIS Benchmarks and CIS Controls**
*CIS Benchmarks* are security best practice guidelines that are specific to vendor products. Ranging from operating systems to cloud services and networks devices, the settings that are applied from a benchmark protect the specific systems that your organization use. *CIS Controls* are foundational best practice guidelines for organization-level systems to follow to help protect against known cyberattack vectors.
**Examples**
+ CIS Benchmarks are prescriptive. They typically reference a specific setting that can be reviewed and set in the vendor product.
**Example:** CIS AWS Benchmark v1.2.0 - Ensure MFA is enabled for the "root user" account.
This recommendation provides prescriptive guidance on how to check for this and how to set this on the root account for the AWS environment.
+ CIS Controls are for your organization as a whole. They aren't specific to only one vendor product.
**Example:** CIS v7.1 - Use Multi-Factor Authentication for All Administrative Access
This control describes what's expected to be applied within your organization. It doesn't describe how you should apply it for the systems and workloads that you're running (regardless of where they are).
## Using this framework
You can use the CIS AWS Benchmark v1.2 frameworks in AWS Audit Manager to help you prepare for CIS audits. You can also customize these frameworks and their controls to support internal audits with specific requirements.
Using the frameworks as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the CIS framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| Center for Internet Security (CIS) Amazon Web Services (AWS) Benchmark v1.2.0, Level 1 | 33 | 3 | 4 |
| Center for Internet Security (CIS) Amazon Web Services (AWS) Benchmark v1.2.0, Level 1 and 2 | 45 | 4 | 4 |
**Important**
To ensure that these frameworks collect the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that these frameworks collect the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review a list of the AWS Config rules that are used as data source mappings for these standard frameworks, download the following files:
[AuditManager\$1ConfigDataSourceMappings\$1CIS-AWS-Benchmark-v1.2.0,-Level-1.zip](samples/AuditManager_ConfigDataSourceMappings_CIS-AWS-Benchmark-v1.2.0,-Level-1.zip)
[AuditManager\$1ConfigDataSourceMappings\$1CIS-AWS-Benchmark-v1.2.0,-Level-1-and-2.zip](samples/AuditManager_ConfigDataSourceMappings_CIS-AWS-Benchmark-v1.2.0,-Level-1-and-2.zip)
The controls in these frameworks aren't intended to verify if your systems are compliant with CIS AWS Benchmark best practices. Moreover, they can't guarantee that you'll pass a CIS audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
### Prerequisites for using these frameworks
Many controls in the CIS AWS Benchmark v1.2 frameworks use AWS Config as a data source type. To support these controls, you must [enable AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html) on all accounts in each AWS Region where you enabled Audit Manager. You must also make sure that specific AWS Config rules are enabled, and that these rules are configured correctly.
The following AWS Config rules and parameters are required to collect the correct evidence and capture an accurate compliance status for the CIS AWS Foundations Benchmark v1.2. For instructions on how to enable or configure a rule, see [Working with AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managing-aws-managed-rules.html).
| Required AWS Config rule | Required parameters |
| --- | --- |
| [ACCESS\$1KEYS\$1ROTATED](https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/CIS-1-2.html) |
| [CLOUD\$1TRAIL\$1CLOUD\$1WATCH\$1LOGS\$1ENABLED](https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-cloud-watch-logs-enabled.html) | Not applicable |
| [CLOUD\$1TRAIL\$1ENCRYPTION\$1ENABLED](https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-encryption-enabled.html) | Not applicable |
| [CLOUD\$1TRAIL\$1LOG\$1FILE\$1VALIDATION\$1ENABLED](https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-log-file-validation-enabled.html) | Not applicable |
| [CMK\$1BACKING\$1KEY\$1ROTATION\$1ENABLED](https://docs.aws.amazon.com/config/latest/developerguide/cmk-backing-key-rotation-enabled.html) | Not applicable |
| [IAM\$1PASSWORD\$1POLICY](https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/CIS-1-2.html) |
| [IAM\$1PASSWORD\$1POLICY](https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/CIS-1-2.html) |
| [IAM\$1PASSWORD\$1POLICY](https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/CIS-1-2.html) |
| [IAM\$1PASSWORD\$1POLICY](https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/CIS-1-2.html) |
| [IAM\$1PASSWORD\$1POLICY](https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/CIS-1-2.html) |
| [IAM\$1PASSWORD\$1POLICY](https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/CIS-1-2.html) |
| [IAM\$1PASSWORD\$1POLICY](https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/CIS-1-2.html) |
| [IAM\$1POLICY\$1IN\$1USE](https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-in-use.html) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/CIS-1-2.html) |
| [IAM\$1POLICY\$1NO\$1STATEMENTS\$1WITH\$1ADMIN\$1ACCESS](https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-no-statements-with-admin-access.html) | Not applicable |
| [IAM\$1ROOT\$1ACCESS\$1KEY\$1CHECK](https://docs.aws.amazon.com/config/latest/developerguide/iam-root-access-key-check.html) | Not applicable |
| [IAM\$1USER\$1NO\$1POLICIES\$1CHECK](https://docs.aws.amazon.com/config/latest/developerguide/iam-user-no-policies-check.html) | Not applicable |
| [IAM\$1USER\$1UNUSED\$1CREDENTIALS\$1CHECK](https://docs.aws.amazon.com/config/latest/developerguide/iam-user-unused-credentials-check.html) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/CIS-1-2.html) |
| [INCOMING\$1SSH\$1DISABLED](https://docs.aws.amazon.com/config/latest/developerguide/restricted-ssh.html) | Not applicable |
| [MFA\$1ENABLED\$1FOR\$1IAM\$1CONSOLE\$1ACCESS](https://docs.aws.amazon.com/config/latest/developerguide/mfa-enabled-for-iam-console-access.html) | Not applicable |
| [MULTI\$1REGION\$1CLOUD\$1TRAIL\$1ENABLED](https://docs.aws.amazon.com/config/latest/developerguide/multi-region-cloudtrail-enabled.html) | Not applicable |
| [RESTRICTED\$1INCOMING\$1TRAFFIC](https://docs.aws.amazon.com/config/latest/developerguide/restricted-common-ports.html) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/CIS-1-2.html) |
| [ROOT\$1ACCOUNT\$1HARDWARE\$1MFA\$1ENABLED](https://docs.aws.amazon.com/config/latest/developerguide/root-account-hardware-mfa-enabled.html) | Not applicable |
| [ROOT\$1ACCOUNT\$1MFA\$1ENABLED](https://docs.aws.amazon.com/config/latest/developerguide/root-account-mfa-enabled.html) | Not applicable |
| [S3\$1BUCKET\$1LOGGING\$1ENABLED](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-logging-enabled.html) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/CIS-1-2.html) |
| [S3\$1BUCKET\$1PUBLIC\$1READ\$1PROHIBITED](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-public-read-prohibited.html) | Not applicable |
| [VPC\$1DEFAULT\$1SECURITY\$1GROUP\$1CLOSED](https://docs.aws.amazon.com/config/latest/developerguide/vpc-default-security-group-closed.html) | Not applicable |
| [VPC\$1FLOW\$1LOGS\$1ENABLED](https://docs.aws.amazon.com/config/latest/developerguide/vpc-flow-logs-enabled.html) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/CIS-1-2.html) |
## Next steps
For instructions on how to view detailed information about these frameworks, including the list of standard controls that they contain, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using these frameworks, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize these frameworks to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [The CIS AWS Foundations Benchmark v1.2.0](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)
+ [CIS AWS Foundations Benchmark blog posts](https://aws.amazon.com/blogs/security/tag/cis-aws-foundations-benchmark/) on the *AWS Security Blog*
# CIS AWS Benchmark v1.3.0
AWS Audit Manager provides two prebuilt standard frameworks that support the CIS AWS Benchmark v1.3.
**Note**
For information about the Audit Manager frameworks that support v1.2.0, see [CIS AWS Benchmark v1.2.0](CIS-1-2.md).
For information about the Audit Manager frameworks that support v1.4.0, see [CIS AWS Benchmark v1.4.0](CIS-1-4.md).
**Topics**
+ [
## What is the AWS CIS Benchmark?
](#what-is-CIS-1-3)
+ [Using these frameworks](#framework-CIS-1-3)
+ [
## Next steps
](#next-steps-CIS-1-3)
+ [
## Additional resources
](#resources-CIS-1-3)
## What is the AWS CIS Benchmark?
The CIS developed the [CIS AWS Foundations Benchmark](https://www.cisecurity.org/benchmark/amazon_web_services/) v1.3.0, a set of security configuration best practices for AWS. These industry-accepted best practices go beyond the high-level security guidance already available in that they provide AWS users with clear, step-by-step implementation and assessment procedures.
For more information, see the [CIS AWS Foundations Benchmark blog posts](https://aws.amazon.com/blogs/security/tag/cis-aws-foundations-benchmark/) on the *AWS Security Blog*.
CIS AWS Benchmark v1.3.0 provides guidance for configuring security options for a subset of AWS services with an emphasis on foundational, testable, and architecture agnostic settings. Some of the specific Amazon Web Services in scope for this document include the following:
+ AWS Identity and Access Management (IAM)
+ AWS Config
+ AWS CloudTrail
+ Amazon CloudWatch
+ Amazon Simple Notification Service (Amazon SNS)
+ Amazon Simple Storage Service (Amazon S3)
+ Amazon Virtual Private Cloud (default)
**Difference between CIS Benchmarks and CIS Controls**
The *CIS Benchmarks* are security best practice guidelines that are specific to vendor products. Ranging from operating systems to cloud services and networks devices, the settings that are applied from a benchmark protect the systems that your organization uses. The *CIS Controls* are foundational best practice guidelines for your organization to follow to help protect from known cyberattack vectors.
**Examples**
+ CIS Benchmarks are prescriptive. They typically reference a specific setting that can be reviewed and set in the vendor product.
**Example:** CIS AWS Benchmark v1.3.0 - Ensure MFA is enabled for the "root user" account
This recommendation provides prescriptive guidance on how to check for this and how to set this on the root account for the AWS environment.
+ CIS Controls are for your organization as a whole, and aren't specific to only one vendor product.
**Example:** CIS v7.1 - Use Multi-Factor Authentication for All Administrative Access
This control describes what's expected to be applied within your organization, but not how you should apply it for the systems and workloads that you're running (regardless of where they are).
## Using these frameworks
You can use the CIS AWS Benchmark v1.3 frameworks in AWS Audit Manager to help you prepare for CIS audits. You can also customize these frameworks and their controls to support internal audits with specific requirements.
Using the frameworks as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the CIS framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| Center for Internet Security (CIS) Amazon Web Services (AWS) Benchmark v1.3.0, Level 1 | 32 | 5 | 5 |
| Center for Internet Security (CIS) Amazon Web Services (AWS) Benchmark v1.3.0, Level 1 and 2 | 49 | 6 | 5 |
**Important**
To ensure that these frameworks collect the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that these frameworks collect the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review a list of the AWS Config rules that are used as data source mappings for these standard frameworks, download the following files:
[ AuditManager\$1ConfigDataSourceMappings\$1CIS-AWS-Benchmark-v1.3.0,-Level-1.zip](samples/AuditManager_ConfigDataSourceMappings_CIS-AWS-Benchmark-v1.3.0,-Level-1.zip)
[ AuditManager\$1ConfigDataSourceMappings\$1CIS-AWS-Benchmark-v1.3.0,-Level-1-and-2.zip](samples/AuditManager_ConfigDataSourceMappings_CIS-AWS-Benchmark-v1.3.0,-Level-1-and-2.zip)
The controls in these frameworks aren't intended to verify if your systems are compliant with CIS AWS Benchmark best practices. Moreover, they can't guarantee that you'll pass a CIS audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about these frameworks, including the list of standard controls that they contain, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using these frameworks, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize these frameworks to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [CIS AWS Foundations Benchmark blog posts](https://aws.amazon.com/blogs/security/tag/cis-aws-foundations-benchmark/) on the *AWS Security Blog*
# CIS AWS Benchmark v1.4.0
AWS Audit Manager provides two prebuilt standard frameworks that support the Center for Internet Security (CIS) AWS Foundations Benchmark v1.4.0.
**Note**
For information about the Audit Manager frameworks that support v1.2.0, see [CIS AWS Benchmark v1.2.0](CIS-1-2.md).
For information about the Audit Manager frameworks that support v1.3.0, see [CIS AWS Benchmark v1.3.0](CIS-1-3.md).
**Topics**
+ [
## What is the CIS AWS Benchmark?
](#what-is-CIS-1-4)
+ [Using these frameworks](#framework-CIS-1-4)
+ [
## Next steps
](#next-steps-CIS-1-4)
+ [
## Additional resources
](#resources-CIS-1-4)
## What is the CIS AWS Benchmark?
The CIS AWS Benchmark v1.4.0 provides prescriptive guidance for configuring security options for a subset of Amazon Web Services. It has an emphasis on foundational, testable, and architecture agnostic settings. Some of the specific Amazon Web Services in scope for this document include the following:
+ AWS Identity and Access Management (IAM)
+ IAM Access Analyzer
+ AWS Config
+ AWS CloudTrail
+ Amazon CloudWatch
+ Amazon Simple Notification Service (Amazon SNS)
+ Amazon Simple Storage Service (Amazon S3)
+ Amazon Elastic Compute Cloud (Amazon EC2)
+ Amazon Relational Database Service (Amazon RDS)
+ Amazon Virtual Private Cloud
**Difference between CIS Benchmarks and CIS Controls**
The *CIS Benchmarks* are security best practice guidelines that are specific to vendor products. Ranging from operating systems to cloud services and networks devices, the settings that are applied from a benchmark protect the systems that are being used. The *CIS Controls* are foundational best practice guidelines for your organization to follow to help protect from known cyberattack vectors.
**Examples**
+ CIS Benchmarks are prescriptive. They typically reference a specific setting that can be reviewed and set in the vendor product.
**Example:** CIS AWS Benchmark v1.3.0 - Ensure MFA is enabled for the "root user" account
This recommendation provides prescriptive guidance on how to check for this and how to set this on the root account for the AWS environment.
+ CIS Controls are for your organization as a whole, and aren't specific to only one vendor product.
**Example:** CIS v7.1 - Use Multi-Factor Authentication for All Administrative Access
This control describes what's expected to be applied within your organization. However, it doesn't describe how to apply it for the systems and workloads that you're running, regardless of where they are.
## Using these frameworks to support your audit preparation
You can use the CIS AWS Benchmark v1.4.0 frameworks in AWS Audit Manager to help you prepare for CIS audits. You can also customize these frameworks and their controls to support internal audits with specific requirements.
Using the frameworks as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the CIS framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| Center for Internet Security (CIS) Amazon Web Services (AWS) Benchmark v1.4.0, Level 1 | 32 | 6 | 5 |
| Center for Internet Security (CIS) Amazon Web Services (AWS) Benchmark v1.4.0, Level 1 and 2 | 50 | 8 | 5 |
**Important**
To ensure that these frameworks collect the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that these frameworks collect the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review a list of the AWS Config rules that are used as data source mappings for these standard frameworks, download the following files:
[ AuditManager\$1ConfigDataSourceMappings\$1CIS-AWS-Benchmark-v1.4.0,-Level-1.zip](samples/AuditManager_ConfigDataSourceMappings_CIS-AWS-Benchmark-v1.4.0,-Level-1.zip)
[ AuditManager\$1ConfigDataSourceMappings\$1CIS-AWS-Benchmark-v1.4.0,-Level-1-and-2.zip](samples/AuditManager_ConfigDataSourceMappings_CIS-AWS-Benchmark-v1.4.0,-Level-1-and-2.zip)
The controls in these frameworks aren't intended to verify if your systems are compliant with the CIS AWS Benchmark v1.4.0. Moreover, they can't guarantee that you'll pass a CIS audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about these framework, including the list of standard controls that they contain, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using these frameworks, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize these frameworks to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [CIS Benchmarks](https://benchmarks.cisecurity.org) from the *Center for Internet Security*
+ [CIS AWS Foundations Benchmark blog posts](https://aws.amazon.com/blogs/security/tag/cis-aws-foundations-benchmark/) on the *AWS Security Blog*
# CIS Controls v7.1, IG1
AWS Audit Manager provides a prebuilt standard framework that supports Center for Internet Security (CIS) v7.1 Implementation Group 1.
**Note**
For information about CIS v8 IG1and the AWS Audit Manager framework that supports this standard, see [CIS Critical Security Controls version 8.0, IG1](CIS-controls-v8.md).
**Topics**
+ [
## What are CIS Controls?
](#what-is-CIS-controls)
+ [Using this framework](#framework-CIS-controls)
+ [
## Next steps
](#next-steps-CIS-controls)
+ [
## Additional resources
](#resources-CIS-controls)
## What are CIS Controls?
The CIS Controls are a prioritized set of actions that collectively form a defense-in-depth set of best practices. These best practices mitigate the most common attacks against systems and networks. *Implementation Group 1* is generally defined for an organization with limited resources and cybersecurity expertise that are available to implement Sub-Controls.
**Difference between CIS Controls and CIS Benchmarks**
The CIS Controls are foundational best practice guidelines that an organization can follow to have protection from known cyberattack vectors. The CIS Benchmarks are security best practice guidelines specific to vendor products. Ranging from operating systems to cloud services and network devices, the settings that are applied from a Benchmark protect the systems that are being used.
**Examples**
+ *CIS Benchmarks* are prescriptive. They typically reference a specific setting that can be reviewed and set in the vendor product.
+ **Example**: CIS AWS Benchmark v1.2.0 - Ensure MFA is enabled for the "root user" account
+ This recommendation provides prescriptive guidance on how to check for this and how to set this on the root account for the AWS environment.
+ *CIS Controls* are for your organization as a whole and aren't specific to only one vendor product.
+ **Example**: CIS v7.1 - Use Multi-Factor Authentication for All Administrative Access
+ This control describes what's expected to be applied within your organization. However, it doesn't tell you how you should apply it for the systems and workloads that you're running (regardless of where they are).
## Using this framework
You can use the *CIS Controls v7.1 IG1* framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to CIS requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the CIS Controls v7.1 IG1 framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The CIS Controls v7.1 IG1 framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| Center for Internet Security (CIS) v7.1, IG1 | 8 | 35 | 18 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1Center-for-Internet-Security-(CIS)-v7.1,-IG1.zip](samples/AuditManager_ConfigDataSourceMappings_Center-for-Internet-Security-(CIS)-v7.1,-IG1.zip) file.
The controls in this framework aren't intended to verify if your systems are compliant with CIS Controls. Moreover, they can't guarantee that you'll pass a CIS audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [CIS Controls v7.1 IG1](https://www.cisecurity.org/controls/v7-1)
# CIS Critical Security Controls version 8.0, IG1
AWS Audit Manager provides a prebuilt standard framework that supports the CIS Critical Security Controls version 8.0 , Implementation Group 1.
**Note**
For information about CIS v7.1, IG1 and the AWS Audit Manager framework that supports this standard, see [CIS Controls v7.1, IG1](CIS-controls.md).
**Topics**
+ [
## What are CIS Controls?
](#what-is-CIS-controls-v8)
+ [Using this framework](#framework-CIS-controls-v8)
+ [
## Next steps
](#next-steps-CIS-controls-v8)
+ [
## Additional resources
](#resources-CIS-controls-v8)
## What are CIS Controls?
The CIS Critical Security Controls (CIS Controls) are a prioritized set of safeguards to mitigate the most prevalent cyberattacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks. CIS Controls v8 has been enhanced to keep up with modern systems and software. Movement to cloud-based computing, virtualization, mobility, outsourcing, work-from-home, and changing attacker tactics prompted the update. This update supports the security of enterprises as they move to both fully cloud and hybrid environments.
**Difference between CIS Controls and CIS Benchmarks**
The CIS Controls are foundational best practice guidelines that an organization can follow to have protection from known cyberattack vectors. The CIS Benchmarks are security best practice guidelines specific to vendor products. Ranging from operating systems to cloud services and network devices, the settings that are applied from a Benchmark protect the systems that are being used.
**Examples**
+ *CIS Benchmarks* are prescriptive. They typically reference a specific setting that can be reviewed and set in the vendor product.
+ **Example**: CIS AWS Benchmark v1.2.0 - Ensure MFA is enabled for the "root user" account
+ This recommendation provides prescriptive guidance on how to check for this and how to set this on the root account for the AWS environment.
+ *CIS Controls* are for your organization as a whole and aren't specific to only one vendor product.
+ **Example**: CIS v7.1 - Use Multi-Factor Authentication for All Administrative Access
+ This control describes what's expected to be applied within your organization. However, it doesn't tell you how you should apply it for the systems and workloads that you're running (regardless of where they are).
## Using this framework
You can use the CIS v8 IG1 framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to CIS requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the CIS v8 framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| CIS Critical Security Controls version 8.0 (CIS v8.0), IG1 | 11 | 45 | 15 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1CIS-Critical-Security-Controls-version-8.0-(CIS-v8.0),-IG1.zip](samples/AuditManager_ConfigDataSourceMappings_CIS-Critical-Security-Controls-version-8.0-(CIS-v8.0),-IG1.zip) file.
The controls in this framework aren't intended to verify if your systems are compliant with CIS Controls. Moreover, they can't guarantee that you'll pass a CIS audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [CIS Controls v8](https://www.cisecurity.org/controls/v8/)
# FedRAMP Security Baseline Controls r4
AWS Audit Manager provides a prebuilt standard framework that supports the Federal Risk And Authorization Management Program (FedRAMP) Security Baseline Controls r4.
**Topics**
+ [
## What is FedRAMP?
](#what-is-fedramp-moderate)
+ [Using this framework](#framework-fedramp-moderate)
+ [
## Next steps
](#next-steps-fedramp-moderate)
+ [
## Additional resources
](#resources-fedramp-moderate)
## What is FedRAMP?
FedRAMP was established in 2011. It provides a cost-effective, risk-based approach for the adoption and use of cloud services by the U.S. federal government. FedRAMP empowers federal agencies to use modern cloud technologies, with an emphasis on the security and protection of federal information.
For more information about the FedRAMP moderate baseline controls, see the [FedRAMP Moderate Security Test Case Procedures Template](https://www.fedramp.gov/assets/resources/templates/SAP-Appendix-A-FedRAMP-Moderate-Security-Test-Case-Procedures-Template.xlsx).
## Using this framework
You can use the FedRAMP r4 framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to FedRAMP r4 requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The FedRAMP Moderate Baseline framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| Federal Risk And Authorization Management Program (FedRAMP) Security Baseline Controls r4, Moderate | 36 | 289 | 17 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1FedRAMP-Security-Baseline-Controls-r4-Moderate.zip](samples/AuditManager_ConfigDataSourceMappings_FedRAMP-Security-Baseline-Controls-r4-Moderate.zip) file.
The controls in this framework aren't intended to verify if your systems are compliant with FedRAMP r4. Moreover, they can't guarantee that you'll pass a FedRAMP audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [AWS Compliance page for FedRAMP](https://aws.amazon.com/compliance/fedramp)
+ [AWS FedRAMP blog posts](https://aws.amazon.com/blogs/security/tag/fedramp)
# GDPR 2016
AWS Audit Manager provides a prebuilt standard framework that supports the General Data Protection Regulation (GDPR) 2016.
This framework contains only manual controls. These manual controls don't collect evidence automatically. However, if you want to automate evidence collection for some controls under GDPR, you can use the custom control feature in Audit Manager. For more information, see [Using this framework](#framework-GDPR).
**Topics**
+ [
## What is the GDPR?
](#what-is-GDPR)
+ [Using this framework](#framework-GDPR)
+ [
## Next steps
](#next-steps-GDPR)
+ [
## Additional resources
](#resources-GDPR)
## What is the GDPR?
The GDPR is a European privacy law that became enforceable on May 25, 2018. The GDPR replaces the EU Data Protection Directive, also known as [Directive 95/46/EC](http://en.wikipedia.org/wiki/Data_Protection_Directive). It's intended to harmonize data protection laws throughout the European Union (EU). It does this by applying a single data protection law that's binding throughout each EU member state.
The GDPR applies to all organizations that are established in the EU and to organizations (no matter whether they were established in the EU) that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information that relates to an identified or identifiable natural person.
You can find the GDPR framework in the framework library page of Audit Manager. For more information, see the [General Data Protection Regulation (GDPR) Center](https://aws.amazon.com/compliance/gdpr-center/).
## Using this framework
You can use the GDPR 2016 framework in Audit Manager to help you prepare for audits.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| General Data Protection Regulation (GDPR) 2016 | 0 | 378 | 10 |
This standard framework contains manual controls only.
**Note**
If you want to automate evidence collection for GDPR, you can use Audit Manager to [create your own custom controls](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) for GDPR. The following table provides recommendations on the AWS data sources that you can map to GDPR requirements in your custom controls. Although some of the following data sources are mapped to multiple controls, keep in mind that you're charged only once for each resource assessment.
The following recommendations use AWS Config and AWS Security Hub CSPM as data sources. To successfully collect evidence from these data sources, make sure that you followed the instructions to [enable and set up AWS Config and AWS Security Hub CSPM](https://docs.aws.amazon.com/audit-manager/latest/userguide/setup-recommendations.html) in your AWS account. After you've set up both services in this way, Audit Manager collects evidence each time an evaluation occurs for the specified AWS Config rule or Security Hub CSPM control.
| Control name | Control set | Recommended control data source mapping |
| --- | --- | --- |
| Article 25 Data protection by design and by default.1 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources: Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)Choose AWS Security Hub CSPM as the data source type, and select the following Security Hub controls as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 25 Data protection by design and by default.2 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)Choose AWS Security Hub CSPM as the data source type, and select the following Security Hub controls as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 25 Data protection by design and by default.3 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)Choose AWS Security Hub CSPM as the data source type, and select the following Security Hub controls as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 30 Records of processing activities.1 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)Choose AWS Security Hub CSPM as the data source type, and select the following Security Hub control as a data source mapping:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 30 Records of processing activities.2 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)Choose AWS Security Hub CSPM as the data source type, and select the following Security Hub control as a data source mapping:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 30 Records of processing activities.3 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)Choose AWS Security Hub CSPM as the data source type, and select the following Security Hub control as a data source mapping:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 30 Records of processing activities.4 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)Choose AWS Security Hub CSPM as the data source type, and select the following Security Hub control as a data source mapping:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 30 Records of processing activities.5 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)Choose AWS Security Hub CSPM as the data source type, and select the following Security Hub control as a data source mapping:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 32 Security of processing.1 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 32 Security of processing.2 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 32 Security of processing.3 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 32 Security of processing.4 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
After you create your new custom controls for GDPR, you can add them to a custom GDPR framework. You can then create an assessment from the custom GDPR framework. This way, Audit Manager can collect evidence automatically for the custom controls that you added.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [General Data Protection Regulation (GDPR) Center](https://aws.amazon.com/compliance/gdpr-center/)
+ [AWS GDPR blog posts](https://aws.amazon.com/blogs/security/tag/gdpr/)
# Gramm-Leach-Bliley Act
AWS Audit Manager provides a prebuilt framework that supports the Gramm-Leach-Bliley Act (GLBA).
**Topics**
+ [
## What is the GLBA?
](#what-is-the-gramm-leach-bliley-act)
+ [Using this framework](#framework-gramm-leach-bliley-act)
+ [
## Next steps
](#next-steps-glba)
## What is the GLBA?
The GLBA (or the GLB Act), also known as the Financial Service Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals. The Act consists of three sections. The first is the Financial Privacy Rule, which regulates the collection and disclosure of private financial information. The second is the Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information. The third is the Pretexting provisions, which prohibit the practice of pretexting (accessing private information using false pretenses). The Act also requires financial institutions to give customers written privacy notices that explain their information-sharing practices.
## Using this framework
You can use the GLBA 2016 framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to GLBA requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the GLBA framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for a GLBA audit. In your assessment, you can specify the AWS accounts that you want to include in the scope of your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the GLBA framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| Gramm-Leach-Bliley Act (GLBA) | 0 | 120 | 16 |
The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with the GLBA standard. Moreover, they can't guarantee that you'll pass a GLBA audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
# Title 21 CFR Part 11
AWS Audit Manager provides a prebuilt standard framework that supports Title 21 of the Code of Federal Regulations (CFR) Part 11, Electronic records; Electronic Signatures - Scope and Application 24 May 2023.
**Topics**
+ [
## What is Title 21 of the CFR Part 11?
](#what-is-GxP)
+ [Using this framework](#framework-GxP)
+ [
## Next steps
](#next-steps-GxP)
+ [
## Additional resources
](#resources-gxp-21-cfr-part-11)
## What is Title 21 of the CFR Part 11?
GxP refers to the regulations and guidelines that are applicable to life sciences organizations that make food and medical products. Medical products that fall under this include medicines, medical devices, and medical software applications. The overall intent of GxP requirements is to ensure that food and medical products are safe for consumers. It's also to ensure the integrity of data that's used to make product-related safety decisions.
In the United States, GxP regulations are enforced by the US Food and Drug Administration (FDA), and are contained in Title 21 of the Code of Federal Regulations (21 CFR). Within 21 CFR, Part 11 contains the requirements for computer systems that create, modify, maintain, archive, retrieve, or distribute electronic records and electronic signatures in support of GxP-regulated activities. Part 11 was created to permit the adoption of new information technologies by FDA-regulated life sciences organizations, while simultaneously providing a framework to ensure that the electronic GxP data is trustworthy and reliable.
For a comprehensive approach to using the AWS Cloud for GxP systems, see the [Considerations for Using AWS Products in GxP Systems](https://d1.awsstatic.com/whitepapers/compliance/Using_AWS_in_GxP_Systems.pdf) whitepaper.
## Using this framework
You can use the Title 21 CFR Part 11 framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to CFR requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the Title 21 CFR Part 11 framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| Title 21 Code of Federal Regulations (CFR) Part 11, Electronic records; Electronic Signatures - Scope and Application 24 May 2023 | 6 | 19 | 2 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1Title-21-CFR-Part-11.zip](samples/AuditManager_ConfigDataSourceMappings_Title-21-CFR-Part-11.zip) file.
The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with GxP regulations. Moreover, they can't guarantee that you'll pass an audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [AWS Compliance page for GxP](https://aws.amazon.com/compliance/gxp-part-11-annex-11/)
+ [Considerations for Using AWS Products in GxP Systems](https://d1.awsstatic.com/whitepapers/compliance/Using_AWS_in_GxP_Systems.pdf)
# EU GMP Annex 11, v1
AWS Audit Manager provides a prebuilt framework that supports the EudraLex - The Rules Governing Medicinal Products in the European Union (EU) - Volume 4: Good Manufacturing Practice (GMP) Medicinal Products for Human and Veterinary Use - Annex 11.
**Topics**
+ [
## What is the EU GMP Annex 11?
](#what-is-GxP-EU-Annex-11)
+ [Using this framework](#framework-GxP-EU-Annex-11)
+ [
## Next steps
](#next-steps-GxP-EU-Annex-11)
## What is the EU GMP Annex 11?
The EU GMP Annex 11 framework is the European equivalent to the Title 21 CFR part 11 framework in the United States. This annex applies to all forms of computerized systems that are used as part of Good Manufacturing Practices (GMP) regulated activities. A computerized system is a set of software and hardware components that together fulfill certain functionalities. The application should be validated and IT infrastructure should be qualified. Where a computerized system replaces a manual operation, there should be no resultant decrease in product quality, process control, or quality assurance. There should be no increase in the overall risk of the process.
Annex 11 is part of the European GMP guidelines and defines the terms of reference for computerized systems that are used by organizations in the pharmaceutical industry. Annex 11 functions as a checklist that enables the European regulatory agencies to establish the requirements for computerized systems that relate to pharmaceutical products and medical devices. The guidelines set by the Commission of the European Committees aren't that much distant from the FDA (Title 21 CFR Part 11). Annex 11 defines the criteria for how electronic records and electronic signatures are considered to be managed.
## Using this framework
You can use the EU GMP Annex 11 framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to EU GMP requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the EU GMP Annex 11 framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| EudraLex - The Rules Governing Medicinal Products in the European Union (EU) - Volume 4: Good Manufacturing Practice (GMP) Medicinal Products for Human and Veterinary Use - Annex 11 | 0 | 32 | 3 |
**Important**
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1EudraLex-GMP-Volume-4-Annex-11.zip](samples/AuditManager_ConfigDataSourceMappings_EudraLex-GMP-Volume-4-Annex-11.zip) file.
The controls in this framework aren't intended to verify if your systems are compliant with the EU GMP Annex 11 requirements. Moreover, they can't guarantee that you'll pass a EU GMP audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
# HIPAA Security Rule: Feb 2003
AWS Audit Manager provides a prebuilt standard framework that supports the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: Feb 2003.
**Note**
For information about the HIPAA Final Omnibus Security Rule 2013 and the Audit Manager framework that supports this standard, see [HIPAA Omnibus Final Rule](HIPAA-omnibus-rule.md).
**Topics**
+ [
## What is HIPAA and the HIPAA Security Rule 2003?
](#what-is-HIPAA)
+ [Using this framework](#framework-HIPAA)
+ [
## Next steps
](#next-steps-HIPAA)
+ [
## Additional resources
](#resources-HIPAA)
## What is HIPAA and the HIPAA Security Rule 2003?
HIPAA is legislation that helps US workers to retain health insurance coverage when they change or lose jobs. The legislation also seeks to encourage electronic health records to improve the efficiency and quality of the US healthcare system through improved information sharing.
Along with increasing the use of electronic medical records, HIPAA includes provisions to protect the security and privacy of protected health information (PHI). PHI includes a very wide set of personally identifiable health and health-related data. This includes insurance and billing information, diagnosis data, clinical care data, and lab results such as images and test results.
The U.S. Department of Health and Human Services published a final [Security Rule](https://www.hhs.gov/hipaa/for-professionals/security/index.html) in February 2003. This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information.
HIPAA rules apply to covered entities. These include hospitals, medical services providers, employer-sponsored health plans, research facilities, and insurance companies that deal directly with patients and patient data. The HIPAA requirement to protect PHI also extends to business associates.
For more information about how HIPAA and HITECH protect health information, see the [Health Information Privacy](https://www.hhs.gov/hipaa/for-professionals/index.html) webpage from the U.S. Department of Health and Human Services.
A growing number of healthcare providers, payers, and IT professionals are using AWS utility-based cloud services to process, store, and transmit protected health information (PHI). AWS enables covered entities and their business associates subject to HIPAA to use the secure AWS environment to process, maintain, and store protected health information.
For instructions on how you can use AWS for the processing and storage of health information, see the [Architecting for HIPAA Security and Compliance on Amazon Web Services](https://d1.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf) whitepaper.
## Using this framework
You can use the *HIPAA Security Rule 2003* framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to HIPAA requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the HIPAA framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| Health Insurance Portability and Accountability Act (HIPAA) Security Rule: Feb 2003 | 24 | 61 | 5 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1HIPAA-Security-Rule-Feb-2003.zip](samples/AuditManager_ConfigDataSourceMappings_HIPAA-Security-Rule-Feb-2003.zip) file.
The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with the HIPAA standard. Moreover, they can't guarantee that you'll pass a HIPAA audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [Health Information Privacy](https://www.hhs.gov/hipaa/for-professionals/index.html) from the U.S. Department of Health and Human Service
+ [The Security Rule](https://www.hhs.gov/hipaa/for-professionals/security/index.html) from the U.S. Department of Health and Human Service
+ [Architecting for HIPAA Security and Compliance on Amazon Web Services](https://d1.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf)
+ [AWS Compliance page for HIPAA](https://aws.amazon.com/compliance/hipaa-compliance/)
# HIPAA Omnibus Final Rule
AWS Audit Manager provides a prebuilt standard framework that supports the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule.
**Note**
For information about the HIPAA Security Rule 2003 and the AWS Audit Manager framework that supports this standard, see [HIPAA Security Rule: Feb 2003](HIPAA.md).
**Topics**
+ [
## What is HIPAA and the HIPAA Final Omnibus Security Rule?
](#what-is-HIPAA-omnibus-rule)
+ [Using this framework](#framework-HIPAA)
+ [
## Next steps
](#next-steps-HIPAA-omnibus-rule)
+ [
## Additional resources
](#resources-HIPAA-omnibus-rule)
## What is HIPAA and the HIPAA Final Omnibus Security Rule?
HIPAA is legislation that helps US workers to retain health insurance coverage when they change or lose jobs. The legislation also seeks to encourage electronic health records to improve the efficiency and quality of the US healthcare system through improved information sharing.
Along with increasing the use of electronic medical records, HIPAA includes provisions to protect the security and privacy of protected health information (PHI). PHI includes a very wide set of personally identifiable health and health-related data. This includes insurance and billing information, diagnosis data, clinical care data, and lab results such as images and test results.
The HIPAA Final Omnibus Security Rule, which became effective in 2013, implements a number of updates to all of the previously passed rules. The modifications to the Security, Privacy, Breach Notification, and Enforcement Rules were intended to enhance confidentiality and security in data sharing.
HIPAA rules apply to covered entities. These include hospitals, medical services providers, employer-sponsored health plans, research facilities, and insurance companies that deal directly with patients and patient data. As part of the omnibus updates, many of the HIPAA rules that apply to covered entities also now apply to business associates.
For more information about how HIPAA and HITECH protect health information, see the [Health Information Privacy](https://www.hhs.gov/hipaa/for-professionals/index.html) webpage from the U.S. Department of Health and Human Services.
A growing number of healthcare providers, payers, and IT professionals are using AWS utility-based cloud services to process, store, and transmit protected health information (PHI). AWS enables covered entities and their business associates subject to HIPAA to use the secure AWS environment to process, maintain, and store protected health information. For instructions on how you can use AWS for the processing and storage of health information, see the [Architecting for HIPAA Security and Compliance on Amazon Web Services](https://d1.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf) whitepaper.
## Using this framework
You can use the HIPAA Omnibus Final Rule framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to HIPAA requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the HIPAA framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule | 21 | 53 | 5 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1HIPAA-Omnibus-Final-Rule.zip](samples/AuditManager_ConfigDataSourceMappings_HIPAA-Omnibus-Final-Rule.zip) file.
The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with the HIPAA standard. Moreover, they can't guarantee that you'll pass a HIPAA audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [Health Information Privacy](https://www.hhs.gov/hipaa/for-professionals/index.html) from the U.S. Department of Health and Human Service
+ [Omnibus HIPAA Rulemaking](https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/omnibus-hipaa-rulemaking/index.html) from the U.S. Department of Health and Human Service
+ [Architecting for HIPAA Security and Compliance on Amazon Web Services](https://d1.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf)
+ [AWS Compliance page for HIPAA](https://aws.amazon.com/compliance/hipaa-compliance/)
# ISO/IEC 27001:2013 Annex A
AWS Audit Manager provides a prebuilt standard framework that supports the International Organization for standardization (ISO)/International Electrotechnical Commission (IEC) 27001:2013 Annex A.
**Topics**
+ [
## What is ISO/IEC 27001:2013 Annex A?
](#what-is-iso-27001-2013)
+ [
## Using this framework
](#framework-iso-27001-2013)
+ [
## Next steps
](#next-steps-iso-27001-2013)
+ [
## Additional resources
](#resources-iso-27001-2013-moderate)
## What is ISO/IEC 27001:2013 Annex A?
The International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO) are both independent, non-governmental, not-for-profit organizations that develop and publish fully consensus-based international standards.
ISO/IEC 27001:2013 Annex A is a security management standard that specifies security management best practices and comprehensive security controls that follow the ISO/IEC 27002 best practice guidance. This international standard specifies the requirements on how to establish, implement, maintain, and continually improve an information security management system at your organization. Included among these standards are requirements on the assessment and treatment of information security risks that are tailored to the needs of your organization. The requirements in this international standard are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
## Using this framework
You can use the AWS Audit Manager framework for ISO/IEC 27001:2013 Annex A to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to ISO/IEC 27001:2013 Annex A requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for an ISO/IEC 27001:2013 Annex A audit. In your assessment, you can specify the AWS accounts that you want to include in the scope of your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the ISO/IEC 27001:2013 Annex A framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| International Organization for standardization (ISO)/International Electrotechnical Commission (IEC) 27001:2013 Annex A | 21 | 93 | 35 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1ISO-IEC-270012013-Annex-A.zip](samples/AuditManager_ConfigDataSourceMappings_ISO-IEC-270012013-Annex-A.zip) file.
The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with this international standard. Moreover, they can't guarantee that you'll pass an ISO/IEC audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ For more information about this international standard, see [ISO/IEC 27001:2013](https://webstore.ansi.org/Standards/ISO/ISOIEC270012013) on the ANSI Webstore.
# NIST SP 800-53 Rev 5
AWS Audit Manager provides a prebuilt framework that supports the NIST 800-53 Rev 5: Security and Privacy Controls for Information Systems and Organizations.
**Note**
For information about the Audit Manager framework that supports NIST SP 800-171, see [NIST SP 800-171 Rev 2](NIST-800-171-r2-1.1.md).
For information about the Audit Manager framework that supports NIST CSF, see [NIST Cybersecurity Framework v1.1](NIST-Cybersecurity-Framework-v1-1.md).
**Topics**
+ [
## What is NIST SP 800-53?
](#what-is-NIST800-53r5)
+ [Using this framework](#framework-NIST800-53r5)
+ [
## Next steps
](#next-steps-NIST800-53r5)
+ [
## Additional resources
](#resources-NIST800-53r5)
## What is NIST SP 800-53?
The [National Institute of Standards and Technology (NIST)](https://www.nist.gov/) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the oldest physical science laboratories in the United States. The U.S. Congress established the agency to improve what was at the time a second-rate measurement infrastructure. The infrastructure was a major challenge to U.S. industrial competitiveness, having lagged behind other economic powers such as the U.K. and Germany.
The NIST SP 800-53 security controls are generally applicable to U.S. federal information systems. These are typically systems that must go through a formal assessment and authorization process. This process ensures sufficient protection of confidentiality, integrity, and availability of information and information systems. This is based on the security category and impact level of the system (low, moderate, or high) as well as a risk determination. Security controls are selected from the NIST SP 800-53 security control catalog, and the system is assessed against those security control requirements.
The NIST SP 800-53 framework represents the security controls and the associated assessment procedures that are defined in NIST SP 800-53 Revision 5 Recommended Security Controls for Federal Information Systems and Organizations. For any discrepancies that are noted in the content between this NIST SP 800-53 framework and the latest published NIST Special Publication SP 800-53 Revision 5, refer to the official published documents that are available at the [NIST Computer Security Resource Center](http://csrc.nist.gov).
## Using this framework
You can use the NIST SP 800-53 framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to NIST requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the NIST SP 800-53 framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| NIST 800-53 Rev 5: Security and Privacy Controls for Information Systems and Organizations | 132 | 875 | 20 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1NIST-800-53-Rev-5.zip](samples/AuditManager_ConfigDataSourceMappings_NIST-800-53-Rev-5.zip) file.
The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with the NIST standard. Moreover, they can't guarantee that you'll pass a NIST audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [National Institute of Standards and Technology (NIST)](https://www.nist.gov/)
+ [NIST Computer Security Resource Center](http://csrc.nist.gov)
+ [AWS Compliance page for NIST](https://aws.amazon.com/compliance/nist/)
# NIST Cybersecurity Framework v1.1
AWS Audit Manager provides a prebuilt framework that supports the NIST Cybersecurity Framework (CSF) v1.1.
**Note**
For information about the Audit Manager framework that supports NIST SP 800-53, see [NIST SP 800-53 Rev 5](NIST800-53r5.md).
For information about the Audit Manager framework that supports NIST SP 800-171, see [NIST SP 800-171 Rev 2](NIST-800-171-r2-1.1.md).
**Topics**
+ [
## What is the NIST Cybersecurity Framework?
](#what-is-NIST-Cybersecurity-Framework-v1-1)
+ [Using this framework](#framework-NIST-Cybersecurity-Framework-v1-1)
+ [
## Next steps
](#next-steps-NIST-Cybersecurity-Framework-v1-1)
+ [
## Additional resources
](#resources-NIST-Cybersecurity-Framework-v1-1)
## What is the NIST Cybersecurity Framework?
The [National Institute of Standards and Technology (NIST)](https://www.nist.gov/) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the oldest physical science laboratories in the United States. The U.S. Congress established the agency to improve what was at the time a second-rate measurement infrastructure. The infrastructure was a major challenge to U.S. industrial competitiveness, having lagged behind other economic powers like the U.K. and Germany.
The United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and interconnectedness of critical infrastructure systems. They put the security, economy, and public safety and health of the United States at risk. Similar to financial and reputational risks, cybersecurity risk affects a company’s bottom line. It can drive up costs and affect revenue. It can harm an organization’s ability to innovate and to gain and maintain customers. Ultimately, cybersecurity can amplify the overall risk management of an organization.
The NIST Cybersecurity Framework (CSF) is supported by governments and industries worldwide as a recommended baseline for use by any organization, regardless of sector or size. The NIST Cybersecurity Framework consists of three primary components: the framework core, the profiles, and the implementation tiers. The framework core contains desired cybersecurity activities and outcomes organized into 23 categories that cover the breadth of cybersecurity objectives for an organization. The profiles contain an organization's unique alignment of their organizational requirements and objectives, risk appetite, and resources using the desired outcomes of the framework core. The implementation tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the framework core.
## Using this framework
You can use the NIST CSF v1.1 to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to NIST CSF requirements. Audit Manager currently supports the framework core component. Audit Manager doesn't support the profile and implementation components in this framework.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the NIST CSF When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| NIST Cybersecurity Framework (CSF) v1.1 | 14 | 94 | 22 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1NIST-CSF-v1.1.zip](samples/AuditManager_ConfigDataSourceMappings_NIST-CSF-v1.1.zip) file.
The controls that are offered by Audit Manager aren't intended to verify if your systems are compliant with the NIST CSF. Moreover, they can't guarantee that you'll pass a NIST audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [National Institute of Standards and Technology (NIST)](https://www.nist.gov/)
+ [NIST Computer Security Resource Center](http://csrc.nist.gov)
+ [AWS Compliance page for NIST](https://aws.amazon.com/compliance/nist/)
+ [NIST Cybersecurity Framework - Aligning to the NIST CSF in the AWS Cloud ](https://d1.awsstatic.com/whitepapers/compliance/NIST_Cybersecurity_Framework_CSF.pdf)
# NIST SP 800-171 Rev 2
AWS Audit Manager provides a prebuilt standard framework that supports NIST 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
**Note**
For information about the Audit Manager framework that supports NIST SP 800-53, see [NIST SP 800-53 Rev 5](NIST800-53r5.md).
For information about the Audit Manager framework that supports NIST CSF, see [NIST Cybersecurity Framework v1.1](NIST-Cybersecurity-Framework-v1-1.md).
**Topics**
+ [
## What is NIST SP 800-171?
](#what-is-NIST800-171)
+ [Using this framework](#framework-NIST-800-171-r2-1.1)
+ [
## Next steps
](#next-steps-NIST-800-171-r2-1.1)
+ [
## Additional resources
](#resources-NIST-800-171-r2-1.1)
## What is NIST SP 800-171?
NIST SP 800-171 focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations. It recommends specific security requirements to achieve that objective. NIST 800-171 is a publication that outlines the required security standards and practices for nonfederal organizations that handle CUI on their networks. It was first published in June 2015 by the [National Institute of Standards and Technology (NIST)](https://www.nist.gov/). NIST is a U.S. government agency that released several standards and publications to strengthen cybersecurity resilience in the public and private sectors. NIST SP 800-171 has received regular updates in line with emerging cyber threats and changing technologies. The latest version (revision 2) was released in February 2020.
The cybersecurity controls within NIST SP 800-171 safeguard CUI in the IT networks of government contractors and subcontractors. It defines the practices and procedures that government contractors must adhere to when their networks process or store CUI. NIST SP 800-171 only applies to those parts of a contractor’s network where CUI is present.
## Using this framework
You can use the NIST SP 800-171 framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to NIST requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the NIST SP 800-171 framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| NIST 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | 35 | 75 | 14 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1NIST-800-171-Rev-2.zip](samples/AuditManager_ConfigDataSourceMappings_NIST-800-171-Rev-2.zip) file.
The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with NIST 800-171. Moreover, they can't guarantee that you'll pass a NIST audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [National Institute of Standards and Technology (NIST)](https://www.nist.gov/)
+ [NIST Computer Security Resource Center](http://csrc.nist.gov)
+ [AWS Compliance page for NIST](https://aws.amazon.com/compliance/nist/)
# PCI DSS V3.2.1
AWS Audit Manager provides a prebuilt standard framework that supports the Payment Card Industry Data Security Standard (PCI DSS) v3.2.1.
**Note**
For information about PCI DSS v4 and the Audit Manager framework that supports it, see [PCI DSS V4.0](pci-v4.md).
**Topics**
+ [
## What is PCI DSS?
](#what-is-PCI)
+ [Using this framework](#framework-PCI)
+ [
## Next steps
](#next-steps-PCI)
+ [
## Additional resources
](#resources-PCI-DSS)
## What is PCI DSS?
PCI DSS is a proprietary information security standard. It's administered by the [PCI Security Standards Council](https://www.pcisecuritystandards.org/), which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. PCI DSS applies to entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD). This includes, but isn't limited to, merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.
AWS is certified as a PCI DSS Level 1 Service Provider, which is the highest level of assessment available. The compliance assessment was conducted by Coalfire Systems Inc., an independent Qualified Security Assessor (QSA). The PCI DSS Attestation of Compliance (AOC) and Responsibility Summary are available to you through AWS Artifact. This is a self-service portal for on-demand access to AWS compliance reports. Sign in to [AWS Artifact in the AWS Management Console](https://console.aws.amazon.com/artifact), or learn more at [Getting Started with AWS Artifact](https://aws.amazon.com/artifact/getting-started/).
You can download the PCI DSS standard from the [PCI Security Standards Council Document Library](https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss).
## Using this framework to support your audit preparation
You can use the *PCI DSS V3.2.1* framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to PCI DSS requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the PCI DSS V3.2.1 framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 | 38 | 246 | 15 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1PCI-DSS-v3.2.1.zip](samples/AuditManager_ConfigDataSourceMappings_PCI-DSS-v3.2.1.zip) file.
The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with the PCI DSS standard. Moreover, they can't guarantee that you'll pass a PCI DSS audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [PCI Security Standards Council](https://www.pcisecuritystandards.org/)
+ [PCI Security Standards Council Document Library](https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss).
+ [AWS Compliance page for PCI DSS](https://aws.amazon.com/compliance/pci-dss-level-1-faqs/)
# PCI DSS V4.0
AWS Audit Manager provides a prebuilt framework that supports the Payment Card Industry Data Security Standard (PCI DSS) v4.0.
**Note**
For information about PCI DSS v3.2.1 and the Audit Manager framework that supports it, see [PCI DSS V3.2.1](PCI.md).
**Topics**
+ [
## What is PCI DSS?
](#what-is-PCI-v4)
+ [Using this framework](#framework-PCI-v4)
+ [
## Next steps
](#next-steps-PCI-v4)
+ [
## Additional resources
](#resources-PCI-v4)
## What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements for protecting payment data. PCI DSS v4.0 is the next evolution of the standard.
PCI DSS was developed to encourage and enhance payment card account data security. It also facilitates the broad adoption of consistent data security measures globally. It provides a baseline of technical and operational requirements that are designed to protect account data. Although it’s specifically designed to focus on environments with payment card account data, you can also use PCI DSS to protect against threats and secure other elements in the payment ecosystem.
The PCI Security Standards Council (PCI SSC) introduced many changes between PCI DSS v3.2.1 and v4.0. These updates are broken into three categories:
1. **Evolving requirement** – Changes to ensure that the standard is up to date with emerging threats and technologies, and changes in the payment industry. Examples include new or modified requirements or testing procedures, or the removal of a requirement.
1. **Clarification or guidance** – Updates to wording, explanation, definition, additional guidance, or instruction to increase understanding or provide further information or guidance on a particular topic.
1. **Structure or format** – Reorganization of content, including combining, separating, and renumbering of requirements to align content.
## Using this framework to support your audit preparation
**Note**
This standard framework uses consolidated controls from Security Hub CSPM as a data source. To successfully collect evidence from consolidated controls, make sure that you [turned on the consolidated control findings setting in Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-findings-create-update.html#turn-on-consolidated-control-findings). For more information about using Security Hub as a data source type, see [AWS Security Hub CSPM controls supported by AWS Audit Manager](https://docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-ash.html).
You can use the PCI DSS V4.0 framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to PCI DSS V4.0 requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the PCI DSS V4.0 framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| Payment Card Industry Data Security Standard (PCI DSS) v4.0 | 40 | 240 | 15 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1PCI-DSS-v4.0.zip](samples/AuditManager_ConfigDataSourceMappings_PCI-DSS-v4.0.zip) file.
The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with the PCI DSS standard. Moreover, they can't guarantee that you'll pass a PCI DSS audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [PCI DSS v4.0 Resource Hub](https://blog.pcisecuritystandards.org/pci-dss-v4-0-resource-hub)
+ [PCI Security Standards Council](https://www.pcisecuritystandards.org/)
+ [PCI Security Standards Council Document Library](https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss).
+ [AWS Compliance page for PCI DSS](https://aws.amazon.com/compliance/pci-dss-level-1-faqs/)
+ [Payment Card Industry Data Security Standard (PCI DSS) v4.0 on AWS Compliance Guide](https://d1.awsstatic.com/whitepapers/compliance/pci-dss-compliance-on-aws-v4-102023.pdf)
# SSAE-18 SOC 2
AWS Audit Manager provides a prebuilt standard framework that supports the Statement on Standards for Attestations Engagement (SSAE) No. 18, Service Organizations Controls (SOC) Report 2.
**Topics**
+ [
## What is SOC 2?
](#what-is-SOC2)
+ [Using this framework](#framework-SOC2)
+ [
## Next steps
](#next-steps-SOC2)
+ [
## Additional resources
](#resources-SOC2)
## What is SOC 2?
**SOC 2, defined by the [American Institute of Certified Public Accountants](https://en.wikipedia.org/wiki/American_Institute_of_Certified_Public_Accountants) (AICPA), is the name of a set of reports that's produced during an audit. It's intended for use by service organizations (organizations that provide information systems as a service to other organizations) to issue validated reports of [internal controls](https://en.wikipedia.org/wiki/Internal_controls) over those information systems to the users of those services. The reports focus on controls grouped into five categories known as *Trust Service Principles*.
AWS SOC reports are independent third-party examination reports that demonstrate how AWS achieves key compliance controls and objectives. The purpose of these reports is to help you and your auditors understand the AWS controls established to support operations and compliance. There are five AWS SOC reports:
+ AWS SOC 1 Report, available to AWS customers from [AWS Artifact](https://aws.amazon.com/artifact/getting-started/).
+ AWS SOC 2 Security, Availability & Confidentiality Report, available to AWS customers from [AWS Artifact](https://aws.amazon.com/artifact/getting-started/).
+ AWS SOC 2 Security, Availability & Confidentiality Report available to AWS customers from [AWS Artifact](https://aws.amazon.com/artifact/getting-started/) (scope includes Amazon DocumentDB only).
+ AWS SOC 2 Privacy Type I Report, available to AWS customers from [AWS Artifact](https://aws.amazon.com/artifact/getting-started/).
+ AWS SOC 3 Security, Availability & Confidentiality Report, [publicly available as a whitepaper](https://d1.awsstatic.com/whitepapers/compliance/AWS_SOC3.pdf).
## Using this framework to support your audit preparation
You can use this framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to SOC 2 requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| Statement on Standards for Attestations Engagement (SSAE) No. 18, Service Organizations Controls (SOC) Report 2 | 15 | 46 | 20 |
**Important**
To ensure that this framework collects the intended evidence from AWS Security Hub CSPM, make sure that you enabled all standards in Security Hub CSPM.
To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the [AuditManager\$1ConfigDataSourceMappings\$1SSAE-No.-18-SOC-Report-2.zip](samples/AuditManager_ConfigDataSourceMappings_SSAE-No.-18-SOC-Report-2.zip) file.
The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant. Moreover, they can't guarantee that you'll pass an audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [AWS Compliance page for SOC](https://aws.amazon.com/compliance/soc-faqs/)