

AWS Audit Manager will no longer be open to new customers starting April 30, 2026. If you would like to use Audit Manager, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS Audit Manager availability change](https://docs.aws.amazon.com/audit-manager/latest/userguide/audit-manager-availability-change.html). 

# Getting started with AWS Audit Manager
<a name="getting-started"></a>



Use the step-by-step tutorials in this section to learn how to perform tasks using AWS Audit Manager. 

**Tip**  
The following tutorials are categorized by audience. Choose the tutorial that's appropriate for you based on your role as an *audit owner* or *delegate*.   
**Audit owners** are Audit Manager users who are responsible for creating and managing assessments. In the business world, audit owners are typically governance, risk management, and compliance (GRC) professionals. In the context of Audit Manager, however, individuals from SecOps or DevOps teams might also assume the user persona of an audit owner. Audit owners can request assistance from a subject matter expert—also known as a delegate—to review specific controls and validate evidence. Audit owners must have the necessary permissions to manage an assessment. 
**Delegates** are subject matter experts with specialized technical or business expertise. Although they don't own or manage Audit Manager assessments, they can still contribute to them. Delegates assist audit owners with tasks such as validating evidence for the controls that fall under their area of expertise. Delegates have limited permissions in Audit Manager. This is because audit owners delegate specific control sets for review, and not entire assessments. 
For more information about these personas and other Audit Manager concepts, see [Audit owner](concepts.md#audit-owner) and [Delegate](concepts.md#delegate-persona) in the [Understanding AWS Audit Manager concepts and terminology](concepts.md) section of this guide.   
For more information about the recommended IAM permissions for each persona, see [Recommended policies for user personas in AWS Audit Manager](security_iam_service-with-iam.md#security_iam_service-with-iam-id-based-policies-personas). 

## Audit Manager tutorials
<a name="audit-manager-tutorials"></a>

**[Creating an assessment](https://docs.aws.amazon.com/audit-manager/latest/userguide/tutorial-for-audit-owners.html)**  
**Audience:** Audit owners   
**Overview:** Follow step-by-step instructions to create your first assessment and get up and running fast. This tutorial walks you through how you can use a standard framework to create an assessment and begin the automated collection of evidence. 

**[Reviewing a control set](https://docs.aws.amazon.com/audit-manager/latest/userguide/tutorial-for-delegates.html)**  
**Audience:** Delegates   
**Overview:** Assist an audit owner by reviewing evidence for controls that fall under your area of expertise. Learn to review control sets and their related evidence, add comments, upload evidence, and update the status of a control. 

# Tutorial for Audit Owners: Creating an assessment
<a name="tutorial-for-audit-owners"></a>



This tutorial provides an introduction to AWS Audit Manager. In this tutorial, you create an assessment using the [AWS Audit Manager Sample Framework](Sample.md). By creating an assessment, you start the ongoing process of automated evidence collection for the controls in that framework.

**Note**  
AWS Audit Manager assists in collecting evidence that's relevant for verifying compliance with specific compliance frameworks and regulations. However, it doesn't assess your compliance itself. The evidence that's collected through AWS Audit Manager therefore might not include all the information about your AWS usage that's needed for audits. AWS Audit Manager isn't a substitute for legal counsel or compliance experts.

## Prerequisites
<a name="tutorial-for-audit-owners-prerequisites"></a>

**Before you start this tutorial, make sure that you meet the following conditions:**
+ You completed all the prerequisites that are described in [Setting up AWS Audit Manager with the recommended settings](setting-up.md). You must use your AWS account and the AWS Audit Manager console to complete this tutorial. 
+ Your IAM identity is granted the appropriate permissions to create and manage an assessment in AWS Audit Manager. Two suggested policies that grant these permissions are [Allow users full administrator access to AWS Audit Manager](security_iam_id-based-policy-examples.md#example-2) and [Allow users management access to AWS Audit Manager](security_iam_id-based-policy-examples.md#management-access).
+ You're familiar with Audit Manager terminology and functionality. For a general overview, see [What is AWS Audit Manager?](what-is.md) and [Understanding AWS Audit Manager concepts and terminology](concepts.md).

## Procedure
<a name="tutorial-for-audit-owners-procedure"></a>

**Topics**
+ [Step 1: Specify assessment details](#select-framework)
+ [Step 2: Specify AWS accounts in scope](#specifyaccounts)
+ [Step 3: Specify audit owners](#chooseauditowners)
+ [Step 4: Review and create](#reviewcreate)

### Step 1: Specify assessment details
<a name="select-framework"></a>

For the first step, select a framework and provide basic information for your assessment.

**To specify assessment details**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. Choose **Launch AWS Audit Manager**. 

1. In the green banner at the top of the screen, choose **Start with a framework**. 

1. Choose the framework that you want, and then choose **Create assessment from framework**. For this tutorial, use the **AWS Audit Manager Sample Framework**.

1. Under **Assessment name**, enter a name for your assessment. 

1. (Optional) Under **Assessment description**, enter a description for your assessment. 

1. Under **Assessment reports destination**, choose the S3 bucket where you want to save your assessment reports. 

1. Under **Frameworks**, confirm that **AWS Audit Manager Sample Framework** is selected.

1. (Optional) Under **Tags**, choose **Add new tag** to associate a tag with your assessment. You can specify a key and a value for each tag. The tag key is mandatory and can be used as a search criterion when you search for this assessment. 

1. Choose **Next**.

### Step 2: Specify AWS accounts in scope
<a name="specifyaccounts"></a>

Next, specify the AWS accounts that you want to include in the scope of your assessment.

AWS Audit Manager integrates with AWS Organizations, so you can run an Audit Manager assessment across multiple accounts and consolidate evidence into a delegated administrator account. To enable Organizations in Audit Manager (if you didn't do so already), see [Enable and set up AWS Organizations](setup-recommendations.md#enabling-orgs) on the *Setting up* page of this guide.

**Note**  
Audit Manager can support up to 200 accounts in the scope of an assessment. If you try to include over 200 accounts, the assessment creation will fail.   
Additionally, if you try to add over 250 unique accounts across all of your assessments, the assessment creation will fail.

**To specify accounts in scope**

1.  Under **AWS accounts**, select the AWS accounts that you want to include in the scope of your assessment. 
   + If you enabled Organizations in Audit Manager, multiple accounts are listed. 
   + If you didn't enable Organizations in Audit Manager, only your current account is listed.

1. Choose **Next**.

### Step 3: Specify audit owners
<a name="chooseauditowners"></a>

In this step, you specify the audit owners for your assessment. Audit owners are the individuals in your workplace—usually from GRC, SecOps, or DevOps teams—who are responsible for managing the Audit Manager assessment. We recommend that they use the [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) policy.

**To specify audit owners**

1. Under **Audit owners**, choose the audit owners for your assessment. To find additional audit owners, use the search bar to search by name or AWS account.

1. Choose **Next**.

### Step 4: Review and create
<a name="reviewcreate"></a>

Review the information for your assessment. To change the information for a step, choose **Edit**. When you're finished, choose **Create assessment** to start the ongoing collection of evidence. 

After you create an assessment, evidence collection continues until you [change the assessment status](https://docs.aws.amazon.com/audit-manager/latest/userguide/change-assessment-status-to-inactive.html) to *inactive*. Alternatively, you can stop evidence collection for a specific control by [changing the control status](https://docs.aws.amazon.com/audit-manager/latest/userguide/change-assessment-control-status.html) to *inactive*.

 

**Note**  
Automated evidence is available 24 hours after you create the assessment. Audit Manager automatically collects evidence from multiple data sources, and the frequency of that evidence collection is based on the evidence type. For more information, see [Evidence collection frequency](how-evidence-is-collected.md#frequency) in this guide.
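
The four console steps above correspond to the parameters of a single `CreateAssessment` API call. The following is an added example, not part of the AWS guide: it builds that request using the boto3 `create_assessment` parameter names and checks the 200-account and 250-unique-account limits from the Step 2 note before anything is sent. The framework ID, bucket, role ARN, and account IDs are placeholders, and the helper names are hypothetical.

```python
"""Pre-flight check and request builder for an Audit Manager assessment (added example)."""
import re

MAX_PER_ASSESSMENT = 200  # accounts in scope of one assessment (Step 2 note)
MAX_UNIQUE_TOTAL = 250    # unique accounts across all assessments (Step 2 note)
ACCOUNT_ID = re.compile(r"[0-9]{12}")


def check_scope(new_accounts, existing_scopes=()):
    """Return the reasons why creating the assessment would fail (empty list if none).

    new_accounts: account IDs for the new assessment.
    existing_scopes: one collection of account IDs per assessment that already exists.
    """
    problems = []
    new = set(new_accounts)
    bad = sorted(a for a in new if not ACCOUNT_ID.fullmatch(a))
    if bad:
        problems.append(f"not 12-digit account IDs: {bad}")
    if not new:
        problems.append("no accounts in scope")
    if len(new) > MAX_PER_ASSESSMENT:
        problems.append(f"{len(new)} accounts in scope, limit is {MAX_PER_ASSESSMENT}")
    total = new.union(*(set(s) for s in existing_scopes))
    if len(total) > MAX_UNIQUE_TOTAL:
        problems.append(f"{len(total)} unique accounts overall, limit is {MAX_UNIQUE_TOTAL}")
    return problems


def build_request(name, framework_id, report_destination, accounts,
                  owner_role_arns, description=None, tags=None, existing_scopes=()):
    """Map Steps 1-3 of the tutorial onto create_assessment keyword arguments."""
    problems = check_scope(accounts, existing_scopes)
    if not owner_role_arns:
        problems.append("no audit owner specified")
    if problems:
        raise ValueError("; ".join(problems))
    request = {
        "name": name,                                    # Step 1
        "frameworkId": framework_id,                     # Step 1
        "assessmentReportsDestination": {                # Step 1
            "destinationType": "S3", "destination": report_destination},
        "scope": {"awsAccounts": [{"id": a} for a in sorted(set(accounts))]},  # Step 2
        # Step 3: audit owners use the PROCESS_OWNER role type in the API.
        "roles": [{"roleType": "PROCESS_OWNER", "roleArn": r} for r in owner_role_arns],
    }
    if description:
        request["description"] = description
    if tags:
        request["tags"] = dict(tags)
    return request


def create_assessment(request):
    """Step 4: send the request. Needs boto3 and AWS credentials."""
    import boto3  # imported here so the checks above run without the SDK
    return boto3.client("auditmanager").create_assessment(**request)["assessment"]


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own before calling the API.
    print(build_request(
        name="sample-assessment",
        framework_id="00000000-0000-0000-0000-000000000000",
        report_destination="s3://example-assessment-reports-bucket",
        accounts=["111122223333"],
        owner_role_arns=["arn:aws:iam::111122223333:role/ExampleAuditOwner"],
    ))
```
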

## Additional resources
<a name="whatnow"></a>

 We recommend that you continue to learn more about the concepts and tools that are introduced in this tutorial. You can do so by reviewing the following resources:
+ **[Reviewing assessment details in AWS Audit Manager](review-assessments.md)** – Introduces you to the assessment details page where you can explore the different components of your assessment. 
+ **[Managing assessments in AWS Audit Manager](assessments.md)** – Builds upon this tutorial and provides in-depth information about the concepts and tasks for managing an assessment. In this chapter, we particularly recommend you check out the following topics:
  + How to [create an assessment](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-assessments.html) from a different framework
  + How to [review the evidence in an assessment](https://docs.aws.amazon.com/audit-manager/latest/userguide/review-evidence.html) and [generate an assessment report](https://docs.aws.amazon.com/audit-manager/latest/userguide/generate-assessment-report.html)
  + How to [change the status of an assessment](https://docs.aws.amazon.com/audit-manager/latest/userguide/complete-assessment.html) or [delete an assessment](https://docs.aws.amazon.com/audit-manager/latest/userguide/delete-assessment.html)
+ **[Using the framework library to manage frameworks in AWS Audit Manager](framework-library.md)** – Introduces the framework library and explains how to [create a custom framework](https://docs.aws.amazon.com/audit-manager/latest/userguide/custom-frameworks.html) for your own specific compliance needs.
+ **[Using the control library to manage controls in AWS Audit Manager](control-library.md)** – Introduces the control library and explains how to [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) for use in your custom framework.
+ **[Understanding AWS Audit Manager concepts and terminology](concepts.md)** – Provides definitions for the concepts and terminology used in Audit Manager. 
+ [Video] Collect Evidence and Manage Audit Data Using AWS Audit Manager – Shows the assessment creation process that's described in this tutorial, and other tasks such as reviewing a control and generating an assessment report.   
[![AWS Videos](http://img.youtube.com/vi/G4yRj4nLwFI/0.jpg)](http://www.youtube.com/watch?v=G4yRj4nLwFI)

# Tutorial for Delegates: Reviewing a control set
<a name="tutorial-for-delegates"></a>



This tutorial describes how to review a control set that was shared with you by an audit owner in AWS Audit Manager. 

Audit owners use Audit Manager to create assessments and collect evidence for the controls in that assessment. Sometimes audit owners might have questions or need assistance when validating the evidence for a control set. In this situation, an audit owner can delegate a control set to a subject matter expert for review. 

As a delegate, you help audit owners to review the collected evidence for controls that fall under your area of expertise. 

## Prerequisites
<a name="delegate-tutorial-prerequisites"></a>

**Before you start this tutorial, make sure that you first meet the following conditions:**
+ Your AWS account is set up. To complete this tutorial, you must use both your AWS account and the Audit Manager console. For more information, see [Setting up AWS Audit Manager with the recommended settings](setting-up.md).
+ You're familiar with Audit Manager terminology and functionality. For a general overview of Audit Manager, see [What is AWS Audit Manager?](what-is.md) and [Understanding AWS Audit Manager concepts and terminology](concepts.md). 

## Procedure
<a name="delegate-tutorial-procedure"></a>

**Topics**
+ [Step 1: Review your notifications](#delegate-tutorial-step1)
+ [Step 2: Review the control set and related evidence](#delegate-tutorial-step2)
+ [Step 3. Add manual evidence (optional)](#delegate-tutorial-step3)
+ [Step 4. Add a comment for a control (optional)](#delegate-tutorial-step4)
+ [Step 5: Mark a control as reviewed (optional)](#delegate-tutorial-step5)
+ [Step 6. Submit the reviewed control set back to the audit owner](#delegate-tutorial-step6)

### Step 1: Review your notifications
<a name="delegate-tutorial-step1"></a>

 Start by signing in to Audit Manager where you can access your notifications to see the control sets that have been delegated to you for review. 

**To review your notifications**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the left navigation pane, choose **Notifications**. 

1. On the **Notifications** page, review the list of control sets that have been delegated to you. The notifications table includes the following information:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/tutorial-for-delegates.html)

**Tip**  
You can also subscribe to an SNS topic to receive email alerts when a control set is assigned to you for review. For more information, see [Notifications in AWS Audit Manager](notifications.md).

### Step 2: Review the control set and related evidence
<a name="delegate-tutorial-step2"></a>

The next step is to review the control sets that the audit owner delegated to you. By examining the controls and their evidence, you can determine if any additional action is needed for a control. Additional actions can include manually uploading additional evidence to demonstrate compliance, or leaving a comment about that control.

**To review a control set**

1. From the **Notifications** page, review the list of control sets that were delegated to you. Then identify which one you want to review and choose the name of the related assessment.

1. Under the **Controls** tab of the assessment detail page, scroll down to the **Control sets** table. 

1. Under the **Controls grouped by control set** column, expand the name of a control set to show its controls. Then, choose the name of a control to open the control detail page. 

1. (Optional) Choose **Update control status** to change the status of the control. While your review is in progress, you can mark the status as **Under review**. 

1. Review information about the control in the **Evidence folders**, **Details**, **Evidence sources**, **Comments**, and **Changelog** tabs. To learn about each of these tabs and how to understand the data that they contain, see [Reviewing an assessment control in AWS Audit Manager](review-controls.md). 

**To review the evidence for a control**

1. From the control detail page, choose the **Evidence folders** tab. 

1. Navigate to the **Evidence folders** table, where a list of folders that contains evidence for that control is displayed. These folders are organized and named based on the date when the evidence within that folder was collected. 

1. Choose the name of an evidence folder to open it. From here, you can review a summary of all the evidence that was gathered on that date. To understand this information, see [Reviewing an evidence folder in AWS Audit Manager](review-evidence-folders-detail.md). 

1. From the evidence folder summary page, navigate to the **Evidence** table. Under the **Time** column, choose a line item to open and review details of the evidence that was collected at that time. To understand this information, see [Reviewing evidence in AWS Audit Manager](review-evidence.md). 

### Step 3. Add manual evidence (optional)
<a name="delegate-tutorial-step3"></a>

Although AWS Audit Manager automatically collects evidence for many controls, in some cases you might need to provide additional evidence. In these cases, you can manually add your own evidence that helps you to demonstrate compliance with that control.

**To add manual evidence to a control**  
There are several ways to add manual evidence to a control. You can import a file from Amazon S3, upload a file from your browser, or enter a text response. For instructions for each method, see [Adding manual evidence in AWS Audit Manager](upload-evidence.md).

### Step 4. Add a comment for a control (optional)
<a name="delegate-tutorial-step4"></a>

You can add comments for any controls that you review. These comments are visible to the audit owner. For example, you can leave a comment to provide a status update and confirm that you remediated any issues with that control. 

**To add a comment to a control**

1. From the **Notifications** page, review the list of control sets that were delegated to you. Find the control set that you want to leave a comment for, and choose the name of the related assessment.

1. Choose the **Controls** tab, scroll down to the **Control sets** table, and then select the name of a control to open it. 

1. Choose the **Comments** tab.

1. Under **Send comments**, enter your comment in the text box.

1. Choose **Submit comments** to add your comment. Your comment now appears under the **Previous comments** section of the page, along with any other comments regarding this control.

### Step 5: Mark a control as reviewed (optional)
<a name="delegate-tutorial-step5"></a>

Changing the status of a control is optional. However, we recommend that you change the status of each control to **Reviewed** as you complete your review for that control. Regardless of the status of each individual control, you can still submit the controls to the audit owner. 

**To mark a control as reviewed**

1. From the **Notifications** page, review the list of control sets that were delegated to you. Find the control set that contains the control that you want to mark as reviewed. Then, choose the name of the related assessment to open the assessment detail page.

1. Under the **Controls** tab of the assessment detail page, scroll down to the **Control sets** table. 

1. Under the **Controls grouped by control set** column, expand the name of a control set to show its controls. Choose the name of a control to open the control detail page. 

1. Choose **Update control status** and change the status to **Reviewed**. 

1. In the pop-up window that appears, choose **Update control status** to confirm that you finished reviewing the control. 

### Step 6. Submit the reviewed control set back to the audit owner
<a name="delegate-tutorial-step6"></a>

 When you're done reviewing all controls, submit the control set back to the audit owner to let them know you finished your review. 

**To submit a reviewed control set back to the owner**

1. In the **Notifications** page, review the list of control sets that were assigned to you. Find the control set that you want to submit to the audit owner, and choose the name of the related assessment.

1. Scroll down to the **Control sets** table, select the control set that you want to submit back to the audit owner, and then choose **Submit for review**.

1. In the pop-up window that appears, you can add any high-level comments about that control set before choosing **Submit for review**. 

After you submit the control to the audit owner, the audit owner can view any comments that you left for them. 

## Additional resources
<a name="delegate-tutorial-whatnow"></a>

You can continue to learn more about the concepts that are introduced in this tutorial. Here are some recommended resources: 
+ [Reviewing assessment details in AWS Audit Manager](review-assessments.md) - Introduces you to the assessment details page, where you can explore the different components of an Audit Manager assessment.
+ [Reviewing an assessment control in AWS Audit Manager](review-controls.md) and [Reviewing evidence in AWS Audit Manager](review-evidence.md) - Provides definitions to help you understand the controls and evidence in an assessment.
+ [Understanding AWS Audit Manager concepts and terminology](concepts.md) - Provides definitions for the concepts and terminology that are used in Audit Manager. 