

AWS Audit Manager will no longer be open to new customers starting April 30, 2026. If you would like to use Audit Manager, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS Audit Manager availability change](https://docs.aws.amazon.com/audit-manager/latest/userguide/audit-manager-availability-change.html). 

# Setting up AWS Audit Manager with the recommended settings
<a name="setting-up"></a>





Before you start using Audit Manager, it's important that you complete the following setup tasks. 

This chapter will walk you through the prerequisites, account setup, user permissions, and the necessary steps to enable and configure Audit Manager with the recommended features and integrations. After completing these tasks, you'll be ready to use Audit Manager and get started with streamlining your audit and compliance efforts.

**Contents**
+ [Prerequisites for setting up AWS Audit Manager](setup-prerequisites.md)
  + [Sign up for an AWS account](setup-prerequisites.md#sign-up-for-aws)
  + [Create a user with administrative access](setup-prerequisites.md#create-an-admin)
  + [Add the required permissions to access and enable Audit Manager](setup-prerequisites.md#attach-IAM)
  + [Next steps](setup-prerequisites.md#setup-prerequisites-next-steps)
+ [Enabling AWS Audit Manager](setup-audit-manager.md)
  + [Prerequisites](setup-audit-manager.md#setup-audit-manager-prerequisites)
  + [Procedure](setup-audit-manager.md#setup-audit-manager-procedure)
  + [Next steps](setup-audit-manager.md#setup-audit-manager-next-steps)
+ [Enabling the recommended features and AWS services for AWS Audit Manager](setup-recommendations.md)
  + [Key points](setup-recommendations.md#setup-recommendations-key-points)
  + [Set up recommended Audit Manager features](setup-recommendations.md#setup-recommendations-features)
  + [Set up recommended integrations with other AWS services](setup-recommendations.md#setup-recommendations-services)
  + [Next steps](setup-recommendations.md#whatnow-setup)

# Prerequisites for setting up AWS Audit Manager
<a name="setup-prerequisites"></a>



Before you can use AWS Audit Manager, you must make sure that you have properly set up your AWS account and user permissions. 

This page outlines the necessary steps to create an AWS account (if needed), configure an administrative user, and grant the permissions required to access and enable Audit Manager. 

**Tasks**

1. [Sign up for an AWS account](#sign-up-for-aws)

1. [Create a user with administrative access](#create-an-admin)

1. [Add the required permissions to access and enable Audit Manager](#attach-IAM)

**Important**  
If you’re already set up with AWS and IAM, you can skip tasks 1 and 2. However, you must complete task 3 to ensure that you have the required permissions to set up Audit Manager.

## Sign up for an AWS account
<a name="sign-up-for-aws"></a>

If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

## Create a user with administrative access
<a name="create-an-admin"></a>

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

## Add the required permissions to access and enable Audit Manager
<a name="attach-IAM"></a>

You must give users the required permissions to enable Audit Manager. For users who need full access to Audit Manager, use the [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) managed policy. This is an AWS managed policy that’s available in your AWS account, and it’s the recommended policy for Audit Manager administrators. 

**Tip**  
As a security best practice, we recommend that you get started with AWS managed policies and then move toward least-privilege permissions. AWS managed policies grant permissions for many common use cases. However, keep in mind that because AWS managed policies are available for use by all AWS customers, they might not grant least-privilege permissions for your specific use cases. As a result, we recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *AWS Identity and Access Management User Guide.*

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

## Next steps
<a name="setup-prerequisites-next-steps"></a>

Now that you've set up your AWS account and granted the required permissions, you're ready to enable Audit Manager. For step-by-step instructions, see [Enabling AWS Audit Manager](setup-audit-manager.md).

# Enabling AWS Audit Manager
<a name="setup-audit-manager"></a>





Now that you have completed the prerequisites for setting up Audit Manager, you can enable the service in your AWS environment. 

On this page you'll learn how to enable Audit Manager using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API. Choose the method that best suits your needs, and follow the corresponding steps to get Audit Manager up and running.

## Prerequisites
<a name="setup-audit-manager-prerequisites"></a>

Make sure that you completed all of the tasks that are described in [Prerequisites for setting up AWS Audit Manager](setup-prerequisites.md). 

## Procedure
<a name="setup-audit-manager-procedure"></a>

You can enable Audit Manager using the AWS Management Console, the Audit Manager API, or the AWS Command Line Interface (AWS CLI). 

------
#### [ Audit Manager console ]

**To enable Audit Manager using the console**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. Use the credentials of your IAM identity to sign in.

1. Choose **Set up AWS Audit Manager**.   
![\[Screenshot of the setup call to action.\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/setup-set-up-audit-manager-console.png)

1. Under **Permissions**, no action is required. This is because Audit Manager uses a [service-linked role](https://docs.aws.amazon.com/audit-manager/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AWSAuditManagerServiceRolePolicy) to connect to data sources on your behalf. You can review the service-linked role by choosing **View IAM service-linked role permission**.   
![\[Screenshot of the permissions section of the Audit Manager setup options.\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/setup-permissions-console.png)

1. Under **Data encryption**, the default option is for Audit Manager to create and manage an AWS KMS key for securely storing your data.   
![\[Screenshot of the default encryptions setting for Audit Manager setup.\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/setup-encryption-default-console.png)

   If you want to use your own customer managed key to encrypt data in Audit Manager, select the check box next to **Customize encryption settings (advanced)**. You can then choose an existing KMS key or [create a new one](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html).  
![\[Screenshot of the custom encryptions setting for Audit Manager setup.\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/setup-encryption-custom-console.png)

1. (Optional) Under **Delegated administrator - optional**, you can specify a delegated administrator account if you want Audit Manager to run assessments for multiple accounts. For more information and recommendations, see [Enable and set up AWS Organizations](setup-recommendations.md#enabling-orgs).   
![\[Screenshot of the delegated administrator section of the Audit Manager setup options.\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/setup-delegated-admin-console.png)

1. (Optional) Under **AWS Config – optional**, we recommend that you enable AWS Config for an optimal experience. This enables Audit Manager to generate evidence using AWS Config rules. For instructions and recommended settings, see [Enable and set up AWS Config](setup-recommendations.md#config-recommendations).  
![\[Screenshot of the AWS Config section of the Audit Manager setup options.\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/setup-config-console.png)

1. (Optional) Under **Security Hub CSPM – optional**, we recommend that you enable Security Hub CSPM for an optimal experience. This enables Audit Manager to generate evidence using Security Hub CSPM checks. For instructions and recommended settings, see [Enable and set up AWS Security Hub CSPM](setup-recommendations.md#securityhub-recommendations).  
![\[Screenshot of the Security Hub CSPM section of the Audit Manager setup options.\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/setup-securityhub-console.png)

1. Choose **Complete setup** to finish the setup process.  
![\[Screenshot that shows how to complete Audit Manager setup in the console.\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/setup-complete-console.png)

------
#### [ AWS CLI ]

**To enable Audit Manager using the AWS CLI**  
In the command line, run the [register-account](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/register-account.html) command using the following setup parameters:
+ `--kms-key` (optional) – Use this parameter to encrypt your Audit Manager data using your own customer managed key. If you don't specify an option here, Audit Manager creates and manages an AWS KMS key on your behalf for the secure storage of your data. 
+ `--delegated-admin-account` (optional) – Use this parameter to designate your organization’s delegated administrator account for Audit Manager. If you don't specify an option here, no delegated administrator is registered.

Input example (replace the *placeholder text* with your own information):

```
aws auditmanager register-account \
--kms-key arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab \
--delegated-admin-account 111122224444
```

Output example:

```
{
    "status": "ACTIVE"
}
```

For more information about the AWS CLI and for instructions on installing the AWS CLI tools, see the following in the *AWS Command Line Interface User Guide*.
+ [AWS Command Line Interface User Guide](https://docs.aws.amazon.com/cli/latest/userguide/)
+ [Getting Set Up with the AWS Command Line Interface](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-set-up.html)

------
#### [ Audit Manager API ]

**To enable Audit Manager using the Audit Manager API**  
Use the [RegisterAccount](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_RegisterAccount.html) operation with the following setup parameters:
+ [kmsKey](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_RegisterAccount.html#auditmanager-RegisterAccount-request-kmsKey) (optional) – Use this parameter to encrypt your Audit Manager data using your own customer managed key. If you don't specify an option here, Audit Manager creates and manages an AWS KMS key on your behalf for the secure storage of your data. 
+ [delegatedAdminAccount](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_RegisterAccount.html#auditmanager-RegisterAccount-request-delegatedAdminAccount) (optional) – Use this parameter to specify your organization’s delegated administrator account for Audit Manager. If you don't specify one, no delegated administrator is registered.

Input example (replace the *placeholder text* with your own information):

```
{
    "kmsKey":"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "delegatedAdminAccount":"111122224444"
}
```

Output example:

```
{
  "status": "ACTIVE"
}
```

------

## Next steps
<a name="setup-audit-manager-next-steps"></a>

After you enable Audit Manager, we recommend that you set up some recommended features and integrations for an optimal experience. For more information, see [Enabling the recommended features and AWS services for AWS Audit Manager](setup-recommendations.md).

# Enabling the recommended features and AWS services for AWS Audit Manager
<a name="setup-recommendations"></a>





Now that you have enabled AWS Audit Manager, it's time to set up the recommended features and integrations to get the most out of the service.

## Key points
<a name="setup-recommendations-key-points"></a>

For an optimal experience in Audit Manager, we recommend that you set up the following features and enable the following AWS services.

**Tasks**
+ [Set up recommended Audit Manager features](#setup-recommendations-features)
+ [Set up recommended integrations with other AWS services](#setup-recommendations-services)
  + [Enable and set up AWS Config](#config-recommendations)
  + [Enable and set up AWS Security Hub CSPM](#securityhub-recommendations)
  + [Enable and set up AWS Organizations](#enabling-orgs)

## Set up recommended Audit Manager features
<a name="setup-recommendations-features"></a>

After you enable Audit Manager, we recommend that you enable the evidence finder feature. 

**[Evidence finder](evidence-finder.md)** provides a powerful way to search for evidence in Audit Manager. Instead of browsing deeply nested evidence folders to find what you're looking for, you can use evidence finder to quickly query your evidence. If you use evidence finder as a delegated administrator, you can search for evidence across all member accounts in your organization. 

Using a combination of filters and groupings, you can progressively narrow the scope of your search query. For example, if you want a high-level view of your system health, perform a broad search and filter by assessment, date range, and resource compliance. If your goal is to remediate a specific resource, you can perform a narrow search to target evidence for a specific control or resource ID. After you define your filters, you can group and then preview the matching search results before creating an assessment report.

## Set up recommended integrations with other AWS services
<a name="setup-recommendations-services"></a>

For an optimal experience in Audit Manager, we strongly recommend that you enable the following AWS services:
+ **AWS Organizations** – You can use Organizations to run Audit Manager assessments over multiple accounts and consolidate evidence into a delegated administrator account. 
+ **AWS Security Hub CSPM** and **AWS Config** – Audit Manager relies on these AWS services as data sources for evidence collection. When you enable AWS Config and Security Hub CSPM, Audit Manager can operate with its full functionality, collecting comprehensive evidence and accurately reporting the results of compliance checks directly from these services.

**Important**  
If you don’t enable and configure AWS Config and Security Hub CSPM, you won’t be able to collect the intended evidence for many controls in your Audit Manager assessments. As a result, you risk incomplete or failed evidence collection for certain controls. More specifically:  
+ If Audit Manager attempts to use AWS Config as a control data source, but the required AWS Config rules aren’t enabled, no evidence will be collected for those controls.
+ Similarly, if Audit Manager attempts to use Security Hub CSPM as a control data source, but the required standards aren’t enabled in Security Hub CSPM, no evidence will be collected for those controls.

To mitigate these risks and ensure comprehensive evidence collection, follow the steps on this page to enable and configure AWS Config and Security Hub CSPM before you create your Audit Manager assessments.

### Enable and set up AWS Config
<a name="config-recommendations"></a>



Many controls in Audit Manager require AWS Config as a data source type. To support these controls, you must enable AWS Config on all accounts in each AWS Region where Audit Manager is enabled. 

Audit Manager doesn’t manage AWS Config for you. You can follow these steps to enable AWS Config and configure its settings.

**Important**  
Enabling AWS Config is an optional recommendation. However, if you do enable AWS Config, the following settings are required. If Audit Manager tries to collect evidence for controls that use AWS Config as a data source type, and AWS Config is not set up as described below, no evidence is collected for those controls.

**Tasks to integrate AWS Config with Audit Manager**
+ [Step 1: Enable AWS Config](#enabling-config)
+ [Step 2: Configure your AWS Config settings for use with Audit Manager](#set-up-config)

#### Step 1: Enable AWS Config
<a name="enabling-config"></a>

You can enable AWS Config using the AWS Config console or API. For instructions, see [Getting started with AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html) in the *AWS Config Developer Guide*.

#### Step 2: Configure your AWS Config settings for use with Audit Manager
<a name="set-up-config"></a>

After you enable AWS Config, make sure that you also [enable AWS Config rules](https://docs.aws.amazon.com/config/latest/developerguide/setting-up-aws-config-rules-with-console.html) or [deploy a conformance pack](https://docs.aws.amazon.com/config/latest/developerguide/conformance-pack-console.html) for the compliance standard that's related to your audit. This step ensures that Audit Manager can import findings for the AWS Config rules that you enabled.

After you enable an AWS Config rule, we recommend that you review the parameters of that rule. You should then validate those parameters against the requirements of your chosen compliance framework. If needed, you can [update a rule’s parameters in AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_manage-rules.html) to ensure that it aligns with framework requirements. This will help to ensure that your assessments collect the correct compliance check evidence for a given framework. 

For example, suppose that you’re creating an assessment for CIS v1.2.0. This framework has a control named [1.4 – Ensure access keys are rotated every 90 days or less](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.4). In AWS Config, the [access-keys-rotated](https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html) rule has a `maxAccessKeyAge` parameter with a default value of 90 days. As a result, the rule aligns with the control requirements. If you aren’t using the default value, ensure that the value you’re using is equal to or greater than the 90 day requirement from CIS v1.2.0. 

You can find the default parameter details for each managed rule in the [AWS Config documentation](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). For instructions on how to configure a rule, see [Working with AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managing-aws-managed-rules.html). 

### Enable and set up AWS Security Hub CSPM
<a name="securityhub-recommendations"></a>



Many controls in Audit Manager require Security Hub CSPM as a data source type. To support these controls, you must enable Security Hub CSPM on all accounts in each Region where Audit Manager is enabled. 

Audit Manager doesn’t manage Security Hub CSPM for you. You can follow these steps to enable Security Hub CSPM and configure its settings.

**Important**  
Enabling Security Hub CSPM is an optional recommendation. However, if you do enable Security Hub CSPM, the following settings are required. If Audit Manager tries to collect evidence for controls that use Security Hub CSPM as a data source type, and Security Hub CSPM is not set up as described below, no evidence is collected for those controls.

**Tasks to integrate AWS Security Hub CSPM with Audit Manager**
+ [Step 1: Enable AWS Security Hub CSPM](#enabling-securityhub)
+ [Step 2: Configure your Security Hub CSPM settings for use with Audit Manager](#set-up-securityhub)
+ [Step 3: Configure the Organizations settings for your organization](#set-up-securityhub-orgs)

#### Step 1: Enable AWS Security Hub CSPM
<a name="enabling-securityhub"></a>

You can enable Security Hub CSPM using either the console or the API. For instructions, see [Setting up AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html) in the *AWS Security Hub CSPM User Guide*.

#### Step 2: Configure your Security Hub CSPM settings for use with Audit Manager
<a name="set-up-securityhub"></a>

After you enable Security Hub CSPM, make sure that you also do the following:
+ [Enable AWS Config and configure resource recording](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-prereq-config.html) – Security Hub CSPM uses service-linked AWS Config rules to perform most of its security checks for controls. To support these controls, AWS Config must be enabled and configured to record resources that are required for the controls that you have enabled in each enabled standard.
+ [Enable all security standards](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html#securityhub-standard-enable-console) – This step ensures that Audit Manager can import findings for all supported compliance standards. 
+ [Turn on the consolidated control findings setting in Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-findings-create-update.html#turn-on-consolidated-control-findings) – This setting is turned *on* by default if you enable Security Hub CSPM on or after February 23, 2023.
**Note**  
When you enable consolidated findings, Security Hub CSPM produces a single finding for each security check (even when the same check is used across multiple standards). Each Security Hub CSPM finding is collected as one unique resource assessment in Audit Manager. As a result, using consolidated findings decreases the total number of unique resource assessments that Audit Manager performs for Security Hub CSPM findings. For this reason, using consolidated findings can often reduce your Audit Manager usage costs. For more information about using Security Hub CSPM as a data source type, see [AWS Security Hub CSPM controls supported by AWS Audit Manager](control-data-sources-ash.md). For more information about Audit Manager pricing, see [AWS Audit Manager Pricing](https://aws.amazon.com/audit-manager/pricing/).
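The AWS Config and Security Hub CSPM settings described above can be checked per account and Region from read-only CLI output before you create an assessment. The following Python is an added example, not part of the AWS documentation: the JSON is constructed sample output keyed by the CLI command it would come from, and `REQUIRED_RULES` and `EXPECTED_STANDARDS` are assumed inputs that you replace with what your framework's controls use.

```python
import json

# Assumed inputs: the AWS Config managed rule identifiers and Security Hub CSPM
# standards that the controls in your chosen framework depend on.
REQUIRED_RULES = ["ACCESS_KEYS_ROTATED", "ROOT_ACCOUNT_MFA_ENABLED"]
EXPECTED_STANDARDS = ["aws-foundational-security-best-practices",
                      "cis-aws-foundations-benchmark", "pci-dss"]

# Constructed sample output (not captured from a real account). Each key is the
# read-only AWS CLI command whose JSON output the value stands in for.
SAMPLE_OUTPUTS = {
    "auditmanager get-account-status": json.dumps({"status": "ACTIVE"}),
    "configservice describe-configuration-recorder-status": json.dumps({
        "ConfigurationRecordersStatus": [{"name": "default", "recording": True}]}),
    "configservice describe-config-rules": json.dumps({"ConfigRules": [{
        "ConfigRuleName": "access-keys-rotated",
        "ConfigRuleState": "ACTIVE",
        "Source": {"Owner": "AWS", "SourceIdentifier": "ACCESS_KEYS_ROTATED"},
        "InputParameters": "{\"maxAccessKeyAge\":\"90\"}"}]}),
    "securityhub describe-hub": json.dumps({
        "AutoEnableControls": True,
        "ControlFindingGenerator": "STANDARD_CONTROL"}),
    "securityhub get-enabled-standards": json.dumps({"StandardsSubscriptions": [
        {"StandardsArn": "arn:aws:securityhub:::ruleset/"
                         "cis-aws-foundations-benchmark/v/1.2.0",
         "StandardsStatus": "READY"},
        {"StandardsArn": "arn:aws:securityhub:us-west-2::standards/"
                         "aws-foundational-security-best-practices/v/1.0.0",
         "StandardsStatus": "PENDING"}]}),
}


def _load(outputs):
    """Parse every captured CLI output into a dict keyed by command."""
    return {cmd: json.loads(text) for cmd, text in outputs.items()}


def readiness_gaps(outputs, required_rules=REQUIRED_RULES,
                   expected_standards=EXPECTED_STANDARDS):
    """Return a list of settings that would leave controls without evidence."""
    doc = _load(outputs)
    gaps = []

    status = doc["auditmanager get-account-status"].get("status")
    if status != "ACTIVE":
        gaps.append(f"Audit Manager status is {status}, not ACTIVE")

    recorders = doc["configservice describe-configuration-recorder-status"] \
        .get("ConfigurationRecordersStatus", [])
    if not any(r.get("recording") for r in recorders):
        gaps.append("AWS Config has no configuration recorder that is recording")

    # A rule counts as enabled when AWS owns it and it is active or evaluating.
    enabled = {r["Source"]["SourceIdentifier"]
               for r in doc["configservice describe-config-rules"].get("ConfigRules", [])
               if r.get("Source", {}).get("Owner") == "AWS"
               and r.get("ConfigRuleState") in ("ACTIVE", "EVALUATING")}
    for ident in required_rules:
        if ident not in enabled:
            gaps.append(f"AWS Config managed rule {ident} is not enabled")

    # SECURITY_CONTROL is the value reported when consolidated control
    # findings is turned on; STANDARD_CONTROL means it is off.
    if doc["securityhub describe-hub"].get("ControlFindingGenerator") != "SECURITY_CONTROL":
        gaps.append("Security Hub CSPM consolidated control findings is off")

    ready = [s.get("StandardsArn", "")
             for s in doc["securityhub get-enabled-standards"]
             .get("StandardsSubscriptions", [])
             if s.get("StandardsStatus") == "READY"]
    for name in expected_standards:
        if not any(f"/{name}/" in arn for arn in ready):
            gaps.append(f"Security Hub CSPM standard {name} is not enabled and READY")
    return gaps


def rule_parameters(outputs):
    """Map each rule name to its parsed parameters, for review against the framework."""
    rules = _load(outputs)["configservice describe-config-rules"].get("ConfigRules", [])
    return {r["ConfigRuleName"]: json.loads(r.get("InputParameters") or "{}")
            for r in rules}


if __name__ == "__main__":
    for gap in readiness_gaps(SAMPLE_OUTPUTS):
        print("GAP:", gap)
    print("Parameters to review:", rule_parameters(SAMPLE_OUTPUTS))
```

Run the four commands in every account and Region where Audit Manager is enabled, and pass each command's output under the matching key.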

#### Step 3: Configure the Organizations settings for your organization
<a name="set-up-securityhub-orgs"></a>

If you use AWS Organizations and you want to collect Security Hub CSPM evidence from your member accounts, you must also perform the following steps in Security Hub CSPM.

**To set up your organization's Security Hub CSPM settings**

1. Sign in to the AWS Management Console and open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. Using your AWS Organizations management account, designate an account as the delegated administrator for Security Hub CSPM. For more information, see [Designating a Security Hub CSPM administrator account](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html#designate-admin-console) in the *AWS Security Hub CSPM User Guide*. 
**Note**  
Make sure that the delegated administrator account that you designate in Security Hub CSPM is the same one that you use in Audit Manager.

1. Using your Organizations delegated administrator account, go to **Settings, Accounts**, select all accounts, and then add them as members by selecting **Auto-enroll**. For more information, see [Enabling member accounts from your organization](https://docs.aws.amazon.com/securityhub/latest/userguide/orgs-accounts-enable.html) in the *AWS Security Hub CSPM User Guide*. 

1. Enable AWS Config for every member account of the organization. For more information, see [Enabling member accounts from your organization](https://docs.aws.amazon.com/securityhub/latest/userguide/orgs-accounts-enable.html) in the *AWS Security Hub CSPM User Guide*. 

1. Enable the PCI DSS security standard for every member account of the organization. The AWS CIS Foundations Benchmark standard and the AWS Foundational Best Practices standard are already enabled by default. For more information, see [Enabling a security standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html#securityhub-standard-enable-console) in the *AWS Security Hub CSPM User Guide*. 

### Enable and set up AWS Organizations
<a name="enabling-orgs"></a>



Audit Manager supports multiple accounts via integration with AWS Organizations. Audit Manager can run assessments over multiple accounts and consolidate evidence into a delegated administrator account. The delegated administrator has permissions to create and manage Audit Manager resources with the organization as the zone of trust. Only the management account can designate a delegated administrator. 

**Important**  
Enabling AWS Organizations is an optional recommendation. However, if you do enable AWS Organizations, the following settings are required.

**Tasks to integrate AWS Organizations with Audit Manager**
+ [Step 1: Create or join an organization](#enabling-orgs-create)
+ [Step 2: Enable all features in your organization](#enabling-orgs-enable-all-features)
+ [Step 3: Specify a delegated administrator for Audit Manager](#enabling-orgs-designate)

#### Step 1: Create or join an organization
<a name="enabling-orgs-create"></a>

If your AWS account isn't part of an organization, you can create or join an organization. For instructions, see [Creating and managing an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org.html) in the *AWS Organizations User Guide*.

#### Step 2: Enable all features in your organization
<a name="enabling-orgs-enable-all-features"></a>

Next, you must enable all features in your organization. For instructions, see [Enabling all features in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html) in the *AWS Organizations User Guide*.

#### Step 3: Specify a delegated administrator for Audit Manager
<a name="enabling-orgs-designate"></a>

We recommend that you enable Audit Manager using an Organizations management account, and then specify a delegated administrator. After that, you can use the delegated administrator account to log in and run assessments. As a best practice, we recommend that you only create assessments using the delegated administrator account instead of the management account. 

To add or change a delegated administrator after you enable Audit Manager, see [Adding a delegated administrator](add-delegated-admin.md) and [Changing a delegated administrator](change-delegated-admin.md).

## Next steps
<a name="whatnow-setup"></a>

Now that you have set up Audit Manager with the recommended settings, you're ready to get started with using the service. 
+ To get started with your first assessment, see [Tutorial for Audit Owners: Creating an assessment](tutorial-for-audit-owners.md).
+ To update your settings in the future, see [Reviewing and configuring your AWS Audit Manager settings](console-settings.md).