AWS Audit Manager will no longer be open to new customers starting April 30, 2026. If you would like to use Audit Manager, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS Audit Manager availability change](https://docs.aws.amazon.com/audit-manager/latest/userguide/audit-manager-availability-change.html).
# Enabling the recommended features and AWS services for AWS Audit Manager
Now that you have enabled AWS Audit Manager, it's time to set up the recommended features and integrations to get the most out of the service.
## Key points
For an optimal experience in Audit Manager, we recommend that you set up the following features and enable the following AWS services.
**Tasks**
+ [Set up recommended Audit Manager features](#setup-recommendations-features)
+ [Set up recommended integrations with other AWS services](#setup-recommendations-services)
+ [Enable and set up AWS Config](#config-recommendations)
+ [Enable and set up AWS Security Hub CSPM](#securityhub-recommendations)
+ [Enable and set up AWS Organizations](#enabling-orgs)
## Set up recommended Audit Manager features
After you enable Audit Manager, we recommend that you enable the evidence finder feature.
**[Evidence finder](evidence-finder.md)** provides a powerful way to search for evidence in Audit Manager. Instead of browsing deeply nested evidence folders to find what you're looking for, you can use evidence finder to quickly query your evidence. If you use evidence finder as a delegated administrator, you can search for evidence across all member accounts in your organization.
Using a combination of filters and groupings, you can progressively narrow the scope of your search query. For example, if you want a high-level view of your system health, perform a broad search and filter by assessment, date range, and resource compliance. If your goal is to remediate a specific resource, you can perform a narrow search to target evidence for a specific control or resource ID. After you define your filters, you can group and then preview the matching search results before creating an assessment report.
## Set up recommended integrations with other AWS services
For an optimal experience in Audit Manager, we strongly recommend that you enable the following AWS services:
+ **AWS Organizations** – You can use Organizations to run Audit Manager assessments over multiple accounts and consolidate evidence into a delegated administrator account.
+ **AWS Security Hub CSPM** and **AWS Config** – Audit Manager relies on these AWS services as data sources for evidence collection. When you enable AWS Config and Security Hub CSPM, Audit Manager can operate with its full functionality, collecting comprehensive evidence and accurately reporting the results of compliance checks directly from these services.
**Important**
If you don’t enable and configure AWS Config and Security Hub CSPM, you won’t be able to collect the intended evidence for many controls in your Audit Manager assessments. As a result, you risk incomplete or failed evidence collection for certain controls. More specifically:
If Audit Manager attempts to use AWS Config as a control data source, but the required AWS Config rules aren’t enabled, no evidence will be collected for those controls.
Similarly, if Audit Manager attempts to use Security Hub CSPM as a control data source, but the required standards aren’t enabled in Security Hub CSPM, no evidence will be collected for those controls.
To mitigate these risks and ensure comprehensive evidence collection, follow the steps on this page to enable and configure AWS Config and Security Hub CSPM before you create your Audit Manager assessments.
### Enable and set up AWS Config
Many controls in Audit Manager require AWS Config as a data source type. To support these controls, you must enable AWS Config on all accounts in each AWS Region where Audit Manager is enabled.
Audit Manager doesn’t manage AWS Config for you. You can follow these steps to enable AWS Config and configure its settings.
**Important**
Enabling AWS Config is an optional recommendation. However, if you do enable AWS Config, the following settings are required. If Audit Manager tries to collect evidence for controls that use AWS Config as a data source type, and AWS Config is not set up as described below, no evidence is collected for those controls.
**Tasks to integrate AWS Config with Audit Manager**
+ [Step 1: Enable AWS Config](#enabling-config)
+ [Step 2: Configure your AWS Config settings for use with Audit Manager](#set-up-config)
#### Step 1: Enable AWS Config
You can enable AWS Config using the AWS Config console or API. For instructions, see [Getting started with AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html) in the *AWS Config Developer Guide*.
#### Step 2: Configure your AWS Config settings for use with Audit Manager
After you enable AWS Config, make sure that you also [enable AWS Config rules](https://docs.aws.amazon.com/config/latest/developerguide/setting-up-aws-config-rules-with-console.html) or [deploy a conformance pack](https://docs.aws.amazon.com/config/latest/developerguide/conformance-pack-console.html) for the compliance standard that's related to your audit. This step ensures that Audit Manager can import findings for the AWS Config rules that you enabled.
After you enable an AWS Config rule, we recommend that you review the parameters of that rule. You should then validate those parameters against the requirements of your chosen compliance framework. If needed, you can [update a rule’s parameters in AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_manage-rules.html) to ensure that it aligns with framework requirements. This will help to ensure that your assessments collect the correct compliance check evidence for a given framework.
For example, suppose that you’re creating an assessment for CIS v1.2.0. This framework has a control named [1.4 – Ensure access keys are rotated every 90 days or less](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.4). In AWS Config, the [access-keys-rotated](https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html) rule has a `maxAccessKeyAge` parameter with a default value of 90 days. As a result, the rule aligns with the control requirements. If you aren’t using the default value, ensure that the value you’re using is equal to or greater than the 90 day requirement from CIS v1.2.0.
You can find the default parameter details for each managed rule in the [AWS Config documentation](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). For instructions on how to configure a rule, see [Working with AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managing-aws-managed-rules.html).
### Enable and set up AWS Security Hub CSPM
Many controls in Audit Manager require Security Hub CSPM as a data source type. To support these controls, you must enable Security Hub CSPM on all accounts in each Region where Audit Manager is enabled.
Audit Manager doesn’t manage Security Hub CSPM for you. You can follow these steps to enable Security Hub CSPM and configure its settings.
**Important**
Enabling Security Hub CSPM is an optional recommendation. However, if you do enable Security Hub CSPM, the following settings are required. If Audit Manager tries to collect evidence for controls that use Security Hub CSPM as a data source type, and Security Hub CSPM is not set up as described below, no evidence is collected for those controls.
**Tasks to integrate AWS Security Hub CSPM with Audit Manager**
+ [Step 1: Enable AWS Security Hub CSPM](#enabling-securityhub)
+ [Step 2: Configure your Security Hub CSPM settings for use with Audit Manager](#set-up-securityhub)
+ [Step 3: Configure the Organizations settings for your organization](#set-up-securityhub-orgs)
#### Step 1: Enable AWS Security Hub CSPM
You can enable Security Hub CSPM using either the console or the API. For instructions, see [Setting up AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html) in the *AWS Security Hub CSPM User Guide*.
#### Step 2: Configure your Security Hub CSPM settings for use with Audit Manager
After you enable Security Hub CSPM, make sure that you also do the following:
+ [Enable AWS Config and configure resource recording](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-prereq-config.html) – Security Hub CSPM uses service-linked AWS Config rules to perform most of its security checks for controls. To support these controls, AWS Config must be enabled and configured to record resources that are required for the controls that you have enabled in each enabled standard.
+ [Enable all security standards](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html#securityhub-standard-enable-console) – This step ensures that Audit Manager can import findings for all supported compliance standards.
+ [Turn on the consolidated control findings setting in Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-findings-create-update.html#turn-on-consolidated-control-findings) - This setting is turned *on* by default if you enable Security Hub CSPM on or after February 23, 2023.
**Note**
When you enable consolidated findings, Security Hub CSPM produces a single finding for each security check (even when the same check is used across multiple standards). Each Security Hub CSPM finding is collected as one unique resource assessment in Audit Manager. As a result, consolidated findings results in a decrease of the total unique resource assessments that Audit Manager performs for Security Hub CSPM findings. For this reason, using consolidated findings can often result in a reduction in your Audit Manager usages costs. For more information about using Security Hub CSPM as a data source type, see [AWS Security Hub CSPM controls supported by AWS Audit Manager](control-data-sources-ash.md). For more information about Audit Manager pricing, see [AWS Audit Manager Pricing](https://aws.amazon.com/audit-manager/pricing/).
#### Step 3: Configure the Organizations settings for your organization
If you use AWS Organizations and you want to collect Security Hub CSPM evidence from your member accounts, you must also perform the following steps in Security Hub CSPM.
**To set up your organization's Security Hub CSPM settings**
1. Sign in to the AWS Management Console and open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).
1. Using your AWS Organizations management account, designate an account as the delegated administrator for Security Hub CSPM. For more information, see [Designating a Security Hub CSPM administrator account](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html#designate-admin-console) in the *AWS Security Hub CSPM User Guide*.
**Note**
Make sure that the delegated administrator account that you designate in Security Hub CSPM is the same one that you use in Audit Manager.
1. Using your Organizations delegated administrator account, go to **Settings, Accounts**, select all accounts, and then add them as members by selecting **Auto-enroll**. For more information, see [Enabling member accounts from your organization](https://docs.aws.amazon.com/securityhub/latest/userguide/orgs-accounts-enable.html) in the *AWS Security Hub CSPM User Guide*.
1. Enable AWS Config for every member account of the organization. For more information, see [Enabling member accounts from your organization](https://docs.aws.amazon.com/securityhub/latest/userguide/orgs-accounts-enable.html) in the *AWS Security Hub CSPM User Guide*.
1. Enable the PCI DSS security standard for every member account of the organization. The AWS CIS Foundations Benchmark standard and the AWS Foundational Best Practices standard are already enabled by default. For more information, see [Enabling a security standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html#securityhub-standard-enable-console) in the *AWS Security Hub CSPM User Guide*.
### Enable and set up AWS Organizations
Audit Manager supports multiple accounts via integration with AWS Organizations. Audit Manager can run assessments over multiple accounts and consolidate evidence into a delegated administrator account. The delegated administrator has permissions to create and manage Audit Manager resources with the organization as the zone of trust. Only the management account can designate a delegated administrator.
**Important**
Enabling AWS Organizations is an optional recommendation. However, if you do enable AWS Organizations, the following settings are required.
**Tasks to integrate AWS Organizations with Audit Manager**
+ [Step 1: Create or join an organization](#enabling-orgs-create)
+ [Step 2: Enable all features in your organization](#enabling-orgs-enable-all-features)
+ [Step 3: Specify a delegated administrator for Audit Manager](#enabling-orgs-designate)
#### Step 1: Create or join an organization
If your AWS account isn't part of an organization, you can create or join an organization. For instructions, see [Creating and managing an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org.html) in the *AWS Organizations User Guide*.
#### Step 2: Enable all features in your organization
Next, you must enable all features in your organization. For instructions, see [Enabling all features in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html) in the *AWS Organizations User Guide*.
#### Step 3: Specify a delegated administrator for Audit Manager
We recommend that you enable Audit Manager using an Organizations management account, and then specify a delegated administrator. After that, you can use the delegated administrator account to log in and run assessments. As a best practice, we recommend that you only create assessments using the delegated administrator account instead of the management account.
To add or change a delegated administrator after you enable Audit Manager, see [Adding a delegated administrator](add-delegated-admin.md) and [Changing a delegated administrator](change-delegated-admin.md).
## Next steps
Now that you have set up Audit Manager with the recommended settings, you're ready to get started with using the service.
+ To get started with your first assessment, see [Tutorial for Audit Owners: Creating an assessment](tutorial-for-audit-owners.md).
+ To update your settings in the future, see [Reviewing and configuring your AWS Audit Manager settings](console-settings.md).