SAA-C03 | Chapter 71 of 189 | Objective 1.4

AWS Audit Manager

AWS Audit Manager is a managed service that helps you continuously audit your AWS usage to assess compliance with regulations and industry standards. For the SAA-C03 exam, this topic appears in Domain 1: Secure Architectures (Objective 1.4) and typically accounts for 5-8% of questions. This chapter covers the service's architecture, how it automates evidence collection, its integration with AWS Config and Security Hub, and the exam's focus on framework selection, custom controls, and delegation. You will learn to distinguish Audit Manager from similar services like AWS Config Rules and AWS Artifact, and understand when to use each.

25 min read
Intermediate
Updated May 31, 2026

Audit Manager as Your Compliance Foreman

Imagine you own a large apartment building that must pass a fire safety inspection every year. You have dozens of units, each with smoke detectors, fire extinguishers, sprinklers, and emergency exit signs. The inspector wants to see that every device is tested monthly, batteries are replaced annually, and exit paths are clear. Instead of manually checking each unit, you hire a compliance foreman. The foreman first studies the building code (the control framework) to know exactly what the inspector requires. Then he installs sensors in every unit that automatically report device status (evidence collection). He sets up a dashboard that shows which units are compliant and which need attention (automated assessments). When the inspector arrives, the foreman presents a neatly organized binder with test logs, maintenance receipts, and photos of exit paths (audit report). If a smoke detector fails a test, the foreman alerts you immediately so you can fix it before it becomes a violation. The foreman never changes any devices himself—he only monitors and reports. Similarly, AWS Audit Manager is a tool that continuously collects evidence from your AWS accounts, assesses it against a chosen framework (like CIS or PCI DSS), and helps you prepare for audits. It does not remediate issues on its own; it provides the evidence and alerts you to gaps so you can take corrective action.

How It Actually Works

What is AWS Audit Manager and Why It Exists

AWS Audit Manager is a fully managed service that automates the collection of evidence from your AWS accounts and resources, making it easier to prepare for audits and demonstrate compliance. Before Audit Manager, organizations had to manually gather logs, configuration snapshots, and user activity records—a time-consuming and error-prone process. Audit Manager addresses this by continuously monitoring your environment against predefined or custom control frameworks, generating audit-ready reports.

The service supports over 100 prebuilt standard frameworks, including:
- CIS AWS Foundations Benchmark
- PCI DSS v3.2.1
- HIPAA
- SOC 2
- NIST 800-53
- AWS Well-Architected Framework

You can also create custom frameworks to match your organization's internal policies or regulatory requirements.

How Audit Manager Works Internally

Audit Manager operates through a three-phase cycle: assessment creation, evidence collection, and report generation.

Phase 1: Assessment Creation

You start by creating an *assessment*. An assessment defines:
- Framework: The set of controls to evaluate (e.g., PCI DSS).
- AWS Accounts: Which accounts to include (from AWS Organizations).
- Resources: Specific resource types (e.g., S3 buckets, IAM roles, EC2 instances).
- Delegation: Optionally delegate assessment management to another AWS account (e.g., a security team).

Phase 2: Evidence Collection

Once the assessment is active, Audit Manager automatically collects evidence from multiple sources:
- AWS Config: Configuration history and compliance snapshots.
- AWS CloudTrail: API activity logs.
- Amazon CloudWatch: Logs and metrics.
- AWS Security Hub: Security findings.
- AWS Organizations: Account structure.
- Direct API calls: For resources not covered by Config.

Each control within the framework has one or more *data sources*. For example, a control that checks whether S3 buckets block public access might pull data from AWS Config rule s3-bucket-public-read-prohibited. Audit Manager runs these checks periodically (default every 24 hours) and collects the results as evidence.

Evidence is stored in storage that Audit Manager manages for you, encrypted with SSE-S3 by default or with a customer-managed KMS key if you configure one. The service retains evidence for the duration of the assessment plus a configurable retention period (default 365 days).

Phase 3: Report Generation

When you need to present evidence to an auditor, you generate a *report*. The report compiles all evidence into a structured document organized by control. It includes:
- Control status: Compliant, Non-compliant, or Not applicable.
- Evidence details: Raw data from Config, CloudTrail, etc.
- Remediation suggestions: Links to AWS documentation or automated remediation playbooks.

Reports can be exported as PDF or CSV files.

Key Components, Values, Defaults, and Timers

Assessment: A container for a specific audit scope. You can have multiple assessments running simultaneously (e.g., one for PCI DSS, one for SOC 2).

Control: A single compliance requirement (e.g., "IAM users should not have access keys older than 90 days"). Controls can be *automated* (evidence collected automatically) or *manual* (you upload evidence yourself).

Framework: A collection of controls. Prebuilt frameworks are maintained by AWS and updated periodically.

Evidence Finder: A search tool to locate specific evidence across all assessments.

Delegation: You can delegate administration of an assessment to another AWS account. The delegated account can view evidence, add manual evidence, and generate reports, but cannot delete the assessment.

Retention period: Default 365 days. Configurable from 1 to 3650 days.

Data encryption: Evidence is encrypted at rest using SSE-S3 by default, or you can specify a customer-managed KMS key.

Cost: Audit Manager charges based on the number of assessment resources evaluated per month. As of the exam objectives, the first 40,000 resource evaluations per month are free.

Configuration and Verification Commands

You can interact with Audit Manager using the AWS CLI, SDK, or Console.

Creating an assessment via CLI (the API also requires a report destination and at least one role; the bucket name, role ARN and framework ID below are placeholders):

# Look up the framework's ID first: aws auditmanager list-assessment-frameworks --framework-type Standard
aws auditmanager create-assessment \
    --name "PCI-DSS-2024" \
    --framework-id "<framework-id-from-list-assessment-frameworks>" \
    --assessment-reports-destination "destinationType=S3,destination=s3://EXAMPLE-audit-reports" \
    --roles "roleType=PROCESS_OWNER,roleArn=arn:aws:iam::123456789012:role/AuditManagerProcessOwner" \
    --scope '{"awsAccounts":[{"id":"123456789012"}],"awsServices":[{"serviceName":"S3"},{"serviceName":"IAM"}]}'

Listing assessments:

aws auditmanager list-assessments

Generating a report (create the report first, then fetch its download URL with the report ID that the first command returns):

aws auditmanager create-assessment-report --name "PCI-DSS-2024-Q1" \
    --assessment-id "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
aws auditmanager get-assessment-report-url --assessment-id "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
    --assessment-report-id "<report-id-from-create-assessment-report>"

Delegating an assessment (each delegation request names a control set and the delegate's IAM role; the control set ID and role ARN below are placeholders):

aws auditmanager batch-create-delegation-by-assessment \
    --assessment-id "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
    --create-delegation-requests "controlSetId=<control-set-id>,roleType=RESOURCE_OWNER,roleArn=arn:aws:iam::123456789012:role/AuditDelegate,comment=Please review"

How Audit Manager Interacts with Related Technologies

AWS Config: Audit Manager relies on Config rules for many automated controls. If Config is not enabled in the account, those controls will show as "Not applicable" or fail to collect evidence.

AWS Security Hub: Audit Manager can ingest security findings from Security Hub and map them to controls. This is useful for frameworks like CIS that align with Security Hub standards.

AWS Organizations: Audit Manager can collect evidence from multiple accounts in an organization. You must enable trusted access for Audit Manager in Organizations.

AWS Artifact: Artifact provides access to AWS compliance reports (e.g., SOC reports). Audit Manager is for your own compliance, while Artifact is for AWS's compliance.

AWS CloudTrail: Audit Manager uses CloudTrail logs to collect evidence of API calls, such as changes to security groups or IAM policies.

Exam-Relevant Details

Audit Manager does not enforce compliance; it only collects evidence. Remediation is your responsibility or can be automated via AWS Config remediation actions or Systems Manager Automation.

The service supports custom frameworks but not custom data sources beyond what AWS provides. You can define manual controls for anything not automated.

Evidence Finder allows you to search across all assessments for specific evidence (e.g., all S3 bucket policies). This is useful for ad-hoc auditor requests.

Audit Manager is available in most AWS regions, but some frameworks may be region-specific.

The service integrates with AWS License Manager for license compliance assessments.

Key Numbers for the Exam

Default evidence collection interval: 24 hours

Default evidence retention: 365 days

Minimum retention: 1 day, maximum: 3650 days

Free tier: 40,000 resource evaluations per month

Assessment delegation: only one delegated account per assessment

Number of prebuilt frameworks: 100+

Walk-Through

1. Enable Required Services

Before creating an assessment, ensure AWS Config, AWS CloudTrail, and AWS Security Hub are enabled in all accounts you intend to audit. Audit Manager depends on these services to collect automated evidence. If a required service is disabled, controls that rely on it will show as 'Not applicable' or fail to collect evidence. Also, enable trusted access for Audit Manager in AWS Organizations if you plan to assess multiple accounts.

2. Create an Assessment

Navigate to the Audit Manager console and choose 'Create assessment'. Provide a name and description, then select a framework (e.g., CIS AWS Foundations Benchmark). Specify the AWS accounts and resources to include. You can scope the assessment to specific AWS services (e.g., S3, IAM, EC2). Optionally, delegate administration to another AWS account. The assessment will immediately begin collecting evidence.

3. Review Evidence Collection

Audit Manager automatically collects evidence every 24 hours. You can view evidence in the console under 'Evidence' for each control. Evidence includes configuration snapshots, API call logs, and security findings. For manual controls, you must upload evidence yourself (e.g., policy documents, screenshots). Use the Evidence Finder to search across all assessments.

4. Generate Audit Report

When ready, generate a report by selecting 'Generate report' from the assessment detail page. The report compiles all evidence into a PDF or CSV organized by control. It includes control status (compliant/non-compliant), evidence details, and remediation guidance. Reports are available for download for the duration of the assessment retention period.

5. Delegate and Collaborate

If you delegated the assessment to another account, the delegated admin can view evidence, upload manual evidence, and generate reports. The original assessment owner retains full control and can revoke delegation at any time. This is useful for separating audit functions from operational teams.

What This Looks Like on the Job

Enterprise Scenario 1: PCI DSS Compliance for a Fintech Startup

A fintech startup processes credit card payments and must comply with PCI DSS. They have 50 AWS accounts managed via AWS Organizations. The compliance team uses Audit Manager with the prebuilt PCI DSS v3.2.1 framework. They create a single assessment covering all accounts and key services (S3, RDS, EC2, IAM). Evidence is collected automatically for controls like 'Encrypt cardholder data at rest' (using S3 bucket encryption settings) and 'Restrict access to cardholder data' (IAM policies). The team generates monthly reports for the acquiring bank. A common misconfiguration is forgetting to enable AWS Config in all accounts, causing controls to show 'No evidence'. The solution is to use AWS Config aggregator to centralize configuration data.

Enterprise Scenario 2: SOC 2 for a SaaS Provider

A SaaS company needs a SOC 2 Type II report. They use Audit Manager with a custom framework based on the SOC 2 trust principles. They define controls for availability (e.g., Auto Scaling group configuration) and security (e.g., VPC flow logs enabled). The security team delegates assessment management to an external auditor's AWS account, allowing the auditor to access evidence directly. Performance consideration: with thousands of resources, evidence collection can take up to 24 hours. The company sets up automated notifications via Amazon SNS when controls become non-compliant. A common pitfall is not defining manual controls correctly—for example, requiring a signed policy document but forgetting to upload it, causing the control to remain non-compliant.

Enterprise Scenario 3: Internal Policy Compliance for a Large Enterprise

A multinational corporation has internal security policies that go beyond standard frameworks. They create a custom framework in Audit Manager with 150 controls. They use AWS Config custom rules to map to some controls. Evidence is collected from 200 accounts across multiple regions. The enterprise uses Audit Manager's Evidence Finder to quickly respond to auditor requests, e.g., 'Show all IAM role trust policies that allow cross-account access'. A challenge is managing the cost: with millions of resource evaluations per month, the bill can exceed $10,000. They optimize by scoping assessments to only critical resources and using the free tier for smaller assessments.

How SAA-C03 Actually Tests This

SAA-C03 Objective Alignment

This topic maps to Domain 1: Secure Architectures, Objective 1.4: Design an auditing and compliance strategy. Exam questions test your ability to choose the right service (Audit Manager vs. Config vs. Artifact) and understand how Audit Manager automates evidence collection. Key objective codes: 1.4.1, 1.4.2.

Common Wrong Answers and Why Candidates Choose Them

1. Choosing AWS Config over Audit Manager: Many candidates select AWS Config because they know it tracks configuration changes. However, the question will ask for a service that 'automates evidence collection for compliance frameworks'. Audit Manager is the correct answer because it is purpose-built for audits, while Config is a building block. Config is a data source for Audit Manager, not a replacement.

2. Selecting AWS Artifact: Artifact provides access to AWS's compliance reports, not your own compliance evidence. Candidates confuse 'compliance reports' (AWS's) with 'audit evidence' (yours).

3. Thinking Audit Manager can remediate issues: Audit Manager only collects evidence and reports status. It does not fix non-compliant resources. Candidates may incorrectly think it can automatically remediate, but that is the job of AWS Config remediation or Systems Manager Automation.

4. Assuming all controls are automated: Some controls require manual evidence upload. Candidates forget that not everything can be automated, especially policy documents or physical security controls.

Specific Numbers and Terms That Appear on the Exam

40,000 resource evaluations per month (free tier)

365 days default retention

24 hours evidence collection interval

100+ prebuilt frameworks

Evidence Finder

Delegation (only one delegated account per assessment)

Custom framework vs. prebuilt framework

Edge Cases and Exceptions

If a resource is deleted after evidence collection, the evidence is still retained for the assessment duration.

Audit Manager does not support cross-region evidence aggregation; you must create assessments in each region.

When using a customer-managed KMS key, the key policy must grant Audit Manager permissions to encrypt/decrypt.

If AWS Config is not enabled, automated controls will show 'No evidence'—not 'Non-compliant'.
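The status rules above, together with the Phase 2/3 evidence flow described earlier in the chapter, as an added example (not code from the page or from AWS): it rolls up per-control status from constructed evidence records in a simplified dict shape that stands in for GetEvidence output, drops evidence past the 365-day retention default before anything is evaluated, and reports which controls flipped to Non-compliant since the previous run (the condition a team would wire to an SNS notification). Control ids, account numbers and the evidence shape are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_RETENTION_DAYS = 365                       # chapter default
NOW = datetime(2026, 5, 31, tzinfo=timezone.utc)    # fixed clock so the example is repeatable
FAILING = {"NON_COMPLIANT", "FAILED"}               # checks that make a control fail

# Constructed sample controls (ids and names are made up for this example).
CONTROLS = [
    {"id": "c-s3-public", "type": "automated", "name": "S3 buckets block public access"},
    {"id": "c-iam-keys", "type": "automated", "name": "IAM access keys rotated within 90 days"},
    {"id": "c-vpc-flow", "type": "automated", "name": "VPC flow logs enabled"},
    {"id": "c-policy-doc", "type": "manual", "name": "Signed security policy on file"},
    {"id": "c-mfa-root", "type": "automated", "name": "Root user has MFA enabled"},
]

# Constructed evidence, a simplified stand-in for GetEvidence output. c-vpc-flow has
# none because Config is disabled in account 222222222222; c-mfa-root's only item is
# older than the retention period; c-policy-doc has never had a manual upload.
EVIDENCE = [
    {"controlId": "c-s3-public", "account": "111111111111", "dataSource": "AWS Config",
     "complianceCheck": "COMPLIANT", "time": NOW - timedelta(hours=3)},
    {"controlId": "c-iam-keys", "account": "111111111111", "dataSource": "AWS Config",
     "complianceCheck": "COMPLIANT", "time": NOW - timedelta(hours=3)},
    {"controlId": "c-iam-keys", "account": "222222222222", "dataSource": "AWS Config",
     "complianceCheck": "NON_COMPLIANT", "time": NOW - timedelta(hours=3)},
    {"controlId": "c-mfa-root", "account": "111111111111", "dataSource": "AWS Security Hub",
     "complianceCheck": "PASSED", "time": NOW - timedelta(days=400)},
]

def prune_expired(evidence, now=NOW, retention_days=DEFAULT_RETENTION_DAYS):
    """Keep only evidence still inside the retention window."""
    cutoff = now - timedelta(days=retention_days)
    return [e for e in evidence if e["time"] >= cutoff]

def control_status(control, evidence):
    """Report status for one control from the evidence that survived pruning."""
    items = [e for e in evidence if e["controlId"] == control["id"]]
    if not items:
        return "No evidence"               # disabled data source or missing manual upload
    if control["type"] == "manual":
        return "Manual evidence uploaded"  # an auditor still reviews it by hand
    checks = {e["complianceCheck"] for e in items}
    if checks & FAILING:
        return "Non-compliant"             # one failing account fails the whole control
    if checks <= {"NOT_APPLICABLE"}:
        return "Not applicable"
    return "Compliant"

def assessment_summary(controls=CONTROLS, evidence=EVIDENCE, now=NOW):
    """Map control id -> status, the way a report lists them."""
    live = prune_expired(evidence, now)
    return {c["id"]: control_status(c, live) for c in controls}

def newly_noncompliant(previous, current):
    """Control ids that flipped to Non-compliant since the last run (what you would notify on)."""
    return sorted(cid for cid, status in current.items()
                  if status == "Non-compliant" and previous.get(cid) != "Non-compliant")

if __name__ == "__main__":
    for cid, status in assessment_summary().items():
        print(f"{cid:13} {status}")
```

Note that c-mfa-root ends up as "No evidence" rather than "Compliant": its only item aged out of retention, which is the same outcome an auditor sees when a data source has stopped reporting.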

How to Eliminate Wrong Answers

If the question mentions 'automated evidence collection' and 'compliance framework', eliminate Config and Artifact.

If the question says 'generate audit-ready reports', Audit Manager is the answer.

If the question says 'remediate non-compliant resources', look for Config rules with remediation actions, not Audit Manager.

If the question says 'view AWS compliance certifications', that's Artifact.

Key Takeaways

AWS Audit Manager automates evidence collection for compliance frameworks like PCI DSS, HIPAA, SOC 2, and CIS.

Audit Manager does not remediate issues; it only collects evidence and reports status.

You must enable AWS Config, CloudTrail, and Security Hub for automated evidence collection.

Default evidence collection interval is 24 hours; retention is 365 days.

Free tier includes 40,000 resource evaluations per month.

Each assessment can be delegated to only one AWS account.

Use Evidence Finder to search across all assessments for specific evidence.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

AWS Audit Manager

Purpose-built for audit evidence collection and reporting

Supports over 100 prebuilt compliance frameworks

Collects evidence from multiple sources (Config, CloudTrail, etc.)

Generates audit-ready reports (PDF/CSV)

Does not enforce compliance; only reports

AWS Config

Tracks configuration changes and resource relationships

Provides per-resource compliance via managed rules

Single data source: resource configurations

No built-in reporting for audits; use Config aggregator or third-party tools

Can trigger remediation actions via AWS Config rules

Watch Out for These

Mistake

AWS Audit Manager can automatically fix non-compliant resources.

Correct

Audit Manager only collects evidence and reports status. It does not perform remediation. To automatically fix issues, you must use AWS Config remediation actions or AWS Systems Manager Automation.

Mistake

Audit Manager replaces AWS Config.

Correct

Audit Manager relies on AWS Config as a primary data source. Config must be enabled for Audit Manager to collect evidence for many controls. They are complementary, not interchangeable.

Mistake

All evidence is collected in real-time.

Correct

Evidence collection runs every 24 hours by default. You can trigger on-demand evidence collection for specific controls, but the interval is not real-time.

Mistake

Audit Manager can assess any AWS resource.

Correct

Audit Manager supports evidence collection for a specific set of AWS services (e.g., S3, IAM, EC2, RDS). For unsupported services, you must use manual evidence.

Mistake

You can delegate an assessment to multiple accounts.

Correct

Each assessment can be delegated to only one AWS account. If you need multiple delegations, create separate assessments.


Frequently Asked Questions

What is the difference between AWS Audit Manager and AWS Config?

AWS Config tracks configuration changes and evaluates resources against rules. AWS Audit Manager is a higher-level service that collects evidence from multiple sources (including Config) and organizes it into audit reports aligned with compliance frameworks. For the exam, if the question asks for automated audit evidence collection, choose Audit Manager.

Does AWS Audit Manager support custom compliance frameworks?

Yes, you can create custom frameworks in Audit Manager. You define controls and map them to automated data sources or manual evidence uploads. This is useful for internal policies that go beyond standard frameworks.

How does Audit Manager collect evidence for multi-account environments?

Audit Manager integrates with AWS Organizations. You enable trusted access, and then you can select which accounts to include in an assessment. Evidence is collected from each account using the same data sources (Config, CloudTrail, etc.).

Can I use AWS Audit Manager to generate reports for external auditors?

Yes, Audit Manager generates reports in PDF or CSV format that you can share with auditors. You can also delegate assessment management to an external account so they can access evidence directly.

What happens if I disable AWS Config after creating an assessment?

Controls that rely on AWS Config will stop collecting evidence and show as 'No evidence' or 'Not applicable'. You must keep Config enabled for the duration of the assessment to maintain continuous evidence collection.

Is AWS Audit Manager available in all AWS regions?

Audit Manager is available in most commercial regions, but some frameworks may be region-restricted. Check the AWS Regional Services List for the latest availability.

How does Audit Manager handle encryption of evidence?

By default, evidence is encrypted at rest using SSE-S3. You can optionally specify a customer-managed KMS key for additional control. The key policy must grant Audit Manager permissions to use the key.
