SOA-C02 · Chapter 51 of 104 · Objective 4.2

AWS Audit Manager

This chapter covers AWS Audit Manager, a service that automates evidence collection for audits, helping you assess compliance with frameworks like SOC 2, PCI DSS, and HIPAA. For the SOA-C02 exam, Audit Manager appears in Domain 4 (Security) under Objective 4.2, which focuses on implementing and managing security and compliance controls. Expect 1–2 questions on this topic, typically asking how to automate evidence collection or which other AWS services it draws evidence from. Understanding Audit Manager's data sources, frameworks and assessments, and report generation is what the exam rewards.

25 min read
Intermediate
Updated May 31, 2026

Audit Manager as a Compliance Auditor

Imagine a company that must prove to regulators that every financial transaction is handled correctly. Instead of hiring an army of auditors to manually check each process, they install a smart auditing system. This system automatically watches every step: it knows the company's internal policies (like 'all purchases over $10,000 need two approvals'), and it continuously records evidence—screenshots, logs, timestamps—showing that each policy was followed. When a regulator asks for proof, the system instantly assembles a report with all the evidence neatly organized. It doesn't change how the company operates; it just observes and documents. If a policy is violated, the system flags it immediately, so the company can fix the issue before the regulator's visit. This is exactly how AWS Audit Manager works: it continuously collects evidence from AWS services, maps it to compliance frameworks (like SOC 2 or PCI DSS), and generates audit-ready reports. It automates the evidence collection that auditors require, reducing manual effort and ensuring nothing is missed.

How It Actually Works

What is AWS Audit Manager?

AWS Audit Manager is a fully managed service that helps you continuously audit your AWS usage to assess compliance with internal policies and industry standards. It automates the collection of evidence—such as configuration snapshots, API call logs, and resource metadata—and maps it to controls from frameworks like SOC 2, PCI DSS, HIPAA, and GDPR. The service reduces the manual effort of preparing for audits by providing a single place to view compliance status and generate audit-ready reports.

How It Works Internally

Audit Manager works by creating an assessment, which is a container for a specific compliance framework and a scope of AWS accounts. The assessment is created in one Region (Audit Manager is a Regional service) and defines which accounts to include, which framework controls to evaluate, and where to deliver reports. Behind the scenes, Audit Manager pulls evidence from AWS Config rule results, AWS Security Hub checks, AWS CloudTrail events, and scheduled AWS API calls. Evidence from anything else (third-party tools, on-premises systems, signed documents) enters as manual evidence, which a person uploads or a script imports through the Audit Manager API.

Here is the step-by-step mechanism:

1. Framework selection: You choose a pre-built (standard) framework such as SOC 2, or create a custom one. A framework is a set of control sets, each holding controls, and every control carries data source mappings that tell Audit Manager where to get evidence.

2. Assessment creation: You create an assessment in the Region where Audit Manager is enabled, naming the framework, the AWS accounts in scope (your own account, or member accounts when you work from the AWS Organizations delegated administrator account), the S3 bucket that receives assessment reports, and the audit owner roles.

3. Evidence collection: Audit Manager collects evidence per data source, on that source's own cadence:
- AWS Config: the latest compliance result of a managed or custom Config rule.
- AWS Security Hub: the result of a Security Hub security check.
- AWS API calls: the response of a describe or list call, taken daily, weekly, or monthly as set in the mapping.
- AWS CloudTrail: matching management events, collected continuously.
- Manual evidence: files, text responses, or S3 objects that a person uploads in the console or that a script imports through the BatchImportEvidenceToAssessmentControl API. This is how evidence from third-party tools or on-premises systems gets in; a Lambda function can run such a script, but Lambda is not a data source type.

4. Evidence storage: Audit Manager stores the evidence itself, grouped into daily evidence folders under each control. What lands in your S3 bucket is the assessment report (and any Evidence Finder export), not the raw evidence store.

5. Report generation: When you need to produce an audit report, you first select the evidence to include, then Audit Manager assembles a PDF summary plus the selected evidence files and delivers them to the assessment's S3 destination.

6. Review: Audit owners and delegates review evidence in the console, add comments, delegate a control set to a reviewer, and move each control from Under review to Reviewed (or Inactive). There is no per-item approve/reject flag; human judgment is recorded through comments, evidence selection, and control status.
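The following is an added example, not AWS code or code from this course, showing steps 1 and 2 as API calls: it builds a custom control with one mapping per data source type, wraps it in a custom framework, and creates an assessment scoped to a single account. It validates each mapping against the sourceType and sourceFrequency values the CreateControl API accepts, so a "Lambda" data source or a frequency on a Config mapping is rejected before any call is made. The keyword values (a Config rule name, a CloudTrail event name, an API call name) and all account, bucket and role names are assumptions chosen for illustration; the DryRunClient stub lets it run offline and is swapped for boto3.client("auditmanager") to run for real.

```python
"""Provision a custom control, a custom framework and an assessment (Audit Manager steps 1-2).
Added example, not AWS code. Keyword values, names and IDs are illustrative assumptions."""
from typing import Any, Optional

# sourceType values accepted by CreateControl. There is no Lambda data source type;
# evidence from non-AWS systems enters as MANUAL evidence (uploaded or imported by API).
VALID_SOURCE_TYPES = {"AWS_Config", "AWS_Security_Hub", "AWS_API_Call", "AWS_Cloudtrail", "MANUAL"}
VALID_FREQUENCIES = {"DAILY", "WEEKLY", "MONTHLY"}  # only meaningful for AWS_API_Call


def mapping(name: str, source_type: str, keyword: Optional[str] = None,
            frequency: Optional[str] = None) -> dict[str, Any]:
    """Build one controlMappingSources entry and reject shapes the API would not accept."""
    if source_type not in VALID_SOURCE_TYPES:
        raise ValueError(f"unknown sourceType {source_type!r}")
    if source_type == "MANUAL":
        # Manual sources are procedural: a person uploads a file (assumed keywordInputType).
        return {"sourceName": name, "sourceType": "MANUAL",
                "sourceSetUpOption": "Procedural_Controls_Mapping",
                "sourceKeyword": {"keywordInputType": "UPLOAD_FILE"}}
    if not keyword:
        raise ValueError(f"{source_type} mappings need a keywordValue (rule, check, API or event name)")
    entry: dict[str, Any] = {
        "sourceName": name, "sourceType": source_type,
        "sourceSetUpOption": "System_Controls_Mapping",
        "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST", "keywordValue": keyword},
    }
    if source_type == "AWS_API_Call":
        if frequency not in VALID_FREQUENCIES:
            raise ValueError("AWS_API_Call mappings need sourceFrequency DAILY, WEEKLY or MONTHLY")
        entry["sourceFrequency"] = frequency
    elif frequency is not None:
        # Config/Security Hub evidence follows those services' evaluations; CloudTrail is continuous.
        raise ValueError(f"sourceFrequency is not configurable for {source_type}")
    return entry


def assessment_request(name: str, framework_id: str, account_id: str,
                       report_bucket: str, owner_role_arn: str) -> dict[str, Any]:
    """CreateAssessment body. Scope is a list of accounts; the Region comes from the client endpoint."""
    return {
        "name": name,
        "frameworkId": framework_id,
        "assessmentReportsDestination": {"destinationType": "S3", "destination": f"s3://{report_bucket}"},
        "scope": {"awsAccounts": [{"id": account_id}]},
        "roles": [{"roleType": "PROCESS_OWNER", "roleArn": owner_role_arn}],
    }


class DryRunClient:
    """Stands in for boto3.client('auditmanager') so the flow runs offline; records each call."""
    def __init__(self) -> None:
        self.calls: list[tuple[str, dict[str, Any]]] = []

    def create_control(self, **kw: Any) -> dict[str, Any]:
        self.calls.append(("create_control", kw))
        return {"control": {"id": "ctl-0001"}}

    def create_assessment_framework(self, **kw: Any) -> dict[str, Any]:
        self.calls.append(("create_assessment_framework", kw))
        return {"framework": {"id": "fw-0001"}}

    def create_assessment(self, **kw: Any) -> dict[str, Any]:
        self.calls.append(("create_assessment", kw))
        return {"assessment": {"metadata": {"id": "asmt-0001"}}}


def provision(client: Any, account_id: str, report_bucket: str, owner_role_arn: str) -> str:
    """Control -> framework -> assessment, in the order the API requires; returns the assessment ID."""
    control = client.create_control(
        name="S3 buckets encrypt data at rest",
        description="Every bucket in scope has default server-side encryption enabled",
        controlMappingSources=[
            mapping("Config evaluation", "AWS_Config", "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"),
            mapping("Encryption changes", "AWS_Cloudtrail", "PutBucketEncryption"),
            mapping("Bucket inventory", "AWS_API_Call", "s3_ListBuckets", "WEEKLY"),
            mapping("Signed data-handling policy", "MANUAL"),
        ],
    )
    framework = client.create_assessment_framework(
        name="Internal data protection",
        complianceType="Internal",
        controlSets=[{"name": "Encryption", "controls": [{"id": control["control"]["id"]}]}],
    )
    assessment = client.create_assessment(**assessment_request(
        "prod-data-protection", framework["framework"]["id"], account_id, report_bucket, owner_role_arn))
    return assessment["assessment"]["metadata"]["id"]


if __name__ == "__main__":
    client = DryRunClient()  # replace with boto3.client("auditmanager") to create real objects
    print(provision(client, "111122223333", "example-audit-reports",
                    "arn:aws:iam::111122223333:role/AuditOwner"))
```

The role ARN must be one the caller can pass (iam:PassRole), and the report bucket needs a policy that lets Audit Manager write to it; both are set up outside this script.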

Key Components, Values, Defaults, and Timers

Framework: A collection of control sets, each holding controls. Pre-built (standard) frameworks include:

- SOC 2
- PCI DSS v3.2.1
- HIPAA
- GDPR
- AWS Foundational Security Best Practices

Other terms and defaults:

- Control: A specific requirement (e.g., 'Enable encryption at rest'). Each control has a set of data source mappings that define where to get evidence; pre-built controls map to AWS Config rules, Security Hub checks, AWS API calls, or CloudTrail events.
- Assessment: An instance of a framework applied to a specific scope of accounts in one Region. You can have multiple assessments for the same framework (e.g., one for production, one for development).
- Evidence: The raw data collected for a control. Evidence can be automated (collected from Config, Security Hub, API calls, or CloudTrail without human intervention) or manual (a file or text response uploaded by a user, or an S3 object imported by API, e.g., a PDF of a policy document).
- Evidence Finder: A feature for filtering evidence across an assessment by control, data source, compliance status, resource type, and date range, backed by a CloudTrail Lake event data store that you enable; results can be exported as CSV to S3.
- Evidence collection frequency: Configurable only for AWS API call data sources, per mapping: daily, weekly, or monthly. CloudTrail evidence is continuous; Config and Security Hub evidence follows those services' evaluations. There is no manual or on-demand trigger for automated collection.
- Delegation: Two different things share the word. At the organization level, you register a delegated administrator account via AWS Organizations so a central audit team can create assessments that include member accounts. Inside an assessment, an audit owner can delegate a control set to a reviewer.
- Retention: Evidence is kept for the life of the assessment and deleted with it. Generate assessment reports, or export from Evidence Finder, to an S3 bucket for long-term retention.

Configuration and Verification Commands

Audit Manager is primarily managed via the AWS Management Console, AWS CLI, or SDK. Here are key CLI commands:

# Find the ID of a pre-built (standard) framework such as SOC 2
aws auditmanager list-assessment-frameworks --framework-type Standard

# Create a new assessment in the current Region
# (scope is a list of accounts; older API versions also accepted an awsServices list)
aws auditmanager create-assessment \
    --name "MySOC2Assessment" \
    --framework-id <framework-id> \
    --assessment-reports-destination destinationType=S3,destination=s3://<bucket-name> \
    --scope 'awsAccounts=[{id=<account-id>}]' \
    --roles roleType=PROCESS_OWNER,roleArn=arn:aws:iam::<account-id>:role/<audit-owner-role>

# List assessments
aws auditmanager list-assessments

# Get assessment details (control sets, control status, evidence counts per control)
aws auditmanager get-assessment --assessment-id <assessment-id>

# There is no command that forces an evidence-collection run; evidence arrives on each
# data source's own cadence. Instead, inspect the evidence folders collected for a control:
aws auditmanager get-evidence-folders-by-assessment-control \
    --assessment-id <assessment-id> --control-set-id <control-set-id> --control-id <control-id>

# Read the evidence items in one folder
aws auditmanager get-evidence-by-evidence-folder \
    --assessment-id <assessment-id> --control-set-id <control-set-id> --evidence-folder-id <folder-id>

# Generate an assessment report (delivered to the S3 destination set on the assessment)
aws auditmanager create-assessment-report --name "SOC2-Q2-report" --assessment-id <assessment-id>

To verify that evidence is being collected, open the assessment in the console: the dashboard and each control show how many evidence items have been collected and which controls have non-compliant evidence, and get-assessment returns the same evidence counts per control.

Interaction with Related Technologies

Audit Manager integrates with:

- AWS Config: Provides rule evaluation results. Audit Manager uses Config managed and custom rules as data sources for many controls.
- AWS CloudTrail: Supplies API activity. Audit Manager uses CloudTrail events to show that actions were taken (e.g., 'Was an IAM policy attached to a user?'). Evidence Finder additionally needs a CloudTrail Lake event data store.
- AWS Security Hub: Provides security check results that serve as evidence for controls related to security best practices.
- AWS API calls: Audit Manager itself calls describe/list APIs on a daily, weekly, or monthly schedule and stores the responses as configuration evidence.
- AWS Organizations: Lets you register a delegated administrator account; assessments created there can include member accounts in scope, enabling centralized audit management.
- Amazon S3: Receives assessment reports and Evidence Finder exports, and is where manual evidence imported by S3 path must already live.
- AWS Lambda (or any scheduler): Not a data source type. Its role is to host a script that pulls evidence from sources Audit Manager cannot read, such as on-premises databases or third-party tools, and imports it as manual evidence through the BatchImportEvidenceToAssessmentControl API.

Audit Manager does not enforce controls; it only collects evidence. If a control fails (e.g., encryption is not enabled), Audit Manager reports it as non-compliant but does not automatically remediate. You must use other services (e.g., AWS Config remediation actions, Systems Manager Automation) to fix issues.
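The "custom data source" case above, as an added example that is not AWS code or code from this course: a script shaped as a Lambda handler that takes a list of S3 objects (say, a nightly export of an on-premises database's audit log that another job has already copied to S3) and attaches them to one control as manual evidence with BatchImportEvidenceToAssessmentControl. It enforces the API's shape (exactly one of s3ResourcePath, textResponse, or evidenceFileName per item) and sends at most 50 items per call, which is the documented batch limit, and it returns the items the service rejected rather than silently dropping them. The assessment, control set and control IDs, the bucket and the DryRunClient stub are assumptions for illustration.

```python
"""Import manual evidence from a non-AWS source into one Audit Manager control.
Added example, not AWS code. IDs, bucket names and the stub client are assumptions."""
from typing import Any, Optional

BATCH_LIMIT = 50  # BatchImportEvidenceToAssessmentControl accepts at most 50 manualEvidence items


def manual_item(*, s3_path: Optional[str] = None, text: Optional[str] = None,
                file_name: Optional[str] = None) -> dict[str, str]:
    """One manualEvidence entry: exactly one of s3ResourcePath, textResponse, evidenceFileName."""
    fields = {"s3ResourcePath": s3_path, "textResponse": text, "evidenceFileName": file_name}
    present = {k: v for k, v in fields.items() if v}
    if len(present) != 1:
        raise ValueError("a manual evidence item needs exactly one of s3_path, text or file_name")
    if "s3ResourcePath" in present and not present["s3ResourcePath"].startswith("s3://"):
        raise ValueError("s3ResourcePath must be an s3:// URI that Audit Manager can read")
    return present


def import_evidence(client: Any, assessment_id: str, control_set_id: str, control_id: str,
                    items: list[dict[str, str]]) -> list[tuple[dict[str, str], str, str]]:
    """Send items in batches of BATCH_LIMIT; return (item, errorCode, errorMessage) for rejects."""
    rejected: list[tuple[dict[str, str], str, str]] = []
    for start in range(0, len(items), BATCH_LIMIT):
        batch = items[start:start + BATCH_LIMIT]
        resp = client.batch_import_evidence_to_assessment_control(
            assessmentId=assessment_id, controlSetId=control_set_id,
            controlId=control_id, manualEvidence=batch)
        # Partial failures come back in `errors`, not as an exception.
        for err in resp.get("errors", []):
            rejected.append((err.get("manualEvidence", {}), err.get("errorCode", ""),
                             err.get("errorMessage", "")))
    return rejected


class DryRunClient:
    """Offline stand-in for boto3.client('auditmanager'); rejects paths containing 'bad'."""
    def __init__(self) -> None:
        self.batches: list[list[dict[str, str]]] = []

    def batch_import_evidence_to_assessment_control(self, **kw: Any) -> dict[str, Any]:
        self.batches.append(kw["manualEvidence"])
        errors = [{"manualEvidence": m, "errorCode": "400", "errorMessage": "object not readable"}
                  for m in kw["manualEvidence"] if "bad" in m.get("s3ResourcePath", "")]
        return {"errors": errors}


def handler(event: dict[str, Any], context: Any = None, client: Any = None) -> dict[str, Any]:
    """Lambda-style entry point. event: assessmentId, controlSetId, controlId, objects (s3:// URIs)."""
    client = client or DryRunClient()  # in Lambda: boto3.client("auditmanager")
    items = [manual_item(s3_path=uri) for uri in event["objects"]]
    rejected = import_evidence(client, event["assessmentId"], event["controlSetId"],
                               event["controlId"], items)
    return {"submitted": len(items), "rejected": len(rejected),
            "rejected_paths": [r[0].get("s3ResourcePath", "") for r in rejected]}


if __name__ == "__main__":
    sample_event = {  # constructed sample
        "assessmentId": "asmt-0001", "controlSetId": "cs-0001", "controlId": "ctl-0001",
        "objects": ["s3://example-evidence/db-audit/2026-05-30.log.gz",
                    "s3://example-evidence/db-audit/2026-05-31.log.gz"],
    }
    print(handler(sample_event))
```

The caller needs auditmanager:BatchImportEvidenceToAssessmentControl plus s3:GetObject on the evidence bucket; the objects must be in the same Region as the assessment.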

Walk-Through

1

Select or Create a Framework

Choose a pre-built framework like SOC 2 or PCI DSS, or create a custom framework by defining controls and their data source mappings. Pre-built frameworks contain controls already mapped to AWS Config rules, Security Hub checks, AWS API calls, and CloudTrail events. For a custom framework, each control's mapping names the data source type and the keyword (rule name, check ID, API name, or event name) to collect, or marks the control as manual. This step sets the compliance standard against which your environment will be measured.

2

Create an Assessment

Define the scope of the audit by specifying the AWS accounts to include (member accounts are available when you create the assessment from the Organizations delegated administrator account). The assessment lives in the Region where you create it, so multi-Region coverage means one assessment per Region. Name the S3 bucket for reports and the audit owner roles. Collection frequency is a property of each AWS API call mapping in the framework (daily, weekly, or monthly), not of the assessment. You can have multiple assessments for different environments (e.g., production vs. development) using the same framework.

3

Automated Evidence Collection

Audit Manager collects evidence continuously from CloudTrail, from Config and Security Hub as those services evaluate resources, and from AWS API calls on the mapping's schedule. For Config and Security Hub evidence it records the compliance result those services produced; CloudTrail and API-call evidence are records of activity and configuration rather than pass/fail checks. Each item is timestamped and filed in a daily evidence folder under its control. If a control has multiple data sources, evidence from each source is collected separately.

4

Review and Validate Evidence

Auditors or audit owners review evidence for each control in the Audit Manager console. They can see the underlying data (e.g., a Config rule result with the resources it covered), add comments, delegate a control set to a reviewer, select the evidence items that should appear in the report, and upload manual evidence where a document is required. They then set the control's status to Reviewed (or Inactive). This step introduces human judgment to ensure accuracy before reporting.

5

Generate Audit Report

Once evidence is reviewed and the items for inclusion are selected, you generate an assessment report. Audit Manager delivers it to the assessment's S3 destination as a PDF summary of the controls with their selected evidence, plus the evidence files themselves, for submission to external auditors; Evidence Finder can separately export filtered evidence as CSV. Before a formal audit, the assessment dashboard and Evidence Finder show which controls have non-compliant evidence, which serves as the gap analysis.
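Step 4 in practice, as an added example that is not AWS code or code from this course: triage the evidence that GetEvidenceByEvidenceFolder returns for one control. It normalizes the two vocabularies the data sources use (Config says COMPLIANT/NON_COMPLIANT, Security Hub says PASSED/FAILED, CloudTrail activity evidence carries no check result), lists the individual resources that failed, and flags failing evidence that nobody has yet selected for the report, since unselected evidence never reaches the auditor. SAMPLE_EVIDENCE is a constructed sample that follows the response's field names (evidence[].dataSource, complianceCheck, resourcesIncluded[].arn, assessmentReportSelection); real responses carry more fields, and fetch_folder shows the pagination loop to use against the live API.

```python
"""Triage Audit Manager evidence for one control: status counts, failing resources,
and failing evidence not yet selected for the report. Added example, not AWS code."""
from collections import Counter
from typing import Any

# AWS Config reports COMPLIANT/NON_COMPLIANT, Security Hub PASSED/FAILED; CloudTrail and
# API-call evidence is a record of activity or configuration and carries no pass/fail result.
FAIL = {"NON_COMPLIANT", "FAILED"}
PASS = {"COMPLIANT", "PASSED"}

SAMPLE_EVIDENCE: list[dict[str, Any]] = [  # constructed sample in the response's shape
    {"id": "ev-1", "dataSource": "AWS Config", "evidenceByType": "Compliance check",
     "eventName": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED", "complianceCheck": "NON_COMPLIANT",
     "assessmentReportSelection": "No",
     "resourcesIncluded": [{"arn": "arn:aws:s3:::prod-logs", "complianceCheck": "NON_COMPLIANT"},
                           {"arn": "arn:aws:s3:::prod-data", "complianceCheck": "COMPLIANT"}]},
    {"id": "ev-2", "dataSource": "AWS Security Hub", "evidenceByType": "Compliance check",
     "eventName": "S3.4", "complianceCheck": "PASSED", "assessmentReportSelection": "Yes",
     "resourcesIncluded": [{"arn": "arn:aws:s3:::prod-data", "complianceCheck": "PASSED"}]},
    {"id": "ev-3", "dataSource": "AWS CloudTrail", "evidenceByType": "User activity",
     "eventName": "PutBucketEncryption", "complianceCheck": "", "assessmentReportSelection": "No",
     "resourcesIncluded": [{"arn": "arn:aws:s3:::prod-logs"}]},
]


def normalize(status: str) -> str:
    """Map both data-source vocabularies onto one; anything else is not a check result."""
    if status in FAIL:
        return "NON_COMPLIANT"
    if status in PASS:
        return "COMPLIANT"
    return "NOT_A_CHECK"


def summarize(evidence: list[dict[str, Any]]) -> dict[str, Any]:
    by_status = Counter(normalize(e.get("complianceCheck", "")) for e in evidence)
    # Per-resource results sit inside resourcesIncluded; one evidence item can mix pass and fail.
    failing = sorted({(r["arn"], e["eventName"])
                      for e in evidence for r in e.get("resourcesIncluded", [])
                      if normalize(r.get("complianceCheck", "")) == "NON_COMPLIANT"})
    # Evidence reaches the assessment report only if someone selected it; surface failures that were not.
    unselected = [e["id"] for e in evidence
                  if normalize(e.get("complianceCheck", "")) == "NON_COMPLIANT"
                  and e.get("assessmentReportSelection") != "Yes"]
    return {"by_status": dict(by_status), "failing_resources": failing, "unselected_failures": unselected}


def fetch_folder(client: Any, assessment_id: str, control_set_id: str, folder_id: str) -> list[dict[str, Any]]:
    """Page through GetEvidenceByEvidenceFolder; client is boto3.client('auditmanager')."""
    items: list[dict[str, Any]] = []
    token = None
    while True:
        kw: dict[str, Any] = {"assessmentId": assessment_id, "controlSetId": control_set_id,
                              "evidenceFolderId": folder_id, "maxResults": 100}
        if token:
            kw["nextToken"] = token
        page = client.get_evidence_by_evidence_folder(**kw)
        items.extend(page.get("evidence", []))
        token = page.get("nextToken")
        if not token:
            return items


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_EVIDENCE), indent=2))
```

Run it over each evidence folder of a control (get-evidence-folders-by-assessment-control lists them) before marking the control Reviewed; a non-empty unselected_failures list means the report would omit the very evidence an auditor would ask about.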

What This Looks Like on the Job

Enterprise Scenario 1: SOC 2 Compliance for a SaaS Company

A SaaS company hosts customer data on AWS and must achieve SOC 2 Type II certification. They use AWS Audit Manager with the pre-built SOC 2 framework. Because assessments are Regional, they create one assessment per production Region (us-east-1 and eu-west-1), each scoped to the production account. Automated evidence flows in from Config, Security Hub, CloudTrail, and scheduled API calls; for the encryption status of their RDS backups and the access reviews from a third-party identity provider, a scheduled Lambda function imports the exported reports as manual evidence. During the audit period, Config evidence attached to an access-control control shows one S3 bucket with public read access as non-compliant. The security team remediates by applying a bucket policy, and the next Config evaluation produces compliant evidence for that control. The final report is generated and shared with the external auditor, who accepts the automated evidence, reducing the audit timeline by 40%.

Enterprise Scenario 2: PCI DSS for an E-commerce Platform

An e-commerce platform processing credit card payments must comply with PCI DSS v3.2.1. They use Audit Manager with the PCI DSS framework, creating the assessment from the Organizations delegated administrator account so that the production, staging, and logging accounts are all in scope. The AWS API call data sources are set to weekly to reduce the number of resource assessments billed. Config rules supply evidence for encryption at rest (requirement 3.4) and CloudTrail evidence shows all access to cardholder data (requirement 10). Evidence Finder lets the compliance team filter to a specific control and compliance status during an audit. One misconfiguration: the team first exported evidence to a bucket whose lifecycle rule expired objects after 30 days, but PCI DSS requires 12 months of audit log history. They corrected the lifecycle policy on the long-term S3 bucket.

Common Pitfalls in Production

Over-scoping assessments: Including too many accounts or Regions can increase costs and noise. Best practice is to scope assessments to the minimum necessary resources.

Incorrect evidence frequency: The only schedule you control is the AWS API call data source (daily, weekly, or monthly). For stable environments weekly is often sufficient and reduces the number of billed resource assessments. There is no manual or on-demand trigger for automated collection; ad-hoc checks are a job for Config or Security Hub directly.

Ignoring non-AWS evidence: Many controls require evidence from sources Audit Manager cannot read (e.g., database audit logs, HR records, vendor attestations). Failing to upload it, or to script its import as manual evidence, leaves those controls without evidence.

Not reviewing evidence regularly: Audit Manager collects evidence automatically, but if no one reviews it, non-compliant controls may go unnoticed until the audit report is generated. Regular review is critical.

How SOA-C02 Actually Tests This

What SOA-C02 Tests on Audit Manager

Objective 4.2 includes implementing and managing compliance controls. The exam tests your ability to:

Understand the purpose of Audit Manager: automate evidence collection, not enforce controls.

Identify which data sources Audit Manager uses for automated evidence: AWS Config, CloudTrail, Security Hub, and AWS API calls; everything else enters as manual evidence.

Know the difference between automated and manual evidence.

Recognize that Audit Manager does NOT remediate non-compliance; it only reports.

Understand that assessments are scoped to specific accounts and Regions.

Common Wrong Answers and Why Candidates Choose Them

1.

'Audit Manager enforces compliance policies.' This is false. Audit Manager only collects evidence; it does not block non-compliant actions. Candidates confuse it with AWS Config rules that can have remediation actions.

2.

'Audit Manager replaces AWS Config.' No, Audit Manager relies on AWS Config for many data sources. It is not a replacement but an overlay.

3.

'You can only use pre-built frameworks.' While pre-built frameworks exist, you can create custom frameworks. The exam may test this flexibility.

4.

'Evidence is stored indefinitely by default.' Evidence retention is tied to the assessment lifecycle. For long-term retention, you must export to S3.

Specific Numbers and Terms on the Exam

Evidence collection frequency: daily, weekly, or monthly for AWS API call data sources; CloudTrail is continuous.

Frameworks: SOC 2, PCI DSS, HIPAA, GDPR, AWS Foundational Security Best Practices.

Data sources: AWS Config, CloudTrail, Security Hub, AWS API calls, and manual evidence.

Assessment scope: accounts (member accounts via the Organizations delegated administrator); the assessment is tied to the Region where it is created.

Evidence Finder: search tool for evidence.

Assessment dashboard: the pre-audit gap view, showing which controls have non-compliant evidence.

Edge Cases and Exceptions

Multi-account management: Register a delegated administrator account via AWS Organizations; assessments created from that account can include member accounts in scope. The exam may ask how to set this up.

Custom evidence: If a control requires evidence from a source Audit Manager cannot read, you upload it as manual evidence or import it by API (a scheduled Lambda function can do the import). The exam may present a scenario where you need to collect evidence from an on-premises database.

Evidence review workflow: Automated evidence is not automatically treated as sufficient; reviewers can comment, request manual evidence, and hold a control at Under review until it is satisfied. This is a common exam scenario.

How to Eliminate Wrong Answers

Focus on the core function: evidence collection and reporting, not enforcement. If an answer mentions 'blocking' or 'preventing' actions, it is likely wrong. Also, remember that Audit Manager is an audit tool, not a security tool like GuardDuty or Security Hub. Questions that mix these up are traps.

Key Takeaways

Audit Manager automates evidence collection for audits; it does not enforce compliance.

Pre-built frameworks include SOC 2, PCI DSS, HIPAA, GDPR, and AWS Foundational Security Best Practices.

Evidence collection frequency for AWS API call data sources can be daily, weekly, or monthly; CloudTrail evidence is continuous.

Data sources include AWS Config, CloudTrail, Security Hub, AWS API calls, and manual evidence.

Assessments are scoped to specific AWS accounts (member accounts via the Organizations delegated administrator) and live in the Region where they are created.

Evidence is stored by Audit Manager for the assessment lifecycle; assessment reports and Evidence Finder exports go to S3 for long-term retention.

Audit Manager supports both automated and manual evidence upload.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

AWS Audit Manager

Focuses on audit evidence collection for compliance frameworks.

Provides a centralized dashboard for multiple controls across accounts.

Supports pre-built frameworks like SOC 2 and PCI DSS.

Generates audit-ready reports with evidence.

Integrates with Config, CloudTrail, Security Hub, and AWS API calls for automated evidence, plus manual uploads for everything else.

AWS Config

Focuses on resource configuration tracking and compliance rules.

Evaluates resources against individual rules (e.g., 's3-bucket-public-read-prohibited').

Does not organize evidence into audit controls or produce audit reports; conformance packs bundle managed and custom rules for a standard, but the output is still per-rule compliance, not evidence collected under a control.

Generates compliance snapshots but not structured audit reports.

Can trigger remediation actions via AWS Config rules.

Watch Out for These

Mistake

Audit Manager automatically fixes non-compliant resources.

Correct

Audit Manager only collects evidence and reports compliance status. It does not perform any remediation actions. You must use AWS Config remediation or Systems Manager Automation to fix issues.

Mistake

Audit Manager replaces the need for manual evidence collection entirely.

Correct

While Audit Manager automates much of the evidence collection, some controls may require manual evidence (e.g., signed policy documents). The service supports uploading manual evidence as well.

Mistake

Audit Manager can only assess resources in a single AWS account.

Correct

Audit Manager supports multi-account assessments via AWS Organizations. You can include multiple accounts in a single assessment scope.

Mistake

Evidence collected by Audit Manager is stored indefinitely.

Correct

Evidence retention is tied to the assessment lifecycle. When an assessment is deleted, the evidence is also deleted unless you have exported it to an S3 bucket. For long-term retention, configure export to S3.

Mistake

Audit Manager frameworks are fixed and cannot be customized.

Correct

You can create custom frameworks by defining your own controls and data source mappings. This allows you to tailor assessments to your specific compliance needs.


Frequently Asked Questions

What is the difference between AWS Audit Manager and AWS Config?

AWS Config tracks resource configurations and evaluates them against rules, providing compliance snapshots. AWS Audit Manager builds on that by organizing evidence into controls based on compliance frameworks (e.g., SOC 2). Audit Manager uses Config as one of its data sources but also pulls from CloudTrail and Security Hub. Config can trigger remediation, while Audit Manager only reports. For the exam, remember that Audit Manager is for audit evidence collection, not for real-time compliance enforcement.

Can Audit Manager collect evidence from multiple AWS accounts?

Yes, Audit Manager supports multi-account assessments via AWS Organizations. You can specify which accounts to include in the assessment scope. The central audit account manages the assessment, and evidence is collected from member accounts. This is essential for enterprises with multiple accounts needing centralized compliance reporting.

How do I create a custom framework in Audit Manager?

You can create a custom framework by navigating to the Audit Manager console, selecting 'Frameworks', and clicking 'Create framework' (or with the CreateControl and CreateAssessmentFramework APIs). You define controls, each with a name, description, and data source mappings. Data sources can be AWS Config rules, Security Hub checks, AWS API calls, CloudTrail events, or manual evidence. Custom frameworks allow you to tailor audits to your specific policies.

What happens to evidence when I delete an assessment?

When you delete an assessment, all evidence associated with that assessment is also deleted unless you have exported it to an S3 bucket. Audit Manager does not retain evidence after assessment deletion. To preserve evidence for long-term retention or regulatory requirements, configure the assessment to export evidence to a customer-managed S3 bucket.

Does Audit Manager support real-time evidence collection?

No. CloudTrail evidence arrives continuously, Config and Security Hub evidence follows those services' evaluations, and AWS API call evidence is collected daily, weekly, or monthly. Audit Manager is not a monitoring tool; for near-real-time alerting on configuration changes or findings, you would use AWS Config or Security Hub directly. Audit Manager is designed to accumulate evidence over an audit period, not to react to live changes.

Can I use Audit Manager without AWS Organizations?

Yes, you can use Audit Manager with a single AWS account. You do not need AWS Organizations. However, to manage assessments across multiple accounts, you must use Organizations to link accounts. For the exam, know that Organizations is required for multi-account assessments.

What is the Evidence Finder feature?

Evidence Finder is a search feature within Audit Manager, backed by a CloudTrail Lake event data store that you enable, that lets you filter evidence across an assessment by control, data source, compliance status, resource type, and date range, and export the results as CSV to S3. It helps auditors quickly locate specific evidence without manually browsing through evidence folders. This is useful during audit preparation or when responding to auditor requests.
