1. What is Audit Manager?
AWS Audit Manager helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards. It automates evidence collection and maps it to audit frameworks.
Core Concept
Audit Manager = automated evidence collection for audits. Instead of manually gathering screenshots, logs, and reports for auditors, Audit Manager automatically collects evidence from AWS Config, CloudTrail, Security Hub, and custom sources, then maps it to compliance frameworks (SOC 2, GDPR, HIPAA, PCI DSS, etc.).
2. Key Concepts
- Framework: A structured set of controls that map to a compliance standard. AWS provides pre-built frameworks (SOC 2, GDPR, HIPAA, PCI DSS, CIS, etc.), or you can create custom frameworks.
- Assessment: An active audit engagement that collects evidence for a specific framework over a defined time period.
- Control: A specific requirement within a framework. Example (SOC 2): "Encryption at rest must be enabled on all data stores."
- Evidence: Proof that a control is met. Automatically collected from AWS services or manually uploaded.
- Delegation: Assign control owners (e.g., the DBA owns database encryption controls, the network team owns firewall controls).
3. Evidence Sources
4. Pre-Built Frameworks
5. Audit Manager Workflow
1. SELECT a compliance framework (e.g., SOC 2)
2. CREATE an assessment (scope: specific accounts/resources)
3. Audit Manager AUTOMATICALLY collects evidence:
   - Config Rule evaluations
   - CloudTrail API logs
   - Security Hub findings
   - Resource configuration snapshots
4. Evidence is MAPPED to specific controls
5. Control owners REVIEW evidence
6. GENERATE assessment report for auditors
7. SHARE report with external auditors
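Steps 3 to 5 above are where a control owner actually spends time: the evidence Audit Manager collected for one control has to be read and the failing resources acted on. The script below is an added example (not from these notes or from AWS); it triages evidence for the "encryption at rest" control from the Key Concepts section. The sample records are constructed to mirror the shape of Audit Manager Evidence objects (field names such as dataSource, complianceCheck and resourcesIncluded are assumed from the API response), and the boto3 helper at the end is the assumed call pattern for pulling the same records from a live assessment.

```python
"""Triage Audit Manager evidence for one control (added example)."""
from collections import Counter

# Constructed sample evidence for a SOC 2 "encryption at rest" control.
# Shape mirrors Audit Manager Evidence objects (field names assumed).
SAMPLE_EVIDENCE = [
    {"dataSource": "AWS Config", "eventName": "encrypted-volumes",
     "complianceCheck": "NON_COMPLIANT",
     "resourcesIncluded": [
         {"arn": "arn:aws:ec2:us-east-1:111122223333:volume/vol-0a",
          "complianceCheck": "NON_COMPLIANT"},
         {"arn": "arn:aws:ec2:us-east-1:111122223333:volume/vol-0b",
          "complianceCheck": "COMPLIANT"}]},
    {"dataSource": "AWS Security Hub", "eventName": "RDS.3",
     "complianceCheck": "FAILED",
     "resourcesIncluded": [
         {"arn": "arn:aws:rds:us-east-1:111122223333:db:prod",
          "complianceCheck": "FAILED"}]},
    # CloudTrail evidence is activity ("who did what"), not a pass/fail check.
    {"dataSource": "AWS CloudTrail", "eventName": "PutBucketEncryption",
     "complianceCheck": "",
     "resourcesIncluded": [{"arn": "arn:aws:s3:::audit-evidence-bucket"}]},
]

FAILING = {"NON_COMPLIANT", "FAILED"}  # Config and Security Hub verdicts


def summarize_evidence(records):
    """Count evidence per source and list resources the control owner must fix."""
    by_source = Counter(r["dataSource"] for r in records)
    failing = sorted(
        res["arn"]
        for r in records
        for res in r.get("resourcesIncluded", [])
        if res.get("complianceCheck") in FAILING)
    # Records with no verdict are activity logs, useful context but not proof.
    activity_only = sum(1 for r in records if not r.get("complianceCheck"))
    return {"by_source": dict(by_source), "failing_resources": failing,
            "activity_only": activity_only}


def fetch_control_evidence(assessment_id, control_set_id, control_id,
                           region="us-east-1"):
    """Assumed live call pattern: every evidence record for one control."""
    import boto3  # imported here so summarize_evidence() runs without boto3
    am = boto3.client("auditmanager", region_name=region)
    records, token = [], None
    folders = am.get_evidence_folders_by_assessment_control(
        assessmentId=assessment_id, controlSetId=control_set_id,
        controlId=control_id)
    for folder in folders.get("evidenceFolders", []):
        while True:  # evidence in a folder is paginated with nextToken
            kwargs = {"assessmentId": assessment_id,
                      "controlSetId": control_set_id,
                      "evidenceFolderId": folder["id"]}
            if token:
                kwargs["nextToken"] = token
            page = am.get_evidence_by_evidence_folder(**kwargs)
            records.extend(page.get("evidence", []))
            token = page.get("nextToken")
            if not token:
                break
    return records
```

Feed the output of fetch_control_evidence() into summarize_evidence() to get the same shape of summary the sample produces: evidence counts per source, the ARNs that fail the check, and how many records are activity only.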
6. Key Features
- Continuous evidence collection (not just point-in-time snapshots)
- Assessment reports: downloadable, auditor-ready PDF/CSV
- Evidence finder: search across all evidence by keyword, date, control
- Change logs: track all changes to assessments and evidence
- Delegation: assign controls to specific teams/individuals
- Multi-account via Organizations (centralized audit across accounts)
- Integrates with: Config, CloudTrail, Security Hub, custom evidence
7. Audit Manager vs Security Hub vs Config
Exam Tip
- "Prepare for SOC 2 / HIPAA / GDPR audit" = Audit Manager.
- "Automate evidence collection" = Audit Manager.
- "Assessment report for external auditors" = Audit Manager.
- Audit Manager does NOT remediate (Config and Security Hub do). It COLLECTS EVIDENCE from Config + CloudTrail + Security Hub.
- "Track who did what" = CloudTrail.
- "Is resource compliant?" = Config.
- "Audit-ready report" = Audit Manager.