Customizing AWS Audit Manager - Build a custom Audit Manager Assessment

In this lab, we will customize Audit Manager by building custom controls, frameworks and assessments with AWS Audit Manager.

Prerequisites

  1. Set up AWS Audit Manager. In the AWS Audit Manager console, configure an assessment reports destination in your Audit Manager settings. The destination is an Amazon S3 bucket, and the bucket must be in the same AWS Region as your assessment. Create a folder in the bucket for evidence. Your assessment reports destination is then the Amazon S3 URI of that folder (for example, s3://s3-customauditmanagerframework--/evidences/), and AWS Audit Manager will save your assessment reports there.
  2. Create an IAM user with audit owner permissions. You can attach the AWSAuditManagerAdministratorAccess managed policy as a starting point for this lab, but scope these permissions down to what your requirements actually need before reusing the user outside the lab.

Create a custom control

We will configure a custom control composed of three data sources. Each data source collects evidence from the evaluation results of one specific AWS Config rule.

  1. Navigate to the AWS Audit Manager console and from the left navigation pane, select Control library, and then select Create custom control.

  2. Under Control name, enter a name (for example, Custom Control) and an optional description and then select Next.

  3. Add a data source. In Configure data sources for this control, choose Automated evidence. Under Select an evidence type by mapping to a data source, select Compliance checks for resource configurations from AWS Config. In Specify an AWS Config rule, select CLOUD_TRAIL_ENCRYPTION_ENABLED. Select Add data source to add the data source.

  4. Add additional data sources. Follow Step 3 above to add two more data sources, using the CLOUD_TRAIL_ENABLED and S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS AWS Config rules. Select Next.

  5. On the Review and create screen, skip defining the action plan and choose Create custom control.

  6. The figure below shows the custom control displayed in the Control library:

Create a custom framework

Custom frameworks allow you to organize controls into control sets in a way that suits your unique requirements. Follow these steps to create a custom framework using the custom control you created in the previous section.

  1. From the left panel, select Framework library, and then select Create custom framework.

  2. In the Specify framework details, enter a name for the framework (for example, Record Custom Control). Enter an optional compliance type and description, and then select Next.

  3. In Specify the controls in the control set, and under Control set name, provide a name for the control set (for example, Custom Control Set). Under Select control type, select Custom controls, and then select Add to control set. The custom control you created earlier should be displayed under Selected controls.

  4. On the Review and create screen, select Create custom framework.

The figure below shows the custom framework, which consists of the custom control that we had configured earlier.

Create a custom assessment

An Audit Manager assessment is an instance of an Audit Manager framework. It collects evidence for the AWS Config rules that your custom control maps as data sources, converts it into an auditor-friendly format, and attaches the evidence to that custom control in the framework.

  1. From the left navigation pane, select Assessments, and then select Create assessment.

  2. In Specify assessment details, under Assessment details enter a name for the assessment (for example, Record Custom Control) and an optional description. Under Assessment reports destination, provide the Amazon S3 URI from Step 1 in the prerequisites section. Under Frameworks, select the Record Custom Control framework and then select Next.

  3. In Edit AWS accounts in scope, select your current account as in scope for the assessment and then select Next.

  4. Under AWS services, select all services in scope that are automatically detected by Audit Manager and then select Next.

  5. Under Specify audit owners, select the audit owner user that you created in Step 2 in the prerequisites section, and then select Next.

  6. On the Review and create screen, select Create assessment.
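The three console procedures above (custom control, custom framework, assessment) map onto three Audit Manager API calls. The following is an added example, not code from the lab, showing the same procedure done with boto3. It assumes boto3's `auditmanager` client, a caller holding the audit owner permissions from the prerequisites, and placeholder values for the account ID, the audit owner ARN and the reports bucket; the `DryRunClient` is a constructed stand-in so the flow can be run and inspected offline.

```python
"""Create the lab's custom control, framework and assessment through the
Audit Manager API instead of the console."""
import sys

# The three AWS Config managed rules the lab maps as data sources.
CONFIG_RULES = [
    "CLOUD_TRAIL_ENCRYPTION_ENABLED",
    "CLOUD_TRAIL_ENABLED",
    "S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS",
]


def config_rule_source(rule_name, frequency="DAILY"):
    """One automated data source: compliance checks from an AWS Config rule."""
    return {
        "sourceName": rule_name,
        "sourceSetUpOption": "System_Controls_Mapping",
        "sourceType": "AWS_Config",
        "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST", "keywordValue": rule_name},
        "sourceFrequency": frequency,
    }


def build_control_request(name, rules, description=""):
    """Request for create_control: the 'Create a custom control' steps."""
    if not rules:
        raise ValueError("a custom control needs at least one data source")
    return {"name": name, "description": description,
            "controlMappingSources": [config_rule_source(r) for r in rules]}


def build_framework_request(name, control_set_name, control_ids):
    """Request for create_assessment_framework: one control set holding the controls."""
    return {"name": name, "controlSets": [
        {"name": control_set_name, "controls": [{"id": c} for c in control_ids]}]}


def build_assessment_request(name, framework_id, account_id, audit_owner_arn,
                             reports_uri, service_names):
    """Request for create_assessment: scope, audit owner and reports destination."""
    if not reports_uri.startswith("s3://"):
        raise ValueError("assessment reports destination must be an s3:// URI")
    return {
        "name": name,
        "assessmentReportsDestination": {"destinationType": "S3", "destination": reports_uri},
        "scope": {"awsAccounts": [{"id": account_id}],
                  "awsServices": [{"serviceName": s} for s in service_names]},
        # Audit owners are PROCESS_OWNER roles; the ARN is the IAM user from the prerequisites.
        "roles": [{"roleType": "PROCESS_OWNER", "roleArn": audit_owner_arn}],
        "frameworkId": framework_id,
    }


def provision(client, account_id, audit_owner_arn, reports_uri):
    """Run the three procedures in order; client is a boto3 'auditmanager' client."""
    control = client.create_control(**build_control_request("Custom Control", CONFIG_RULES))
    control_id = control["control"]["id"]
    framework = client.create_assessment_framework(
        **build_framework_request("Record Custom Control", "Custom Control Set", [control_id]))
    framework_id = framework["framework"]["id"]
    # Same as selecting every service Audit Manager detects as in scope in the console.
    services = [s["name"] for s in client.get_services_in_scope()["serviceMetadata"]]
    assessment = client.create_assessment(**build_assessment_request(
        "Record Custom Control", framework_id, account_id, audit_owner_arn,
        reports_uri, services))
    return {"control_id": control_id, "framework_id": framework_id,
            "assessment_id": assessment["assessment"]["metadata"]["id"]}


class DryRunClient:
    """Constructed stand-in for the boto3 client: records requests, returns fake IDs."""

    def __init__(self):
        self.calls = []

    def create_control(self, **req):
        self.calls.append(("create_control", req))
        return {"control": {"id": "ctl-0001"}}

    def create_assessment_framework(self, **req):
        self.calls.append(("create_assessment_framework", req))
        return {"framework": {"id": "fw-0001"}}

    def get_services_in_scope(self):
        return {"serviceMetadata": [{"name": "cloudtrail"}, {"name": "s3"}]}

    def create_assessment(self, **req):
        self.calls.append(("create_assessment", req))
        return {"assessment": {"metadata": {"id": "asm-0001"}}}


def dry_run():
    """Exercise provision() offline; returns the IDs and the recorded API calls."""
    client = DryRunClient()
    ids = provision(client, "123456789012", "arn:aws:iam::123456789012:user/audit-owner",
                    "s3://example-audit-reports-bucket/evidences/")  # placeholder values
    return ids, client.calls


if __name__ == "__main__":
    if "--live" in sys.argv:  # real calls: needs credentials with the audit owner permissions
        import boto3
        print(provision(boto3.client("auditmanager"), sys.argv[2], sys.argv[3], sys.argv[4]))
    else:
        print(dry_run()[0])
```

Run it with no arguments to see the request flow against the dry-run client; pass `--live <account-id> <audit-owner-arn> <s3-uri>` to create the objects for real. The request builders are kept separate from the calls so the payloads can be reviewed (or unit-tested) before anything is created in the account.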

Review evidence

Once you create an assessment, it automatically starts collecting evidence for the custom controls configured within it. The evidence comes from evaluations of the mapped AWS Config rules, so those rules must be enabled in the account in scope; a rule that is not deployed produces no evidence. It may take up to 24 hours for evidence to appear in the Audit Manager console.

  1. On the AWS Audit Manager console, from the left panel, select Assessments. Select the Record Custom Control assessment.

  2. In Control sets, select the custom control you created earlier.

  3. On the Evidence folders tab, you can review the evidence collection. Select an Evidence folder.

  4. In the Evidence list, check that AWS Audit Manager has recorded compliance status at different points in time. Under the Time column in Evidence if you select one of the time slots (such as 6:17:38 PM UTC), the evidence description is displayed. Select View JSON next to responseElements to view the evidence.

  5. You can also select evidence from your custom control to add to an assessment report, and then generate the report. From the AWS Audit Manager console, go back to the Evidence folder list. To add evidence to an assessment report, select the evidence and then select Add to assessment report, as shown.

  6. From the AWS Audit Manager console select your custom assessment Record Custom Control. Select Assessment report selection in the bottom panel and select Generate assessment report. Provide the report with a name and description.

  7. On the AWS Audit Manager console, navigate to Assessment reports. You can now select and download the assessment report, which includes all your selected evidence.

  8. You can also navigate to the S3 bucket that you configured as the assessment reports destination earlier and view the assessment report from there.
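The evidence review and report selection above can also be done through the API, which is what you want once an assessment has many evidence folders. The following is an added example, not part of the lab: it reconstructs the per-rule compliance timeline the console shows, selects evidence whose compliance check did not pass and that is not already in the report, associates it with the report, and generates the report. The records in `SAMPLE_EVIDENCE` are constructed in the shape of the `GetEvidenceByEvidenceFolder` response, and the compliance strings in `FAILING` are an assumption (Config-backed evidence reports COMPLIANT or NON_COMPLIANT); adjust them to what your evidence actually carries.

```python
"""Review an assessment's evidence and build a report from the failing checks."""
from datetime import datetime, timezone

# Compliance strings treated as "did not pass". Assumption: Config evidence
# uses COMPLIANT / NON_COMPLIANT; Security Hub style evidence uses PASSED / FAILED.
FAILING = {"NON_COMPLIANT", "FAILED"}


def _t(day, hh, mm, ss):
    return datetime(2021, 3, day, hh, mm, ss, tzinfo=timezone.utc)


# Constructed records, not captured from a real account.
SAMPLE_EVIDENCE = [
    {"id": "ev-001", "time": _t(1, 18, 17, 38), "dataSource": "AWS Config",
     "eventName": "CLOUD_TRAIL_ENCRYPTION_ENABLED", "complianceCheck": "NON_COMPLIANT",
     "assessmentReportSelection": "No"},
    {"id": "ev-002", "time": _t(1, 18, 17, 38), "dataSource": "AWS Config",
     "eventName": "CLOUD_TRAIL_ENABLED", "complianceCheck": "COMPLIANT",
     "assessmentReportSelection": "No"},
    {"id": "ev-003", "time": _t(2, 18, 17, 40), "dataSource": "AWS Config",
     "eventName": "CLOUD_TRAIL_ENCRYPTION_ENABLED", "complianceCheck": "COMPLIANT",
     "assessmentReportSelection": "No"},
    {"id": "ev-004", "time": _t(2, 18, 17, 40), "dataSource": "AWS Config",
     "eventName": "S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS", "complianceCheck": "NON_COMPLIANT",
     "assessmentReportSelection": "Yes"},  # already selected in the console
    {"id": "ev-005", "time": _t(2, 18, 17, 40), "dataSource": "AWS Config",
     "eventName": "CLOUD_TRAIL_ENABLED", "assessmentReportSelection": "No"},  # no check recorded
]


def status_timeline(evidence):
    """Per Config rule, the compliance status at each point in time, oldest first."""
    timeline = {}
    for e in sorted(evidence, key=lambda e: e["time"]):
        if e.get("dataSource") != "AWS Config":
            continue
        timeline.setdefault(e["eventName"], []).append(
            (e["time"].isoformat(), e.get("complianceCheck") or "NOT_RECORDED"))
    return timeline


def select_for_report(evidence, failing=FAILING):
    """IDs of evidence worth adding to the report: failing checks not already selected."""
    return [e["id"] for e in evidence
            if e.get("complianceCheck") in failing
            and e.get("assessmentReportSelection") != "Yes"]


def iter_evidence_folders(client, assessment_id):
    """Yield (folder, evidence list) for every evidence folder, following pagination."""
    kwargs = {"assessmentId": assessment_id, "maxResults": 100}
    while True:
        page = client.get_evidence_folders_by_assessment(**kwargs)
        for folder in page["evidenceFolders"]:
            # Large folders page as well: repeat the nextToken loop here when
            # folder["totalEvidence"] exceeds one page.
            evidence = client.get_evidence_by_evidence_folder(
                assessmentId=assessment_id, controlSetId=folder["controlSetId"],
                evidenceFolderId=folder["id"])["evidence"]
            yield folder, evidence
        if not page.get("nextToken"):
            return
        kwargs["nextToken"] = page["nextToken"]


def generate_failing_report(client, assessment_id, name, description=""):
    """Attach all failing, unselected evidence to the report, then generate it."""
    selected = 0
    for folder, evidence in iter_evidence_folders(client, assessment_id):
        ids = select_for_report(evidence)
        if ids:
            resp = client.batch_associate_assessment_report_evidence(
                assessmentId=assessment_id, evidenceFolderId=folder["id"], evidenceIds=ids)
            selected += len(resp.get("evidenceIds", []))
    if selected == 0:
        raise RuntimeError("no failing evidence to report; check that the rules are evaluating")
    report = client.create_assessment_report(
        name=name, description=description, assessmentId=assessment_id)
    return report["assessmentReport"]["id"]


if __name__ == "__main__":
    for rule, points in status_timeline(SAMPLE_EVIDENCE).items():
        print(rule, points)
    print("would add to report:", select_for_report(SAMPLE_EVIDENCE))
```

To run it against a real assessment, pass `boto3.client("auditmanager")` and the assessment ID to `generate_failing_report`; the selection logic is kept in `select_for_report` so the policy for what goes into the report can be reviewed on its own.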

Cleanup

To avoid incurring additional charges in your account or to be able to redeploy the solution:

  1. Follow the steps to delete the custom framework and then delete the custom controls that were created in Audit Manager.

Customizing AWS Audit Manager - Automate building of custom AWS Audit Manager assessments - Transform an AWS Config Conformance Pack to an AWS Audit Manager Assessment

AWS Config conformance packs provide a sample mapping between a supported compliance standard and AWS Config managed rules. Conformance packs group multiple AWS Config rules under a specific control ID within the compliance standard. By transforming AWS Config conformance packs into custom Audit Manager assessments, we can extend Audit Manager to provide custom assessments for dozens of compliance standards that it does not support out of the box.

In this lab, we will deploy a solution that builds custom controls in AWS Audit Manager. The custom controls are organized into control sets. Each control set corresponds to a control ID in the conformance pack, and comprises the AWS Config rules that the conformance pack maps to that control ID. The solution then creates a custom framework and a custom assessment from these custom controls.

Refer to Integrate across the Three Lines Model (Part 2): Transform AWS Config conformance packs into AWS Audit Manager assessments for a full description of this solution. This solution is also available from the AWS Cloud Compliance and Assurance Reference Solution

Prerequisites

  1. Ensure that you have completed all the prerequisites from the Customizing AWS Audit Manager - Build a custom Audit Manager Assessment lab
  2. Create a control mapping file. This is a CSV file where each row contains a control ID for the compliance standard as the first column. The remaining columns of that row each contain one AWS Config rule that maps to the control ID. A row can have any number of columns. You can use the sample mapping file for NERC-CIP here directly or create your own for any of the supported compliance standards. The mapping of these rules to the control ID of the compliance standard is created manually by the user from the compliance standard’s conformance pack documentation.
  3. Create an Amazon S3 bucket named s3-customauditmanagerframework--, where the two suffixes are your AWS account ID and the AWS Region where you plan to deploy the CloudFormation templates. In this bucket, create a folder named CustomAuditManagerFramework_Lambda and upload the CustomAuditManagerFramework_Lambda.zip file there.
  4. Upload the control mapping file to the top directory of the S3 bucket.
  5. The Audit Manager API requires Boto3 1.17, which the AWS Lambda runtime does not ship by default. This implementation provides that version of Boto3 as a Lambda layer. Upload auditmanagerlayer.zip to the top directory of the Amazon S3 bucket you created in step 3.

Install the solution

  1. In the AWS CloudFormation console, create a stack from the aws-auditmanager-confpack.yml template. In Parameters, enter the values for the parameters based on their descriptions in the template. The template takes the following parameters. SourceBucket: the name of the Amazon S3 bucket that contains the AWS Lambda source code, that is, the bucket you created in step 3 of the prerequisites, with the AWS account ID and Region where you are deploying the template filled in. ConfPackControlsMappingFile: the full name of the control mapping file, including the .csv extension (for example, nerc-cipmappingfile.csv), created in step 2 of the prerequisites and uploaded to S3 in step 4 of the prerequisites.

  2. In the AWS CloudFormation console, create a stack from the aws-auditmanager-customassessment.yml template. In Parameters, enter the values for the parameters based on their descriptions in the template. The template takes the following parameters. AssessmentDestination: the S3 URI in which AWS Audit Manager will save your assessment reports, that is, the S3 URI from step 1 of the prerequisites of the Customizing AWS Audit Manager - Build a custom Audit Manager Assessment lab, with the AWS account ID and Region where you are deploying the template filled in. AuditOwnerArn: the ARN of the IAM user that you created in step 2 of the prerequisites of that lab.
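The core of the solution installed above is the transformation described in the prerequisites: a CSV whose first column is a control ID and whose remaining columns (any number of them) are AWS Config rules, turned into Audit Manager custom controls grouped into one control set per control ID. The following is an added example of that transformation, not the solution's own Lambda code. It follows the page's description by creating one custom control per (control ID, Config rule) pair; `SAMPLE_CSV` is a constructed file with the defects hand-made mapping files tend to have (a BOM, a blank line, a trailing empty cell, a rule repeated in one row, ragged rows), and its control IDs and rule pairings are illustrative, not a real NERC-CIP mapping. The AWS call is injected so the plan can be run offline; the `deploy` path assumes boto3's `s3` and `auditmanager` clients and an audit owner's credentials.

```python
"""Translate a conformance-pack control mapping CSV into Audit Manager custom
controls and control sets, the way the lab's Lambda does from the S3 bucket."""
import csv
import io
import sys

# Constructed sample mapping file (not a real NERC-CIP mapping).
SAMPLE_CSV = (
    "\ufeffCIP-004-6-R4,IAM_PASSWORD_POLICY,MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS,\n"
    "CIP-007-6-R4,CLOUD_TRAIL_ENABLED,CLOUD_TRAIL_ENCRYPTION_ENABLED,CLOUDWATCH_LOG_GROUP_ENCRYPTED\n"
    "\n"
    "CIP-011-1-R1,S3_BUCKET_PUBLIC_READ_PROHIBITED,CLOUD_TRAIL_ENCRYPTION_ENABLED,"
    "CLOUD_TRAIL_ENCRYPTION_ENABLED\n"
)


def parse_mapping_csv(text):
    """{control_id: [config_rule, ...]} in file order. First column is the
    control ID, the rest are Config rules; blank lines and empty cells are
    skipped and a rule repeated within one row is kept once."""
    mapping = {}
    for row in csv.reader(io.StringIO(text.lstrip("\ufeff"))):
        cells = [c.strip() for c in row if c.strip()]
        if not cells:
            continue
        control_id, rules = cells[0], cells[1:]
        if not rules:
            raise ValueError(f"control {control_id} maps to no AWS Config rule")
        if control_id in mapping:
            raise ValueError(f"control {control_id} appears twice in the mapping file")
        mapping[control_id] = list(dict.fromkeys(rules))
    return mapping


def config_rule_control(control_id, rule_name):
    """create_control request: one custom control backed by one Config rule."""
    return {
        "name": f"{control_id} {rule_name}",
        "description": f"{control_id}: evidence from AWS Config rule {rule_name}",
        "controlMappingSources": [{
            "sourceName": rule_name,
            "sourceSetUpOption": "System_Controls_Mapping",
            "sourceType": "AWS_Config",
            "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                              "keywordValue": rule_name},
            "sourceFrequency": "DAILY",
        }],
    }


def plan_control_sets(mapping, create_control):
    """Create the controls and return the controlSets list for
    create_assessment_framework. create_control takes a request dict and
    returns the new control's ID, so the AWS call is injectable."""
    return [{
        "name": control_id,
        "controls": [{"id": create_control(config_rule_control(control_id, r))}
                     for r in rules],
    } for control_id, rules in mapping.items()]


def dry_run(text=SAMPLE_CSV):
    """Plan offline with sequential fake control IDs: (control_sets, controls_created)."""
    created = []

    def fake_create(req):
        created.append(req["name"])
        return f"ctl-{len(created):04d}"

    return plan_control_sets(parse_mapping_csv(text), fake_create), len(created)


def deploy(bucket, key, framework_name="Config Conformance Pack Custom Framework"):
    """Live path: read the mapping file from S3, create the controls and the framework."""
    import boto3  # needs credentials with the audit owner permissions
    s3, am = boto3.client("s3"), boto3.client("auditmanager")
    text = s3.get_object(Bucket=bucket, Key=key)["Body"].read().decode("utf-8")
    control_sets = plan_control_sets(
        parse_mapping_csv(text), lambda req: am.create_control(**req)["control"]["id"])
    return am.create_assessment_framework(
        name=framework_name, controlSets=control_sets)["framework"]["id"]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print("framework id:", deploy(sys.argv[1], sys.argv[2]))
    else:
        sets, n = dry_run()
        print(f"{n} controls in {len(sets)} control sets")
        for cs in sets:
            print(cs["name"], [c["id"] for c in cs["controls"]])
```

Run it with no arguments to see the planned control sets for the sample file, or with `<bucket> <mapping-file-key>` to create the controls and framework. Note that the parser validates only the file's shape; it does not check that each rule name is a valid AWS Config managed rule identifier, so a misspelt rule becomes a control that never collects evidence.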

Review the Custom Audit Manager Controls, Framework and Assessment

  1. Navigate to the AWS Audit Manager console. From the left panel, select Control library and then select Custom Control on the right panel. You will see the list of custom controls that have been created for the NERC-CIP compliance standard.

  2. From the left panel, select Framework library and then select Custom framework on the right pane to view the custom Audit Manager framework Config Conformance Pack Custom Framework that was provisioned by the solution.

  3. Select the custom framework from the previous step. Under the Controls section, you will see that this framework incorporates the custom NERC-CIP controls that you reviewed in the Custom control tab in Step 1.

  4. On the left-hand panel, select Assessments and you will see that a custom assessment was provisioned by the solution. Select the custom assessment named CustomConfigCongPackAssessment and view the custom controls that correspond to the NERC-CIP compliance standard.

Once the assessment is created, it automatically starts collecting evidence for the custom controls configured within it. It may take up to 24 hours for evidence to appear in the Audit Manager console.

Cleanup

To avoid incurring additional charges in your account or to be able to redeploy the solution:

  1. Follow the steps outlined here to delete the CloudFormation stacks for the templates you deployed. Delete the stack for aws-auditmanager-customassessment.yml first, and then delete the stack for aws-auditmanager-confpack.yml.

  2. Follow the steps to delete the custom framework and then delete the custom controls that were created in Audit Manager.

  3. From the AWS Systems Manager console, choose Parameter Store. On the My Parameters tab, delete the AWS Audit Manager framework ID.