2023/06/15 - AWS Audit Manager - 1 new 9 updated api methods
Changes This release introduces 2 Audit Manager features: CSV exports and new manual evidence options. You can now export your evidence finder results in CSV format. In addition, you can now add manual evidence to a control by entering free-form text or uploading a file from your browser.
Creates a presigned Amazon S3 URL that can be used to upload a file as manual evidence. For instructions on how to use this operation, see Upload a file from your browser in the Audit Manager User Guide .
The following restrictions apply to this operation:
Maximum size of an individual evidence file: 100 MB
Number of daily manual evidence uploads per control: 100
Supported file formats: See Supported file types for manual evidence in the Audit Manager User Guide
For more information about Audit Manager service restrictions, see Quotas and restrictions for Audit Manager .
See also: AWS API Documentation
Request Syntax
client.get_evidence_file_upload_url( fileName='string' )
string
[REQUIRED]
The file that you want to upload. For a list of supported file formats, see Supported file types for manual evidence in the Audit Manager User Guide .
dict
Response Syntax
{ 'evidenceFileName': 'string', 'uploadUrl': 'string' }
Response Structure
(dict) --
evidenceFileName (string) --
The name of the uploaded manual evidence file that the presigned URL was generated for.
uploadUrl (string) --
The presigned URL that was generated.
{'manualEvidence': {'evidenceFileName': 'string', 'textResponse': 'string'}}Response
{'errors': {'manualEvidence': {'evidenceFileName': 'string', 'textResponse': 'string'}}}
Adds one or more pieces of evidence to a control in an Audit Manager assessment.
You can import manual evidence from any S3 bucket by specifying the S3 URI of the object. You can also upload a file from your browser, or enter plain text in response to a risk assessment question.
The following restrictions apply to this action:
manualEvidence can be only one of the following: evidenceFileName , s3ResourcePath , or textResponse
Maximum size of an individual evidence file: 100 MB
Number of daily manual evidence uploads per control: 100
Supported file formats: See Supported file types for manual evidence in the Audit Manager User Guide
For more information about Audit Manager service restrictions, see Quotas and restrictions for Audit Manager .
See also: AWS API Documentation
Request Syntax
client.batch_import_evidence_to_assessment_control( assessmentId='string', controlSetId='string', controlId='string', manualEvidence=[ { 's3ResourcePath': 'string', 'textResponse': 'string', 'evidenceFileName': 'string' }, ] )
string
[REQUIRED]
The identifier for the assessment.
string
[REQUIRED]
The identifier for the control set.
string
[REQUIRED]
The identifier for the control.
list
[REQUIRED]
The list of manual evidence objects.
(dict) --
Evidence that's manually added to a control in Audit Manager. manualEvidence can be one of the following: evidenceFileName , s3ResourcePath , or textResponse .
s3ResourcePath (string) --
The S3 URL of the object that's imported as manual evidence.
textResponse (string) --
The plain text response that's entered and saved as manual evidence.
evidenceFileName (string) --
The name of the file that's uploaded as manual evidence. This name is populated using the evidenceFileName value from the ` GetEvidenceFileUploadUrl https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_GetEvidenceFileUploadUrl.html`__ API response.
dict
Response Syntax
{ 'errors': [ { 'manualEvidence': { 's3ResourcePath': 'string', 'textResponse': 'string', 'evidenceFileName': 'string' }, 'errorCode': 'string', 'errorMessage': 'string' }, ] }
Response Structure
(dict) --
errors (list) --
A list of errors that the BatchImportEvidenceToAssessmentControl API returned.
(dict) --
An error entity for the BatchImportEvidenceToAssessmentControl API. This is used to provide more meaningful errors than a simple string message.
manualEvidence (dict) --
Manual evidence that can't be collected automatically by Audit Manager.
s3ResourcePath (string) --
The S3 URL of the object that's imported as manual evidence.
textResponse (string) --
The plain text response that's entered and saved as manual evidence.
evidenceFileName (string) --
The name of the file that's uploaded as manual evidence. This name is populated using the evidenceFileName value from the ` GetEvidenceFileUploadUrl https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_GetEvidenceFileUploadUrl.html`__ API response.
errorCode (string) --
The error code that the BatchImportEvidenceToAssessmentControl API returned.
errorMessage (string) --
The error message that the BatchImportEvidenceToAssessmentControl API returned.
{'framework': {'controlSets': {'controls': {'controlMappingSources': {'sourceKeyword': {'keywordInputType': {'INPUT_TEXT', 'UPLOAD_FILE'}}}}}}}
Creates a custom framework in Audit Manager.
See also: AWS API Documentation
Request Syntax
client.create_assessment_framework( name='string', description='string', complianceType='string', controlSets=[ { 'name': 'string', 'controls': [ { 'id': 'string' }, ] }, ], tags={ 'string': 'string' } )
string
[REQUIRED]
The name of the new custom framework.
string
An optional description for the new custom framework.
string
The compliance type that the new custom framework supports, such as CIS or HIPAA.
list
[REQUIRED]
The control sets that are associated with the framework.
(dict) --
A controlSet entity that represents a collection of controls in Audit Manager. This doesn't contain the control set ID.
name (string) -- [REQUIRED]
The name of the control set.
controls (list) --
The list of controls within the control set. This doesn't contain the control set ID.
(dict) --
The control entity attributes that uniquely identify an existing control to be added to a framework in Audit Manager.
id (string) -- [REQUIRED]
The unique identifier of the control.
dict
The tags that are associated with the framework.
(string) --
(string) --
dict
Response Syntax
{ 'framework': { 'arn': 'string', 'id': 'string', 'name': 'string', 'type': 'Standard'|'Custom', 'complianceType': 'string', 'description': 'string', 'logo': 'string', 'controlSources': 'string', 'controlSets': [ { 'id': 'string', 'name': 'string', 'controls': [ { 'arn': 'string', 'id': 'string', 'type': 'Standard'|'Custom', 'name': 'string', 'description': 'string', 'testingInformation': 'string', 'actionPlanTitle': 'string', 'actionPlanInstructions': 'string', 'controlSources': 'string', 'controlMappingSources': [ { 'sourceId': 'string', 'sourceName': 'string', 'sourceDescription': 'string', 'sourceSetUpOption': 'System_Controls_Mapping'|'Procedural_Controls_Mapping', 'sourceType': 'AWS_Cloudtrail'|'AWS_Config'|'AWS_Security_Hub'|'AWS_API_Call'|'MANUAL', 'sourceKeyword': { 'keywordInputType': 'SELECT_FROM_LIST'|'UPLOAD_FILE'|'INPUT_TEXT', 'keywordValue': 'string' }, 'sourceFrequency': 'DAILY'|'WEEKLY'|'MONTHLY', 'troubleshootingText': 'string' }, ], 'createdAt': datetime(2015, 1, 1), 'lastUpdatedAt': datetime(2015, 1, 1), 'createdBy': 'string', 'lastUpdatedBy': 'string', 'tags': { 'string': 'string' } }, ] }, ], 'createdAt': datetime(2015, 1, 1), 'lastUpdatedAt': datetime(2015, 1, 1), 'createdBy': 'string', 'lastUpdatedBy': 'string', 'tags': { 'string': 'string' } } }
Response Structure
(dict) --
framework (dict) --
The name of the new framework that the CreateAssessmentFramework API returned.
arn (string) --
The Amazon Resource Name (ARN) of the framework.
id (string) --
The unique identifier for the framework.
name (string) --
The name of the framework.
type (string) --
Specifies whether the framework is a standard framework or a custom framework.
complianceType (string) --
The compliance type that the framework supports, such as CIS or HIPAA.
description (string) --
The description of the framework.
logo (string) --
The logo that's associated with the framework.
controlSources (string) --
The control data sources where Audit Manager collects evidence from.
controlSets (list) --
The control sets that are associated with the framework.
(dict) --
A set of controls in Audit Manager.
id (string) --
The identifier of the control set in the assessment. This is the control set name in a plain string format.
name (string) --
The name of the control set.
controls (list) --
The list of controls within the control set.
(dict) --
A control in Audit Manager.
arn (string) --
The Amazon Resource Name (ARN) of the control.
id (string) --
The unique identifier for the control.
type (string) --
Specifies whether the control is a standard control or a custom control.
name (string) --
The name of the control.
description (string) --
The description of the control.
testingInformation (string) --
The steps that you should follow to determine if the control has been satisfied.
actionPlanTitle (string) --
The title of the action plan for remediating the control.
actionPlanInstructions (string) --
The recommended actions to carry out if the control isn't fulfilled.
controlSources (string) --
The data source types that determine where Audit Manager collects evidence from for the control.
controlMappingSources (list) --
The data mapping sources for the control.
(dict) --
The data source that determines where Audit Manager collects evidence from for the control.
sourceId (string) --
The unique identifier for the source.
sourceName (string) --
The name of the source.
sourceDescription (string) --
The description of the source.
sourceSetUpOption (string) --
The setup option for the data source. This option reflects if the evidence collection is automated or manual.
sourceType (string) --
Specifies one of the five data source types for evidence collection.
sourceKeyword (dict) --
A keyword that relates to the control data source.
For manual evidence, this keyword indicates if the manual evidence is a file or text.
For automated evidence, this keyword identifies a specific CloudTrail event, Config rule, Security Hub control, or Amazon Web Services API name.
To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide :
keywordInputType (string) --
The input method for the keyword.
SELECT_FROM_LIST is used when mapping a data source for automated evidence.
When keywordInputType is SELECT_FROM_LIST , a keyword must be selected to collect automated evidence. For example, this keyword can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
UPLOAD_FILE and INPUT_TEXT are only used when mapping a data source for manual evidence.
When keywordInputType is UPLOAD_FILE , a file must be uploaded as manual evidence.
When keywordInputType is INPUT_TEXT , text must be entered as manual evidence.
keywordValue (string) --
The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
If you’re mapping a data source to a rule in Config, the keywordValue that you specify depends on the type of rule:
For managed rules , you can use the rule identifier as the keywordValue . You can find the rule identifier from the list of Config managed rules . For some rules, the rule identifier is different from the rule name. For example, the rule name restricted-ssh has the following rule identifier: INCOMING_SSH_DISABLED . Make sure to use the rule identifier, not the rule name. Keyword example for managed rules:
Managed rule name: s3-bucket-acl-prohibited keywordValue : S3_BUCKET_ACL_PROHIBITED
For custom rules , you form the keywordValue by adding the Custom_ prefix to the rule name. This prefix distinguishes the custom rule from a managed rule. Keyword example for custom rules:
Custom rule name: my-custom-config-rule keywordValue : Custom_my-custom-config-rule
For service-linked rules , you form the keywordValue by adding the Custom_ prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name. Keyword examples for service-linked rules:
Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w keywordValue : Custom_CustomRuleForAccount-conformance-pack
Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba keywordValue : Custom_OrgConfigRule-s3-bucket-versioning-enabled
Warning
The keywordValue is case sensitive. If you enter a value incorrectly, Audit Manager might not recognize the data source mapping. As a result, you might not successfully collect evidence from that data source as intended.
Keep in mind the following requirements, depending on the data source type that you're using.
For Config:
For managed rules, make sure that the keywordValue is the rule identifier in ALL_CAPS_WITH_UNDERSCORES . For example, CLOUDWATCH_LOG_GROUP_ENCRYPTED . For accuracy, we recommend that you reference the list of supported Config managed rules .
For custom rules, make sure that the keywordValue has the Custom_ prefix followed by the custom rule name. The format of the custom rule name itself may vary. For accuracy, we recommend that you visit the Config console to verify your custom rule name.
For Security Hub: The format varies for Security Hub control names. For accuracy, we recommend that you reference the list of supported Security Hub controls .
For Amazon Web Services API calls: Make sure that the keywordValue is written as serviceprefix_ActionName . For example, iam_ListGroups . For accuracy, we recommend that you reference the list of supported API calls .
For CloudTrail: Make sure that the keywordValue is written as serviceprefix_ActionName . For example, cloudtrail_StartLogging . For accuracy, we recommend that you review the Amazon Web Service prefix and action names in the Service Authorization Reference .
sourceFrequency (string) --
Specifies how often evidence is collected from the control mapping source.
troubleshootingText (string) --
The instructions for troubleshooting the control.
createdAt (datetime) --
The time when the control was created.
lastUpdatedAt (datetime) --
The time when the control was most recently updated.
createdBy (string) --
The user or role that created the control.
lastUpdatedBy (string) --
The user or role that most recently updated the control.
tags (dict) --
The tags associated with the control.
(string) --
(string) --
createdAt (datetime) --
The time when the framework was created.
lastUpdatedAt (datetime) --
The time when the framework was most recently updated.
createdBy (string) --
The user or role that created the framework.
lastUpdatedBy (string) --
The user or role that most recently updated the framework.
tags (dict) --
The tags that are associated with the framework.
(string) --
(string) --
{'controlMappingSources': {'sourceKeyword': {'keywordInputType': {'INPUT_TEXT', 'UPLOAD_FILE'}}}}Response
{'control': {'controlMappingSources': {'sourceKeyword': {'keywordInputType': {'INPUT_TEXT', 'UPLOAD_FILE'}}}}}
Creates a new custom control in Audit Manager.
See also: AWS API Documentation
Request Syntax
client.create_control( name='string', description='string', testingInformation='string', actionPlanTitle='string', actionPlanInstructions='string', controlMappingSources=[ { 'sourceName': 'string', 'sourceDescription': 'string', 'sourceSetUpOption': 'System_Controls_Mapping'|'Procedural_Controls_Mapping', 'sourceType': 'AWS_Cloudtrail'|'AWS_Config'|'AWS_Security_Hub'|'AWS_API_Call'|'MANUAL', 'sourceKeyword': { 'keywordInputType': 'SELECT_FROM_LIST'|'UPLOAD_FILE'|'INPUT_TEXT', 'keywordValue': 'string' }, 'sourceFrequency': 'DAILY'|'WEEKLY'|'MONTHLY', 'troubleshootingText': 'string' }, ], tags={ 'string': 'string' } )
string
[REQUIRED]
The name of the control.
string
The description of the control.
string
The steps to follow to determine if the control is satisfied.
string
The title of the action plan for remediating the control.
string
The recommended actions to carry out if the control isn't fulfilled.
list
[REQUIRED]
The data mapping sources for the control.
(dict) --
The control mapping fields that represent the source for evidence collection, along with related parameters and metadata. This doesn't contain mappingID .
sourceName (string) --
The name of the control mapping data source.
sourceDescription (string) --
The description of the data source that determines where Audit Manager collects evidence from for the control.
sourceSetUpOption (string) --
The setup option for the data source, which reflects if the evidence collection is automated or manual.
sourceType (string) --
Specifies one of the five types of data sources for evidence collection.
sourceKeyword (dict) --
A keyword that relates to the control data source.
For manual evidence, this keyword indicates if the manual evidence is a file or text.
For automated evidence, this keyword identifies a specific CloudTrail event, Config rule, Security Hub control, or Amazon Web Services API name.
To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide :
keywordInputType (string) --
The input method for the keyword.
SELECT_FROM_LIST is used when mapping a data source for automated evidence.
When keywordInputType is SELECT_FROM_LIST , a keyword must be selected to collect automated evidence. For example, this keyword can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
UPLOAD_FILE and INPUT_TEXT are only used when mapping a data source for manual evidence.
When keywordInputType is UPLOAD_FILE , a file must be uploaded as manual evidence.
When keywordInputType is INPUT_TEXT , text must be entered as manual evidence.
keywordValue (string) --
The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
If you’re mapping a data source to a rule in Config, the keywordValue that you specify depends on the type of rule:
For managed rules , you can use the rule identifier as the keywordValue . You can find the rule identifier from the list of Config managed rules . For some rules, the rule identifier is different from the rule name. For example, the rule name restricted-ssh has the following rule identifier: INCOMING_SSH_DISABLED . Make sure to use the rule identifier, not the rule name. Keyword example for managed rules:
Managed rule name: s3-bucket-acl-prohibited keywordValue : S3_BUCKET_ACL_PROHIBITED
For custom rules , you form the keywordValue by adding the Custom_ prefix to the rule name. This prefix distinguishes the custom rule from a managed rule. Keyword example for custom rules:
Custom rule name: my-custom-config-rule keywordValue : Custom_my-custom-config-rule
For service-linked rules , you form the keywordValue by adding the Custom_ prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name. Keyword examples for service-linked rules:
Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w keywordValue : Custom_CustomRuleForAccount-conformance-pack
Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba keywordValue : Custom_OrgConfigRule-s3-bucket-versioning-enabled
Warning
The keywordValue is case sensitive. If you enter a value incorrectly, Audit Manager might not recognize the data source mapping. As a result, you might not successfully collect evidence from that data source as intended.
Keep in mind the following requirements, depending on the data source type that you're using.
For Config:
For managed rules, make sure that the keywordValue is the rule identifier in ALL_CAPS_WITH_UNDERSCORES . For example, CLOUDWATCH_LOG_GROUP_ENCRYPTED . For accuracy, we recommend that you reference the list of supported Config managed rules .
For custom rules, make sure that the keywordValue has the Custom_ prefix followed by the custom rule name. The format of the custom rule name itself may vary. For accuracy, we recommend that you visit the Config console to verify your custom rule name.
For Security Hub: The format varies for Security Hub control names. For accuracy, we recommend that you reference the list of supported Security Hub controls .
For Amazon Web Services API calls: Make sure that the keywordValue is written as serviceprefix_ActionName . For example, iam_ListGroups . For accuracy, we recommend that you reference the list of supported API calls .
For CloudTrail: Make sure that the keywordValue is written as serviceprefix_ActionName . For example, cloudtrail_StartLogging . For accuracy, we recommend that you review the Amazon Web Service prefix and action names in the Service Authorization Reference .
sourceFrequency (string) --
Specifies how often evidence is collected from the control mapping source.
troubleshootingText (string) --
The instructions for troubleshooting the control.
dict
The tags that are associated with the control.
(string) --
(string) --
dict
Response Syntax
{ 'control': { 'arn': 'string', 'id': 'string', 'type': 'Standard'|'Custom', 'name': 'string', 'description': 'string', 'testingInformation': 'string', 'actionPlanTitle': 'string', 'actionPlanInstructions': 'string', 'controlSources': 'string', 'controlMappingSources': [ { 'sourceId': 'string', 'sourceName': 'string', 'sourceDescription': 'string', 'sourceSetUpOption': 'System_Controls_Mapping'|'Procedural_Controls_Mapping', 'sourceType': 'AWS_Cloudtrail'|'AWS_Config'|'AWS_Security_Hub'|'AWS_API_Call'|'MANUAL', 'sourceKeyword': { 'keywordInputType': 'SELECT_FROM_LIST'|'UPLOAD_FILE'|'INPUT_TEXT', 'keywordValue': 'string' }, 'sourceFrequency': 'DAILY'|'WEEKLY'|'MONTHLY', 'troubleshootingText': 'string' }, ], 'createdAt': datetime(2015, 1, 1), 'lastUpdatedAt': datetime(2015, 1, 1), 'createdBy': 'string', 'lastUpdatedBy': 'string', 'tags': { 'string': 'string' } } }
Response Structure
(dict) --
control (dict) --
The new control that the CreateControl API returned.
arn (string) --
The Amazon Resource Name (ARN) of the control.
id (string) --
The unique identifier for the control.
type (string) --
Specifies whether the control is a standard control or a custom control.
name (string) --
The name of the control.
description (string) --
The description of the control.
testingInformation (string) --
The steps that you should follow to determine if the control has been satisfied.
actionPlanTitle (string) --
The title of the action plan for remediating the control.
actionPlanInstructions (string) --
The recommended actions to carry out if the control isn't fulfilled.
controlSources (string) --
The data source types that determine where Audit Manager collects evidence from for the control.
controlMappingSources (list) --
The data mapping sources for the control.
(dict) --
The data source that determines where Audit Manager collects evidence from for the control.
sourceId (string) --
The unique identifier for the source.
sourceName (string) --
The name of the source.
sourceDescription (string) --
The description of the source.
sourceSetUpOption (string) --
The setup option for the data source. This option reflects if the evidence collection is automated or manual.
sourceType (string) --
Specifies one of the five data source types for evidence collection.
sourceKeyword (dict) --
A keyword that relates to the control data source.
For manual evidence, this keyword indicates if the manual evidence is a file or text.
For automated evidence, this keyword identifies a specific CloudTrail event, Config rule, Security Hub control, or Amazon Web Services API name.
To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide :
keywordInputType (string) --
The input method for the keyword.
SELECT_FROM_LIST is used when mapping a data source for automated evidence.
When keywordInputType is SELECT_FROM_LIST , a keyword must be selected to collect automated evidence. For example, this keyword can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
UPLOAD_FILE and INPUT_TEXT are only used when mapping a data source for manual evidence.
When keywordInputType is UPLOAD_FILE , a file must be uploaded as manual evidence.
When keywordInputType is INPUT_TEXT , text must be entered as manual evidence.
keywordValue (string) --
The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
If you’re mapping a data source to a rule in Config, the keywordValue that you specify depends on the type of rule:
For managed rules , you can use the rule identifier as the keywordValue . You can find the rule identifier from the list of Config managed rules . For some rules, the rule identifier is different from the rule name. For example, the rule name restricted-ssh has the following rule identifier: INCOMING_SSH_DISABLED . Make sure to use the rule identifier, not the rule name. Keyword example for managed rules:
Managed rule name: s3-bucket-acl-prohibited keywordValue : S3_BUCKET_ACL_PROHIBITED
For custom rules , you form the keywordValue by adding the Custom_ prefix to the rule name. This prefix distinguishes the custom rule from a managed rule. Keyword example for custom rules:
Custom rule name: my-custom-config-rule keywordValue : Custom_my-custom-config-rule
For service-linked rules , you form the keywordValue by adding the Custom_ prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name. Keyword examples for service-linked rules:
Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w keywordValue : Custom_CustomRuleForAccount-conformance-pack
Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba keywordValue : Custom_OrgConfigRule-s3-bucket-versioning-enabled
Warning
The keywordValue is case sensitive. If you enter a value incorrectly, Audit Manager might not recognize the data source mapping. As a result, you might not successfully collect evidence from that data source as intended.
Keep in mind the following requirements, depending on the data source type that you're using.
For Config:
For managed rules, make sure that the keywordValue is the rule identifier in ALL_CAPS_WITH_UNDERSCORES . For example, CLOUDWATCH_LOG_GROUP_ENCRYPTED . For accuracy, we recommend that you reference the list of supported Config managed rules .
For custom rules, make sure that the keywordValue has the Custom_ prefix followed by the custom rule name. The format of the custom rule name itself may vary. For accuracy, we recommend that you visit the Config console to verify your custom rule name.
For Security Hub: The format varies for Security Hub control names. For accuracy, we recommend that you reference the list of supported Security Hub controls .
For Amazon Web Services API calls: Make sure that the keywordValue is written as serviceprefix_ActionName . For example, iam_ListGroups . For accuracy, we recommend that you reference the list of supported API calls .
For CloudTrail: Make sure that the keywordValue is written as serviceprefix_ActionName . For example, cloudtrail_StartLogging . For accuracy, we recommend that you review the Amazon Web Service prefix and action names in the Service Authorization Reference .
sourceFrequency (string) --
Specifies how often evidence is collected from the control mapping source.
troubleshootingText (string) --
The instructions for troubleshooting the control.
createdAt (datetime) --
The time when the control was created.
lastUpdatedAt (datetime) --
The time when the control was most recently updated.
createdBy (string) --
The user or role that created the control.
lastUpdatedBy (string) --
The user or role that most recently updated the control.
tags (dict) --
The tags associated with the control.
(string) --
(string) --
{'framework': {'controlSets': {'controls': {'controlMappingSources': {'sourceKeyword': {'keywordInputType': {'INPUT_TEXT', 'UPLOAD_FILE'}}}}}}}
Gets information about a specified framework.
See also: AWS API Documentation
Request Syntax
client.get_assessment_framework( frameworkId='string' )
string
[REQUIRED]
The identifier for the framework.
dict
Response Syntax
{ 'framework': { 'arn': 'string', 'id': 'string', 'name': 'string', 'type': 'Standard'|'Custom', 'complianceType': 'string', 'description': 'string', 'logo': 'string', 'controlSources': 'string', 'controlSets': [ { 'id': 'string', 'name': 'string', 'controls': [ { 'arn': 'string', 'id': 'string', 'type': 'Standard'|'Custom', 'name': 'string', 'description': 'string', 'testingInformation': 'string', 'actionPlanTitle': 'string', 'actionPlanInstructions': 'string', 'controlSources': 'string', 'controlMappingSources': [ { 'sourceId': 'string', 'sourceName': 'string', 'sourceDescription': 'string', 'sourceSetUpOption': 'System_Controls_Mapping'|'Procedural_Controls_Mapping', 'sourceType': 'AWS_Cloudtrail'|'AWS_Config'|'AWS_Security_Hub'|'AWS_API_Call'|'MANUAL', 'sourceKeyword': { 'keywordInputType': 'SELECT_FROM_LIST'|'UPLOAD_FILE'|'INPUT_TEXT', 'keywordValue': 'string' }, 'sourceFrequency': 'DAILY'|'WEEKLY'|'MONTHLY', 'troubleshootingText': 'string' }, ], 'createdAt': datetime(2015, 1, 1), 'lastUpdatedAt': datetime(2015, 1, 1), 'createdBy': 'string', 'lastUpdatedBy': 'string', 'tags': { 'string': 'string' } }, ] }, ], 'createdAt': datetime(2015, 1, 1), 'lastUpdatedAt': datetime(2015, 1, 1), 'createdBy': 'string', 'lastUpdatedBy': 'string', 'tags': { 'string': 'string' } } }
Response Structure
(dict) --
framework (dict) --
The framework that the GetAssessmentFramework API returned.
arn (string) --
The Amazon Resource Name (ARN) of the framework.
id (string) --
The unique identifier for the framework.
name (string) --
The name of the framework.
type (string) --
Specifies whether the framework is a standard framework or a custom framework.
complianceType (string) --
The compliance type that the framework supports, such as CIS or HIPAA.
description (string) --
The description of the framework.
logo (string) --
The logo that's associated with the framework.
controlSources (string) --
The control data sources where Audit Manager collects evidence from.
controlSets (list) --
The control sets that are associated with the framework.
(dict) --
A set of controls in Audit Manager.
id (string) --
The identifier of the control set in the assessment. This is the control set name in a plain string format.
name (string) --
The name of the control set.
controls (list) --
The list of controls within the control set.
(dict) --
A control in Audit Manager.
arn (string) --
The Amazon Resource Name (ARN) of the control.
id (string) --
The unique identifier for the control.
type (string) --
Specifies whether the control is a standard control or a custom control.
name (string) --
The name of the control.
description (string) --
The description of the control.
testingInformation (string) --
The steps that you should follow to determine if the control has been satisfied.
actionPlanTitle (string) --
The title of the action plan for remediating the control.
actionPlanInstructions (string) --
The recommended actions to carry out if the control isn't fulfilled.
controlSources (string) --
The data source types that determine where Audit Manager collects evidence from for the control.
controlMappingSources (list) --
The data mapping sources for the control.
(dict) --
The data source that determines where Audit Manager collects evidence from for the control.
sourceId (string) --
The unique identifier for the source.
sourceName (string) --
The name of the source.
sourceDescription (string) --
The description of the source.
sourceSetUpOption (string) --
The setup option for the data source. This option reflects if the evidence collection is automated or manual.
sourceType (string) --
Specifies one of the five data source types for evidence collection.
sourceKeyword (dict) --
A keyword that relates to the control data source.
For manual evidence, this keyword indicates if the manual evidence is a file or text.
For automated evidence, this keyword identifies a specific CloudTrail event, Config rule, Security Hub control, or Amazon Web Services API name.
To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide :
keywordInputType (string) --
The input method for the keyword.
SELECT_FROM_LIST is used when mapping a data source for automated evidence.
When keywordInputType is SELECT_FROM_LIST , a keyword must be selected to collect automated evidence. For example, this keyword can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
UPLOAD_FILE and INPUT_TEXT are only used when mapping a data source for manual evidence.
When keywordInputType is UPLOAD_FILE , a file must be uploaded as manual evidence.
When keywordInputType is INPUT_TEXT , text must be entered as manual evidence.
keywordValue (string) --
The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
If you’re mapping a data source to a rule in Config, the keywordValue that you specify depends on the type of rule:
For managed rules , you can use the rule identifier as the keywordValue . You can find the rule identifier from the list of Config managed rules . For some rules, the rule identifier is different from the rule name. For example, the rule name restricted-ssh has the following rule identifier: INCOMING_SSH_DISABLED . Make sure to use the rule identifier, not the rule name. Keyword example for managed rules:
Managed rule name: s3-bucket-acl-prohibited keywordValue : S3_BUCKET_ACL_PROHIBITED
For custom rules , you form the keywordValue by adding the Custom_ prefix to the rule name. This prefix distinguishes the custom rule from a managed rule. Keyword example for custom rules:
Custom rule name: my-custom-config-rule keywordValue : Custom_my-custom-config-rule
For service-linked rules , you form the keywordValue by adding the Custom_ prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name. Keyword examples for service-linked rules:
Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w keywordValue : Custom_CustomRuleForAccount-conformance-pack
Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba keywordValue : Custom_OrgConfigRule-s3-bucket-versioning-enabled
Warning
The keywordValue is case sensitive. If you enter a value incorrectly, Audit Manager might not recognize the data source mapping. As a result, you might not successfully collect evidence from that data source as intended.
Keep in mind the following requirements, depending on the data source type that you're using.
For Config:
For managed rules, make sure that the keywordValue is the rule identifier in ALL_CAPS_WITH_UNDERSCORES . For example, CLOUDWATCH_LOG_GROUP_ENCRYPTED . For accuracy, we recommend that you reference the list of supported Config managed rules .
For custom rules, make sure that the keywordValue has the Custom_ prefix followed by the custom rule name. The format of the custom rule name itself may vary. For accuracy, we recommend that you visit the Config console to verify your custom rule name.
For Security Hub: The format varies for Security Hub control names. For accuracy, we recommend that you reference the list of supported Security Hub controls .
For Amazon Web Services API calls: Make sure that the keywordValue is written as serviceprefix_ActionName . For example, iam_ListGroups . For accuracy, we recommend that you reference the list of supported API calls .
For CloudTrail: Make sure that the keywordValue is written as serviceprefix_ActionName . For example, cloudtrail_StartLogging . For accuracy, we recommend that you review the Amazon Web Service prefix and action names in the Service Authorization Reference .
sourceFrequency (string) --
Specifies how often evidence is collected from the control mapping source.
troubleshootingText (string) --
The instructions for troubleshooting the control.
createdAt (datetime) --
The time when the control was created.
lastUpdatedAt (datetime) --
The time when the control was most recently updated.
createdBy (string) --
The user or role that created the control.
lastUpdatedBy (string) --
The user or role that most recently updated the control.
tags (dict) --
The tags associated with the control.
(string) --
(string) --
createdAt (datetime) --
The time when the framework was created.
lastUpdatedAt (datetime) --
The time when the framework was most recently updated.
createdBy (string) --
The user or role that created the framework.
lastUpdatedBy (string) --
The user or role that most recently updated the framework.
tags (dict) --
The tags that are associated with the framework.
(string) --
(string) --
{'control': {'controlMappingSources': {'sourceKeyword': {'keywordInputType': {'INPUT_TEXT', 'UPLOAD_FILE'}}}}}
Gets information about a specified control.
See also: AWS API Documentation
Request Syntax
client.get_control( controlId='string' )
string
[REQUIRED]
The identifier for the control.
dict
Response Syntax
{ 'control': { 'arn': 'string', 'id': 'string', 'type': 'Standard'|'Custom', 'name': 'string', 'description': 'string', 'testingInformation': 'string', 'actionPlanTitle': 'string', 'actionPlanInstructions': 'string', 'controlSources': 'string', 'controlMappingSources': [ { 'sourceId': 'string', 'sourceName': 'string', 'sourceDescription': 'string', 'sourceSetUpOption': 'System_Controls_Mapping'|'Procedural_Controls_Mapping', 'sourceType': 'AWS_Cloudtrail'|'AWS_Config'|'AWS_Security_Hub'|'AWS_API_Call'|'MANUAL', 'sourceKeyword': { 'keywordInputType': 'SELECT_FROM_LIST'|'UPLOAD_FILE'|'INPUT_TEXT', 'keywordValue': 'string' }, 'sourceFrequency': 'DAILY'|'WEEKLY'|'MONTHLY', 'troubleshootingText': 'string' }, ], 'createdAt': datetime(2015, 1, 1), 'lastUpdatedAt': datetime(2015, 1, 1), 'createdBy': 'string', 'lastUpdatedBy': 'string', 'tags': { 'string': 'string' } } }
Response Structure
(dict) --
control (dict) --
The details of the control that the GetControl API returned.
arn (string) --
The Amazon Resource Name (ARN) of the control.
id (string) --
The unique identifier for the control.
type (string) --
Specifies whether the control is a standard control or a custom control.
name (string) --
The name of the control.
description (string) --
The description of the control.
testingInformation (string) --
The steps that you should follow to determine if the control has been satisfied.
actionPlanTitle (string) --
The title of the action plan for remediating the control.
actionPlanInstructions (string) --
The recommended actions to carry out if the control isn't fulfilled.
controlSources (string) --
The data source types that determine where Audit Manager collects evidence from for the control.
controlMappingSources (list) --
The data mapping sources for the control.
(dict) --
The data source that determines where Audit Manager collects evidence from for the control.
sourceId (string) --
The unique identifier for the source.
sourceName (string) --
The name of the source.
sourceDescription (string) --
The description of the source.
sourceSetUpOption (string) --
The setup option for the data source. This option reflects if the evidence collection is automated or manual.
sourceType (string) --
Specifies one of the five data source types for evidence collection.
sourceKeyword (dict) --
A keyword that relates to the control data source.
For manual evidence, this keyword indicates if the manual evidence is a file or text.
For automated evidence, this keyword identifies a specific CloudTrail event, Config rule, Security Hub control, or Amazon Web Services API name.
To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide :
keywordInputType (string) --
The input method for the keyword.
SELECT_FROM_LIST is used when mapping a data source for automated evidence.
When keywordInputType is SELECT_FROM_LIST , a keyword must be selected to collect automated evidence. For example, this keyword can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
UPLOAD_FILE and INPUT_TEXT are only used when mapping a data source for manual evidence.
When keywordInputType is UPLOAD_FILE , a file must be uploaded as manual evidence.
When keywordInputType is INPUT_TEXT , text must be entered as manual evidence.
keywordValue (string) --
The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
If you’re mapping a data source to a rule in Config, the keywordValue that you specify depends on the type of rule:
For managed rules , you can use the rule identifier as the keywordValue . You can find the rule identifier from the list of Config managed rules . For some rules, the rule identifier is different from the rule name. For example, the rule name restricted-ssh has the following rule identifier: INCOMING_SSH_DISABLED . Make sure to use the rule identifier, not the rule name. Keyword example for managed rules:
Managed rule name: s3-bucket-acl-prohibited keywordValue : S3_BUCKET_ACL_PROHIBITED
For custom rules , you form the keywordValue by adding the Custom_ prefix to the rule name. This prefix distinguishes the custom rule from a managed rule. Keyword example for custom rules:
Custom rule name: my-custom-config-rule keywordValue : Custom_my-custom-config-rule
For service-linked rules , you form the keywordValue by adding the Custom_ prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name. Keyword examples for service-linked rules:
Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w keywordValue : Custom_CustomRuleForAccount-conformance-pack
Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba keywordValue : Custom_OrgConfigRule-s3-bucket-versioning-enabled
Warning
The keywordValue is case sensitive. If you enter a value incorrectly, Audit Manager might not recognize the data source mapping. As a result, you might not successfully collect evidence from that data source as intended.
Keep in mind the following requirements, depending on the data source type that you're using.
For Config:
For managed rules, make sure that the keywordValue is the rule identifier in ALL_CAPS_WITH_UNDERSCORES . For example, CLOUDWATCH_LOG_GROUP_ENCRYPTED . For accuracy, we recommend that you reference the list of supported Config managed rules .
For custom rules, make sure that the keywordValue has the Custom_ prefix followed by the custom rule name. The format of the custom rule name itself may vary. For accuracy, we recommend that you visit the Config console to verify your custom rule name.
For Security Hub: The format varies for Security Hub control names. For accuracy, we recommend that you reference the list of supported Security Hub controls .
For Amazon Web Services API calls: Make sure that the keywordValue is written as serviceprefix_ActionName . For example, iam_ListGroups . For accuracy, we recommend that you reference the list of supported API calls .
For CloudTrail: Make sure that the keywordValue is written as serviceprefix_ActionName . For example, cloudtrail_StartLogging . For accuracy, we recommend that you review the Amazon Web Service prefix and action names in the Service Authorization Reference .
sourceFrequency (string) --
Specifies how often evidence is collected from the control mapping source.
troubleshootingText (string) --
The instructions for troubleshooting the control.
createdAt (datetime) --
The time when the control was created.
lastUpdatedAt (datetime) --
The time when the control was most recently updated.
createdBy (string) --
The user or role that created the control.
lastUpdatedBy (string) --
The user or role that most recently updated the control.
tags (dict) --
The tags associated with the control.
(string) --
(string) --
{'attribute': {'DEFAULT_EXPORT_DESTINATION'}}Response
{'settings': {'defaultExportDestination': {'destination': 'string', 'destinationType': 'S3'}}}
Gets the settings for a specified Amazon Web Services account.
See also: AWS API Documentation
Request Syntax
client.get_settings( attribute='ALL'|'IS_AWS_ORG_ENABLED'|'SNS_TOPIC'|'DEFAULT_ASSESSMENT_REPORTS_DESTINATION'|'DEFAULT_PROCESS_OWNERS'|'EVIDENCE_FINDER_ENABLEMENT'|'DEREGISTRATION_POLICY'|'DEFAULT_EXPORT_DESTINATION' )
string
[REQUIRED]
The list of setting attribute enum values.
dict
Response Syntax
{ 'settings': { 'isAwsOrgEnabled': True|False, 'snsTopic': 'string', 'defaultAssessmentReportsDestination': { 'destinationType': 'S3', 'destination': 'string' }, 'defaultProcessOwners': [ { 'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER', 'roleArn': 'string' }, ], 'kmsKey': 'string', 'evidenceFinderEnablement': { 'eventDataStoreArn': 'string', 'enablementStatus': 'ENABLED'|'DISABLED'|'ENABLE_IN_PROGRESS'|'DISABLE_IN_PROGRESS', 'backfillStatus': 'NOT_STARTED'|'IN_PROGRESS'|'COMPLETED', 'error': 'string' }, 'deregistrationPolicy': { 'deleteResources': 'ALL'|'DEFAULT' }, 'defaultExportDestination': { 'destinationType': 'S3', 'destination': 'string' } } }
Response Structure
(dict) --
settings (dict) --
The settings object that holds all supported Audit Manager settings.
isAwsOrgEnabled (boolean) --
Specifies whether Organizations is enabled.
snsTopic (string) --
The designated Amazon Simple Notification Service (Amazon SNS) topic.
defaultAssessmentReportsDestination (dict) --
The default S3 destination bucket for storing assessment reports.
destinationType (string) --
The destination type, such as Amazon S3.
destination (string) --
The destination bucket where Audit Manager stores assessment reports.
defaultProcessOwners (list) --
The designated default audit owners.
(dict) --
The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).
roleType (string) --
The type of customer persona.
Note
In CreateAssessment , roleType can only be PROCESS_OWNER .
In UpdateSettings , roleType can only be PROCESS_OWNER .
In BatchCreateDelegationByAssessment , roleType can only be RESOURCE_OWNER .
roleArn (string) --
The Amazon Resource Name (ARN) of the IAM role.
kmsKey (string) --
The KMS key details.
evidenceFinderEnablement (dict) --
The current evidence finder status and event data store details.
eventDataStoreArn (string) --
The Amazon Resource Name (ARN) of the CloudTrail Lake event data store that’s used by evidence finder. The event data store is the lake of evidence data that evidence finder runs queries against.
enablementStatus (string) --
The current status of the evidence finder feature and the related event data store.
ENABLE_IN_PROGRESS means that you requested to enable evidence finder. An event data store is currently being created to support evidence finder queries.
ENABLED means that an event data store was successfully created and evidence finder is enabled. We recommend that you wait 7 days until the event data store is backfilled with your past two years’ worth of evidence data. You can use evidence finder in the meantime, but not all data might be available until the backfill is complete.
DISABLE_IN_PROGRESS means that you requested to disable evidence finder, and your request is pending the deletion of the event data store.
DISABLED means that you have permanently disabled evidence finder and the event data store has been deleted. You can't re-enable evidence finder after this point.
backfillStatus (string) --
The current status of the evidence data backfill process.
The backfill starts after you enable evidence finder. During this task, Audit Manager populates an event data store with your past two years’ worth of evidence data so that your evidence can be queried.
NOT_STARTED means that the backfill hasn’t started yet.
IN_PROGRESS means that the backfill is in progress. This can take up to 7 days to complete, depending on the amount of evidence data.
COMPLETED means that the backfill is complete. All of your past evidence is now queryable.
error (string) --
Represents any errors that occurred when enabling or disabling evidence finder.
deregistrationPolicy (dict) --
The deregistration policy for your Audit Manager data. You can use this attribute to determine how your data is handled when you deregister Audit Manager.
deleteResources (string) --
Specifies which Audit Manager data will be deleted when you deregister Audit Manager.
If you set the value to ALL , all of your data is deleted within seven days of deregistration.
If you set the value to DEFAULT , none of your data is deleted at the time of deregistration. However, keep in mind that the Audit Manager data retention policy still applies. As a result, any evidence data will be deleted two years after its creation date. Your other Audit Manager resources will continue to exist indefinitely.
defaultExportDestination (dict) --
The default S3 destination bucket for storing evidence finder exports.
destinationType (string) --
The destination type, such as Amazon S3.
destination (string) --
The destination bucket where Audit Manager stores exported files.
{'framework': {'controlSets': {'controls': {'controlMappingSources': {'sourceKeyword': {'keywordInputType': {'INPUT_TEXT', 'UPLOAD_FILE'}}}}}}}
Updates a custom framework in Audit Manager.
See also: AWS API Documentation
Request Syntax
client.update_assessment_framework( frameworkId='string', name='string', description='string', complianceType='string', controlSets=[ { 'id': 'string', 'name': 'string', 'controls': [ { 'id': 'string' }, ] }, ] )
string
[REQUIRED]
The unique identifier for the framework.
string
[REQUIRED]
The name of the framework to be updated.
string
The description of the updated framework.
string
The compliance type that the new custom framework supports, such as CIS or HIPAA.
list
[REQUIRED]
The control sets that are associated with the framework.
(dict) --
A controlSet entity that represents a collection of controls in Audit Manager. This doesn't contain the control set ID.
id (string) --
The unique identifier for the control set.
name (string) -- [REQUIRED]
The name of the control set.
controls (list) -- [REQUIRED]
The list of controls that are contained within the control set.
(dict) --
The control entity attributes that uniquely identify an existing control to be added to a framework in Audit Manager.
id (string) -- [REQUIRED]
The unique identifier of the control.
dict
Response Syntax
{ 'framework': { 'arn': 'string', 'id': 'string', 'name': 'string', 'type': 'Standard'|'Custom', 'complianceType': 'string', 'description': 'string', 'logo': 'string', 'controlSources': 'string', 'controlSets': [ { 'id': 'string', 'name': 'string', 'controls': [ { 'arn': 'string', 'id': 'string', 'type': 'Standard'|'Custom', 'name': 'string', 'description': 'string', 'testingInformation': 'string', 'actionPlanTitle': 'string', 'actionPlanInstructions': 'string', 'controlSources': 'string', 'controlMappingSources': [ { 'sourceId': 'string', 'sourceName': 'string', 'sourceDescription': 'string', 'sourceSetUpOption': 'System_Controls_Mapping'|'Procedural_Controls_Mapping', 'sourceType': 'AWS_Cloudtrail'|'AWS_Config'|'AWS_Security_Hub'|'AWS_API_Call'|'MANUAL', 'sourceKeyword': { 'keywordInputType': 'SELECT_FROM_LIST'|'UPLOAD_FILE'|'INPUT_TEXT', 'keywordValue': 'string' }, 'sourceFrequency': 'DAILY'|'WEEKLY'|'MONTHLY', 'troubleshootingText': 'string' }, ], 'createdAt': datetime(2015, 1, 1), 'lastUpdatedAt': datetime(2015, 1, 1), 'createdBy': 'string', 'lastUpdatedBy': 'string', 'tags': { 'string': 'string' } }, ] }, ], 'createdAt': datetime(2015, 1, 1), 'lastUpdatedAt': datetime(2015, 1, 1), 'createdBy': 'string', 'lastUpdatedBy': 'string', 'tags': { 'string': 'string' } } }
Response Structure
(dict) --
framework (dict) --
The name of the framework.
arn (string) --
The Amazon Resource Name (ARN) of the framework.
id (string) --
The unique identifier for the framework.
name (string) --
The name of the framework.
type (string) --
Specifies whether the framework is a standard framework or a custom framework.
complianceType (string) --
The compliance type that the framework supports, such as CIS or HIPAA.
description (string) --
The description of the framework.
logo (string) --
The logo that's associated with the framework.
controlSources (string) --
The control data sources where Audit Manager collects evidence from.
controlSets (list) --
The control sets that are associated with the framework.
(dict) --
A set of controls in Audit Manager.
id (string) --
The identifier of the control set in the assessment. This is the control set name in a plain string format.
name (string) --
The name of the control set.
controls (list) --
The list of controls within the control set.
(dict) --
A control in Audit Manager.
arn (string) --
The Amazon Resource Name (ARN) of the control.
id (string) --
The unique identifier for the control.
type (string) --
Specifies whether the control is a standard control or a custom control.
name (string) --
The name of the control.
description (string) --
The description of the control.
testingInformation (string) --
The steps that you should follow to determine if the control has been satisfied.
actionPlanTitle (string) --
The title of the action plan for remediating the control.
actionPlanInstructions (string) --
The recommended actions to carry out if the control isn't fulfilled.
controlSources (string) --
The data source types that determine where Audit Manager collects evidence from for the control.
controlMappingSources (list) --
The data mapping sources for the control.
(dict) --
The data source that determines where Audit Manager collects evidence from for the control.
sourceId (string) --
The unique identifier for the source.
sourceName (string) --
The name of the source.
sourceDescription (string) --
The description of the source.
sourceSetUpOption (string) --
The setup option for the data source. This option reflects if the evidence collection is automated or manual.
sourceType (string) --
Specifies one of the five data source types for evidence collection.
sourceKeyword (dict) --
A keyword that relates to the control data source.
For manual evidence, this keyword indicates if the manual evidence is a file or text.
For automated evidence, this keyword identifies a specific CloudTrail event, Config rule, Security Hub control, or Amazon Web Services API name.
To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide :
keywordInputType (string) --
The input method for the keyword.
SELECT_FROM_LIST is used when mapping a data source for automated evidence.
When keywordInputType is SELECT_FROM_LIST , a keyword must be selected to collect automated evidence. For example, this keyword can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
UPLOAD_FILE and INPUT_TEXT are only used when mapping a data source for manual evidence.
When keywordInputType is UPLOAD_FILE , a file must be uploaded as manual evidence.
When keywordInputType is INPUT_TEXT , text must be entered as manual evidence.
keywordValue (string) --
The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
If you’re mapping a data source to a rule in Config, the keywordValue that you specify depends on the type of rule:
For managed rules , you can use the rule identifier as the keywordValue . You can find the rule identifier from the list of Config managed rules . For some rules, the rule identifier is different from the rule name. For example, the rule name restricted-ssh has the following rule identifier: INCOMING_SSH_DISABLED . Make sure to use the rule identifier, not the rule name. Keyword example for managed rules:
Managed rule name: s3-bucket-acl-prohibited keywordValue : S3_BUCKET_ACL_PROHIBITED
For custom rules , you form the keywordValue by adding the Custom_ prefix to the rule name. This prefix distinguishes the custom rule from a managed rule. Keyword example for custom rules:
Custom rule name: my-custom-config-rule keywordValue : Custom_my-custom-config-rule
For service-linked rules , you form the keywordValue by adding the Custom_ prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name. Keyword examples for service-linked rules:
Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w keywordValue : Custom_CustomRuleForAccount-conformance-pack
Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba keywordValue : Custom_OrgConfigRule-s3-bucket-versioning-enabled
Warning
The keywordValue is case sensitive. If you enter a value incorrectly, Audit Manager might not recognize the data source mapping. As a result, you might not successfully collect evidence from that data source as intended.
Keep in mind the following requirements, depending on the data source type that you're using.
For Config:
For managed rules, make sure that the keywordValue is the rule identifier in ALL_CAPS_WITH_UNDERSCORES . For example, CLOUDWATCH_LOG_GROUP_ENCRYPTED . For accuracy, we recommend that you reference the list of supported Config managed rules .
For custom rules, make sure that the keywordValue has the Custom_ prefix followed by the custom rule name. The format of the custom rule name itself may vary. For accuracy, we recommend that you visit the Config console to verify your custom rule name.
For Security Hub: The format varies for Security Hub control names. For accuracy, we recommend that you reference the list of supported Security Hub controls .
For Amazon Web Services API calls: Make sure that the keywordValue is written as serviceprefix_ActionName . For example, iam_ListGroups . For accuracy, we recommend that you reference the list of supported API calls .
For CloudTrail: Make sure that the keywordValue is written as serviceprefix_ActionName . For example, cloudtrail_StartLogging . For accuracy, we recommend that you review the Amazon Web Service prefix and action names in the Service Authorization Reference .
sourceFrequency (string) --
Specifies how often evidence is collected from the control mapping source.
troubleshootingText (string) --
The instructions for troubleshooting the control.
createdAt (datetime) --
The time when the control was created.
lastUpdatedAt (datetime) --
The time when the control was most recently updated.
createdBy (string) --
The user or role that created the control.
lastUpdatedBy (string) --
The user or role that most recently updated the control.
tags (dict) --
The tags associated with the control.
(string) --
(string) --
createdAt (datetime) --
The time when the framework was created.
lastUpdatedAt (datetime) --
The time when the framework was most recently updated.
createdBy (string) --
The user or role that created the framework.
lastUpdatedBy (string) --
The user or role that most recently updated the framework.
tags (dict) --
The tags that are associated with the framework.
(string) --
(string) --
{'controlMappingSources': {'sourceKeyword': {'keywordInputType': {'INPUT_TEXT', 'UPLOAD_FILE'}}}}Response
{'control': {'controlMappingSources': {'sourceKeyword': {'keywordInputType': {'INPUT_TEXT', 'UPLOAD_FILE'}}}}}
Updates a custom control in Audit Manager.
See also: AWS API Documentation
Request Syntax
client.update_control( controlId='string', name='string', description='string', testingInformation='string', actionPlanTitle='string', actionPlanInstructions='string', controlMappingSources=[ { 'sourceId': 'string', 'sourceName': 'string', 'sourceDescription': 'string', 'sourceSetUpOption': 'System_Controls_Mapping'|'Procedural_Controls_Mapping', 'sourceType': 'AWS_Cloudtrail'|'AWS_Config'|'AWS_Security_Hub'|'AWS_API_Call'|'MANUAL', 'sourceKeyword': { 'keywordInputType': 'SELECT_FROM_LIST'|'UPLOAD_FILE'|'INPUT_TEXT', 'keywordValue': 'string' }, 'sourceFrequency': 'DAILY'|'WEEKLY'|'MONTHLY', 'troubleshootingText': 'string' }, ] )
string
[REQUIRED]
The identifier for the control.
string
[REQUIRED]
The name of the updated control.
string
The optional description of the control.
string
The steps that you should follow to determine if the control is met.
string
The title of the action plan for remediating the control.
string
The recommended actions to carry out if the control isn't fulfilled.
list
[REQUIRED]
The data mapping sources for the control.
(dict) --
The data source that determines where Audit Manager collects evidence from for the control.
sourceId (string) --
The unique identifier for the source.
sourceName (string) --
The name of the source.
sourceDescription (string) --
The description of the source.
sourceSetUpOption (string) --
The setup option for the data source. This option reflects if the evidence collection is automated or manual.
sourceType (string) --
Specifies one of the five data source types for evidence collection.
sourceKeyword (dict) --
A keyword that relates to the control data source.
For manual evidence, this keyword indicates if the manual evidence is a file or text.
For automated evidence, this keyword identifies a specific CloudTrail event, Config rule, Security Hub control, or Amazon Web Services API name.
To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide :
keywordInputType (string) --
The input method for the keyword.
SELECT_FROM_LIST is used when mapping a data source for automated evidence.
When keywordInputType is SELECT_FROM_LIST , a keyword must be selected to collect automated evidence. For example, this keyword can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
UPLOAD_FILE and INPUT_TEXT are only used when mapping a data source for manual evidence.
When keywordInputType is UPLOAD_FILE , a file must be uploaded as manual evidence.
When keywordInputType is INPUT_TEXT , text must be entered as manual evidence.
keywordValue (string) --
The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
If you’re mapping a data source to a rule in Config, the keywordValue that you specify depends on the type of rule:
For managed rules , you can use the rule identifier as the keywordValue . You can find the rule identifier from the list of Config managed rules . For some rules, the rule identifier is different from the rule name. For example, the rule name restricted-ssh has the following rule identifier: INCOMING_SSH_DISABLED . Make sure to use the rule identifier, not the rule name. Keyword example for managed rules:
Managed rule name: s3-bucket-acl-prohibited keywordValue : S3_BUCKET_ACL_PROHIBITED
For custom rules , you form the keywordValue by adding the Custom_ prefix to the rule name. This prefix distinguishes the custom rule from a managed rule. Keyword example for custom rules:
Custom rule name: my-custom-config-rule keywordValue : Custom_my-custom-config-rule
For service-linked rules , you form the keywordValue by adding the Custom_ prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name. Keyword examples for service-linked rules:
Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w keywordValue : Custom_CustomRuleForAccount-conformance-pack
Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba keywordValue : Custom_OrgConfigRule-s3-bucket-versioning-enabled
Warning
The keywordValue is case sensitive. If you enter a value incorrectly, Audit Manager might not recognize the data source mapping. As a result, you might not successfully collect evidence from that data source as intended.
Keep in mind the following requirements, depending on the data source type that you're using.
For Config:
For managed rules, make sure that the keywordValue is the rule identifier in ALL_CAPS_WITH_UNDERSCORES . For example, CLOUDWATCH_LOG_GROUP_ENCRYPTED . For accuracy, we recommend that you reference the list of supported Config managed rules .
For custom rules, make sure that the keywordValue has the Custom_ prefix followed by the custom rule name. The format of the custom rule name itself may vary. For accuracy, we recommend that you visit the Config console to verify your custom rule name.
For Security Hub: The format varies for Security Hub control names. For accuracy, we recommend that you reference the list of supported Security Hub controls .
For Amazon Web Services API calls: Make sure that the keywordValue is written as serviceprefix_ActionName . For example, iam_ListGroups . For accuracy, we recommend that you reference the list of supported API calls .
For CloudTrail: Make sure that the keywordValue is written as serviceprefix_ActionName . For example, cloudtrail_StartLogging . For accuracy, we recommend that you review the Amazon Web Service prefix and action names in the Service Authorization Reference .
sourceFrequency (string) --
Specifies how often evidence is collected from the control mapping source.
troubleshootingText (string) --
The instructions for troubleshooting the control.
dict
Response Syntax
{ 'control': { 'arn': 'string', 'id': 'string', 'type': 'Standard'|'Custom', 'name': 'string', 'description': 'string', 'testingInformation': 'string', 'actionPlanTitle': 'string', 'actionPlanInstructions': 'string', 'controlSources': 'string', 'controlMappingSources': [ { 'sourceId': 'string', 'sourceName': 'string', 'sourceDescription': 'string', 'sourceSetUpOption': 'System_Controls_Mapping'|'Procedural_Controls_Mapping', 'sourceType': 'AWS_Cloudtrail'|'AWS_Config'|'AWS_Security_Hub'|'AWS_API_Call'|'MANUAL', 'sourceKeyword': { 'keywordInputType': 'SELECT_FROM_LIST'|'UPLOAD_FILE'|'INPUT_TEXT', 'keywordValue': 'string' }, 'sourceFrequency': 'DAILY'|'WEEKLY'|'MONTHLY', 'troubleshootingText': 'string' }, ], 'createdAt': datetime(2015, 1, 1), 'lastUpdatedAt': datetime(2015, 1, 1), 'createdBy': 'string', 'lastUpdatedBy': 'string', 'tags': { 'string': 'string' } } }
Response Structure
(dict) --
control (dict) --
The name of the updated control set that the UpdateControl API returned.
arn (string) --
The Amazon Resource Name (ARN) of the control.
id (string) --
The unique identifier for the control.
type (string) --
Specifies whether the control is a standard control or a custom control.
name (string) --
The name of the control.
description (string) --
The description of the control.
testingInformation (string) --
The steps that you should follow to determine if the control has been satisfied.
actionPlanTitle (string) --
The title of the action plan for remediating the control.
actionPlanInstructions (string) --
The recommended actions to carry out if the control isn't fulfilled.
controlSources (string) --
The data source types that determine where Audit Manager collects evidence from for the control.
controlMappingSources (list) --
The data mapping sources for the control.
(dict) --
The data source that determines where Audit Manager collects evidence from for the control.
sourceId (string) --
The unique identifier for the source.
sourceName (string) --
The name of the source.
sourceDescription (string) --
The description of the source.
sourceSetUpOption (string) --
The setup option for the data source. This option reflects if the evidence collection is automated or manual.
sourceType (string) --
Specifies one of the five data source types for evidence collection.
sourceKeyword (dict) --
A keyword that relates to the control data source.
For manual evidence, this keyword indicates if the manual evidence is a file or text.
For automated evidence, this keyword identifies a specific CloudTrail event, Config rule, Security Hub control, or Amazon Web Services API name.
To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide :
keywordInputType (string) --
The input method for the keyword.
SELECT_FROM_LIST is used when mapping a data source for automated evidence.
When keywordInputType is SELECT_FROM_LIST , a keyword must be selected to collect automated evidence. For example, this keyword can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
UPLOAD_FILE and INPUT_TEXT are only used when mapping a data source for manual evidence.
When keywordInputType is UPLOAD_FILE , a file must be uploaded as manual evidence.
When keywordInputType is INPUT_TEXT , text must be entered as manual evidence.
keywordValue (string) --
The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
If you’re mapping a data source to a rule in Config, the keywordValue that you specify depends on the type of rule:
For managed rules , you can use the rule identifier as the keywordValue . You can find the rule identifier from the list of Config managed rules . For some rules, the rule identifier is different from the rule name. For example, the rule name restricted-ssh has the following rule identifier: INCOMING_SSH_DISABLED . Make sure to use the rule identifier, not the rule name. Keyword example for managed rules:
Managed rule name: s3-bucket-acl-prohibited keywordValue : S3_BUCKET_ACL_PROHIBITED
For custom rules , you form the keywordValue by adding the Custom_ prefix to the rule name. This prefix distinguishes the custom rule from a managed rule. Keyword example for custom rules:
Custom rule name: my-custom-config-rule keywordValue : Custom_my-custom-config-rule
For service-linked rules , you form the keywordValue by adding the Custom_ prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name. Keyword examples for service-linked rules:
Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w keywordValue : Custom_CustomRuleForAccount-conformance-pack
Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba keywordValue : Custom_OrgConfigRule-s3-bucket-versioning-enabled
Warning
The keywordValue is case sensitive. If you enter a value incorrectly, Audit Manager might not recognize the data source mapping. As a result, you might not successfully collect evidence from that data source as intended.
Keep in mind the following requirements, depending on the data source type that you're using.
For Config:
For managed rules, make sure that the keywordValue is the rule identifier in ALL_CAPS_WITH_UNDERSCORES . For example, CLOUDWATCH_LOG_GROUP_ENCRYPTED . For accuracy, we recommend that you reference the list of supported Config managed rules .
For custom rules, make sure that the keywordValue has the Custom_ prefix followed by the custom rule name. The format of the custom rule name itself may vary. For accuracy, we recommend that you visit the Config console to verify your custom rule name.
For Security Hub: The format varies for Security Hub control names. For accuracy, we recommend that you reference the list of supported Security Hub controls .
For Amazon Web Services API calls: Make sure that the keywordValue is written as serviceprefix_ActionName . For example, iam_ListGroups . For accuracy, we recommend that you reference the list of supported API calls .
For CloudTrail: Make sure that the keywordValue is written as serviceprefix_ActionName . For example, cloudtrail_StartLogging . For accuracy, we recommend that you review the Amazon Web Service prefix and action names in the Service Authorization Reference .
sourceFrequency (string) --
Specifies how often evidence is collected from the control mapping source.
troubleshootingText (string) --
The instructions for troubleshooting the control.
createdAt (datetime) --
The time when the control was created.
lastUpdatedAt (datetime) --
The time when the control was most recently updated.
createdBy (string) --
The user or role that created the control.
lastUpdatedBy (string) --
The user or role that most recently updated the control.
tags (dict) --
The tags associated with the control.
(string) --
(string) --
{'defaultExportDestination': {'destination': 'string', 'destinationType': 'S3'}}Response
{'settings': {'defaultExportDestination': {'destination': 'string', 'destinationType': 'S3'}}}
Updates Audit Manager settings for the current account.
See also: AWS API Documentation
Request Syntax
client.update_settings( snsTopic='string', defaultAssessmentReportsDestination={ 'destinationType': 'S3', 'destination': 'string' }, defaultProcessOwners=[ { 'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER', 'roleArn': 'string' }, ], kmsKey='string', evidenceFinderEnabled=True|False, deregistrationPolicy={ 'deleteResources': 'ALL'|'DEFAULT' }, defaultExportDestination={ 'destinationType': 'S3', 'destination': 'string' } )
string
The Amazon Simple Notification Service (Amazon SNS) topic that Audit Manager sends notifications to.
dict
The default S3 destination bucket for storing assessment reports.
destinationType (string) --
The destination type, such as Amazon S3.
destination (string) --
The destination bucket where Audit Manager stores assessment reports.
list
A list of the default audit owners.
(dict) --
The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).
roleType (string) -- [REQUIRED]
The type of customer persona.
Note
In CreateAssessment , roleType can only be PROCESS_OWNER .
In UpdateSettings , roleType can only be PROCESS_OWNER .
In BatchCreateDelegationByAssessment , roleType can only be RESOURCE_OWNER .
roleArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the IAM role.
string
The KMS key details.
boolean
Specifies whether the evidence finder feature is enabled. Change this attribute to enable or disable evidence finder.
Warning
When you use this attribute to disable evidence finder, Audit Manager deletes the event data store that’s used to query your evidence data. As a result, you can’t re-enable evidence finder and use the feature again. Your only alternative is to deregister and then re-register Audit Manager.
dict
The deregistration policy for your Audit Manager data. You can use this attribute to determine how your data is handled when you deregister Audit Manager.
deleteResources (string) --
Specifies which Audit Manager data will be deleted when you deregister Audit Manager.
If you set the value to ALL , all of your data is deleted within seven days of deregistration.
If you set the value to DEFAULT , none of your data is deleted at the time of deregistration. However, keep in mind that the Audit Manager data retention policy still applies. As a result, any evidence data will be deleted two years after its creation date. Your other Audit Manager resources will continue to exist indefinitely.
dict
The default S3 destination bucket for storing evidence finder exports.
destinationType (string) --
The destination type, such as Amazon S3.
destination (string) --
The destination bucket where Audit Manager stores exported files.
dict
Response Syntax
{ 'settings': { 'isAwsOrgEnabled': True|False, 'snsTopic': 'string', 'defaultAssessmentReportsDestination': { 'destinationType': 'S3', 'destination': 'string' }, 'defaultProcessOwners': [ { 'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER', 'roleArn': 'string' }, ], 'kmsKey': 'string', 'evidenceFinderEnablement': { 'eventDataStoreArn': 'string', 'enablementStatus': 'ENABLED'|'DISABLED'|'ENABLE_IN_PROGRESS'|'DISABLE_IN_PROGRESS', 'backfillStatus': 'NOT_STARTED'|'IN_PROGRESS'|'COMPLETED', 'error': 'string' }, 'deregistrationPolicy': { 'deleteResources': 'ALL'|'DEFAULT' }, 'defaultExportDestination': { 'destinationType': 'S3', 'destination': 'string' } } }
Response Structure
(dict) --
settings (dict) --
The current list of settings.
isAwsOrgEnabled (boolean) --
Specifies whether Organizations is enabled.
snsTopic (string) --
The designated Amazon Simple Notification Service (Amazon SNS) topic.
defaultAssessmentReportsDestination (dict) --
The default S3 destination bucket for storing assessment reports.
destinationType (string) --
The destination type, such as Amazon S3.
destination (string) --
The destination bucket where Audit Manager stores assessment reports.
defaultProcessOwners (list) --
The designated default audit owners.
(dict) --
The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).
roleType (string) --
The type of customer persona.
Note
In CreateAssessment , roleType can only be PROCESS_OWNER .
In UpdateSettings , roleType can only be PROCESS_OWNER .
In BatchCreateDelegationByAssessment , roleType can only be RESOURCE_OWNER .
roleArn (string) --
The Amazon Resource Name (ARN) of the IAM role.
kmsKey (string) --
The KMS key details.
evidenceFinderEnablement (dict) --
The current evidence finder status and event data store details.
eventDataStoreArn (string) --
The Amazon Resource Name (ARN) of the CloudTrail Lake event data store that’s used by evidence finder. The event data store is the lake of evidence data that evidence finder runs queries against.
enablementStatus (string) --
The current status of the evidence finder feature and the related event data store.
ENABLE_IN_PROGRESS means that you requested to enable evidence finder. An event data store is currently being created to support evidence finder queries.
ENABLED means that an event data store was successfully created and evidence finder is enabled. We recommend that you wait 7 days until the event data store is backfilled with your past two years’ worth of evidence data. You can use evidence finder in the meantime, but not all data might be available until the backfill is complete.
DISABLE_IN_PROGRESS means that you requested to disable evidence finder, and your request is pending the deletion of the event data store.
DISABLED means that you have permanently disabled evidence finder and the event data store has been deleted. You can't re-enable evidence finder after this point.
backfillStatus (string) --
The current status of the evidence data backfill process.
The backfill starts after you enable evidence finder. During this task, Audit Manager populates an event data store with your past two years’ worth of evidence data so that your evidence can be queried.
NOT_STARTED means that the backfill hasn’t started yet.
IN_PROGRESS means that the backfill is in progress. This can take up to 7 days to complete, depending on the amount of evidence data.
COMPLETED means that the backfill is complete. All of your past evidence is now queryable.
error (string) --
Represents any errors that occurred when enabling or disabling evidence finder.
deregistrationPolicy (dict) --
The deregistration policy for your Audit Manager data. You can use this attribute to determine how your data is handled when you deregister Audit Manager.
deleteResources (string) --
Specifies which Audit Manager data will be deleted when you deregister Audit Manager.
If you set the value to ALL , all of your data is deleted within seven days of deregistration.
If you set the value to DEFAULT , none of your data is deleted at the time of deregistration. However, keep in mind that the Audit Manager data retention policy still applies. As a result, any evidence data will be deleted two years after its creation date. Your other Audit Manager resources will continue to exist indefinitely.
defaultExportDestination (dict) --
The default S3 destination bucket for storing evidence finder exports.
destinationType (string) --
The destination type, such as Amazon S3.
destination (string) --
The destination bucket where Audit Manager stores exported files.