2022/11/18 - AWS Audit Manager - 5 updated api methods
Changes This release introduces a new feature for Audit Manager: Evidence finder. You can now use evidence finder to quickly query your evidence, and add the matching evidence results to an assessment report.
{'queryStatement': 'string'}
Creates an assessment report for the specified assessment.
See also: AWS API Documentation
Request Syntax
client.create_assessment_report( name='string', description='string', assessmentId='string', queryStatement='string' )
string
[REQUIRED]
The name of the new assessment report.
string
The description of the assessment report.
string
[REQUIRED]
The identifier for the assessment.
string
A SQL statement that represents an evidence finder query.
Provide this parameter when you want to generate an assessment report from the results of an evidence finder search query. When you use this parameter, Audit Manager generates a one-time report using only the evidence from the query output. This report does not include any assessment evidence that was manually added to a report using the console , or associated with a report using the API .
To use this parameter, the enablementStatus of evidence finder must be ENABLED .
For examples and help resolving queryStatement validation exceptions, see Troubleshooting evidence finder issues in the AWS Audit Manager User Guide.
dict
Response Syntax
{ 'assessmentReport': { 'id': 'string', 'name': 'string', 'description': 'string', 'awsAccountId': 'string', 'assessmentId': 'string', 'assessmentName': 'string', 'author': 'string', 'status': 'COMPLETE'|'IN_PROGRESS'|'FAILED', 'creationTime': datetime(2015, 1, 1) } }
Response Structure
(dict) --
assessmentReport (dict) --
The new assessment report that the CreateAssessmentReport API returned.
id (string) --
The unique identifier for the assessment report.
name (string) --
The name that's given to the assessment report.
description (string) --
The description of the specified assessment report.
awsAccountId (string) --
The identifier for the specified Amazon Web Services account.
assessmentId (string) --
The identifier for the specified assessment.
assessmentName (string) --
The name of the associated assessment.
author (string) --
The name of the user who created the assessment report.
status (string) --
The current status of the specified assessment report.
creationTime (datetime) --
Specifies when the assessment report was created.
{'evidence': {'resourcesIncluded': {'complianceCheck': 'string'}}}
Returns evidence from Audit Manager.
See also: AWS API Documentation
Request Syntax
client.get_evidence( assessmentId='string', controlSetId='string', evidenceFolderId='string', evidenceId='string' )
string
[REQUIRED]
The unique identifier for the assessment.
string
[REQUIRED]
The unique identifier for the control set.
string
[REQUIRED]
The unique identifier for the folder that the evidence is stored in.
string
[REQUIRED]
The unique identifier for the evidence.
dict
Response Syntax
{ 'evidence': { 'dataSource': 'string', 'evidenceAwsAccountId': 'string', 'time': datetime(2015, 1, 1), 'eventSource': 'string', 'eventName': 'string', 'evidenceByType': 'string', 'resourcesIncluded': [ { 'arn': 'string', 'value': 'string', 'complianceCheck': 'string' }, ], 'attributes': { 'string': 'string' }, 'iamId': 'string', 'complianceCheck': 'string', 'awsOrganization': 'string', 'awsAccountId': 'string', 'evidenceFolderId': 'string', 'id': 'string', 'assessmentReportSelection': 'string' } }
Response Structure
(dict) --
evidence (dict) --
The evidence that the GetEvidenceResponse API returned.
dataSource (string) --
The data source where the evidence was collected from.
evidenceAwsAccountId (string) --
The identifier for the Amazon Web Services account.
time (datetime) --
The timestamp that represents when the evidence was collected.
eventSource (string) --
The Amazon Web Service that the evidence is collected from.
eventName (string) --
The name of the evidence event.
evidenceByType (string) --
The type of automated evidence.
resourcesIncluded (list) --
The list of resources that are assessed to generate the evidence.
(dict) --
A system asset that's evaluated in an Audit Manager assessment.
arn (string) --
The Amazon Resource Name (ARN) for the resource.
value (string) --
The value of the resource.
complianceCheck (string) --
The evaluation status for a resource that was assessed when collecting compliance check evidence.
Audit Manager classes the resource as non-compliant if Security Hub reports a Fail result, or if Config reports a Non-compliant result.
Audit Manager classes the resource as compliant if Security Hub reports a Pass result, or if Config reports a Compliant result.
If a compliance check isn't available or applicable, then no compliance evaluation can be made for that resource. This is the case if a resource assessment uses Config or Security Hub as the underlying data source type, but those services aren't enabled. This is also the case if the resource assessment uses an underlying data source type that doesn't support compliance checks (such as manual evidence, Amazon Web Services API calls, or CloudTrail).
attributes (dict) --
The names and values that are used by the evidence event. This includes an attribute name (such as allowUsersToChangePassword ) and value (such as true or false ).
(string) --
(string) --
iamId (string) --
The unique identifier for the IAM user or role that's associated with the evidence.
complianceCheck (string) --
The evaluation status for automated evidence that falls under the compliance check category.
Audit Manager classes evidence as non-compliant if Security Hub reports a Fail result, or if Config reports a Non-compliant result.
Audit Manager classes evidence as compliant if Security Hub reports a Pass result, or if Config reports a Compliant result.
If a compliance check isn't available or applicable, then no compliance evaluation can be made for that evidence. This is the case if the evidence uses Config or Security Hub as the underlying data source type, but those services aren't enabled. This is also the case if the evidence uses an underlying data source type that doesn't support compliance checks (such as manual evidence, Amazon Web Services API calls, or CloudTrail).
awsOrganization (string) --
The Amazon Web Services account that the evidence is collected from, and its organization path.
awsAccountId (string) --
The identifier for the Amazon Web Services account.
evidenceFolderId (string) --
The identifier for the folder that the evidence is stored in.
id (string) --
The identifier for the evidence.
assessmentReportSelection (string) --
Specifies whether the evidence is included in the assessment report.
{'evidence': {'resourcesIncluded': {'complianceCheck': 'string'}}}
Returns all evidence from a specified evidence folder in Audit Manager.
See also: AWS API Documentation
Request Syntax
client.get_evidence_by_evidence_folder( assessmentId='string', controlSetId='string', evidenceFolderId='string', nextToken='string', maxResults=123 )
string
[REQUIRED]
The identifier for the assessment.
string
[REQUIRED]
The identifier for the control set.
string
[REQUIRED]
The unique identifier for the folder that the evidence is stored in.
string
The pagination token that's used to fetch the next set of results.
integer
Represents the maximum number of results on a page or for an API request call.
dict
Response Syntax
{ 'evidence': [ { 'dataSource': 'string', 'evidenceAwsAccountId': 'string', 'time': datetime(2015, 1, 1), 'eventSource': 'string', 'eventName': 'string', 'evidenceByType': 'string', 'resourcesIncluded': [ { 'arn': 'string', 'value': 'string', 'complianceCheck': 'string' }, ], 'attributes': { 'string': 'string' }, 'iamId': 'string', 'complianceCheck': 'string', 'awsOrganization': 'string', 'awsAccountId': 'string', 'evidenceFolderId': 'string', 'id': 'string', 'assessmentReportSelection': 'string' }, ], 'nextToken': 'string' }
Response Structure
(dict) --
evidence (list) --
The list of evidence that the GetEvidenceByEvidenceFolder API returned.
(dict) --
A record that contains the information needed to demonstrate compliance with the requirements specified by a control. Examples of evidence include change activity triggered by a user, or a system configuration snapshot.
dataSource (string) --
The data source where the evidence was collected from.
evidenceAwsAccountId (string) --
The identifier for the Amazon Web Services account.
time (datetime) --
The timestamp that represents when the evidence was collected.
eventSource (string) --
The Amazon Web Service that the evidence is collected from.
eventName (string) --
The name of the evidence event.
evidenceByType (string) --
The type of automated evidence.
resourcesIncluded (list) --
The list of resources that are assessed to generate the evidence.
(dict) --
A system asset that's evaluated in an Audit Manager assessment.
arn (string) --
The Amazon Resource Name (ARN) for the resource.
value (string) --
The value of the resource.
complianceCheck (string) --
The evaluation status for a resource that was assessed when collecting compliance check evidence.
Audit Manager classes the resource as non-compliant if Security Hub reports a Fail result, or if Config reports a Non-compliant result.
Audit Manager classes the resource as compliant if Security Hub reports a Pass result, or if Config reports a Compliant result.
If a compliance check isn't available or applicable, then no compliance evaluation can be made for that resource. This is the case if a resource assessment uses Config or Security Hub as the underlying data source type, but those services aren't enabled. This is also the case if the resource assessment uses an underlying data source type that doesn't support compliance checks (such as manual evidence, Amazon Web Services API calls, or CloudTrail).
attributes (dict) --
The names and values that are used by the evidence event. This includes an attribute name (such as allowUsersToChangePassword ) and value (such as true or false ).
(string) --
(string) --
iamId (string) --
The unique identifier for the IAM user or role that's associated with the evidence.
complianceCheck (string) --
The evaluation status for automated evidence that falls under the compliance check category.
Audit Manager classes evidence as non-compliant if Security Hub reports a Fail result, or if Config reports a Non-compliant result.
Audit Manager classes evidence as compliant if Security Hub reports a Pass result, or if Config reports a Compliant result.
If a compliance check isn't available or applicable, then no compliance evaluation can be made for that evidence. This is the case if the evidence uses Config or Security Hub as the underlying data source type, but those services aren't enabled. This is also the case if the evidence uses an underlying data source type that doesn't support compliance checks (such as manual evidence, Amazon Web Services API calls, or CloudTrail).
awsOrganization (string) --
The Amazon Web Services account that the evidence is collected from, and its organization path.
awsAccountId (string) --
The identifier for the Amazon Web Services account.
evidenceFolderId (string) --
The identifier for the folder that the evidence is stored in.
id (string) --
The identifier for the evidence.
assessmentReportSelection (string) --
Specifies whether the evidence is included in the assessment report.
nextToken (string) --
The pagination token that's used to fetch the next set of results.
{'attribute': {'EVIDENCE_FINDER_ENABLEMENT'}}Response
{'settings': {'evidenceFinderEnablement': {'backfillStatus': 'NOT_STARTED | ' 'IN_PROGRESS | ' 'COMPLETED', 'enablementStatus': 'ENABLED | ' 'DISABLED | ' 'ENABLE_IN_PROGRESS ' '| ' 'DISABLE_IN_PROGRESS', 'error': 'string', 'eventDataStoreArn': 'string'}}}
Returns the settings for the specified Amazon Web Services account.
See also: AWS API Documentation
Request Syntax
client.get_settings( attribute='ALL'|'IS_AWS_ORG_ENABLED'|'SNS_TOPIC'|'DEFAULT_ASSESSMENT_REPORTS_DESTINATION'|'DEFAULT_PROCESS_OWNERS'|'EVIDENCE_FINDER_ENABLEMENT' )
string
[REQUIRED]
The list of SettingAttribute enum values.
dict
Response Syntax
{ 'settings': { 'isAwsOrgEnabled': True|False, 'snsTopic': 'string', 'defaultAssessmentReportsDestination': { 'destinationType': 'S3', 'destination': 'string' }, 'defaultProcessOwners': [ { 'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER', 'roleArn': 'string' }, ], 'kmsKey': 'string', 'evidenceFinderEnablement': { 'eventDataStoreArn': 'string', 'enablementStatus': 'ENABLED'|'DISABLED'|'ENABLE_IN_PROGRESS'|'DISABLE_IN_PROGRESS', 'backfillStatus': 'NOT_STARTED'|'IN_PROGRESS'|'COMPLETED', 'error': 'string' } } }
Response Structure
(dict) --
settings (dict) --
The settings object that holds all supported Audit Manager settings.
isAwsOrgEnabled (boolean) --
Specifies whether Organizations is enabled.
snsTopic (string) --
The designated Amazon Simple Notification Service (Amazon SNS) topic.
defaultAssessmentReportsDestination (dict) --
The default storage destination for assessment reports.
destinationType (string) --
The destination type, such as Amazon S3.
destination (string) --
The destination of the assessment report.
defaultProcessOwners (list) --
The designated default audit owners.
(dict) --
The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).
roleType (string) --
The type of customer persona.
Note
In CreateAssessment , roleType can only be PROCESS_OWNER .
In UpdateSettings , roleType can only be PROCESS_OWNER .
In BatchCreateDelegationByAssessment , roleType can only be RESOURCE_OWNER .
roleArn (string) --
The Amazon Resource Name (ARN) of the IAM role.
kmsKey (string) --
The KMS key details.
evidenceFinderEnablement (dict) --
The current evidence finder status and event data store details.
eventDataStoreArn (string) --
The Amazon Resource Name (ARN) of the CloudTrail Lake event data store that’s used by evidence finder. The event data store is the lake of evidence data that evidence finder runs queries against.
enablementStatus (string) --
The current status of the evidence finder feature and the related event data store.
ENABLE_IN_PROGRESS means that you requested to enable evidence finder. An event data store is currently being created to support evidence finder queries.
ENABLED means that an event data store was successfully created and evidence finder is enabled. We recommend that you wait 24 hours until the event data store is backfilled with your past evidence data. You can use evidence finder in the meantime, but not all data might be available until the backfill is complete.
DISABLE_IN_PROGRESS means that you requested to disable evidence finder, and your request is pending the deletion of the event data store.
DISABLED means that you have permanently disabled evidence finder and the event data store has been deleted. You can't re-enable evidence finder after this point.
backfillStatus (string) --
The current status of the evidence data backfill process.
The backfill starts after you enable evidence finder. During this task, Audit Manager populates an event data store with your past evidence data so that your evidence can be queried.
NOT_STARTED means that the backfill hasn’t started yet.
IN_PROGRESS means that the backfill is in progress. This can take up to 24 hours to complete, depending on the amount of evidence data.
COMPLETED means that the backfill is complete. All of your past evidence is now queryable.
error (string) --
Represents any errors that occurred when enabling or disabling evidence finder.
{'evidenceFinderEnabled': 'boolean'}Response
{'settings': {'evidenceFinderEnablement': {'backfillStatus': 'NOT_STARTED | ' 'IN_PROGRESS | ' 'COMPLETED', 'enablementStatus': 'ENABLED | ' 'DISABLED | ' 'ENABLE_IN_PROGRESS ' '| ' 'DISABLE_IN_PROGRESS', 'error': 'string', 'eventDataStoreArn': 'string'}}}
Updates Audit Manager settings for the current user account.
See also: AWS API Documentation
Request Syntax
client.update_settings( snsTopic='string', defaultAssessmentReportsDestination={ 'destinationType': 'S3', 'destination': 'string' }, defaultProcessOwners=[ { 'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER', 'roleArn': 'string' }, ], kmsKey='string', evidenceFinderEnabled=True|False )
string
The Amazon Simple Notification Service (Amazon SNS) topic that Audit Manager sends notifications to.
dict
The default storage destination for assessment reports.
destinationType (string) --
The destination type, such as Amazon S3.
destination (string) --
The destination of the assessment report.
list
A list of the default audit owners.
(dict) --
The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).
roleType (string) -- [REQUIRED]
The type of customer persona.
Note
In CreateAssessment , roleType can only be PROCESS_OWNER .
In UpdateSettings , roleType can only be PROCESS_OWNER .
In BatchCreateDelegationByAssessment , roleType can only be RESOURCE_OWNER .
roleArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the IAM role.
string
The KMS key details.
boolean
Specifies whether the evidence finder feature is enabled. Change this attribute to enable or disable evidence finder.
Warning
When you use this attribute to disable evidence finder, Audit Manager deletes the event data store that’s used to query your evidence data. As a result, you can’t re-enable evidence finder and use the feature again. Your only alternative is to deregister and then re-register Audit Manager.
Disabling evidence finder is permanent, so consider this decision carefully before you proceed. If you’re using Audit Manager as a delegated administrator, keep in mind that this action applies to all member accounts in your organization.
dict
Response Syntax
{ 'settings': { 'isAwsOrgEnabled': True|False, 'snsTopic': 'string', 'defaultAssessmentReportsDestination': { 'destinationType': 'S3', 'destination': 'string' }, 'defaultProcessOwners': [ { 'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER', 'roleArn': 'string' }, ], 'kmsKey': 'string', 'evidenceFinderEnablement': { 'eventDataStoreArn': 'string', 'enablementStatus': 'ENABLED'|'DISABLED'|'ENABLE_IN_PROGRESS'|'DISABLE_IN_PROGRESS', 'backfillStatus': 'NOT_STARTED'|'IN_PROGRESS'|'COMPLETED', 'error': 'string' } } }
Response Structure
(dict) --
settings (dict) --
The current list of settings.
isAwsOrgEnabled (boolean) --
Specifies whether Organizations is enabled.
snsTopic (string) --
The designated Amazon Simple Notification Service (Amazon SNS) topic.
defaultAssessmentReportsDestination (dict) --
The default storage destination for assessment reports.
destinationType (string) --
The destination type, such as Amazon S3.
destination (string) --
The destination of the assessment report.
defaultProcessOwners (list) --
The designated default audit owners.
(dict) --
The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).
roleType (string) --
The type of customer persona.
Note
In CreateAssessment , roleType can only be PROCESS_OWNER .
In UpdateSettings , roleType can only be PROCESS_OWNER .
In BatchCreateDelegationByAssessment , roleType can only be RESOURCE_OWNER .
roleArn (string) --
The Amazon Resource Name (ARN) of the IAM role.
kmsKey (string) --
The KMS key details.
evidenceFinderEnablement (dict) --
The current evidence finder status and event data store details.
eventDataStoreArn (string) --
The Amazon Resource Name (ARN) of the CloudTrail Lake event data store that’s used by evidence finder. The event data store is the lake of evidence data that evidence finder runs queries against.
enablementStatus (string) --
The current status of the evidence finder feature and the related event data store.
ENABLE_IN_PROGRESS means that you requested to enable evidence finder. An event data store is currently being created to support evidence finder queries.
ENABLED means that an event data store was successfully created and evidence finder is enabled. We recommend that you wait 24 hours until the event data store is backfilled with your past evidence data. You can use evidence finder in the meantime, but not all data might be available until the backfill is complete.
DISABLE_IN_PROGRESS means that you requested to disable evidence finder, and your request is pending the deletion of the event data store.
DISABLED means that you have permanently disabled evidence finder and the event data store has been deleted. You can't re-enable evidence finder after this point.
backfillStatus (string) --
The current status of the evidence data backfill process.
The backfill starts after you enable evidence finder. During this task, Audit Manager populates an event data store with your past evidence data so that your evidence can be queried.
NOT_STARTED means that the backfill hasn’t started yet.
IN_PROGRESS means that the backfill is in progress. This can take up to 24 hours to complete, depending on the amount of evidence data.
COMPLETED means that the backfill is complete. All of your past evidence is now queryable.
error (string) --
Represents any errors that occurred when enabling or disabling evidence finder.