How Does AWS Audit Manager Streamline Cloud Security Audits?

by Hannah Grace Holladay / October 10th, 2022

Audits are essential for businesses that need to demonstrate compliance with regulatory frameworks and standards, but they are often time-consuming and disruptive. Businesses must ensure relevant controls are implemented and gather evidence to demonstrate implementation to auditors. Evidence gathering is among the most time-consuming and error-prone aspects of auditing, but it is, fortunately, an aspect that can be automated to some degree. 

AWS Audit Manager is an evidence collection automation tool for the Amazon Web Services cloud platform. In this article, we’ll explore how AWS Audit Manager can streamline your audit process. We’ll also consider what it can’t do and why you should consider using a CPA-backed audit management solution like the KirkpatrickPrice Online Audit Manager.

What is an Audit Manager?

Audit management aims to organize, simplify, and streamline the auditing process. Traditionally, an audit manager was a professional who facilitated audits within a company. Today, the term is increasingly used for software services that perform some of the same roles.

Audit manager software helps businesses to gather and organize audit evidence. It also tracks the evidence-gathering process so stakeholders can monitor progress and prioritize audit-related work. The software is typically aware of the processes and procedures a business must implement to comply with various regulatory requirements and therefore provides a framework that guides evidence gathering. 

Once the evidence has been gathered, it can then be supplied to the CPA firm carrying out the audit. It is worth noting that CPA-operated audit managers like the KirkpatrickPrice Online Audit Manager allow auditees to communicate directly with their auditor. They can ask the auditor questions and receive advice and guidance. The auditor can review materials as they are gathered. A platform-specific audit management tool like AWS Audit Manager lacks this facility. However, it can be useful as one platform-specific stage of an end-to-end evidence-gathering process.

How Does AWS Audit Manager Streamline Compliance Audits?

AWS Audit Manager is a cloud service that automates the collection of compliance evidence. The business informs Audit Manager of the relevant controls, where a control is a “rule” from a regulatory framework or standard. Audit Manager pulls relevant data from other AWS services, including AWS Security Hub, AWS Config, and AWS CloudTrail. That data is used as evidence of the control’s implementation and is converted to an auditor-friendly format.

Continuous Compliance

Continuous compliance is one of the most significant advantages of automated evidence gathering. When evidence gathering is manual, it tends to be carried out periodically. Evidence is gathered for “the big audit,” and because that’s an expensive process, it isn’t repeated until the next audit period rolls around. 

Automated evidence gathering helps businesses to maintain continuous compliance. Evidence gathering takes much less effort, so keeping audit evidence up-to-date makes sense. Because the evidence is always fresh, it’s possible to maintain continuous compliance, and there’s much less evidence-gathering overhead when a new audit is required.

Automatic Evidence Collection

After initial configuration, which we’ll discuss in the next section, AWS Audit Manager is almost entirely automated. It supports several automated data sources with varying data collection frequencies:

  • AWS CloudTrail is used to track user activity. Data is collected continuously.
  • AWS Config provides snapshots of resource security. Data is collected when triggered by an AWS Config rule.
  • AWS Security Hub provides snapshots from security checks. Data is collected per Security Hub check schedules. 
  • AWS API calls collect resource configuration data snapshots from AWS resources daily, weekly, or monthly.
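
An added example, not code from AWS or from this article: a freshness check over exported evidence records that flags controls whose newest evidence is older than its source's collection cadence or whose latest compliance check failed. The record layout, the `control` key, the source labels and the age limits are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Oldest acceptable evidence per data source. These limits are assumptions:
# set them to the frequencies configured for your own assessment.
MAX_AGE = {
    "AWS CloudTrail": timedelta(days=1),    # collected continuously
    "AWS Security Hub": timedelta(days=1),  # assumed daily check schedule
    "AWS API calls": timedelta(days=7),     # assumed weekly snapshots
    "AWS Config": None,                     # rule-triggered, no fixed cadence
}
FAILING = {"FAILED", "NON_COMPLIANT"}

def review(evidence, now):
    """Map each control to findings based on its newest evidence per source."""
    latest = {}
    for rec in evidence:
        key = (rec["control"], rec["dataSource"])
        if key not in latest or rec["time"] > latest[key]["time"]:
            latest[key] = rec
    findings = {}
    for (control, source), rec in sorted(latest.items()):
        issues = findings.setdefault(control, [])
        limit = MAX_AGE.get(source)
        if limit is not None and now - rec["time"] > limit:
            issues.append(f"stale:{source}")
        if rec["complianceCheck"] in FAILING:
            issues.append(f"failing:{source}")
    return findings

# Constructed sample records (not real Audit Manager output).
NOW = datetime(2022, 10, 10, tzinfo=timezone.utc)

def _rec(control, source, days_old, check=None):
    return {"control": control, "dataSource": source,
            "time": NOW - timedelta(days=days_old), "complianceCheck": check}

SAMPLE = [
    _rec("Access logging", "AWS CloudTrail", 0),
    _rec("Encryption at rest", "AWS Config", 40, "COMPLIANT"),
    _rec("Encryption at rest", "AWS API calls", 12),
    _rec("Root account MFA", "AWS Security Hub", 3, "PASSED"),
    _rec("Root account MFA", "AWS Security Hub", 0, "FAILED"),
]

if __name__ == "__main__":
    for control, issues in review(SAMPLE, NOW).items():
        print(control, issues or "ok")
```

Only the newest record per control and source is judged, so the older `PASSED` result does not mask the current `FAILED` one.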

Simplified Audit Workflows

Evidence gathering can be complex and challenging to manage. It’s easy to make mistakes that extend the length and increase the cost of audits. Automatic data collection lifts a significant burden from auditees. The software completes most of the evidence gathering without human intervention, which is possible because AWS Audit Manager is deeply integrated into the AWS platform. 

The tradeoff is that it can only gather evidence from AWS, and you must find another solution for on-premises infrastructure or resources hosted on other cloud platforms. That’s where a platform-agnostic audit management solution like the KirkpatrickPrice Online Audit Manager shines: it can be used to gather and manage evidence from all of your business’s infrastructure, including the evidence generated by AWS Audit Manager.

Audit Evidence Access Controls

Audit evidence is confidential, and access must be controlled and managed. As you might expect, AWS Audit Manager works with AWS Identity and Access Management (IAM), a solution businesses with AWS-based infrastructure use already. Audit Manager can segregate individual assessments to ensure they are accessed only by authorized individuals and groups. 

AWS Audit Manager Frameworks Explained

Thus far, we’ve said little about how users select which evidence is to be gathered. That’s the role of Audit Manager frameworks. Frameworks structure and automate assessments, the Audit Manager function that gathers evidence relevant to an audit. 

Each framework provides groups of audit controls and mappings to AWS resources and data. These mappings are particularly useful: without them, it requires considerable expertise to link the controls in regulatory standards to resources and configurations on real-world infrastructure platforms.

AWS provides pre-built frameworks for a range of compliance standards, including:

  • ISO/IEC 27001:2013 Annex A
  • PCI DSS V3.2.1
  • SOC 2
  • CIS Benchmark for CIS Amazon Web Services Foundations Benchmark
  • General Data Protection Regulation (GDPR)
  • FedRAMP Moderate Baseline
  • Health Insurance Portability and Accountability Act (HIPAA)

In addition to pre-built frameworks, users can build custom frameworks. These allow businesses to deploy AWS Audit Manager assessments for which no pre-built option exists. They can also create assessments and gather evidence to meet other business needs, including internal audits. 

The Limitations of Audit Managers and Audit Automation

AWS Audit Manager is a valuable tool for businesses with AWS-hosted infrastructure and services. It performs well within the limited scope of its capabilities. But it is not a complete audit automation solution. Most importantly, no audit automation tool can complete an audit, assess compliance, and deliver a reputable audit report. For many regulatory standards, only a licensed CPA firm with information security expertise can do so. Amazon’s documentation makes this clear: 

“AWS Audit Manager assists in collecting evidence that’s relevant for verifying compliance with specific compliance standards and regulations. However, it doesn’t assess your compliance itself.”

Other limitations include:

  • Evidence-gathering is limited to AWS and the data sources the platform supports.
  • A lack of direct contact with auditors.
  • Limited project management capabilities.

AWS Audit Manager can be used in conjunction with a CPA-supported audit management tool that helps users to overcome these limitations. KirkpatrickPrice’s Online Audit Manager is used to gather evidence and streamline audits for many infrastructure platforms. In addition to being an evidence-gathering tool, it is also a powerful communication, accountability, and project management platform that provides direct access to your auditor. Contact a senior audit specialist to learn more.