AWS Audit Evidence for Compliance Purposes
AWS Compliance Audit Evidence Collection
Overview
Compliance evidence refers to proof of control implementation and effectiveness—logs, configurations, reports, or monitoring records that demonstrate adherence to frameworks such as SOC 2, ISO 27001, HIPAA, or PCI DSS.
AWS supports two main categories of evidence:
- AWS-Managed Evidence (for AWS’s own controls)
- Customer-Managed Evidence (for your account and workloads)
1. AWS-Managed Evidence (AWS’s Shared Responsibility)
AWS provides attestation reports and certifications proving that AWS infrastructure and services meet global standards.
Where to Access:
- AWS Artifact – the centralized audit and compliance portal in the AWS Management Console.
Evidence Available in AWS Artifact:
| Type | Description |
|---|---|
| SOC Reports | SOC 1, SOC 2, SOC 3 reports (security, availability, confidentiality) |
| ISO Certifications | ISO 27001, 27017, 27018 certificates |
| PCI Attestations | PCI DSS Attestation of Compliance (AoC) |
| Other Reports | FedRAMP, HIPAA BAA, CSA STAR reports |
Purpose: Auditors can download these to verify that AWS’s underlying infrastructure is compliant.
2. Customer-Managed Evidence (Your Shared Responsibility)
You are responsible for collecting evidence for your AWS account, configurations, and applications.
Common AWS Sources of Customer Evidence
| AWS Service | Type of Evidence | Description |
|---|---|---|
| AWS Config | Configuration Snapshots, Compliance Reports | Tracks resource configurations and evaluates compliance against rules (CIS, PCI, custom). |
| AWS CloudTrail | API Activity Logs | Records all API activity for audit trails—key evidence of administrative actions. |
| AWS Security Hub | Compliance Scorecards | Aggregates findings from GuardDuty, Inspector, and Config mapped to standards like CIS, PCI DSS, and NIST. |
| AWS Audit Manager | Automated Evidence Collection | Continuously collects evidence (e.g., IAM password policy, encryption status) and maps it to compliance controls. |
| Amazon CloudWatch / Logs | Operational Evidence | System logs, alarms, and metrics for monitoring and uptime compliance. |
| AWS Backup / S3 / Glacier | Evidence Retention | Used to store compliance artifacts (reports, screenshots, or manual evidence). |
3. AWS Audit Manager – Automated Evidence Collection
AWS Audit Manager is purpose-built for audit preparation. It automates evidence collection and maps data to compliance frameworks.
How It Works
- Select a framework (e.g., CIS AWS Foundations, ISO 27001, PCI DSS, HIPAA).
- Audit Manager automatically collects evidence from multiple AWS services (CloudTrail, Config, IAM, Security Hub).
- Evidence is stored in Audit Manager’s evidence repository with metadata (timestamp, control mapping, source).
Examples of Automatically Collected Evidence
| Control | Evidence Collected | Source |
|---|---|---|
| Root account has MFA enabled | IAM configuration snapshot | IAM API |
| S3 buckets are not publicly accessible | S3 bucket policies | AWS Config |
| CloudTrail is enabled in all regions | CloudTrail API data | CloudTrail |
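The three controls in the table above can be expressed as small checks that turn an API snapshot into an evidence record carrying the metadata Audit Manager attaches (timestamp, control mapping, source). The following is an added example, not Audit Manager's or AWS's code; the snapshot dictionaries are constructed to resemble the shape of the IAM, S3 and CloudTrail API responses, and in a real collector they would be filled from boto3 calls (an assumption, not shown here).

```python
"""Evaluate the three example controls against constructed API snapshots.

Added example, not AWS Audit Manager's own code. The dictionaries below are
constructed to mirror the shape (not the content) of IAM GetAccountSummary,
S3 GetBucketPolicyStatus and CloudTrail DescribeTrails/GetTrailStatus
responses; feeding them from boto3 is assumed and not shown.
"""
from datetime import datetime, timezone

# --- Constructed sample snapshots (not real account data) -------------------
IAM_ACCOUNT_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 1}}   # 1 = root MFA on

S3_BUCKETS = {
    "finance-reports": {"PolicyStatus": {"IsPublic": False}},
    "marketing-assets": {"PolicyStatus": {"IsPublic": True}},   # constructed failing case
}

# IsLogging is merged in from GetTrailStatus (assumed collector behaviour)
CLOUDTRAIL_TRAILS = {
    "trailList": [{"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": True}]
}


def evidence_record(control, compliant, source, detail):
    """One evidence item with the metadata an auditor expects alongside the result."""
    return {
        "control": control,
        "status": "COMPLIANT" if compliant else "NON_COMPLIANT",
        "source": source,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "detail": detail,
    }


def check_root_mfa(summary):
    """Root account has MFA enabled (IAM account summary flag)."""
    flag = summary["SummaryMap"].get("AccountMFAEnabled", 0)
    return evidence_record("Root account has MFA enabled", flag == 1,
                           "IAM API", {"AccountMFAEnabled": flag})


def check_s3_not_public(buckets):
    """No bucket reports a public policy status; list offenders in the detail."""
    public = sorted(name for name, b in buckets.items()
                    if b["PolicyStatus"].get("IsPublic", False))
    return evidence_record("S3 buckets are not publicly accessible", not public,
                           "AWS Config", {"public_buckets": public})


def check_cloudtrail_all_regions(trails):
    """At least one multi-region trail exists and is actively logging."""
    active = [t["Name"] for t in trails["trailList"]
              if t.get("IsMultiRegionTrail") and t.get("IsLogging")]
    return evidence_record("CloudTrail is enabled in all regions", bool(active),
                           "CloudTrail", {"multi_region_trails_logging": active})


def collect_evidence(summary=IAM_ACCOUNT_SUMMARY, buckets=S3_BUCKETS,
                     trails=CLOUDTRAIL_TRAILS):
    """Run every check and return the evidence records in table order."""
    return [check_root_mfa(summary),
            check_s3_not_public(buckets),
            check_cloudtrail_all_regions(trails)]


def non_compliant_controls(records):
    """Names of controls that need remediation before the audit."""
    return [r["control"] for r in records if r["status"] == "NON_COMPLIANT"]


if __name__ == "__main__":
    import json
    print(json.dumps(collect_evidence(), indent=2))
```

With the constructed inputs the root MFA and CloudTrail checks pass and the S3 check fails, naming `marketing-assets` in its detail; keeping the offending resource in the record is what makes the evidence actionable rather than a bare pass/fail.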
Exporting Evidence
- Export to S3 for auditors
- Share via Audit Manager assessment reports
- Retain per policy (e.g., 7 years for SOC audits)
4. Manual Evidence Storage Locations
Manual proof (screenshots, policies, reports) is stored and managed by the customer. Common storage options include:
- Amazon S3 (versioned bucket): Long-term, immutable audit repository.
- AWS Audit Manager Manual Upload: Attach manual files directly to controls.
- AWS WorkDocs / External GRC Systems: Used for collaborative evidence management.
Encryption (SSE-KMS) and versioning are recommended for integrity and retention.
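The recommendations in this section (versioning, SSE-KMS, retention) can be checked mechanically against a bucket's configuration. Below is an added example, not AWS's code, that audits a weak evidence bucket beside a hardened one and generates a bucket policy refusing uploads that are not SSE-KMS encrypted. The configuration dictionaries are constructed to follow the shape of the S3 GetBucketVersioning, GetBucketEncryption and GetBucketLifecycleConfiguration responses; the key ARN and bucket name are placeholders.

```python
"""Audit an evidence bucket against section 4's recommendations.

Added example, not AWS's code. Configuration dicts are constructed to mirror
the S3 GetBucket* response shapes; fetching them with boto3 is assumed and not
shown. The KMS key ARN and bucket names are placeholders.
"""

RETENTION_YEARS = 7                      # retention period from the SOC example above
MIN_RETENTION_DAYS = RETENTION_YEARS * 365

# Constructed: an evidence bucket before hardening
WEAK_BUCKET = {
    "Versioning": {},                                     # never enabled: no "Status" key
    "Encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "Lifecycle": {"Rules": [
        {"ID": "cleanup", "Status": "Enabled", "Filter": {"Prefix": ""},
         "Expiration": {"Days": 365}}]},                  # deletes evidence after one year
}

# Constructed: the same bucket configured as the page recommends
HARDENED_BUCKET = {
    "Versioning": {"Status": "Enabled"},
    "Encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID"}}]}},
    "Lifecycle": {"Rules": [
        {"ID": "evidence-retention", "Status": "Enabled", "Filter": {"Prefix": ""},
         "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],   # archive, keep
         "Expiration": {"Days": MIN_RETENTION_DAYS},
         "NoncurrentVersionExpiration": {"NoncurrentDays": MIN_RETENTION_DAYS}}]},
}


def audit_evidence_bucket(cfg):
    """Return human-readable findings; an empty list means the bucket is acceptable."""
    findings = []

    if cfg["Versioning"].get("Status") != "Enabled":
        findings.append("versioning not enabled: overwritten or deleted evidence cannot be recovered")

    rules = cfg["Encryption"].get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    if default.get("SSEAlgorithm") != "aws:kms":
        findings.append(f"default encryption is {default.get('SSEAlgorithm', 'none')!s}, not SSE-KMS")

    # No enabled lifecycle rule may delete current or noncurrent versions
    # before the retention period has elapsed.
    for rule in cfg["Lifecycle"].get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        days = rule.get("Expiration", {}).get("Days")
        if days is not None and days < MIN_RETENTION_DAYS:
            findings.append(f"lifecycle rule {rule['ID']!r} expires objects after {days} days, "
                            f"before the {MIN_RETENTION_DAYS}-day retention period")
        ndays = rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
        if ndays is not None and ndays < MIN_RETENTION_DAYS:
            findings.append(f"lifecycle rule {rule['ID']!r} expires old versions after {ndays} days")
    return findings


def kms_only_upload_policy(bucket_name):
    """Bucket policy that denies PutObject unless the request asks for SSE-KMS.

    Uses the standard s3:x-amz-server-side-encryption condition key; clients
    must send that header (or the SDK's equivalent parameter) on every upload.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUploadsWithoutSSEKMS",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket_name}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        }],
    }


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(label, audit_evidence_bucket(cfg) or "OK")
```

The lifecycle check is the one most often missed: a generic "cleanup" rule copied from another bucket silently destroys evidence before the retention period ends, and neither versioning nor encryption protects against that.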
5. Summary Table
| Evidence Type | Collection Method | Stored In | Example |
|---|---|---|---|
| AWS Infrastructure Certifications | Provided by AWS | AWS Artifact | SOC 2 report |
| Account Configuration Evidence | Automated | AWS Config | S3 bucket encryption enabled |
| Activity Logs | Automated | CloudTrail / CloudWatch | IAM policy updates |
| Security Findings | Automated | Security Hub | CIS benchmark non-compliance |
| Audit Control Mapping | Automated + Manual | Audit Manager | PCI DSS control evidence |
| Long-term Retention | Manual | S3 / Glacier | Archived compliance reports |
6. Best Practice Workflow
- Enable CloudTrail, Config, and Security Hub across all accounts.
- Set up AWS Audit Manager with a baseline framework (CIS or ISO 27001).
- Continuously collect and review evidence automatically.
- Store manual evidence in versioned S3 with lifecycle policies.
- Use AWS Artifact for AWS-provided compliance documentation.
- Provide evidence packages via Audit Manager or secure S3 export.
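The last step, handing an evidence package to auditors, and the export and retention points from section 3 are illustrated by the following added example (not an Audit Manager export format and not AWS code). It builds a package as a zip with a manifest recording each file's control mapping, SHA-256 hash and the retention date derived from the 7-year policy, and verifies a package on receipt. The evidence files are constructed samples; uploading the result to S3 is assumed and not shown.

```python
"""Build and verify an evidence package with an integrity manifest.

Added example, not AWS Audit Manager's export format. Evidence items are
constructed samples; uploading the package to an S3 evidence bucket is
assumed and not shown.
"""
import hashlib
import io
import json
import zipfile
from datetime import datetime, timedelta, timezone

RETENTION_YEARS = 7   # retention period from the SOC example on the page

# Constructed sample evidence (not real account data)
SAMPLE_ITEMS = [
    {"control": "IAM password policy", "filename": "iam-password-policy.json",
     "content": b'{"MinimumPasswordLength": 14, "RequireSymbols": true}'},
    {"control": "S3 encryption status", "filename": "s3-encryption.json",
     "content": b'{"finance-reports": "aws:kms"}'},
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_evidence_package(items, framework, created_at=None) -> bytes:
    """Zip the evidence files with a manifest.json describing them."""
    now = (datetime.fromisoformat(created_at) if created_at
           else datetime.now(timezone.utc))
    manifest = {
        "framework": framework,
        "created_at": now.isoformat(),
        "retain_until": (now + timedelta(days=RETENTION_YEARS * 365)).isoformat(),
        "entries": [],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for item in items:
            path = f"evidence/{item['filename']}"
            zf.writestr(path, item["content"])
            manifest["entries"].append({
                "path": path,
                "control": item["control"],
                "sha256": sha256_hex(item["content"]),
                "size": len(item["content"]),
            })
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
    return buf.getvalue()


def read_manifest(package: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return json.loads(zf.read("manifest.json"))


def verify_evidence_package(package: bytes) -> list:
    """Return manifest paths that are missing or whose hash no longer matches."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        for entry in manifest["entries"]:
            try:
                data = zf.read(entry["path"])
            except KeyError:
                problems.append(entry["path"])
                continue
            if sha256_hex(data) != entry["sha256"]:
                problems.append(entry["path"])
    return problems


def replace_member(package: bytes, path: str, new_content: bytes) -> bytes:
    """Rebuild the zip with one member replaced (used to simulate a modified file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            data = new_content if info.filename == path else src.read(info.filename)
            dst.writestr(info.filename, data)
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_evidence_package(SAMPLE_ITEMS, "PCI DSS")
    print("intact package problems:", verify_evidence_package(pkg))
    altered = replace_member(pkg, "evidence/iam-password-policy.json", b"{}")
    print("altered package problems:", verify_evidence_package(altered))
```

The manifest only detects changes to the evidence files, not to itself; keep a copy of the manifest's own hash (or the whole package) in the versioned S3 bucket described in section 4 so the exported copy can be compared against what was retained.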