A feature that I was really excited about when I saw the release of AWS Audit Manager was the fact that they included the ability to manually upload evidence to address controls.
This is huge because every security and audit professional understands you cannot automate everything with respect to compliance assessments. There are governance controls in certain sections of the report that don't lend themselves to automation, CC1.0 and CC5.0 come to mind in a SOC 2 examination. Allowing administrators the ability to upload evidence will ensure AWS Audit Manager can be used for an entire assessment, not just the cloud security controls.
In the SOC 2 Framework in AWS Audit Manager, they identify 35 Manual controls and 21 Automated Controls:
While the number of automated controls seems a lot lower than what we have found at ByteChek for SOC 2 automated controls. You can see why it is important to have the ability to upload evidence directly to a framework, over 60% of the controls in SOC 2 are identified as being manual (by AWS).
The problem with the manual upload on AWS Audit Manager
The current way to upload evidence into AWS Audit Manager is not intuitive and will require compliance managers to understand how to navigate the AWS console. We will take a look at this from a SOC 2 perspective. Here are the steps for uploading manual evidence:
Once you're in your assessment (follow the steps here to kick off an assessment), navigate to your assessment:
2. Now it gets tricky, you have to open up each criterion to identify the individual controls that either is automated or require manual uploads.
3. Once you're into the control area, you can click on "data source" which is a really cool feature that I am excited about. Under data source you will see whether this is a manual or automated control.
Example of automated data sources:
4. Now, if you would like to upload evidence to address this control. You would assume it's as simple as uploading evidence to any web application right?
4a: Click upload manual evidence:
4b: Paste in S3 URL ????
Look I get it, the evidence will live in S3 and the auditors can access a central folder where all this evidence will live. But isn't it possible to allow an administrator to upload evidence directly to the audit manager console in this window?
Since this functionality does not exist, continue to follow the below steps:
5. Navigate to S3 and upload the document or evidence to the S3 bucket you configured during the setup process:
6. Copy the S3 object URL, navigate back to Audit Manager, and paste the URL in the window:
7. There you go, you've uploaded evidence to a control in AWS Audit Manager, now what? Great question, unfortunately within AWS Audit Manager you cannot review the evidence uploaded (gotta go back to S3 for that). You can mark this control as "Reviewed" which could be valuable for internal use but not sure how this will help auditors.
The idea behind manually uploading evidence to the audit manager service is great - in theory. The individual managing the overall compliance assessment typically is not an AWS expert who will be comfortable navigating the AWS Management Console to use S3, find object URLs, and set this up effectively. This could cause issues with this functionality being adopted.
I am excited to see the improvement of the manual evidence upload functionality of AWS Audit Manager.
In the meantime, if you need an assessment tool that allows you to upload evidence directly to controls without needing to be an AWS expert, contact ByteChek.
For each control in our platform, you can upload evidence directly to the ByteChek platform and your auditors can review that evidence, perform testing, and collaborate with you - all within the ByteChek platform.