Automate compliance with AWS Audit Manager: Stop doing it manually
Manual compliance audits are point-in-time snapshots. Someone exports a report, takes screenshots, and compiles a spreadsheet. By the time the auditor sees it, the evidence is weeks old and the configurations it documents may have changed. If a resource was non-compliant for three weeks and compliant on the day the evidence was captured, the manual process will not detect it.
AWS Audit Manager collects compliance evidence continuously. It monitors your AWS resources against the controls defined in compliance frameworks (GDPR, PCI DSS, ISO 27001, SOC 2, and others), accumulates evidence automatically, and surfaces non-compliant findings in near real-time. When the auditor asks for evidence, you pull from the continuous record rather than scrambling to compile a snapshot.
Step 1: Enable and configure Audit Manager
In the AWS console, navigate to Audit Manager > Get started. Audit Manager prompts you to choose the services it should use as evidence sources: AWS Config, AWS Security Hub, and AWS CloudTrail are the primary sources. Enable all three for complete coverage.
Set up the S3 bucket where Audit Manager will store evidence data. Audit Manager uses its own managed storage, but you can also specify a bucket in your own account for audit data that must remain under your control. For organisations with data residency requirements, specify a bucket in eu-west-2 (London) or eu-west-1 (Ireland).
Enable multi-account data collection if your organisation uses AWS Organizations. Audit Manager can collect evidence from all member accounts and aggregate it in the management account, providing a unified compliance view across the estate.
Step 2: Select and activate compliance frameworks
Audit Manager provides pre-built frameworks for common compliance standards. Navigate to Audit Manager > Frameworks and browse the available options.
For UK-based regulated businesses, the relevant pre-built frameworks include:
- GDPR: Evidence collection covering data protection controls, access controls, and audit logging
- PCI DSS: Comprehensive coverage for cardholder data environment controls
- ISO/IEC 27001: Information security management controls
- NIST Cybersecurity Framework: Broad security control coverage
- CIS AWS Foundations Benchmark: AWS-specific security best practices
Activate an assessment for each relevant framework. An assessment defines the scope: which AWS accounts, which services, and which date range to evaluate. Name the assessment clearly (e.g., GDPR-Production-2026) so audit evidence is easy to locate.
Custom frameworks are available for organisations with bespoke compliance requirements. If your organisation has an internal control framework that does not map to a standard, you can build a custom framework with the specific controls you need to evidence.
Step 3: Connect evidence sources
Audit Manager collects evidence from three primary sources:
AWS Config rules: Config evaluates resource configurations continuously. When a Config rule assesses a resource as non-compliant (e.g., an S3 bucket with public access enabled), Audit Manager captures the finding as compliance evidence. Each Config rule maps to a specific control in the compliance framework.
AWS Security Hub: Security Hub aggregates security findings from multiple AWS services (GuardDuty, Inspector, Macie, Config) and from third-party integrations. Audit Manager imports Security Hub findings as evidence for applicable controls.
AWS CloudTrail: CloudTrail logs every API call made in your account. Audit Manager uses CloudTrail to evidence activity-based controls: who made a configuration change, when, and from which identity.
For controls that cannot be automatically evidenced (physical security controls, vendor agreements, policies and procedures), Audit Manager supports manual evidence upload. Attach a document to the relevant control to close the gap in the automated evidence record.
Step 4: Monitor compliance status and address findings
In the Audit Manager console, the Assessment dashboard shows the compliance status for each framework. Controls are categorised as Compliant, Non-compliant, or Insufficient evidence.
Insufficient evidence typically means the evidence source is not configured correctly or the relevant service is not enabled. Check whether AWS Config has the relevant rule enabled and whether it is collecting data for the resource types in scope.
Non-compliant findings require action. For each non-compliant control, review the evidence to understand what specific configuration or behaviour violated the control requirement. Address the finding, wait for Config to re-evaluate the resource, and confirm the control returns to Compliant status.
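The three dashboard categories above, and the point made at the top of the article about snapshots missing a non-compliance window, can be made concrete with a small model of the evidence record. The following is an added example written for this article, not Audit Manager's own code or API schema: the Evidence fields, control IDs, dates and resource names are constructed, and the status rules (no evidence means Insufficient evidence, any NON_COMPLIANT item fails the control) follow the categories the article describes.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List

# Assessment window used by the constructed sample below (assumed values).
ASSESSMENT_START = date(2026, 3, 1)
ASSESSMENT_END = date(2026, 3, 31)


@dataclass(frozen=True)
class Evidence:
    """One evidence item: a single evaluation of one resource against one control.
    The field names are this example's own, not Audit Manager's API schema."""
    control_id: str
    collected_on: date
    source: str          # "Config", "SecurityHub" or "CloudTrail"
    resource_id: str
    compliance: str      # "COMPLIANT" or "NON_COMPLIANT"


def control_status(items: Iterable[Evidence]) -> str:
    """Map evidence to the three dashboard categories. No evidence at all means the
    source is not wired up (or the rule is not enabled), not that the control passed."""
    items = list(items)
    if not items:
        return "Insufficient evidence"
    if any(e.compliance == "NON_COMPLIANT" for e in items):
        return "Non-compliant"
    return "Compliant"


def status_by_control(items: Iterable[Evidence], controls: Iterable[str]) -> Dict[str, str]:
    """Status for every control in scope, including controls that have no evidence."""
    grouped: Dict[str, List[Evidence]] = defaultdict(list)
    for e in items:
        grouped[e.control_id].append(e)
    return {c: control_status(grouped.get(c, [])) for c in controls}


def snapshot_vs_continuous(items: Iterable[Evidence], control_id: str) -> Dict[str, object]:
    """Contrast a manual export taken on the last day of the window with the
    continuous record: the snapshot only sees that day's evaluations."""
    mine = [e for e in items if e.control_id == control_id
            and ASSESSMENT_START <= e.collected_on <= ASSESSMENT_END]
    bad_days = {e.collected_on for e in mine if e.compliance == "NON_COMPLIANT"}
    return {
        "snapshot_on_last_day": control_status(e for e in mine if e.collected_on == ASSESSMENT_END),
        "continuous": control_status(mine),
        "non_compliant_days": len(bad_days),
    }


def sample_evidence() -> List[Evidence]:
    """Constructed data: one S3 bucket that was publicly readable from 3 to 23 March
    and a CloudTrail trail that stayed compliant all month."""
    rows: List[Evidence] = []
    day = ASSESSMENT_START
    while day <= ASSESSMENT_END:
        bucket = "NON_COMPLIANT" if date(2026, 3, 3) <= day <= date(2026, 3, 23) else "COMPLIANT"
        rows.append(Evidence("GDPR-AC-1", day, "Config", "customer-exports-bucket", bucket))
        rows.append(Evidence("GDPR-LOG-1", day, "Config", "trail/main", "COMPLIANT"))
        day += timedelta(days=1)
    return rows


if __name__ == "__main__":
    items = sample_evidence()
    # GDPR-PHYS-1 has no automated evidence source, so it reports Insufficient evidence
    print(status_by_control(items, ["GDPR-AC-1", "GDPR-LOG-1", "GDPR-PHYS-1"]))
    print(snapshot_vs_continuous(items, "GDPR-AC-1"))
```

Run against the sample, the snapshot taken on 31 March reports the bucket control as Compliant while the continuous record shows 21 non-compliant days in the same window; that gap is exactly what a spreadsheet compiled on audit day cannot show.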
Set up CloudWatch Events to alert on new Audit Manager findings. A compliance violation that appears and remains unaddressed for weeks is worse than one that is caught and remediated quickly. Route alerts to the team responsible for the affected control area.
Step 5: Generate and share audit reports
When it is time to produce evidence for an auditor, Audit Manager exports an assessment report containing all collected evidence for the selected time range. Navigate to the assessment > Create report. Select the report period and the output format (PDF or a structured ZIP archive).
The report includes: evidence items per control, timestamps, resource identifiers, the Config rule or Security Hub finding that generated the evidence, and the compliance status at the time of collection.
Customise reports for UK regulatory requirements:
- Adjust date format to DD/MM/YYYY in evidence exports where the format is configurable
- Scope the report to the relevant accounts and time period specified by the regulatory or audit requirement
- Redact any sensitive data that appears in resource metadata before sharing with external auditors
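The redaction step deserves a repeatable tool rather than a manual search-and-replace, because evidence exports carry account IDs inside ARNs, resource tags and CloudTrail identity fields. The script below is an added example for this article, not an Audit Manager feature: the export shape and the list of sensitive keys are constructed assumptions, and account IDs are replaced with stable pseudonyms so the auditor can still see that two findings belong to the same account without learning which one.

```python
import json
import re
from typing import Any, Dict, Tuple

# 12-digit AWS account IDs, whether standalone or embedded in an ARN.
ACCOUNT_ID_RE = re.compile(r"\b\d{12}\b")

# Keys whose values are dropped wholesale before the export leaves the organisation.
# This list is an assumption for the example; extend it to match your own evidence.
SENSITIVE_KEYS = frozenset({"tags", "Tags", "PrincipalId", "sourceIPAddress", "userName"})


class Redactor:
    """Replace account IDs with stable pseudonyms and blank out sensitive keys."""

    def __init__(self) -> None:
        self.account_map: Dict[str, str] = {}

    def _pseudonym(self, account_id: str) -> str:
        if account_id not in self.account_map:
            self.account_map[account_id] = f"ACCOUNT-{len(self.account_map) + 1}"
        return self.account_map[account_id]

    def redact(self, node: Any) -> Any:
        if isinstance(node, dict):
            return {k: "[REDACTED]" if k in SENSITIVE_KEYS else self.redact(v)
                    for k, v in node.items()}
        if isinstance(node, list):
            return [self.redact(v) for v in node]
        if isinstance(node, str):
            return ACCOUNT_ID_RE.sub(lambda m: self._pseudonym(m.group(0)), node)
        return node  # numbers, booleans and None pass through unchanged


def redact_export(doc: Dict[str, Any]) -> Tuple[Dict[str, Any], Dict[str, str]]:
    """Return the redacted document plus the pseudonym map. The map stays internal;
    only the redacted document is shared with the auditor."""
    r = Redactor()
    return r.redact(doc), r.account_map


def contains_account_id(doc: Any) -> bool:
    """Final check before sharing: does any 12-digit account ID survive anywhere?"""
    return ACCOUNT_ID_RE.search(json.dumps(doc)) is not None


# Constructed sample shaped like an evidence export; not a real Audit Manager record.
SAMPLE_EXPORT: Dict[str, Any] = {
    "assessmentName": "GDPR-Production-2026",
    "controlId": "GDPR-AC-1",
    "evidence": [
        {
            "source": "AWS Config",
            "awsAccountId": "123456789012",
            "configRuleName": "s3-bucket-public-read-prohibited",
            "resourceArn": "arn:aws:s3:::customer-exports-123456789012",
            "complianceType": "NON_COMPLIANT",
            "collectedAt": "2026-03-10T09:15:00Z",
            "tags": {"Owner": "jane.doe@example.com", "CostCentre": "4411"},
        },
        {
            "source": "AWS CloudTrail",
            "awsAccountId": "210987654321",
            "eventName": "PutBucketPublicAccessBlock",
            "userIdentity": {
                "arn": "arn:aws:iam::123456789012:role/PlatformAdmin",
                "PrincipalId": "AROAEXAMPLEID:jane",
            },
            "sourceIPAddress": "203.0.113.7",
        },
    ],
}


if __name__ == "__main__":
    clean, mapping = redact_export(SAMPLE_EXPORT)
    print(json.dumps(clean, indent=2))
    print("account IDs remaining:", contains_account_id(clean))
```

Keep the pseudonym map alongside the unredacted report in your own retention bucket so that a follow-up question from the auditor can be traced back to the real account; the shared copy should pass `contains_account_id` with `False` before it goes out.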
Store completed audit reports in an S3 bucket with versioning enabled. Apply an S3 Object Lock retention policy matching your data retention obligations: PCI DSS requires audit log retention for one year (three months online); FCA typically requires longer retention for certain records.
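Object Lock retention is worth scripting so the period is derived from the obligations rather than typed by hand, and so an existing bucket can be checked against them. This is an added example for this article using boto3's real S3 client methods (create_bucket with ObjectLockEnabledForBucket, put_public_access_block, put_object_lock_configuration); it is not Critical Cloud's or AWS's code. The PCI DSS figure of one year comes from the paragraph above; the FCA entry is a placeholder value, not a statement of what the FCA requires, and the bucket name is a placeholder.

```python
from typing import Any, Dict, Iterable

# Retention obligations in days. PCI DSS (one year) is the figure cited in the article;
# the FCA entry is an ASSUMED placeholder to replace with your own regulatory requirement.
RETENTION_DAYS = {
    "pci-dss": 365,
    "fca-placeholder": 365 * 5,
}


def required_retention_days(obligations: Iterable[str]) -> int:
    """The longest applicable obligation wins: one bucket must satisfy all of them."""
    days = [RETENTION_DAYS[o] for o in obligations]
    if not days:
        raise ValueError("at least one retention obligation is required")
    return max(days)


def object_lock_configuration(days: int) -> Dict[str, Any]:
    """Bucket default retention in COMPLIANCE mode: no identity, including the root
    user, can shorten the period or delete a locked object version until it elapses."""
    return {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": days}},
    }


def meets_obligation(config: Dict[str, Any], required_days: int) -> bool:
    """Check a bucket's lock configuration (the shape returned by
    get_object_lock_configuration) against the obligation. GOVERNANCE mode is
    rejected because users with s3:BypassGovernanceRetention can override it."""
    try:
        rule = config["Rule"]["DefaultRetention"]
    except KeyError:
        return False
    if config.get("ObjectLockEnabled") != "Enabled" or rule.get("Mode") != "COMPLIANCE":
        return False
    days = rule.get("Days")
    if days is None and "Years" in rule:
        days = rule["Years"] * 365
    return days is not None and days >= required_days


def create_report_bucket(bucket: str, region: str, obligations: Iterable[str]) -> None:
    """Create the report bucket with Object Lock (which also enables versioning),
    block all public access and apply the default retention. Calls AWS, so it needs
    credentials and is not run by default."""
    import boto3  # imported here so the rest of the module runs offline

    s3 = boto3.client("s3", region_name=region)
    s3.create_bucket(
        Bucket=bucket,
        CreateBucketConfiguration={"LocationConstraint": region},
        ObjectLockEnabledForBucket=True,
    )
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": True,
        },
    )
    s3.put_object_lock_configuration(
        Bucket=bucket,
        ObjectLockConfiguration=object_lock_configuration(required_retention_days(obligations)),
    )


if __name__ == "__main__":
    cfg = object_lock_configuration(required_retention_days(["pci-dss"]))
    print(cfg, meets_obligation(cfg, 365))
    # create_report_bucket("audit-reports-PLACEHOLDER", "eu-west-2", ["pci-dss"])  # needs AWS credentials
```

Note that COMPLIANCE mode cannot be undone for the life of the locked objects, so confirm the obligation period before applying it; `meets_obligation` is the check to run periodically (or as a Config custom rule) so that a bucket someone recreated without Object Lock is caught rather than discovered at the next audit.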
Where Critical Cloud comes in
Compliance automation is only as good as the control framework it implements and the findings response process that acts on its outputs. A tool that generates findings that nobody resolves is compliance theatre. We configure and operate AWS Audit Manager for regulated businesses, with evidence collection tuned to the specific framework requirements, alerts connected to operational processes, and findings worked as standing tasks rather than pre-audit scrambles. As the world's first Powered by Datadog accredited partner, we correlate compliance signals with operational events in a single view. See how Critical Support works.