# AWS Audit Manager

## Overview

The AWS Audit Manager integration, `regscale aws sync_compliance`, syncs compliance assessments, control evaluations, and audit evidence from AWS Audit Manager into RegScale. It supports automated compliance monitoring, POAM generation, and evidence collection for FedRAMP, NIST 800-53, and custom frameworks.
## Command Syntax

```bash
regscale aws sync_compliance [OPTIONS]
```

## Basic Usage

### Sync All Active Assessments

```bash
regscale aws sync_compliance --regscale_id 123
```

### Sync Specific Assessment

```bash
regscale aws sync_compliance \
  --regscale_id 123 \
  --assessment-id abc-123-def-456
```

### Sync with Compliance Framework

```bash
regscale aws sync_compliance \
  --regscale_id 123 \
  --framework NIST800-53R5
```

## Custom Framework Support

AWS Audit Manager supports custom compliance frameworks. Use `--framework Custom` together with `--custom-framework-name` to sync custom assessments:

```bash
regscale aws sync_compliance \
  --regscale_id 19 \
  --force-refresh \
  --collect-evidence \
  --use-assessment-evidence-folders \
  --framework Custom \
  --custom-framework-name "USPTO cATO" \
  --create-poams
```

**Custom Framework Options:**
- `--framework Custom` - Indicates a custom framework (required)
- `--custom-framework-name` - Name of the custom framework in AWS Audit Manager
- `--use-assessment-evidence-folders` - Organize evidence by assessment folder structure

**Supported Standard Frameworks:**
- NIST800-53R5
- NIST800-53R4
- PCI-DSS
- SOC2
- HIPAA
- GDPR
- And others available in AWS Audit Manager
## Filtering Options

### By Assessment ID

Target a specific assessment:

```bash
regscale aws sync_compliance \
  --regscale_id 123 \
  --assessment-id abc-123-def-456
```

### By AWS Account ID

Filter by account (useful for multi-account organizations):

```bash
regscale aws sync_compliance \
  --regscale_id 123 \
  --account-id 123456789012
```

### By Tags

Filter assessments by AWS resource tags:

```bash
regscale aws sync_compliance \
  --regscale_id 123 \
  --tags Environment=production,Compliance=FedRAMP
```
## Issue & POAM Creation

### Create Issues for Failed Controls

```bash
regscale aws sync_compliance \
  --regscale_id 123 \
  --create-issues
```

### Create POAMs (Plan of Action & Milestones)

```bash
regscale aws sync_compliance \
  --regscale_id 123 \
  --create-issues \
  --create-poams
```

**POAM Features:**
- Automatic due date calculation per FedRAMP requirements
- Linked to failed control assessments
- Remediation tracking and milestone management
- Compliance requirement mapping

### Skip Issue Creation

```bash
regscale aws sync_compliance \
  --regscale_id 123 \
  --no-create-issues
```
## Evidence Collection

### Collect All Evidence

```bash
regscale aws sync_compliance \
  --regscale_id 123 \
  --collect-evidence
```

### Collect Evidence for Specific Controls

```bash
regscale aws sync_compliance \
  --regscale_id 123 \
  --collect-evidence \
  --evidence-control-ids AU-2,AU-3,AU-6,AC-2,AC-3
```

### Set Evidence Collection Timeframe

```bash
regscale aws sync_compliance \
  --regscale_id 123 \
  --collect-evidence \
  --evidence-frequency 30
```

**Evidence Frequency:**
- `7` - Last 7 days (daily monitoring)
- `30` - Last 30 days (monthly assessments)
- `90` - Last 90 days (quarterly audits)

### Limit Evidence Volume

```bash
regscale aws sync_compliance \
  --regscale_id 123 \
  --collect-evidence \
  --max-evidence-per-control 500
```
## Evidence Storage Options

### Evidence as Attachments (Default)

Evidence is stored as compressed JSONL.GZ attachments:

```bash
regscale aws sync_compliance \
  --regscale_id 123 \
  --collect-evidence
```

**Benefits:**
- Reduced storage footprint
- Single file per control assessment
- Easy download and sharing
- Preserves complete evidence set

### Evidence as Individual Records

```bash
regscale aws sync_compliance \
  --regscale_id 123 \
  --collect-evidence \
  --evidence-as-records
```

**Benefits:**
- Searchable in RegScale
- Individual evidence review
- Granular evidence management

### Evidence Folder Organization

```bash
regscale aws sync_compliance \
  --regscale_id 123 \
  --collect-evidence \
  --use-assessment-evidence-folders
```

**Benefits:**
- Preserves AWS Audit Manager folder structure
- Organized by assessment controls
- Easier navigation for auditors
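The evidence timeframe (`--evidence-frequency`, in days), the per-control cap (`--max-evidence-per-control`) and the JSONL.GZ attachment layout described above, shown together in one added example. This is not RegScale's code: the record fields (`control_id`, `source`, `time`, `summary`) and the sample evidence are constructed for illustration and are not the real attachment schema; the pinned "now" makes the window arithmetic reproducible.

```python
"""Apply the evidence timeframe (--evidence-frequency, in days) and the per-control
cap (--max-evidence-per-control) to evidence stored as JSONL.GZ, one JSON object
per line. Added example, not RegScale's code; the record fields below are
constructed and are not the real attachment schema."""
import gzip
import json
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Set

# "Now" is pinned so the window arithmetic below is reproducible.
NOW = datetime(2025, 6, 30, tzinfo=timezone.utc)

# Constructed sample evidence; the sources mirror the kinds the page lists.
SAMPLE_EVIDENCE = [
    {"control_id": "AU-2", "source": "CloudTrail", "time": "2025-06-29T10:00:00Z", "summary": "ConsoleLogin events"},
    {"control_id": "AU-2", "source": "CloudTrail", "time": "2025-06-20T10:00:00Z", "summary": "PutEventSelectors"},
    {"control_id": "AU-2", "source": "AWS Config", "time": "2025-06-10T10:00:00Z", "summary": "trail configuration"},
    {"control_id": "AU-2", "source": "CloudTrail", "time": "2025-05-20T10:00:00Z", "summary": "StopLogging"},
    {"control_id": "AC-2", "source": "Security Hub", "time": "2025-06-25T10:00:00Z", "summary": "IAM.8 finding"},
    {"control_id": "AC-2", "source": "AWS Config", "time": "2025-03-15T10:00:00Z", "summary": "user snapshot"},
    {"control_id": "IA-2", "source": "CloudTrail", "time": "2025-06-28T10:00:00Z", "summary": "MFA device events"},
]


def write_jsonl_gz(path: Path, records: Iterable[dict]) -> None:
    """One compact JSON object per line, gzip-compressed."""
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        for rec in records:
            fh.write(json.dumps(rec, separators=(",", ":")) + "\n")


def read_jsonl_gz(path: Path) -> List[dict]:
    """Inverse of write_jsonl_gz; blank lines are skipped."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def _parse_time(stamp: str) -> datetime:
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def filter_evidence(records: Iterable[dict], frequency_days: int, max_per_control: int,
                    control_ids: Optional[Set[str]] = None, now: datetime = NOW) -> Dict[str, List[dict]]:
    """Keep evidence inside the window, optionally only for the named controls,
    and cap each control at max_per_control newest items."""
    cutoff = now - timedelta(days=frequency_days)
    by_control: Dict[str, List[dict]] = defaultdict(list)
    for rec in records:
        if control_ids and rec["control_id"] not in control_ids:
            continue
        if _parse_time(rec["time"]) < cutoff:
            continue
        by_control[rec["control_id"]].append(rec)
    # When a control exceeds the cap, the newest items are the ones retained
    return {
        cid: sorted(items, key=lambda r: r["time"], reverse=True)[:max_per_control]
        for cid, items in by_control.items()
    }


def evidence_counts(filtered: Dict[str, List[dict]]) -> Dict[str, int]:
    return {cid: len(items) for cid, items in filtered.items()}


def roundtrip_and_filter(frequency_days: int, max_per_control: int,
                         control_ids: Optional[Set[str]] = None) -> Dict[str, int]:
    """Write the sample set to a temporary JSONL.GZ, read it back, filter and count."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "AU-evidence.jsonl.gz"
        write_jsonl_gz(path, SAMPLE_EVIDENCE)
        records = read_jsonl_gz(path)
    if records != SAMPLE_EVIDENCE:
        raise RuntimeError("JSONL.GZ round trip lost data")
    return evidence_counts(filter_evidence(records, frequency_days, max_per_control, control_ids))


if __name__ == "__main__":
    print(roundtrip_and_filter(30, 2))
```

With the sample above, a 30-day window and a cap of 2 keeps two of the four AU-2 items (the two newest), one AC-2 item and one IA-2 item; a 90-day window admits the May AU-2 item but still drops the March AC-2 snapshot.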
## What Gets Created in RegScale

### 1. Control Assessments
- Status: PASS or FAIL
- Assessment Date: Timestamp of evaluation
- Linked to SSP Controls: Automatic mapping to Security Plan controls
- Assessment Metadata: Assessment ID, framework, evaluator

### 2. Issues (if `--create-issues` enabled)
- Created for: Failed control assessments
- Includes: Remediation guidance, control description
- Severity: Based on control criticality
- Linked to: Control implementations in SSP

### 3. POAMs (if `--create-poams` enabled)
- Due Dates: Calculated per FedRAMP requirements
- Milestone Tracking: Remediation progress
- Status Management: Open, In Progress, Closed
- Compliance Mapping: Linked to specific controls

### 4. Evidence Records (if `--collect-evidence` enabled)
- CloudTrail Events: API calls and user activity
- AWS Config Snapshots: Resource configuration history
- Security Hub Findings: Security and compliance findings
- Service Configurations: Service-specific compliance evidence
- Format: Compressed JSONL.GZ attachments or individual records
## Common Use Cases

### Use Case 1: FedRAMP ATO Assessment

```bash
regscale aws sync_compliance \
  --regscale_id 123 \
  --framework NIST800-53R5 \
  --assessment-id fedramp-assessment \
  --account-id 123456789012 \
  --tags ATO=FedRAMP,Boundary=Moderate \
  --create-issues \
  --create-poams \
  --collect-evidence \
  --evidence-control-ids AU-2,AU-3,AU-6,AC-2,AC-3,AC-6,IA-2,IA-5,SC-12,SC-13 \
  --evidence-frequency 30 \
  --profile fedramp-prod
```

### Use Case 2: Daily Compliance Monitoring

```bash
regscale aws sync_compliance \
  --regscale_id 123 \
  --framework NIST800-53R5 \
  --tags Environment=production \
  --create-issues \
  --update-control-status
```

### Use Case 3: Custom Framework Assessment

```bash
regscale aws sync_compliance \
  --regscale_id 19 \
  --framework Custom \
  --custom-framework-name "Organization Security Framework" \
  --collect-evidence \
  --use-assessment-evidence-folders \
  --create-issues \
  --create-poams \
  --force-refresh
```

### Use Case 4: Evidence Collection for Audit

```bash
regscale aws sync_compliance \
  --regscale_id 123 \
  --assessment-id audit-assessment-2025 \
  --collect-evidence \
  --evidence-frequency 90 \
  --max-evidence-per-control 1000 \
  --evidence-as-records
```
## Command Options Reference

| Option | Description | Example |
|---|---|---|
| `--regscale_id` | RegScale Security Plan ID (required) | `--regscale_id 123` |
| `--assessment-id` | Specific AWS Audit Manager assessment ID | `--assessment-id abc-123` |
| `--framework` | Compliance framework name | `--framework NIST800-53R5` or `--framework Custom` |
| `--custom-framework-name` | Name of custom framework (use with `--framework Custom`) | `--custom-framework-name "USPTO cATO"` |
| `--account-id` | Filter by AWS account ID | `--account-id 123456789012` |
| `--tags` | Filter by resource tags | `--tags Env=prod,Team=security` |
| `--create-issues` | Create issues for failed controls | `--create-issues` |
| `--no-create-issues` | Skip issue creation | `--no-create-issues` |
| `--create-poams` | Mark issues as POAMs | `--create-poams` |
| `--collect-evidence` | Collect audit evidence | `--collect-evidence` |
| `--evidence-control-ids` | Specific controls for evidence | `--evidence-control-ids AU-2,AU-3,AC-2` |
| `--evidence-frequency` | Evidence timeframe in days | `--evidence-frequency 30` |
| `--max-evidence-per-control` | Evidence limit per control | `--max-evidence-per-control 500` |
| `--evidence-as-records` | Store evidence as individual records | `--evidence-as-records` |
| `--use-assessment-evidence-folders` | Organize evidence by folder structure | `--use-assessment-evidence-folders` |
| `--force-refresh` | Bypass cache | `--force-refresh` |
| `--region` | AWS region | `--region us-east-1` |
| `--profile` | AWS profile name | `--profile production` |
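A wrapper that assembles the `regscale aws sync_compliance` command from the options in the table above and rejects the combinations this page rules out (`--framework Custom` without `--custom-framework-name`, `--create-poams` together with `--no-create-issues`) before anything runs, as an added example. It is not RegScale's own code; the one rule not stated on the page, that the evidence sub-options are only meaningful with `--collect-evidence`, is an assumption drawn from the page's examples, which always pair them.

```python
"""Compose a `regscale aws sync_compliance` invocation with the option rules this
page documents checked up front. Added example; this is not RegScale's own code."""
import shlex
import subprocess
from typing import Dict, List, Optional, Sequence


def build_sync_command(
    regscale_id: int,
    framework: Optional[str] = None,
    custom_framework_name: Optional[str] = None,
    assessment_id: Optional[str] = None,
    account_id: Optional[str] = None,
    tags: Optional[Dict[str, str]] = None,
    create_issues: Optional[bool] = None,  # None keeps the CLI default
    create_poams: bool = False,
    collect_evidence: bool = False,
    evidence_control_ids: Sequence[str] = (),
    evidence_frequency: Optional[int] = None,
    max_evidence_per_control: Optional[int] = None,
    evidence_as_records: bool = False,
    use_assessment_evidence_folders: bool = False,
    force_refresh: bool = False,
    region: Optional[str] = None,
    profile: Optional[str] = None,
) -> List[str]:
    """Return the argv list, or raise ValueError for combinations the docs rule out."""
    if framework == "Custom" and not custom_framework_name:
        raise ValueError("--framework Custom requires --custom-framework-name")
    if custom_framework_name and framework != "Custom":
        raise ValueError("--custom-framework-name is only used with --framework Custom")
    if account_id is not None and not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError("an AWS account ID is exactly 12 digits")
    if evidence_frequency is not None and evidence_frequency <= 0:
        raise ValueError("--evidence-frequency is a positive number of days")
    # Assumption: the evidence sub-options depend on --collect-evidence, as in
    # every example on the page that uses them.
    evidence_opts = (evidence_control_ids, evidence_frequency, max_evidence_per_control,
                     evidence_as_records, use_assessment_evidence_folders)
    if any(evidence_opts) and not collect_evidence:
        raise ValueError("evidence options require --collect-evidence")
    if create_poams and create_issues is False:
        raise ValueError("--create-poams marks issues as POAMs; it cannot be combined with --no-create-issues")

    argv = ["regscale", "aws", "sync_compliance", "--regscale_id", str(regscale_id)]
    if framework:
        argv += ["--framework", framework]
    if custom_framework_name:
        argv += ["--custom-framework-name", custom_framework_name]
    if assessment_id:
        argv += ["--assessment-id", assessment_id]
    if account_id:
        argv += ["--account-id", account_id]
    if tags:
        # Key=Value pairs joined by commas, matching the page's --tags examples
        argv += ["--tags", ",".join(f"{k}={v}" for k, v in tags.items())]
    if create_issues is True:
        argv.append("--create-issues")
    elif create_issues is False:
        argv.append("--no-create-issues")
    if create_poams:
        argv.append("--create-poams")
    if collect_evidence:
        argv.append("--collect-evidence")
        if evidence_control_ids:
            argv += ["--evidence-control-ids", ",".join(evidence_control_ids)]
        if evidence_frequency is not None:
            argv += ["--evidence-frequency", str(evidence_frequency)]
        if max_evidence_per_control is not None:
            argv += ["--max-evidence-per-control", str(max_evidence_per_control)]
        if evidence_as_records:
            argv.append("--evidence-as-records")
        if use_assessment_evidence_folders:
            argv.append("--use-assessment-evidence-folders")
    if force_refresh:
        argv.append("--force-refresh")
    if region:
        argv += ["--region", region]
    if profile:
        argv += ["--profile", profile]
    return argv


def render(argv: List[str]) -> str:
    """Shell-quoted one-liner, safe for names with spaces such as "USPTO cATO"."""
    return shlex.join(argv)


def run_sync(argv: List[str]) -> int:
    """Execute the command without a shell; returns the CLI's exit code."""
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    cmd = build_sync_command(19, framework="Custom", custom_framework_name="USPTO cATO",
                             collect_evidence=True, use_assessment_evidence_folders=True,
                             create_poams=True, force_refresh=True)
    print(render(cmd))
```

`run_sync` passes the argv list straight to the process rather than through a shell, so a custom framework name containing spaces or shell metacharacters cannot alter the command; `render` exists only to print an equivalent, correctly quoted one-liner for a cron entry or a runbook.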
## Best Practices

### 1. Evidence Collection Strategy
- Daily Monitoring: `--evidence-frequency 7` with key controls
- Monthly Assessments: `--evidence-frequency 30` with comprehensive controls
- Quarterly Audits: `--evidence-frequency 90` with full evidence collection

### 2. POAM Management
- Always use `--create-poams` with `--create-issues` for formal ATO processes
- Review and update POAMs regularly in RegScale
- Link remediation activities to POAMs

### 3. Custom Frameworks
- Ensure the framework name matches exactly in AWS Audit Manager
- Use `--use-assessment-evidence-folders` for organized evidence
- Test with `--force-refresh` initially to verify mapping

### 4. Performance Optimization
- Use `--assessment-id` to target specific assessments
- Filter by tags to reduce scope
- Cache is enabled by default (4 hours) - use `--force-refresh` only when needed
- Limit evidence with `--max-evidence-per-control`

### 5. Automation

Schedule regular syncs:

```bash
# Daily compliance sync (cron example)
0 2 * * * regscale aws sync_compliance --regscale_id 123 --create-issues
```
## Troubleshooting

### No Assessments Found

Cause: No active assessments in AWS Audit Manager or filters too restrictive.

Solution:
- Verify assessments exist in AWS Audit Manager console
- Check that `--tags` filter values match assessment tags
- Try without filters: `regscale aws sync_compliance --regscale_id 123`
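A small diagnostic for the "filters too restrictive" case, as an added example that is not RegScale's code: it parses a `--tags` value in the page's `Key=Value,Key=Value` form and, for each assessment that does not match, reports which key is absent or which value differs. It assumes every pair in the filter must match (AND semantics) and that comparison is case-sensitive, as AWS tag keys and values are; the assessments and their tags are constructed.

```python
"""Explain why a --tags filter returns no assessments. Added example, not
RegScale's code; it assumes the filter is comma-separated Key=Value pairs that
must all match an assessment's tags (AND) and that comparison is case-sensitive,
as AWS tag keys and values are."""
from typing import Dict, List, Tuple

# Constructed assessments, as they might be tagged in AWS Audit Manager.
SAMPLE_ASSESSMENTS = [
    {"name": "prod-fedramp", "tags": {"Environment": "production", "Compliance": "FedRAMP"}},
    {"name": "prod-soc2", "tags": {"Environment": "Production", "Compliance": "SOC2"}},
    {"name": "dev-sandbox", "tags": {"Environment": "development"}},
]


def parse_tag_filter(spec: str) -> Dict[str, str]:
    """Turn 'Environment=production,Compliance=FedRAMP' into a dict."""
    tags: Dict[str, str] = {}
    for pair in spec.split(","):
        pair = pair.strip()
        if not pair:
            continue
        if "=" not in pair:
            raise ValueError(f"tag filter entry {pair!r} is not Key=Value")
        key, value = pair.split("=", 1)
        tags[key.strip()] = value.strip()
    if not tags:
        raise ValueError("empty --tags filter")
    return tags


def tag_mismatches(actual: Dict[str, str], wanted: Dict[str, str]) -> List[str]:
    """Return one line per filter entry the assessment fails; empty means it matches."""
    problems = []
    for key, value in wanted.items():
        if key not in actual:
            problems.append(f"missing tag {key}")
        elif actual[key] != value:
            # A case-only difference is the most common reason a filter silently misses
            hint = " (case differs only)" if actual[key].lower() == value.lower() else ""
            problems.append(f"{key}={actual[key]!r} != {value!r}{hint}")
    return problems


def filter_assessments(assessments: List[dict], spec: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Names of matching assessments, plus the reasons each other one was rejected."""
    wanted = parse_tag_filter(spec)
    matched: List[str] = []
    rejected: Dict[str, List[str]] = {}
    for assessment in assessments:
        problems = tag_mismatches(assessment.get("tags", {}), wanted)
        if problems:
            rejected[assessment["name"]] = problems
        else:
            matched.append(assessment["name"])
    return matched, rejected


if __name__ == "__main__":
    matched, rejected = filter_assessments(SAMPLE_ASSESSMENTS, "Environment=production,Compliance=FedRAMP")
    print("matched:", matched)
    for name, reasons in rejected.items():
        print(f"rejected {name}: {'; '.join(reasons)}")
```

Run against the sample, the filter from the By Tags section matches only `prod-fedramp`; `prod-soc2` is rejected with a case-only hint on `Environment`, which is the kind of mismatch the console view does not make obvious.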
### Evidence Collection Timeout

Cause: Too much evidence or slow network.

Solution:
- Reduce `--evidence-frequency` to collect less data
- Use `--max-evidence-per-control` to limit evidence per control
- Target specific controls with `--evidence-control-ids`

### Custom Framework Not Found

Cause: Framework name doesn't match AWS Audit Manager.

Solution:
- Verify the exact framework name in the AWS Audit Manager console
- Check for typos (case-sensitive)
- Ensure `--framework Custom` is specified

## Related Documentation

- AWS Authentication - Configure AWS credentials
- AWS Integration Overview - Learn about workflows
- AWS Security Hub - Complement with security findings

## Support

For issues or questions, contact RegScale support at [email protected] or visit RegScale Documentation.