7.3.2. Audit Evidence Collection
First Principle: Audits require evidence — not assertions. Automated evidence collection ensures that compliance claims are backed by verifiable data, collected continuously, and available on demand.
AWS Audit Manager:
- Automates evidence collection for compliance frameworks
- Pre-built frameworks: SOC 2, PCI DSS, HIPAA, GDPR, ISO 27001
- Custom frameworks for organizational standards
- Evidence types:
  - Automated: collected from Config, CloudTrail, Security Hub
  - Manual: uploaded by operators (policies, procedures, screenshots)
- Generates assessment reports for auditors with all evidence organized by control
AWS Artifact:
- Portal for downloading AWS compliance reports and agreements
- Access SOC reports, PCI DSS attestation, ISO certifications, HIPAA BAA
- Proves AWS's side of the shared responsibility model
- Use alongside Audit Manager: Artifact for AWS compliance, Audit Manager for your compliance
⚠️ Exam Trap: Audit Manager collects evidence about YOUR environment's compliance. Artifact provides evidence about AWS's compliance. For a question asking "how to demonstrate your S3 encryption compliance to an auditor," the answer is Audit Manager. For "how to prove AWS data center physical security," the answer is Artifact.
Scenario: A SOC 2 audit requires evidence of encryption across all storage services. Audit Manager automatically collects Config evaluation results, KMS key usage from CloudTrail, and Security Hub encryption-related findings into an assessment report. The auditor receives organized evidence without manual collection.
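The scenario above, modelled as an added worked example (not Audit Manager's own code or output): constructed evidence items from Config, CloudTrail, Security Hub and a manual upload are grouped by control, and each control is classified so that controls with no evidence, manual-only evidence, or automated evidence that has gone stale stand out before the auditor sees the report. Control names, the 30-day freshness window and the sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample evidence (not real Audit Manager output). Automated items come from
# Config, CloudTrail or Security Hub; the manual item is an operator-uploaded document.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
EVIDENCE = [
    {"control": "encryption-s3", "source": "Config",
     "detail": "s3-bucket-server-side-encryption-enabled: COMPLIANT", "collected_at": NOW - timedelta(hours=6)},
    {"control": "encryption-s3", "source": "CloudTrail",
     "detail": "kms:GenerateDataKey issued for s3.amazonaws.com", "collected_at": NOW - timedelta(days=1)},
    {"control": "encryption-ebs", "source": "SecurityHub",
     "detail": "EBS default encryption check: PASSED", "collected_at": NOW - timedelta(days=45)},
    {"control": "encryption-policy", "source": "Manual",
     "detail": "data-encryption-standard-v3.pdf uploaded by operator", "collected_at": NOW - timedelta(days=10)},
]
CONTROLS = ["encryption-s3", "encryption-ebs", "encryption-rds", "encryption-policy"]  # assumed control set
AUTOMATED_SOURCES = {"Config", "CloudTrail", "SecurityHub"}
MAX_AGE = timedelta(days=30)  # assumed window: automated evidence older than this counts as stale


def classify(items, now=NOW, max_age=MAX_AGE):
    """Derive a control's status from the evidence attached to it."""
    if not items:
        return "NO_EVIDENCE"      # nothing for the auditor to look at
    automated = [e for e in items if e["source"] in AUTOMATED_SOURCES]
    if not automated:
        return "MANUAL_ONLY"      # rests on uploaded documents that cannot be re-verified on demand
    if all(now - e["collected_at"] > max_age for e in automated):
        return "STALE"            # collection has stopped; the evidence is no longer continuous
    return "AUTOMATED"


def build_report(controls, evidence, now=NOW, max_age=MAX_AGE):
    """Group evidence by control, rejecting records from unknown sources."""
    by_control = defaultdict(list)
    for e in evidence:
        if e["source"] not in AUTOMATED_SOURCES and e["source"] != "Manual":
            raise ValueError(f"unknown evidence source: {e['source']}")
        by_control[e["control"]].append(e)
    return {
        c: {"status": classify(by_control.get(c, []), now, max_age),
            "sources": sorted({e["source"] for e in by_control.get(c, [])}),
            "count": len(by_control.get(c, []))}
        for c in controls
    }


def needs_attention(report):
    """Controls that are not backed by fresh automated evidence."""
    return sorted(c for c, r in report.items() if r["status"] != "AUTOMATED")


if __name__ == "__main__":
    rep = build_report(CONTROLS, EVIDENCE)
    for control, row in rep.items():
        print(f"{control:20} {row['status']:12} {row['count']} item(s) from {', '.join(row['sources']) or '-'}")
    print("needs attention:", needs_attention(rep))
```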
Reflection Question: How does automated evidence collection reduce audit preparation time, and what types of evidence still require manual collection?