AuditManager

Client

class AuditManager.Client

A low-level client representing AWS Audit Manager

Welcome to the Audit Manager API reference. This guide is for developers who need detailed information about the Audit Manager API operations, data types, and errors.

Audit Manager is a service that provides automated evidence collection so that you can continually audit your Amazon Web Services usage. You can use it to assess the effectiveness of your controls, manage risk, and simplify compliance.

Audit Manager provides prebuilt frameworks that structure and automate assessments for a given compliance standard. Frameworks include a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped according to the requirements of the specified compliance standard or regulation. You can also customize frameworks and controls to support internal audits with specific requirements.

Use the following links to get started with the Audit Manager API:

  • Actions: An alphabetical list of all Audit Manager API operations.
  • Data types: An alphabetical list of all Audit Manager data types.
  • Common parameters: Parameters that all Query operations can use.
  • Common errors: Client and server errors that all operations can return.

If you're new to Audit Manager, we recommend that you review the Audit Manager User Guide.

import boto3

client = boto3.client('auditmanager')

These are the available methods:

associate_assessment_report_evidence_folder(**kwargs)

Associates an evidence folder to an assessment report in an Audit Manager assessment.

See also: AWS API Documentation

Request Syntax

response = client.associate_assessment_report_evidence_folder(
    assessmentId='string',
    evidenceFolderId='string'
)

Parameters
  • assessmentId (string) --

    [REQUIRED]

    The identifier for the assessment.

  • evidenceFolderId (string) --

    [REQUIRED]

    The identifier for the folder that the evidence is stored in.

Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ResourceNotFoundException

batch_associate_assessment_report_evidence(**kwargs)

Associates a list of evidence to an assessment report in an Audit Manager assessment.

See also: AWS API Documentation

Request Syntax

response = client.batch_associate_assessment_report_evidence(
    assessmentId='string',
    evidenceFolderId='string',
    evidenceIds=[
        'string',
    ]
)

Parameters
  • assessmentId (string) --

    [REQUIRED]

    The identifier for the assessment.

  • evidenceFolderId (string) --

    [REQUIRED]

    The identifier for the folder that the evidence is stored in.

  • evidenceIds (list) --

    [REQUIRED]

    The list of evidence identifiers.

    • (string) --

Return type

dict

Returns

Response Syntax

{
    'evidenceIds': [
        'string',
    ],
    'errors': [
        {
            'evidenceId': 'string',
            'errorCode': 'string',
            'errorMessage': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • evidenceIds (list) --

      The list of evidence identifiers.

      • (string) --
    • errors (list) --

      A list of errors that the BatchAssociateAssessmentReportEvidence API returned.

      • (dict) --

        An error entity for the AssessmentReportEvidence API. This is used to provide more meaningful errors than a simple string message.

        • evidenceId (string) --

          The identifier for the evidence.

        • errorCode (string) --

          The error code that the AssessmentReportEvidence API returned.

        • errorMessage (string) --

          The error message that the AssessmentReportEvidence API returned.

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ResourceNotFoundException
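
The response carries per-item failures in `errors`, separately from the exceptions listed above, so a caller that only catches exceptions can miss evidence that never reached the report. The following added example (not part of the AWS documentation) reconciles every submitted ID against the response. Assumptions: the `batch_size` default, the reading that an ID echoed in `evidenceIds` was associated, the stub client, and all IDs and error values, which are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class BatchOutcome:
    associated: list = field(default_factory=list)   # echoed back in 'evidenceIds'
    failed: dict = field(default_factory=dict)       # evidenceId -> (errorCode, errorMessage)
    unconfirmed: list = field(default_factory=list)  # sent, but in neither response list


def associate_evidence(client, assessment_id, folder_id, evidence_ids, batch_size=50):
    """Associate evidence in batches and account for every submitted ID.

    batch_size is an assumption of this example, not a limit stated on the page.
    """
    if batch_size < 1:
        raise ValueError("batch_size must be >= 1")
    pending = list(dict.fromkeys(evidence_ids))  # drop duplicates, keep order
    outcome = BatchOutcome()
    for start in range(0, len(pending), batch_size):
        batch = pending[start:start + batch_size]
        response = client.batch_associate_assessment_report_evidence(
            assessmentId=assessment_id,
            evidenceFolderId=folder_id,
            evidenceIds=batch,
        )
        errors = {
            item["evidenceId"]: (item.get("errorCode"), item.get("errorMessage"))
            for item in response.get("errors", [])
        }
        echoed = set(response.get("evidenceIds", []))
        for evidence_id in batch:
            if evidence_id in errors:
                outcome.failed[evidence_id] = errors[evidence_id]
            elif evidence_id in echoed:
                outcome.associated.append(evidence_id)
            else:
                # Neither confirmed nor rejected: flag it instead of assuming success.
                outcome.unconfirmed.append(evidence_id)
    return outcome


class StubClient:
    """Constructed stand-in for boto3.client('auditmanager'); makes no network calls."""

    def __init__(self, rejected):
        self.rejected = rejected  # evidenceId -> (errorCode, errorMessage)
        self.calls = []

    def batch_associate_assessment_report_evidence(self, assessmentId, evidenceFolderId, evidenceIds):
        self.calls.append(list(evidenceIds))
        return {
            # IDs starting with "drop-" are silently omitted to exercise the unconfirmed path.
            "evidenceIds": [i for i in evidenceIds
                            if i not in self.rejected and not i.startswith("drop-")],
            "errors": [
                {"evidenceId": i, "errorCode": self.rejected[i][0], "errorMessage": self.rejected[i][1]}
                for i in evidenceIds if i in self.rejected
            ],
        }


def demo():
    # Constructed sample data: placeholder identifiers and a made-up error code.
    stub = StubClient(rejected={"ev-3": ("CONSTRUCTED_NOT_FOUND", "constructed: evidence not found")})
    ids = ["ev-1", "ev-2", "ev-3", "ev-2", "drop-4", "ev-5"]
    outcome = associate_evidence(stub, "assessment-placeholder", "folder-placeholder", ids, batch_size=2)
    return stub.calls, outcome


if __name__ == "__main__":
    calls, outcome = demo()
    print("batches sent:", calls)
    print("associated:", outcome.associated)
    print("failed:", outcome.failed)
    print("unconfirmed:", outcome.unconfirmed)
```

With a real client, pass `boto3.client('auditmanager')` in place of the stub and treat any non-empty `failed` or `unconfirmed` as a gap in the assessment report.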
batch_create_delegation_by_assessment(**kwargs)

Creates a batch of delegations for an assessment in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.batch_create_delegation_by_assessment(
    createDelegationRequests=[
        {
            'comment': 'string',
            'controlSetId': 'string',
            'roleArn': 'string',
            'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER'
        },
    ],
    assessmentId='string'
)

Parameters
  • createDelegationRequests (list) --

    [REQUIRED]

    The API request to batch create delegations in Audit Manager.

    • (dict) --

      A collection of attributes that's used to create a delegation for an assessment in Audit Manager.

      • comment (string) --

        A comment that's related to the delegation request.

      • controlSetId (string) --

        The unique identifier for the control set.

      • roleArn (string) --

        The Amazon Resource Name (ARN) of the IAM role.

      • roleType (string) --

        The type of customer persona.

        Note

        In CreateAssessment, roleType can only be PROCESS_OWNER.

        In UpdateSettings, roleType can only be PROCESS_OWNER.

        In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

  • assessmentId (string) --

    [REQUIRED]

    The identifier for the assessment.

Return type

dict

Returns

Response Syntax

{
    'delegations': [
        {
            'id': 'string',
            'assessmentName': 'string',
            'assessmentId': 'string',
            'status': 'IN_PROGRESS'|'UNDER_REVIEW'|'COMPLETE',
            'roleArn': 'string',
            'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
            'creationTime': datetime(2015, 1, 1),
            'lastUpdated': datetime(2015, 1, 1),
            'controlSetId': 'string',
            'comment': 'string',
            'createdBy': 'string'
        },
    ],
    'errors': [
        {
            'createDelegationRequest': {
                'comment': 'string',
                'controlSetId': 'string',
                'roleArn': 'string',
                'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER'
            },
            'errorCode': 'string',
            'errorMessage': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • delegations (list) --

      The delegations that are associated with the assessment.

      • (dict) --

        The assignment of a control set to a delegate for review.

        • id (string) --

          The unique identifier for the delegation.

        • assessmentName (string) --

          The name of the assessment that's associated with the delegation.

        • assessmentId (string) --

          The identifier for the assessment that's associated with the delegation.

        • status (string) --

          The status of the delegation.

        • roleArn (string) --

          The Amazon Resource Name (ARN) of the IAM role.

        • roleType (string) --

          The type of customer persona.

          Note

          In CreateAssessment, roleType can only be PROCESS_OWNER.

          In UpdateSettings, roleType can only be PROCESS_OWNER.

          In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

        • creationTime (datetime) --

          Specifies when the delegation was created.

        • lastUpdated (datetime) --

          Specifies when the delegation was last updated.

        • controlSetId (string) --

          The identifier for the control set that's associated with the delegation.

        • comment (string) --

          The comment that's related to the delegation.

        • createdBy (string) --

          The IAM user or role that created the delegation.

    • errors (list) --

      A list of errors that the BatchCreateDelegationByAssessment API returned.

      • (dict) --

        An error entity for the BatchCreateDelegationByAssessment API. This is used to provide more meaningful errors than a simple string message.

        • createDelegationRequest (dict) --

          The API request to batch create delegations in Audit Manager.

          • comment (string) --

            A comment that's related to the delegation request.

          • controlSetId (string) --

            The unique identifier for the control set.

          • roleArn (string) --

            The Amazon Resource Name (ARN) of the IAM role.

          • roleType (string) --

            The type of customer persona.

            Note

            In CreateAssessment, roleType can only be PROCESS_OWNER.

            In UpdateSettings, roleType can only be PROCESS_OWNER.

            In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

        • errorCode (string) --

          The error code that the BatchCreateDelegationByAssessment API returned.

        • errorMessage (string) --

          The error message that the BatchCreateDelegationByAssessment API returned.

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.InternalServerException
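
The Note on roleType above fixes one permitted value per operation, and each delegation hands review of a control set to an IAM role, so it is worth checking both before the request is sent. The following added example (not part of the AWS documentation) validates role entries against that Note and against a caller-supplied set of trusted account IDs. Assumptions: the trusted-account policy, the ARN pattern, and all sample ARNs and identifiers, which are constructed.

```python
import re

# Permitted roleType per operation, taken from the Note in this reference.
ROLE_TYPE_BY_OPERATION = {
    "CreateAssessment": "PROCESS_OWNER",
    "UpdateSettings": "PROCESS_OWNER",
    "BatchCreateDelegationByAssessment": "RESOURCE_OWNER",
}

# Assumed shape of an IAM role ARN; captures the 12-digit account ID.
ROLE_ARN_PATTERN = re.compile(r"arn:aws[a-z-]*:iam::(\d{12}):role/[\w+=,.@/-]+")


def check_roles(operation, roles, trusted_accounts):
    """Return a list of problems found in `roles`; an empty list means they pass."""
    required = ROLE_TYPE_BY_OPERATION[operation]
    problems = []
    for index, role in enumerate(roles):
        role_type = role.get("roleType")
        if role_type != required:
            problems.append(
                f"[{index}] roleType {role_type!r} is not valid for {operation}; use {required!r}"
            )
        match = ROLE_ARN_PATTERN.fullmatch(str(role.get("roleArn") or ""))
        if match is None:
            problems.append(f"[{index}] roleArn is not an IAM role ARN")
        elif match.group(1) not in trusted_accounts:
            # Hypothetical local policy: only delegate to roles in known accounts.
            problems.append(f"[{index}] role belongs to untrusted account {match.group(1)}")
    return problems


def create_delegations(client, assessment_id, requests, trusted_accounts):
    """Validate first, then call batch_create_delegation_by_assessment."""
    problems = check_roles("BatchCreateDelegationByAssessment", requests, trusted_accounts)
    if problems:
        raise ValueError("; ".join(problems))
    return client.batch_create_delegation_by_assessment(
        createDelegationRequests=requests,
        assessmentId=assessment_id,
    )


def demo():
    # Constructed sample requests; account IDs and role names are placeholders.
    good = {
        "comment": "Quarterly review",
        "controlSetId": "control-set-placeholder",
        "roleArn": "arn:aws:iam::111122223333:role/AuditReviewer",
        "roleType": "RESOURCE_OWNER",
    }
    wrong_type = dict(good, roleType="PROCESS_OWNER")
    foreign = dict(good, roleArn="arn:aws:iam::444455556666:role/AuditReviewer")
    not_a_role = dict(good, roleArn="arn:aws:iam::111122223333:user/alice")
    return check_roles(
        "BatchCreateDelegationByAssessment",
        [good, wrong_type, foreign, not_a_role],
        trusted_accounts={"111122223333"},
    )


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

The same `check_roles` call with `"CreateAssessment"` covers the `roles` list passed to `create_assessment`.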
batch_delete_delegation_by_assessment(**kwargs)

Deletes a batch of delegations for an assessment in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.batch_delete_delegation_by_assessment(
    delegationIds=[
        'string',
    ],
    assessmentId='string'
)

Parameters
  • delegationIds (list) --

    [REQUIRED]

    The identifiers for the delegations.

    • (string) --
  • assessmentId (string) --

    [REQUIRED]

    The identifier for the assessment.

Return type

dict

Returns

Response Syntax

{
    'errors': [
        {
            'delegationId': 'string',
            'errorCode': 'string',
            'errorMessage': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • errors (list) --

      A list of errors that the BatchDeleteDelegationByAssessment API returned.

      • (dict) --

        An error entity for the BatchDeleteDelegationByAssessment API. This is used to provide more meaningful errors than a simple string message.

        • delegationId (string) --

          The identifier for the delegation.

        • errorCode (string) --

          The error code that the BatchDeleteDelegationByAssessment API returned.

        • errorMessage (string) --

          The error message that the BatchDeleteDelegationByAssessment API returned.

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.InternalServerException

batch_disassociate_assessment_report_evidence(**kwargs)

Disassociates a list of evidence from an assessment report in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.batch_disassociate_assessment_report_evidence(
    assessmentId='string',
    evidenceFolderId='string',
    evidenceIds=[
        'string',
    ]
)

Parameters
  • assessmentId (string) --

    [REQUIRED]

    The identifier for the assessment.

  • evidenceFolderId (string) --

    [REQUIRED]

    The identifier for the folder that the evidence is stored in.

  • evidenceIds (list) --

    [REQUIRED]

    The list of evidence identifiers.

    • (string) --

Return type

dict

Returns

Response Syntax

{
    'evidenceIds': [
        'string',
    ],
    'errors': [
        {
            'evidenceId': 'string',
            'errorCode': 'string',
            'errorMessage': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • evidenceIds (list) --

      The identifier for the evidence.

      • (string) --
    • errors (list) --

      A list of errors that the BatchDisassociateAssessmentReportEvidence API returned.

      • (dict) --

        An error entity for the AssessmentReportEvidence API. This is used to provide more meaningful errors than a simple string message.

        • evidenceId (string) --

          The identifier for the evidence.

        • errorCode (string) --

          The error code that the AssessmentReportEvidence API returned.

        • errorMessage (string) --

          The error message that the AssessmentReportEvidence API returned.

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ResourceNotFoundException

batch_import_evidence_to_assessment_control(**kwargs)

Uploads one or more pieces of evidence to a control in an Audit Manager assessment.

See also: AWS API Documentation

Request Syntax

response = client.batch_import_evidence_to_assessment_control(
    assessmentId='string',
    controlSetId='string',
    controlId='string',
    manualEvidence=[
        {
            's3ResourcePath': 'string'
        },
    ]
)

Parameters
  • assessmentId (string) --

    [REQUIRED]

    The identifier for the assessment.

  • controlSetId (string) --

    [REQUIRED]

    The identifier for the control set.

  • controlId (string) --

    [REQUIRED]

    The identifier for the control.

  • manualEvidence (list) --

    [REQUIRED]

    The list of manual evidence objects.

    • (dict) --

      Evidence that's uploaded to Audit Manager manually.

      • s3ResourcePath (string) --

        The Amazon S3 URL that points to a manual evidence object.

Return type

dict

Returns

Response Syntax

{
    'errors': [
        {
            'manualEvidence': {
                's3ResourcePath': 'string'
            },
            'errorCode': 'string',
            'errorMessage': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • errors (list) --

      A list of errors that the BatchImportEvidenceToAssessmentControl API returned.

      • (dict) --

        An error entity for the BatchImportEvidenceToAssessmentControl API. This is used to provide more meaningful errors than a simple string message.

        • manualEvidence (dict) --

          Manual evidence that can't be collected automatically by Audit Manager.

          • s3ResourcePath (string) --

            The Amazon S3 URL that points to a manual evidence object.

        • errorCode (string) --

          The error code that the BatchImportEvidenceToAssessmentControl API returned.

        • errorMessage (string) --

          The error message that the BatchImportEvidenceToAssessmentControl API returned.

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.InternalServerException

can_paginate(operation_name)

Check if an operation can be paginated.

Parameters

  • operation_name (string) -- The operation name. This is the same name as the method name on the client. For example, if the method name is create_foo and you'd normally invoke the operation as client.create_foo(**kwargs), then, if the create_foo operation can be paginated, you can call client.get_paginator("create_foo").

Returns

True if the operation can be paginated, False otherwise.

close()

Closes underlying endpoint connections.

create_assessment(**kwargs)

Creates an assessment in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.create_assessment(
    name='string',
    description='string',
    assessmentReportsDestination={
        'destinationType': 'S3',
        'destination': 'string'
    },
    scope={
        'awsAccounts': [
            {
                'id': 'string',
                'emailAddress': 'string',
                'name': 'string'
            },
        ],
        'awsServices': [
            {
                'serviceName': 'string'
            },
        ]
    },
    roles=[
        {
            'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
            'roleArn': 'string'
        },
    ],
    frameworkId='string',
    tags={
        'string': 'string'
    }
)

Parameters
  • name (string) --

    [REQUIRED]

    The name of the assessment to be created.

  • description (string) -- The optional description of the assessment to be created.
  • assessmentReportsDestination (dict) --

    [REQUIRED]

    The assessment report storage destination for the assessment that's being created.

    • destinationType (string) --

      The destination type, such as Amazon S3.

    • destination (string) --

      The destination of the assessment report.

  • scope (dict) --

    [REQUIRED]

    The wrapper that contains the Amazon Web Services accounts and services that are in scope for the assessment.

    • awsAccounts (list) --

      The Amazon Web Services accounts that are included in the scope of the assessment.

      • (dict) --

        The wrapper of Amazon Web Services account details, such as account ID or email address.

        • id (string) --

          The identifier for the Amazon Web Services account.

        • emailAddress (string) --

          The email address that's associated with the Amazon Web Services account.

        • name (string) --

          The name of the Amazon Web Services account.

    • awsServices (list) --

      The Amazon Web Services services that are included in the scope of the assessment.

      • (dict) --

        An Amazon Web Service such as Amazon S3 or CloudTrail.

        • serviceName (string) --

          The name of the Amazon Web Service.

  • roles (list) --

    [REQUIRED]

    The list of roles for the assessment.

    • (dict) --

      The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).

      • roleType (string) -- [REQUIRED]

        The type of customer persona.

        Note

        In CreateAssessment, roleType can only be PROCESS_OWNER.

        In UpdateSettings, roleType can only be PROCESS_OWNER.

        In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

      • roleArn (string) -- [REQUIRED]

        The Amazon Resource Name (ARN) of the IAM role.

  • frameworkId (string) --

    [REQUIRED]

    The identifier for the framework that the assessment will be created from.

  • tags (dict) --

    The tags that are associated with the assessment.

    • (string) --
      • (string) --

Return type

dict

Returns

Response Syntax

{
    'assessment': {
        'arn': 'string',
        'awsAccount': {
            'id': 'string',
            'emailAddress': 'string',
            'name': 'string'
        },
        'metadata': {
            'name': 'string',
            'id': 'string',
            'description': 'string',
            'complianceType': 'string',
            'status': 'ACTIVE'|'INACTIVE',
            'assessmentReportsDestination': {
                'destinationType': 'S3',
                'destination': 'string'
            },
            'scope': {
                'awsAccounts': [
                    {
                        'id': 'string',
                        'emailAddress': 'string',
                        'name': 'string'
                    },
                ],
                'awsServices': [
                    {
                        'serviceName': 'string'
                    },
                ]
            },
            'roles': [
                {
                    'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                    'roleArn': 'string'
                },
            ],
            'delegations': [
                {
                    'id': 'string',
                    'assessmentName': 'string',
                    'assessmentId': 'string',
                    'status': 'IN_PROGRESS'|'UNDER_REVIEW'|'COMPLETE',
                    'roleArn': 'string',
                    'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                    'creationTime': datetime(2015, 1, 1),
                    'lastUpdated': datetime(2015, 1, 1),
                    'controlSetId': 'string',
                    'comment': 'string',
                    'createdBy': 'string'
                },
            ],
            'creationTime': datetime(2015, 1, 1),
            'lastUpdated': datetime(2015, 1, 1)
        },
        'framework': {
            'id': 'string',
            'arn': 'string',
            'metadata': {
                'name': 'string',
                'description': 'string',
                'logo': 'string',
                'complianceType': 'string'
            },
            'controlSets': [
                {
                    'id': 'string',
                    'description': 'string',
                    'status': 'ACTIVE'|'UNDER_REVIEW'|'REVIEWED',
                    'roles': [
                        {
                            'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                            'roleArn': 'string'
                        },
                    ],
                    'controls': [
                        {
                            'id': 'string',
                            'name': 'string',
                            'description': 'string',
                            'status': 'UNDER_REVIEW'|'REVIEWED'|'INACTIVE',
                            'response': 'MANUAL'|'AUTOMATE'|'DEFER'|'IGNORE',
                            'comments': [
                                {
                                    'authorName': 'string',
                                    'commentBody': 'string',
                                    'postedDate': datetime(2015, 1, 1)
                                },
                            ],
                            'evidenceSources': [
                                'string',
                            ],
                            'evidenceCount': 123,
                            'assessmentReportEvidenceCount': 123
                        },
                    ],
                    'delegations': [
                        {
                            'id': 'string',
                            'assessmentName': 'string',
                            'assessmentId': 'string',
                            'status': 'IN_PROGRESS'|'UNDER_REVIEW'|'COMPLETE',
                            'roleArn': 'string',
                            'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                            'creationTime': datetime(2015, 1, 1),
                            'lastUpdated': datetime(2015, 1, 1),
                            'controlSetId': 'string',
                            'comment': 'string',
                            'createdBy': 'string'
                        },
                    ],
                    'systemEvidenceCount': 123,
                    'manualEvidenceCount': 123
                },
            ]
        },
        'tags': {
            'string': 'string'
        }
    }
}

Response Structure

  • (dict) --

    • assessment (dict) --

      An entity that defines the scope of audit evidence collected by Audit Manager. An Audit Manager assessment is an implementation of an Audit Manager framework.

      • arn (string) --

        The Amazon Resource Name (ARN) of the assessment.

      • awsAccount (dict) --

        The Amazon Web Services account that's associated with the assessment.

        • id (string) --

          The identifier for the Amazon Web Services account.

        • emailAddress (string) --

          The email address that's associated with the Amazon Web Services account.

        • name (string) --

          The name of the Amazon Web Services account.

      • metadata (dict) --

        The metadata for the assessment.

        • name (string) --

          The name of the assessment.

        • id (string) --

          The unique identifier for the assessment.

        • description (string) --

          The description of the assessment.

        • complianceType (string) --

          The name of the compliance standard that's related to the assessment, such as PCI-DSS.

        • status (string) --

          The overall status of the assessment.

        • assessmentReportsDestination (dict) --

          The destination that evidence reports are stored in for the assessment.

          • destinationType (string) --

            The destination type, such as Amazon S3.

          • destination (string) --

            The destination of the assessment report.

        • scope (dict) --

          The wrapper of Amazon Web Services accounts and services that are in scope for the assessment.

          • awsAccounts (list) --

            The Amazon Web Services accounts that are included in the scope of the assessment.

            • (dict) --

              The wrapper of Amazon Web Services account details, such as account ID or email address.

              • id (string) --

                The identifier for the Amazon Web Services account.

              • emailAddress (string) --

                The email address that's associated with the Amazon Web Services account.

              • name (string) --

                The name of the Amazon Web Services account.

          • awsServices (list) --

            The Amazon Web Services services that are included in the scope of the assessment.

            • (dict) --

              An Amazon Web Service such as Amazon S3 or CloudTrail.

              • serviceName (string) --

                The name of the Amazon Web Service.

        • roles (list) --

          The roles that are associated with the assessment.

          • (dict) --

            The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).

            • roleType (string) --

              The type of customer persona.

              Note

              In CreateAssessment, roleType can only be PROCESS_OWNER.

              In UpdateSettings, roleType can only be PROCESS_OWNER.

              In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

            • roleArn (string) --

              The Amazon Resource Name (ARN) of the IAM role.

        • delegations (list) --

          The delegations that are associated with the assessment.

          • (dict) --

            The assignment of a control set to a delegate for review.

            • id (string) --

              The unique identifier for the delegation.

            • assessmentName (string) --

              The name of the assessment that's associated with the delegation.

            • assessmentId (string) --

              The identifier for the assessment that's associated with the delegation.

            • status (string) --

              The status of the delegation.

            • roleArn (string) --

              The Amazon Resource Name (ARN) of the IAM role.

            • roleType (string) --

              The type of customer persona.

              Note

              In CreateAssessment, roleType can only be PROCESS_OWNER.

              In UpdateSettings, roleType can only be PROCESS_OWNER.

              In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

            • creationTime (datetime) --

              Specifies when the delegation was created.

            • lastUpdated (datetime) --

              Specifies when the delegation was last updated.

            • controlSetId (string) --

              The identifier for the control set that's associated with the delegation.

            • comment (string) --

              The comment that's related to the delegation.

            • createdBy (string) --

              The IAM user or role that created the delegation.

        • creationTime (datetime) --

          Specifies when the assessment was created.

        • lastUpdated (datetime) --

          The time of the most recent update.

      • framework (dict) --

        The framework that the assessment was created from.

        • id (string) --

          The unique identifier for the framework.

        • arn (string) --

          The Amazon Resource Name (ARN) of the framework.

        • metadata (dict) --

          The metadata of a framework, such as the name, ID, or description.

          • name (string) --

            The name of the framework.

          • description (string) --

            The description of the framework.

          • logo (string) --

            The logo that's associated with the framework.

          • complianceType (string) --

            The compliance standard that's associated with the framework. For example, this could be PCI DSS or HIPAA.

        • controlSets (list) --

          The control sets that are associated with the framework.

          • (dict) --

            Represents a set of controls in an Audit Manager assessment.

            • id (string) --

              The identifier of the control set in the assessment. This is the control set name in a plain string format.

            • description (string) --

              The description for the control set.

            • status (string) --

              Specifies the current status of the control set.

            • roles (list) --

              The roles that are associated with the control set.

              • (dict) --

                The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).

                • roleType (string) --

                  The type of customer persona.

                  Note

                  In CreateAssessment, roleType can only be PROCESS_OWNER.

                  In UpdateSettings, roleType can only be PROCESS_OWNER.

                  In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

                • roleArn (string) --

                  The Amazon Resource Name (ARN) of the IAM role.

            • controls (list) --

              The list of controls that's contained within the control set.

              • (dict) --

                The control entity that represents a standard control or a custom control in an Audit Manager assessment.

                • id (string) --

                  The identifier for the control.

                • name (string) --

                  The name of the control.

                • description (string) --

                  The description of the control.

                • status (string) --

                  The status of the control.

                • response (string) --

                  The response of the control.

                • comments (list) --

                  The list of comments that's attached to the control.

                  • (dict) --

                    A comment that's posted by a user on a control. This includes the author's name, the comment text, and a timestamp.

                    • authorName (string) --

                      The name of the user who authored the comment.

                    • commentBody (string) --

                      The body text of a control comment.

                    • postedDate (datetime) --

                      The time when the comment was posted.

                • evidenceSources (list) --

                  The list of data sources for the evidence.

                  • (string) --
                • evidenceCount (integer) --

                  The amount of evidence that's generated for the control.

                • assessmentReportEvidenceCount (integer) --

                  The amount of evidence in the assessment report.

            • delegations (list) --

              The delegations that are associated with the control set.

              • (dict) --

                The assignment of a control set to a delegate for review.

                • id (string) --

                  The unique identifier for the delegation.

                • assessmentName (string) --

                  The name of the assessment that's associated with the delegation.

                • assessmentId (string) --

                  The identifier for the assessment that's associated with the delegation.

                • status (string) --

                  The status of the delegation.

                • roleArn (string) --

                  The Amazon Resource Name (ARN) of the IAM role.

                • roleType (string) --

                  The type of customer persona.

                  Note

                  In CreateAssessment, roleType can only be PROCESS_OWNER.

                  In UpdateSettings, roleType can only be PROCESS_OWNER.

                  In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

                • creationTime (datetime) --

                  Specifies when the delegation was created.

                • lastUpdated (datetime) --

                  Specifies when the delegation was last updated.

                • controlSetId (string) --

                  The identifier for the control set that's associated with the delegation.

                • comment (string) --

                  The comment that's related to the delegation.

                • createdBy (string) --

                  The IAM user or role that created the delegation.

            • systemEvidenceCount (integer) --

              The total number of evidence objects that are retrieved automatically for the control set.

            • manualEvidenceCount (integer) --

              The total number of evidence objects that are uploaded manually to the control set.

      • tags (dict) --

        The tags that are associated with the assessment.

        • (string) --
          • (string) --

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ServiceQuotaExceededException
create_assessment_framework(**kwargs)

Creates a custom framework in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.create_assessment_framework(
    name='string',
    description='string',
    complianceType='string',
    controlSets=[
        {
            'name': 'string',
            'controls': [
                {
                    'id': 'string'
                },
            ]
        },
    ],
    tags={
        'string': 'string'
    }
)
Parameters
  • name (string) --

    [REQUIRED]

    The name of the new custom framework.

  • description (string) -- An optional description for the new custom framework.
  • complianceType (string) -- The compliance type that the new custom framework supports, such as CIS or HIPAA.
  • controlSets (list) --

    [REQUIRED]

    The control sets that are associated with the framework.

    • (dict) --

      A controlSet entity that represents a collection of controls in Audit Manager. This doesn't contain the control set ID.

      • name (string) -- [REQUIRED]

        The name of the control set.

      • controls (list) --

        The list of controls within the control set. This doesn't contain the control set ID.

        • (dict) --

          The control entity attributes that uniquely identify an existing control to be added to a framework in Audit Manager.

          • id (string) -- [REQUIRED]

            The unique identifier of the control.

  • tags (dict) --

    The tags that are associated with the framework.

    • (string) --
      • (string) --
Return type

dict

Returns

Response Syntax

{
    'framework': {
        'arn': 'string',
        'id': 'string',
        'name': 'string',
        'type': 'Standard'|'Custom',
        'complianceType': 'string',
        'description': 'string',
        'logo': 'string',
        'controlSources': 'string',
        'controlSets': [
            {
                'id': 'string',
                'name': 'string',
                'controls': [
                    {
                        'arn': 'string',
                        'id': 'string',
                        'type': 'Standard'|'Custom',
                        'name': 'string',
                        'description': 'string',
                        'testingInformation': 'string',
                        'actionPlanTitle': 'string',
                        'actionPlanInstructions': 'string',
                        'controlSources': 'string',
                        'controlMappingSources': [
                            {
                                'sourceId': 'string',
                                'sourceName': 'string',
                                'sourceDescription': 'string',
                                'sourceSetUpOption': 'System_Controls_Mapping'|'Procedural_Controls_Mapping',
                                'sourceType': 'AWS_Cloudtrail'|'AWS_Config'|'AWS_Security_Hub'|'AWS_API_Call'|'MANUAL',
                                'sourceKeyword': {
                                    'keywordInputType': 'SELECT_FROM_LIST',
                                    'keywordValue': 'string'
                                },
                                'sourceFrequency': 'DAILY'|'WEEKLY'|'MONTHLY',
                                'troubleshootingText': 'string'
                            },
                        ],
                        'createdAt': datetime(2015, 1, 1),
                        'lastUpdatedAt': datetime(2015, 1, 1),
                        'createdBy': 'string',
                        'lastUpdatedBy': 'string',
                        'tags': {
                            'string': 'string'
                        }
                    },
                ]
            },
        ],
        'createdAt': datetime(2015, 1, 1),
        'lastUpdatedAt': datetime(2015, 1, 1),
        'createdBy': 'string',
        'lastUpdatedBy': 'string',
        'tags': {
            'string': 'string'
        }
    }
}

Response Structure

  • (dict) --

    • framework (dict) --

      The name of the new framework that the CreateAssessmentFramework API returned.

      • arn (string) --

        The Amazon Resource Name (ARN) of the framework.

      • id (string) --

        The unique identifier for the framework.

      • name (string) --

        The name of the framework.

      • type (string) --

        The framework type, such as a custom framework or a standard framework.

      • complianceType (string) --

        The compliance type that the new custom framework supports, such as CIS or HIPAA.

      • description (string) --

        The description of the framework.

      • logo (string) --

        The logo that's associated with the framework.

      • controlSources (string) --

        The sources that Audit Manager collects evidence from for the control.

      • controlSets (list) --

        The control sets that are associated with the framework.

        • (dict) --

          A set of controls in Audit Manager.

          • id (string) --

            The identifier of the control set in the assessment. This is the control set name in a plain string format.

          • name (string) --

            The name of the control set.

          • controls (list) --

            The list of controls within the control set.

            • (dict) --

              A control in Audit Manager.

              • arn (string) --

                The Amazon Resource Name (ARN) of the control.

              • id (string) --

                The unique identifier for the control.

              • type (string) --

                The type of control, such as a custom control or a standard control.

              • name (string) --

                The name of the control.

              • description (string) --

                The description of the control.

              • testingInformation (string) --

                The steps that you should follow to determine if the control has been satisfied.

              • actionPlanTitle (string) --

                The title of the action plan for remediating the control.

              • actionPlanInstructions (string) --

                The recommended actions to carry out if the control isn't fulfilled.

              • controlSources (string) --

                The data source that determines where Audit Manager collects evidence from for the control.

              • controlMappingSources (list) --

                The data mapping sources for the control.

                • (dict) --

                  The data source that determines where Audit Manager collects evidence from for the control.

                  • sourceId (string) --

                    The unique identifier for the source.

                  • sourceName (string) --

                    The name of the source.

                  • sourceDescription (string) --

                    The description of the source.

                  • sourceSetUpOption (string) --

                    The setup option for the data source. This option reflects if the evidence collection is automated or manual.

                  • sourceType (string) --

                    Specifies one of the five types of data sources for evidence collection.

                  • sourceKeyword (dict) --

                    The keyword to search for in CloudTrail logs, Config rules, Security Hub checks, and Amazon Web Services API names.

                    To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide :

                    • keywordInputType (string) --

                      The input method for the keyword.

                    • keywordValue (string) --

                      The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.

                      If you’re mapping a data source to a rule in Config, the keywordValue that you specify depends on the type of rule:

                      • For managed rules, you can use the rule identifier as the keywordValue. You can find the rule identifier from the list of Config managed rules.
                      • For custom rules, you form the keywordValue by adding the Custom_ prefix to the rule name. This prefix distinguishes the rule from a managed rule.
                        • Custom rule name: my-custom-config-rule; keywordValue: Custom_my-custom-config-rule
                      • For service-linked rules, you form the keywordValue by adding the Custom_ prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name.
                        • Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w; keywordValue: Custom_CustomRuleForAccount-conformance-pack
                        • Service-linked rule name: securityhub-api-gw-cache-encrypted-101104e1; keywordValue: Custom_securityhub-api-gw-cache-encrypted
                        • Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba; keywordValue: Custom_OrgConfigRule-s3-bucket-versioning-enabled
                  • sourceFrequency (string) --

                    The frequency of evidence collection for the control mapping source.

                  • troubleshootingText (string) --

                    The instructions for troubleshooting the control.

              • createdAt (datetime) --

                Specifies when the control was created.

              • lastUpdatedAt (datetime) --

                Specifies when the control was most recently updated.

              • createdBy (string) --

                The IAM user or role that created the control.

              • lastUpdatedBy (string) --

                The IAM user or role that most recently updated the control.

              • tags (dict) --

                The tags associated with the control.

                • (string) --
                  • (string) --
      • createdAt (datetime) --

        Specifies when the framework was created.

      • lastUpdatedAt (datetime) --

        Specifies when the framework was most recently updated.

      • createdBy (string) --

        The IAM user or role that created the framework.

      • lastUpdatedBy (string) --

        The IAM user or role that most recently updated the framework.

      • tags (dict) --

        The tags that are associated with the framework.

        • (string) --
          • (string) --

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ServiceQuotaExceededException
create_assessment_report(**kwargs)

Creates an assessment report for the specified assessment.

See also: AWS API Documentation

Request Syntax

response = client.create_assessment_report(
    name='string',
    description='string',
    assessmentId='string'
)
Parameters
  • name (string) --

    [REQUIRED]

    The name of the new assessment report.

  • description (string) -- The description of the assessment report.
  • assessmentId (string) --

    [REQUIRED]

    The identifier for the assessment.

Return type

dict

Returns

Response Syntax

{
    'assessmentReport': {
        'id': 'string',
        'name': 'string',
        'description': 'string',
        'awsAccountId': 'string',
        'assessmentId': 'string',
        'assessmentName': 'string',
        'author': 'string',
        'status': 'COMPLETE'|'IN_PROGRESS'|'FAILED',
        'creationTime': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • assessmentReport (dict) --

      The new assessment report that the CreateAssessmentReport API returned.

      • id (string) --

        The unique identifier for the assessment report.

      • name (string) --

        The name that's given to the assessment report.

      • description (string) --

        The description of the specified assessment report.

      • awsAccountId (string) --

        The identifier for the specified Amazon Web Services account.

      • assessmentId (string) --

        The identifier for the specified assessment.

      • assessmentName (string) --

        The name of the associated assessment.

      • author (string) --

        The name of the user who created the assessment report.

      • status (string) --

        The current status of the specified assessment report.

      • creationTime (datetime) --

        Specifies when the assessment report was created.

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ResourceNotFoundException
create_control(**kwargs)

Creates a new custom control in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.create_control(
    name='string',
    description='string',
    testingInformation='string',
    actionPlanTitle='string',
    actionPlanInstructions='string',
    controlMappingSources=[
        {
            'sourceName': 'string',
            'sourceDescription': 'string',
            'sourceSetUpOption': 'System_Controls_Mapping'|'Procedural_Controls_Mapping',
            'sourceType': 'AWS_Cloudtrail'|'AWS_Config'|'AWS_Security_Hub'|'AWS_API_Call'|'MANUAL',
            'sourceKeyword': {
                'keywordInputType': 'SELECT_FROM_LIST',
                'keywordValue': 'string'
            },
            'sourceFrequency': 'DAILY'|'WEEKLY'|'MONTHLY',
            'troubleshootingText': 'string'
        },
    ],
    tags={
        'string': 'string'
    }
)
Parameters
  • name (string) --

    [REQUIRED]

    The name of the control.

  • description (string) -- The description of the control.
  • testingInformation (string) -- The steps to follow to determine if the control is satisfied.
  • actionPlanTitle (string) -- The title of the action plan for remediating the control.
  • actionPlanInstructions (string) -- The recommended actions to carry out if the control isn't fulfilled.
  • controlMappingSources (list) --

    [REQUIRED]

    The data mapping sources for the control.

    • (dict) --

      The control mapping fields that represent the source for evidence collection, along with related parameters and metadata. This doesn't contain mappingID.

      • sourceName (string) --

        The name of the control mapping data source.

      • sourceDescription (string) --

        The description of the data source that determines where Audit Manager collects evidence from for the control.

      • sourceSetUpOption (string) --

        The setup option for the data source, which reflects if the evidence collection is automated or manual.

      • sourceType (string) --

        Specifies one of the five types of data sources for evidence collection.

      • sourceKeyword (dict) --

        The keyword to search for in CloudTrail logs, Config rules, Security Hub checks, and Amazon Web Services API names.

        To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide :

        • keywordInputType (string) --

          The input method for the keyword.

        • keywordValue (string) --

          The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.

          If you’re mapping a data source to a rule in Config, the keywordValue that you specify depends on the type of rule:

          • For managed rules, you can use the rule identifier as the keywordValue. You can find the rule identifier from the list of Config managed rules.
          • For custom rules, you form the keywordValue by adding the Custom_ prefix to the rule name. This prefix distinguishes the rule from a managed rule.
            • Custom rule name: my-custom-config-rule; keywordValue: Custom_my-custom-config-rule
          • For service-linked rules, you form the keywordValue by adding the Custom_ prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name.
            • Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w; keywordValue: Custom_CustomRuleForAccount-conformance-pack
            • Service-linked rule name: securityhub-api-gw-cache-encrypted-101104e1; keywordValue: Custom_securityhub-api-gw-cache-encrypted
            • Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba; keywordValue: Custom_OrgConfigRule-s3-bucket-versioning-enabled
      • sourceFrequency (string) --

        The frequency of evidence collection for the control mapping source.

      • troubleshootingText (string) --

        The instructions for troubleshooting the control.

  • tags (dict) --

    The tags that are associated with the control.

    • (string) --
      • (string) --
Return type

dict

Returns

Response Syntax

{
    'control': {
        'arn': 'string',
        'id': 'string',
        'type': 'Standard'|'Custom',
        'name': 'string',
        'description': 'string',
        'testingInformation': 'string',
        'actionPlanTitle': 'string',
        'actionPlanInstructions': 'string',
        'controlSources': 'string',
        'controlMappingSources': [
            {
                'sourceId': 'string',
                'sourceName': 'string',
                'sourceDescription': 'string',
                'sourceSetUpOption': 'System_Controls_Mapping'|'Procedural_Controls_Mapping',
                'sourceType': 'AWS_Cloudtrail'|'AWS_Config'|'AWS_Security_Hub'|'AWS_API_Call'|'MANUAL',
                'sourceKeyword': {
                    'keywordInputType': 'SELECT_FROM_LIST',
                    'keywordValue': 'string'
                },
                'sourceFrequency': 'DAILY'|'WEEKLY'|'MONTHLY',
                'troubleshootingText': 'string'
            },
        ],
        'createdAt': datetime(2015, 1, 1),
        'lastUpdatedAt': datetime(2015, 1, 1),
        'createdBy': 'string',
        'lastUpdatedBy': 'string',
        'tags': {
            'string': 'string'
        }
    }
}

Response Structure

  • (dict) --

    • control (dict) --

      The new control that the CreateControl API returned.

      • arn (string) --

        The Amazon Resource Name (ARN) of the control.

      • id (string) --

        The unique identifier for the control.

      • type (string) --

        The type of control, such as a custom control or a standard control.

      • name (string) --

        The name of the control.

      • description (string) --

        The description of the control.

      • testingInformation (string) --

        The steps that you should follow to determine if the control has been satisfied.

      • actionPlanTitle (string) --

        The title of the action plan for remediating the control.

      • actionPlanInstructions (string) --

        The recommended actions to carry out if the control isn't fulfilled.

      • controlSources (string) --

        The data source that determines where Audit Manager collects evidence from for the control.

      • controlMappingSources (list) --

        The data mapping sources for the control.

        • (dict) --

          The data source that determines where Audit Manager collects evidence from for the control.

          • sourceId (string) --

            The unique identifier for the source.

          • sourceName (string) --

            The name of the source.

          • sourceDescription (string) --

            The description of the source.

          • sourceSetUpOption (string) --

            The setup option for the data source. This option reflects if the evidence collection is automated or manual.

          • sourceType (string) --

            Specifies one of the five types of data sources for evidence collection.

          • sourceKeyword (dict) --

            The keyword to search for in CloudTrail logs, Config rules, Security Hub checks, and Amazon Web Services API names.

            To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide :

            • keywordInputType (string) --

              The input method for the keyword.

            • keywordValue (string) --

              The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.

              If you’re mapping a data source to a rule in Config, the keywordValue that you specify depends on the type of rule:

              • For managed rules, you can use the rule identifier as the keywordValue. You can find the rule identifier from the list of Config managed rules.
              • For custom rules, you form the keywordValue by adding the Custom_ prefix to the rule name. This prefix distinguishes the rule from a managed rule.
                • Custom rule name: my-custom-config-rule; keywordValue: Custom_my-custom-config-rule
              • For service-linked rules, you form the keywordValue by adding the Custom_ prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name.
                • Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w; keywordValue: Custom_CustomRuleForAccount-conformance-pack
                • Service-linked rule name: securityhub-api-gw-cache-encrypted-101104e1; keywordValue: Custom_securityhub-api-gw-cache-encrypted
                • Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba; keywordValue: Custom_OrgConfigRule-s3-bucket-versioning-enabled
          • sourceFrequency (string) --

            The frequency of evidence collection for the control mapping source.

          • troubleshootingText (string) --

            The instructions for troubleshooting the control.

      • createdAt (datetime) --

        Specifies when the control was created.

      • lastUpdatedAt (datetime) --

        Specifies when the control was most recently updated.

      • createdBy (string) --

        The IAM user or role that created the control.

      • lastUpdatedBy (string) --

        The IAM user or role that most recently updated the control.

      • tags (dict) --

        The tags associated with the control.

        • (string) --
          • (string) --

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ServiceQuotaExceededException
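
The keywordValue rules for Config rules described under create_control, as an added example (not part of the boto3 documentation). The helper names, the suffix-ID pattern and the managed rule identifier in the sample data are assumptions made for this illustration; the other sample rule names are the ones shown above.

```python
import re

# Assumption: the "suffix ID" of a service-linked rule is the final
# hyphen-separated token, made of lowercase letters and digits. That holds
# for the three sample names in this reference. A name that has no suffix ID
# cannot be told apart from one that has, so pass only real service-linked
# rule names to the "service-linked" branch.
_SUFFIX_ID = re.compile(r"-[a-z0-9]+$")
RULE_KINDS = ("managed", "custom", "service-linked")


def config_keyword_value(rule_kind, rule_name):
    """Derive sourceKeyword.keywordValue for an AWS Config rule (hypothetical helper)."""
    if rule_kind not in RULE_KINDS:
        raise ValueError(f"rule_kind must be one of {RULE_KINDS}, got {rule_kind!r}")
    name = rule_name.strip()
    if not name:
        raise ValueError("rule_name is empty")
    if rule_kind == "managed":
        # Managed rules: the rule identifier is used unchanged.
        return name
    if rule_kind == "custom":
        # Custom rules: add the Custom_ prefix to the rule name.
        return "Custom_" + name
    # Service-linked rules: drop the trailing suffix ID, then add the prefix.
    stripped, count = _SUFFIX_ID.subn("", name)
    if count == 0 or not stripped:
        raise ValueError(f"no suffix ID found at the end of {rule_name!r}")
    return "Custom_" + stripped


def config_mapping_source(rule_kind, rule_name, source_name):
    """Build one controlMappingSources entry for create_control (hypothetical helper)."""
    return {
        "sourceName": source_name,
        "sourceSetUpOption": "System_Controls_Mapping",  # automated collection
        "sourceType": "AWS_Config",
        "sourceKeyword": {
            "keywordInputType": "SELECT_FROM_LIST",
            "keywordValue": config_keyword_value(rule_kind, rule_name),
        },
    }


# Sample input: the rule names from this reference, plus one managed rule
# identifier added for the example.
SAMPLES = [
    ("managed", "S3_BUCKET_VERSIONING_ENABLED"),
    ("custom", "my-custom-config-rule"),
    ("service-linked", "CustomRuleForAccount-conformance-pack-szsm1uv0w"),
    ("service-linked", "securityhub-api-gw-cache-encrypted-101104e1"),
    ("service-linked", "OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba"),
]

if __name__ == "__main__":
    for kind, name in SAMPLES:
        print(f"{kind:15} {name} -> {config_keyword_value(kind, name)}")
```

The dictionary returned by config_mapping_source can be passed as an element of controlMappingSources in client.create_control.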
delete_assessment(**kwargs)

Deletes an assessment in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.delete_assessment(
    assessmentId='string'
)
Parameters
assessmentId (string) --

[REQUIRED]

The identifier for the assessment.

Return type
dict
Returns
Response Syntax
{}

Response Structure

  • (dict) --

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
delete_assessment_framework(**kwargs)

Deletes a custom framework in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.delete_assessment_framework(
    frameworkId='string'
)
Parameters
frameworkId (string) --

[REQUIRED]

The identifier for the custom framework.

Return type
dict
Returns
Response Syntax
{}

Response Structure

  • (dict) --

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
delete_assessment_framework_share(**kwargs)

Deletes a share request for a custom framework in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.delete_assessment_framework_share(
    requestId='string',
    requestType='SENT'|'RECEIVED'
)
Parameters
  • requestId (string) --

    [REQUIRED]

    The unique identifier for the share request to be deleted.

  • requestType (string) --

    [REQUIRED]

    Specifies whether the share request is a sent request or a received request.

Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
delete_assessment_report(**kwargs)

Deletes an assessment report in Audit Manager.

When you run the DeleteAssessmentReport operation, Audit Manager attempts to delete the following data:

  • The specified assessment report that’s stored in your S3 bucket
  • The associated metadata that’s stored in Audit Manager

If Audit Manager can’t access the assessment report in your S3 bucket, the report isn’t deleted. In this event, the DeleteAssessmentReport operation doesn’t fail. Instead, it proceeds to delete the associated metadata only. You must then delete the assessment report from the S3 bucket yourself.

This scenario happens when Audit Manager receives a 403 (Forbidden) or 404 (Not Found) error from Amazon S3. To avoid this, make sure that your S3 bucket is available, and that you configured the correct permissions for Audit Manager to delete resources in your S3 bucket. For an example permissions policy that you can use, see Assessment report destination permissions in the Audit Manager User Guide. For information about the issues that could cause a 403 (Forbidden) or 404 (Not Found) error from Amazon S3, see List of Error Codes in the Amazon Simple Storage Service API Reference.

See also: AWS API Documentation

Request Syntax

response = client.delete_assessment_report(
    assessmentId='string',
    assessmentReportId='string'
)
Parameters
  • assessmentId (string) --

    [REQUIRED]

    The unique identifier for the assessment.

  • assessmentReportId (string) --

    [REQUIRED]

    The unique identifier for the assessment report.

Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ResourceNotFoundException
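
Because delete_assessment_report succeeds even when the report stays in S3, a post-check on the bucket is worth scripting. The following is an added example, not part of the boto3 documentation: the function names, the stub classes and the bucket/key values are assumptions, and the caller must supply the report's bucket and object key because this reference does not state the key layout. In real use, pass boto3.client('auditmanager') and boto3.client('s3') instead of the stubs.

```python
def _error_code(exc):
    """Error code from a botocore ClientError-style exception ('' if none)."""
    response = getattr(exc, "response", None) or {}
    return str(response.get("Error", {}).get("Code", ""))


def report_object_state(s3, bucket, key):
    """Return 'present', 'absent' or 'unverified' for the report object."""
    try:
        s3.head_object(Bucket=bucket, Key=key)
        return "present"
    except Exception as exc:
        code = _error_code(exc)
        if code in ("404", "NoSuchKey", "NotFound"):
            return "absent"
        if code in ("403", "AccessDenied"):
            # The caller cannot read the object, so its existence is unknown.
            return "unverified"
        raise


def delete_report_and_verify(auditmanager, s3, assessment_id, report_id,
                             bucket, key, remove_leftover=False):
    """Delete the report, then confirm the S3 object is gone as well."""
    auditmanager.delete_assessment_report(
        assessmentId=assessment_id, assessmentReportId=report_id)
    state = report_object_state(s3, bucket, key)
    removed = False
    if state == "present" and remove_leftover:
        # Metadata was deleted but the object was not: clean it up ourselves.
        s3.delete_object(Bucket=bucket, Key=key)
        state = report_object_state(s3, bucket, key)
        removed = state == "absent"
    return {"s3_state": state, "leftover_removed": removed,
            "needs_manual_cleanup": state != "absent"}


# --- Constructed stand-ins so the example runs offline -----------------------
class StubError(Exception):
    """Mimics the .response shape of botocore's ClientError."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class StubS3:
    def __init__(self, objects, denied=False):
        self.objects, self.denied = set(objects), denied

    def head_object(self, Bucket, Key):
        if self.denied:
            raise StubError("403")
        if (Bucket, Key) not in self.objects:
            raise StubError("404")
        return {}

    def delete_object(self, Bucket, Key):
        self.objects.discard((Bucket, Key))
        return {}


class StubAuditManager:
    """Models the documented case: metadata is deleted, the S3 object is not."""
    def __init__(self):
        self.calls = []

    def delete_assessment_report(self, **kwargs):
        self.calls.append(kwargs)
        return {}


if __name__ == "__main__":
    location = ("example-report-bucket", "example-prefix/example-report-object")
    result = delete_report_and_verify(
        StubAuditManager(), StubS3([location]), "example-assessment-id",
        "example-report-id", *location)
    print(result)
```

An 'unverified' result means the checking principal got a 403 from S3; treat it as needing manual review rather than as proof that the report is gone.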
delete_control(**kwargs)

Deletes a custom control in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.delete_control(
    controlId='string'
)
Parameters
controlId (string) --

[REQUIRED]

The unique identifier for the control.

Return type
dict
Returns
Response Syntax
{}

Response Structure

  • (dict) --

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
deregister_account()

Deregisters an account in Audit Manager.

Note

When you deregister your account from Audit Manager, your data isn’t deleted. If you want to delete your resource data, you must perform that task separately before you deregister your account. You can do this either in the Audit Manager console or by using one of the delete API operations that are provided by Audit Manager.

To delete your Audit Manager resource data, see the following instructions:

At this time, Audit Manager doesn't provide an option to delete evidence. All available delete operations are listed above.

See also: AWS API Documentation

Request Syntax

response = client.deregister_account()
Return type
dict
Returns
Response Syntax
{
    'status': 'ACTIVE'|'INACTIVE'|'PENDING_ACTIVATION'
}

Response Structure

  • (dict) --
    • status (string) --

      The registration status of the account.

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ResourceNotFoundException
deregister_organization_admin_account(**kwargs)

Removes the specified Amazon Web Services account as a delegated administrator for Audit Manager.

Warning

When you remove a delegated administrator from your Audit Manager settings, you continue to have access to the evidence that you previously collected under that account. This is also the case when you deregister a delegated administrator from Organizations. However, Audit Manager will stop collecting and attaching evidence to that delegated administrator account moving forward.

Note

When you deregister a delegated administrator account for Audit Manager, the data for that account isn’t deleted. If you want to delete resource data for a delegated administrator account, you must perform that task separately before you deregister the account. You can do this either in the Audit Manager console or with one of the delete API operations that Audit Manager provides.

To delete your Audit Manager resource data, see the following instructions:

At this time, Audit Manager doesn't provide an option to delete evidence. All available delete operations are listed above.

See also: AWS API Documentation

Request Syntax

response = client.deregister_organization_admin_account(
    adminAccountId='string'
)
Parameters
adminAccountId (string) -- The identifier for the administrator account.
Return type
dict
Returns
Response Syntax
{}

Response Structure

  • (dict) --

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ResourceNotFoundException
disassociate_assessment_report_evidence_folder(**kwargs)

Disassociates an evidence folder from the specified assessment report in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.disassociate_assessment_report_evidence_folder(
    assessmentId='string',
    evidenceFolderId='string'
)
Parameters
  • assessmentId (string) --

    [REQUIRED]

    The unique identifier for the assessment.

  • evidenceFolderId (string) --

    [REQUIRED]

    The unique identifier for the folder that the evidence is stored in.

Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ResourceNotFoundException
get_account_status()

Returns the registration status of an account in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.get_account_status()
Return type
dict
Returns
Response Syntax
{
    'status': 'ACTIVE'|'INACTIVE'|'PENDING_ACTIVATION'
}

Response Structure

  • (dict) --
    • status (string) --

      The status of the Amazon Web Services account.

Exceptions

  • AuditManager.Client.exceptions.InternalServerException
get_assessment(**kwargs)

Returns an assessment from Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.get_assessment(
    assessmentId='string'
)
Parameters
assessmentId (string) --

[REQUIRED]

The unique identifier for the assessment.

Return type
dict
Returns
Response Syntax
{
    'assessment': {
        'arn': 'string',
        'awsAccount': {
            'id': 'string',
            'emailAddress': 'string',
            'name': 'string'
        },
        'metadata': {
            'name': 'string',
            'id': 'string',
            'description': 'string',
            'complianceType': 'string',
            'status': 'ACTIVE'|'INACTIVE',
            'assessmentReportsDestination': {
                'destinationType': 'S3',
                'destination': 'string'
            },
            'scope': {
                'awsAccounts': [
                    {
                        'id': 'string',
                        'emailAddress': 'string',
                        'name': 'string'
                    },
                ],
                'awsServices': [
                    {
                        'serviceName': 'string'
                    },
                ]
            },
            'roles': [
                {
                    'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                    'roleArn': 'string'
                },
            ],
            'delegations': [
                {
                    'id': 'string',
                    'assessmentName': 'string',
                    'assessmentId': 'string',
                    'status': 'IN_PROGRESS'|'UNDER_REVIEW'|'COMPLETE',
                    'roleArn': 'string',
                    'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                    'creationTime': datetime(2015, 1, 1),
                    'lastUpdated': datetime(2015, 1, 1),
                    'controlSetId': 'string',
                    'comment': 'string',
                    'createdBy': 'string'
                },
            ],
            'creationTime': datetime(2015, 1, 1),
            'lastUpdated': datetime(2015, 1, 1)
        },
        'framework': {
            'id': 'string',
            'arn': 'string',
            'metadata': {
                'name': 'string',
                'description': 'string',
                'logo': 'string',
                'complianceType': 'string'
            },
            'controlSets': [
                {
                    'id': 'string',
                    'description': 'string',
                    'status': 'ACTIVE'|'UNDER_REVIEW'|'REVIEWED',
                    'roles': [
                        {
                            'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                            'roleArn': 'string'
                        },
                    ],
                    'controls': [
                        {
                            'id': 'string',
                            'name': 'string',
                            'description': 'string',
                            'status': 'UNDER_REVIEW'|'REVIEWED'|'INACTIVE',
                            'response': 'MANUAL'|'AUTOMATE'|'DEFER'|'IGNORE',
                            'comments': [
                                {
                                    'authorName': 'string',
                                    'commentBody': 'string',
                                    'postedDate': datetime(2015, 1, 1)
                                },
                            ],
                            'evidenceSources': [
                                'string',
                            ],
                            'evidenceCount': 123,
                            'assessmentReportEvidenceCount': 123
                        },
                    ],
                    'delegations': [
                        {
                            'id': 'string',
                            'assessmentName': 'string',
                            'assessmentId': 'string',
                            'status': 'IN_PROGRESS'|'UNDER_REVIEW'|'COMPLETE',
                            'roleArn': 'string',
                            'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                            'creationTime': datetime(2015, 1, 1),
                            'lastUpdated': datetime(2015, 1, 1),
                            'controlSetId': 'string',
                            'comment': 'string',
                            'createdBy': 'string'
                        },
                    ],
                    'systemEvidenceCount': 123,
                    'manualEvidenceCount': 123
                },
            ]
        },
        'tags': {
            'string': 'string'
        }
    },
    'userRole': {
        'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
        'roleArn': 'string'
    }
}

Response Structure

  • (dict) --
    • assessment (dict) --

      An entity that defines the scope of audit evidence collected by Audit Manager. An Audit Manager assessment is an implementation of an Audit Manager framework.

      • arn (string) --

        The Amazon Resource Name (ARN) of the assessment.

      • awsAccount (dict) --

        The Amazon Web Services account that's associated with the assessment.

        • id (string) --

          The identifier for the Amazon Web Services account.

        • emailAddress (string) --

          The email address that's associated with the Amazon Web Services account.

        • name (string) --

          The name of the Amazon Web Services account.

      • metadata (dict) --

        The metadata for the assessment.

        • name (string) --

          The name of the assessment.

        • id (string) --

          The unique identifier for the assessment.

        • description (string) --

          The description of the assessment.

        • complianceType (string) --

          The name of the compliance standard that's related to the assessment, such as PCI-DSS.

        • status (string) --

          The overall status of the assessment.

        • assessmentReportsDestination (dict) --

          The destination that evidence reports are stored in for the assessment.

          • destinationType (string) --

            The destination type, such as Amazon S3.

          • destination (string) --

            The destination of the assessment report.

        • scope (dict) --

          The wrapper of Amazon Web Services accounts and services that are in scope for the assessment.

          • awsAccounts (list) --

            The Amazon Web Services accounts that are included in the scope of the assessment.

            • (dict) --

              The wrapper of Amazon Web Services account details, such as account ID or email address.

              • id (string) --

                The identifier for the Amazon Web Services account.

              • emailAddress (string) --

                The email address that's associated with the Amazon Web Services account.

              • name (string) --

                The name of the Amazon Web Services account.

          • awsServices (list) --

            The Amazon Web Services services that are included in the scope of the assessment.

            • (dict) --

              An Amazon Web Service such as Amazon S3 or CloudTrail.

              • serviceName (string) --

                The name of the Amazon Web Service.

        • roles (list) --

          The roles that are associated with the assessment.

          • (dict) --

            The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).

            • roleType (string) --

              The type of customer persona.

              Note

              In CreateAssessment, roleType can only be PROCESS_OWNER.

              In UpdateSettings, roleType can only be PROCESS_OWNER.

              In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

            • roleArn (string) --

              The Amazon Resource Name (ARN) of the IAM role.

        • delegations (list) --

          The delegations that are associated with the assessment.

          • (dict) --

            The assignment of a control set to a delegate for review.

            • id (string) --

              The unique identifier for the delegation.

            • assessmentName (string) --

              The name of the assessment that's associated with the delegation.

            • assessmentId (string) --

              The identifier for the assessment that's associated with the delegation.

            • status (string) --

              The status of the delegation.

            • roleArn (string) --

              The Amazon Resource Name (ARN) of the IAM role.

            • roleType (string) --

              The type of customer persona.

              Note

              In CreateAssessment, roleType can only be PROCESS_OWNER.

              In UpdateSettings, roleType can only be PROCESS_OWNER.

              In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

            • creationTime (datetime) --

              Specifies when the delegation was created.

            • lastUpdated (datetime) --

              Specifies when the delegation was last updated.

            • controlSetId (string) --

              The identifier for the control set that's associated with the delegation.

            • comment (string) --

              The comment that's related to the delegation.

            • createdBy (string) --

              The IAM user or role that created the delegation.

        • creationTime (datetime) --

          Specifies when the assessment was created.

        • lastUpdated (datetime) --

          The time of the most recent update.

      • framework (dict) --

        The framework that the assessment was created from.

        • id (string) --

          The unique identifier for the framework.

        • arn (string) --

          The Amazon Resource Name (ARN) of the framework.

        • metadata (dict) --

          The metadata of a framework, such as the name, ID, or description.

          • name (string) --

            The name of the framework.

          • description (string) --

            The description of the framework.

          • logo (string) --

            The logo that's associated with the framework.

          • complianceType (string) --

            The compliance standard that's associated with the framework. For example, this could be PCI DSS or HIPAA.

        • controlSets (list) --

          The control sets that are associated with the framework.

          • (dict) --

            Represents a set of controls in an Audit Manager assessment.

            • id (string) --

              The identifier of the control set in the assessment. This is the control set name in a plain string format.

            • description (string) --

              The description for the control set.

            • status (string) --

              Specifies the current status of the control set.

            • roles (list) --

              The roles that are associated with the control set.

              • (dict) --

                The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).

                • roleType (string) --

                  The type of customer persona.

                  Note

                  In CreateAssessment, roleType can only be PROCESS_OWNER.

                  In UpdateSettings, roleType can only be PROCESS_OWNER.

                  In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

                • roleArn (string) --

                  The Amazon Resource Name (ARN) of the IAM role.

            • controls (list) --

              The list of controls that's contained within the control set.

              • (dict) --

                The control entity that represents a standard control or a custom control in an Audit Manager assessment.

                • id (string) --

                  The identifier for the control.

                • name (string) --

                  The name of the control.

                • description (string) --

                  The description of the control.

                • status (string) --

                  The status of the control.

                • response (string) --

                  The response of the control.

                • comments (list) --

                  The list of comments that's attached to the control.

                  • (dict) --

                    A comment that's posted by a user on a control. This includes the author's name, the comment text, and a timestamp.

                    • authorName (string) --

                      The name of the user who authored the comment.

                    • commentBody (string) --

                      The body text of a control comment.

                    • postedDate (datetime) --

                      The time when the comment was posted.

                • evidenceSources (list) --

                  The list of data sources for the evidence.

                  • (string) --
                • evidenceCount (integer) --

                  The amount of evidence that's generated for the control.

                • assessmentReportEvidenceCount (integer) --

                  The amount of evidence in the assessment report.

            • delegations (list) --

              The delegations that are associated with the control set.

              • (dict) --

                The assignment of a control set to a delegate for review.

                • id (string) --

                  The unique identifier for the delegation.

                • assessmentName (string) --

                  The name of the assessment that's associated with the delegation.

                • assessmentId (string) --

                  The identifier for the assessment that's associated with the delegation.

                • status (string) --

                  The status of the delegation.

                • roleArn (string) --

                  The Amazon Resource Name (ARN) of the IAM role.

                • roleType (string) --

                  The type of customer persona.

                  Note

                  In CreateAssessment, roleType can only be PROCESS_OWNER.

                  In UpdateSettings, roleType can only be PROCESS_OWNER.

                  In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

                • creationTime (datetime) --

                  Specifies when the delegation was created.

                • lastUpdated (datetime) --

                  Specifies when the delegation was last updated.

                • controlSetId (string) --

                  The identifier for the control set that's associated with the delegation.

                • comment (string) --

                  The comment that's related to the delegation.

                • createdBy (string) --

                  The IAM user or role that created the delegation.

            • systemEvidenceCount (integer) --

              The total number of evidence objects that are retrieved automatically for the control set.

            • manualEvidenceCount (integer) --

              The total number of evidence objects that are uploaded manually to the control set.

      • tags (dict) --

        The tags that are associated with the assessment.

        • (string) --
          • (string) --
    • userRole (dict) --

      The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).

      • roleType (string) --

        The type of customer persona.

        Note

        In CreateAssessment, roleType can only be PROCESS_OWNER.

        In UpdateSettings, roleType can only be PROCESS_OWNER.

        In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

      • roleArn (string) --

        The Amazon Resource Name (ARN) of the IAM role.

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
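
The following is an added example, not part of the boto3 reference: it walks a get_assessment response and reports controls marked REVIEWED with an evidenceCount of 0, plus control-set delegations that are not COMPLETE and have not been updated recently. The function name, the 30-day threshold and the sample response (including the account ID and role names) are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def review_assessment(response, now, stale_after=timedelta(days=30)):
    """Return review findings from a get_assessment response dict.

    reviewed_without_evidence: (controlSetId, controlName) for controls whose
        status is REVIEWED while evidenceCount is 0.
    stale_delegations: (controlSetId, roleArn, status, idleDays) for control-set
        delegations that are not COMPLETE and whose lastUpdated is older than
        stale_after. Only the delegations listed under each control set are read.
    """
    findings = {"reviewed_without_evidence": [], "stale_delegations": []}
    framework = response["assessment"]["framework"]
    for control_set in framework.get("controlSets", []):
        set_id = control_set.get("id")
        for control in control_set.get("controls", []):
            if (control.get("status") == "REVIEWED"
                    and control.get("evidenceCount", 0) == 0):
                findings["reviewed_without_evidence"].append(
                    (set_id, control.get("name")))
        for delegation in control_set.get("delegations", []):
            if delegation.get("status") == "COMPLETE":
                continue
            idle = now - delegation["lastUpdated"]
            if idle > stale_after:
                findings["stale_delegations"].append(
                    (set_id, delegation.get("roleArn"),
                     delegation.get("status"), idle.days))
    return findings


UTC = timezone.utc

# Constructed sample, trimmed to the fields the function reads.
SAMPLE_RESPONSE = {
    "assessment": {
        "metadata": {"name": "Example assessment", "status": "ACTIVE"},
        "framework": {
            "controlSets": [
                {
                    "id": "Access control",
                    "status": "REVIEWED",
                    "controls": [
                        {"name": "MFA for root", "status": "REVIEWED",
                         "evidenceCount": 12},
                        {"name": "Key rotation", "status": "REVIEWED",
                         "evidenceCount": 0},
                    ],
                    "delegations": [
                        {"roleArn": "arn:aws:iam::111122223333:role/ExampleReviewer",
                         "status": "COMPLETE",
                         "lastUpdated": datetime(2023, 1, 10, tzinfo=UTC)},
                    ],
                },
                {
                    "id": "Logging",
                    "status": "UNDER_REVIEW",
                    "controls": [
                        {"name": "Trail enabled", "status": "UNDER_REVIEW",
                         "evidenceCount": 0},
                    ],
                    "delegations": [
                        {"roleArn": "arn:aws:iam::111122223333:role/ExampleDelegate",
                         "status": "IN_PROGRESS",
                         "lastUpdated": datetime(2023, 1, 15, tzinfo=UTC)},
                        {"roleArn": "arn:aws:iam::111122223333:role/ExampleReviewer",
                         "status": "UNDER_REVIEW",
                         "lastUpdated": datetime(2023, 3, 20, tzinfo=UTC)},
                    ],
                },
            ]
        },
    }
}

if __name__ == "__main__":
    # With live credentials, pass client.get_assessment(assessmentId=...) instead.
    report = review_assessment(SAMPLE_RESPONSE, now=datetime(2023, 4, 1, tzinfo=UTC))
    for kind, rows in report.items():
        for row in rows:
            print(kind, row)
```
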
get_assessment_framework(**kwargs)

Returns a framework from Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.get_assessment_framework(
    frameworkId='string'
)
Parameters
frameworkId (string) --

[REQUIRED]

The identifier for the framework.

Return type
dict
Returns
Response Syntax
{
    'framework': {
        'arn': 'string',
        'id': 'string',
        'name': 'string',
        'type': 'Standard'|'Custom',
        'complianceType': 'string',
        'description': 'string',
        'logo': 'string',
        'controlSources': 'string',
        'controlSets': [
            {
                'id': 'string',
                'name': 'string',
                'controls': [
                    {
                        'arn': 'string',
                        'id': 'string',
                        'type': 'Standard'|'Custom',
                        'name': 'string',
                        'description': 'string',
                        'testingInformation': 'string',
                        'actionPlanTitle': 'string',
                        'actionPlanInstructions': 'string',
                        'controlSources': 'string',
                        'controlMappingSources': [
                            {
                                'sourceId': 'string',
                                'sourceName': 'string',
                                'sourceDescription': 'string',
                                'sourceSetUpOption': 'System_Controls_Mapping'|'Procedural_Controls_Mapping',
                                'sourceType': 'AWS_Cloudtrail'|'AWS_Config'|'AWS_Security_Hub'|'AWS_API_Call'|'MANUAL',
                                'sourceKeyword': {
                                    'keywordInputType': 'SELECT_FROM_LIST',
                                    'keywordValue': 'string'
                                },
                                'sourceFrequency': 'DAILY'|'WEEKLY'|'MONTHLY',
                                'troubleshootingText': 'string'
                            },
                        ],
                        'createdAt': datetime(2015, 1, 1),
                        'lastUpdatedAt': datetime(2015, 1, 1),
                        'createdBy': 'string',
                        'lastUpdatedBy': 'string',
                        'tags': {
                            'string': 'string'
                        }
                    },
                ]
            },
        ],
        'createdAt': datetime(2015, 1, 1),
        'lastUpdatedAt': datetime(2015, 1, 1),
        'createdBy': 'string',
        'lastUpdatedBy': 'string',
        'tags': {
            'string': 'string'
        }
    }
}

Response Structure

  • (dict) --
    • framework (dict) --

      The framework that the GetAssessmentFramework API returned.

      • arn (string) --

        The Amazon Resource Name (ARN) of the framework.

      • id (string) --

        The unique identifier for the framework.

      • name (string) --

        The name of the framework.

      • type (string) --

        The framework type, such as a custom framework or a standard framework.

      • complianceType (string) --

        The compliance type that the new custom framework supports, such as CIS or HIPAA.

      • description (string) --

        The description of the framework.

      • logo (string) --

        The logo that's associated with the framework.

      • controlSources (string) --

        The sources that Audit Manager collects evidence from for the control.

      • controlSets (list) --

        The control sets that are associated with the framework.

        • (dict) --

          A set of controls in Audit Manager.

          • id (string) --

            The identifier of the control set in the assessment. This is the control set name in a plain string format.

          • name (string) --

            The name of the control set.

          • controls (list) --

            The list of controls within the control set.

            • (dict) --

              A control in Audit Manager.

              • arn (string) --

                The Amazon Resource Name (ARN) of the control.

              • id (string) --

                The unique identifier for the control.

              • type (string) --

                The type of control, such as a custom control or a standard control.

              • name (string) --

                The name of the control.

              • description (string) --

                The description of the control.

              • testingInformation (string) --

                The steps that you should follow to determine if the control has been satisfied.

              • actionPlanTitle (string) --

                The title of the action plan for remediating the control.

              • actionPlanInstructions (string) --

                The recommended actions to carry out if the control isn't fulfilled.

              • controlSources (string) --

                The data source that determines where Audit Manager collects evidence from for the control.

              • controlMappingSources (list) --

                The data mapping sources for the control.

                • (dict) --

                  The data source that determines where Audit Manager collects evidence from for the control.

                  • sourceId (string) --

                    The unique identifier for the source.

                  • sourceName (string) --

                    The name of the source.

                  • sourceDescription (string) --

                    The description of the source.

                  • sourceSetUpOption (string) --

                    The setup option for the data source. This option reflects if the evidence collection is automated or manual.

                  • sourceType (string) --

                    Specifies one of the five types of data sources for evidence collection.

                  • sourceKeyword (dict) --

                    The keyword to search for in CloudTrail logs, Config rules, Security Hub checks, and Amazon Web Services API names.

                    To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide:

                    • keywordInputType (string) --

                      The input method for the keyword.

                    • keywordValue (string) --

                      The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.

                      If you’re mapping a data source to a rule in Config, the keywordValue that you specify depends on the type of rule:

                      • For managed rules, you can use the rule identifier as the keywordValue. You can find the rule identifier from the list of Config managed rules.
                      • For custom rules, you form the keywordValue by adding the Custom_ prefix to the rule name. This prefix distinguishes the rule from a managed rule.
                        • Custom rule name: my-custom-config-rule
                          keywordValue: Custom_my-custom-config-rule
                      • For service-linked rules, you form the keywordValue by adding the Custom_ prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name.
                        • Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w
                          keywordValue: Custom_CustomRuleForAccount-conformance-pack
                        • Service-linked rule name: securityhub-api-gw-cache-encrypted-101104e1
                          keywordValue: Custom_securityhub-api-gw-cache-encrypted
                        • Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba
                          keywordValue: Custom_OrgConfigRule-s3-bucket-versioning-enabled
                  • sourceFrequency (string) --

                    The frequency of evidence collection for the control mapping source.

                  • troubleshootingText (string) --

                    The instructions for troubleshooting the control.

              • createdAt (datetime) --

                Specifies when the control was created.

              • lastUpdatedAt (datetime) --

                Specifies when the control was most recently updated.

              • createdBy (string) --

                The IAM user or role that created the control.

              • lastUpdatedBy (string) --

                The IAM user or role that most recently updated the control.

              • tags (dict) --

                The tags associated with the control.

                • (string) --
                  • (string) --
      • createdAt (datetime) --

        Specifies when the framework was created.

      • lastUpdatedAt (datetime) --

        Specifies when the framework was most recently updated.

      • createdBy (string) --

        The IAM user or role that created the framework.

      • lastUpdatedBy (string) --

        The IAM user or role that most recently updated the framework.

      • tags (dict) --

        The tags that are associated with the framework.

        • (string) --
          • (string) --

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
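
The keywordValue rules for Config described under sourceKeyword above, as an added example that is not part of the boto3 reference: it derives the expected keywordValue for each rule type and lists the AWS_Config mappings in a get_assessment_framework response that match no rule in an inventory you supply. The function names, the rule-kind labels, the sample framework and the inventory are constructed for illustration; treating the suffix ID as the text after the last hyphen is an assumption drawn from the three service-linked examples above.

```python
def config_keyword_value(rule, kind):
    """Build the keywordValue for a Config rule.

    kind is 'managed', 'custom' or 'service-linked' (labels chosen for this
    example). For 'managed', rule must be the rule identifier, not a rule name.
    """
    if not rule:
        raise ValueError("rule must be a non-empty string")
    if kind == "managed":
        return rule
    if kind == "custom":
        return "Custom_" + rule
    if kind == "service-linked":
        # Assumption: the suffix ID is everything after the last hyphen.
        base, sep, suffix = rule.rpartition("-")
        if not sep or not base or not suffix:
            raise ValueError(f"no suffix ID to remove in {rule!r}")
        return "Custom_" + base
    raise ValueError(f"unknown rule kind: {kind!r}")


def config_mappings(framework_response):
    """Yield (controlSetName, controlName, keywordValue) for AWS_Config sources."""
    framework = framework_response["framework"]
    for control_set in framework.get("controlSets", []):
        for control in control_set.get("controls", []):
            for source in control.get("controlMappingSources", []):
                if source.get("sourceType") != "AWS_Config":
                    continue
                keyword = source.get("sourceKeyword", {}).get("keywordValue")
                yield control_set.get("name"), control.get("name"), keyword


def unmatched_config_mappings(framework_response, rule_inventory):
    """Return AWS_Config mappings whose keywordValue matches no inventoried rule.

    rule_inventory is an iterable of (rule, kind) pairs for the Config rules
    you expect the framework to draw evidence from.
    """
    expected = {config_keyword_value(rule, kind) for rule, kind in rule_inventory}
    return [m for m in config_mappings(framework_response) if m[2] not in expected]


# Constructed inventory; the last two rule names are the examples given above.
RULE_INVENTORY = [
    ("S3_BUCKET_VERSIONING_ENABLED", "managed"),
    ("my-custom-config-rule", "custom"),
    ("securityhub-api-gw-cache-encrypted-101104e1", "service-linked"),
]

# Constructed sample, trimmed to the fields the functions read. The second
# Config mapping omits the Custom_ prefix on purpose.
SAMPLE_FRAMEWORK = {
    "framework": {
        "name": "Example custom framework",
        "type": "Custom",
        "controlSets": [
            {
                "name": "Data protection",
                "controls": [
                    {"name": "Bucket versioning", "controlMappingSources": [
                        {"sourceType": "AWS_Config",
                         "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                                           "keywordValue": "S3_BUCKET_VERSIONING_ENABLED"}},
                    ]},
                    {"name": "Custom rule check", "controlMappingSources": [
                        {"sourceType": "AWS_Config",
                         "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                                           "keywordValue": "my-custom-config-rule"}},
                        {"sourceType": "MANUAL"},
                    ]},
                ],
            },
            {
                "name": "API security",
                "controls": [
                    {"name": "Cache encryption", "controlMappingSources": [
                        {"sourceType": "AWS_Config",
                         "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                                           "keywordValue": "Custom_securityhub-api-gw-cache-encrypted"}},
                        {"sourceType": "AWS_Cloudtrail",
                         "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                                           "keywordValue": "example-event-name"}},
                    ]},
                ],
            },
        ],
    }
}

if __name__ == "__main__":
    # With live credentials, pass client.get_assessment_framework(frameworkId=...).
    for row in unmatched_config_mappings(SAMPLE_FRAMEWORK, RULE_INVENTORY):
        print("no matching Config rule:", row)
```
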
get_assessment_report_url(**kwargs)

Returns the URL of an assessment report in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.get_assessment_report_url(
    assessmentReportId='string',
    assessmentId='string'
)
Parameters
  • assessmentReportId (string) --

    [REQUIRED]

    The unique identifier for the assessment report.

  • assessmentId (string) --

    [REQUIRED]

    The unique identifier for the assessment.

Return type

dict

Returns

Response Syntax

{
    'preSignedUrl': {
        'hyperlinkName': 'string',
        'link': 'string'
    }
}

Response Structure

  • (dict) --

    • preSignedUrl (dict) --

      Short for uniform resource locator. A URL is used as a unique identifier to locate a resource on the internet.

      • hyperlinkName (string) --

        The name or word that's used as a hyperlink to the URL.

      • link (string) --

        The unique identifier for the internet resource.

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ResourceNotFoundException
get_change_logs(**kwargs)

Returns a list of changelogs from Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.get_change_logs(
    assessmentId='string',
    controlSetId='string',
    controlId='string',
    nextToken='string',
    maxResults=123
)
Parameters
  • assessmentId (string) --

    [REQUIRED]

    The unique identifier for the assessment.

  • controlSetId (string) -- The unique identifier for the control set.
  • controlId (string) -- The unique identifier for the control.
  • nextToken (string) -- The pagination token that's used to fetch the next set of results.
  • maxResults (integer) -- Represents the maximum number of results on a page or for an API request call.
Return type

dict

Returns

Response Syntax

{
    'changeLogs': [
        {
            'objectType': 'ASSESSMENT'|'CONTROL_SET'|'CONTROL'|'DELEGATION'|'ASSESSMENT_REPORT',
            'objectName': 'string',
            'action': 'CREATE'|'UPDATE_METADATA'|'ACTIVE'|'INACTIVE'|'DELETE'|'UNDER_REVIEW'|'REVIEWED'|'IMPORT_EVIDENCE',
            'createdAt': datetime(2015, 1, 1),
            'createdBy': 'string'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • changeLogs (list) --

      The list of user activity for the control.

      • (dict) --

        The record of a change within Audit Manager. For example, this could be the status change of an assessment or the delegation of a control set.

        • objectType (string) --

          The object that was changed, such as an assessment, control, or control set.

        • objectName (string) --

          The name of the object that changed. This could be the name of an assessment, control, or control set.

        • action (string) --

          The action that was performed.

        • createdAt (datetime) --

          The time when the action was performed and the changelog record was created.

        • createdBy (string) --

          The IAM user or role that performed the action.

    • nextToken (string) --

      The pagination token that's used to fetch the next set of results.

Exceptions

  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.InternalServerException
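
Added example (not part of the AWS reference): one way to read the full changelog for an assessment by following nextToken, then group the DELETE and INACTIVE actions by the principal in createdBy. The stub client, the sample records, and the choice of those two actions as review-worthy are assumptions of this example; pass a real boto3.client('auditmanager') in place of the stub.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Values from the documented `action` enum that remove or deactivate an object.
# Singling out these two for review is this example's choice, not an AWS rule.
REVIEW_ACTIONS = {"DELETE", "INACTIVE"}


def iter_change_logs(client, assessment_id, control_set_id=None,
                     control_id=None, page_size=50):
    """Yield every changelog record, following nextToken until it is absent."""
    kwargs = {"assessmentId": assessment_id, "maxResults": page_size}
    if control_set_id:
        kwargs["controlSetId"] = control_set_id
    if control_id:
        kwargs["controlId"] = control_id
    seen_tokens = set()
    while True:
        page = client.get_change_logs(**kwargs)
        yield from page.get("changeLogs", [])
        token = page.get("nextToken")
        if not token:
            return
        if token in seen_tokens:
            # A repeated token would otherwise loop forever on the same page.
            raise RuntimeError("nextToken repeated: %r" % token)
        seen_tokens.add(token)
        kwargs["nextToken"] = token


def actions_needing_review(records, since):
    """Group review-worthy records at or after `since` by createdBy."""
    flagged = defaultdict(list)
    for rec in records:
        if rec["action"] in REVIEW_ACTIONS and rec["createdAt"] >= since:
            flagged[rec["createdBy"]].append(
                (rec["createdAt"], rec["action"], rec["objectType"], rec["objectName"]))
    return {who: sorted(items) for who, items in flagged.items()}


# --- Constructed sample data (not real service output) ---
ALICE = "arn:aws:iam::111122223333:user/alice"
CI_ROLE = "arn:aws:iam::111122223333:role/ci-deploy"


def sample_record(object_type, name, action, ymd, who):
    return {"objectType": object_type, "objectName": name, "action": action,
            "createdAt": datetime(*ymd, tzinfo=timezone.utc), "createdBy": who}


SAMPLE_PAGES = {
    None: {"changeLogs": [
        sample_record("ASSESSMENT", "Q1 audit", "CREATE", (2024, 1, 2), ALICE),
        sample_record("CONTROL", "Password policy", "DELETE", (2024, 3, 5), CI_ROLE),
    ], "nextToken": "t1"},
    "t1": {"changeLogs": [
        sample_record("ASSESSMENT", "Q1 audit", "INACTIVE", (2024, 3, 6), CI_ROLE),
        sample_record("ASSESSMENT_REPORT", "Q4 report", "DELETE", (2023, 12, 1), ALICE),
    ]},
}


class StubClient:
    """Offline stand-in for the Audit Manager client; serves constructed pages."""

    def __init__(self, pages):
        self.pages = pages
        self.calls = []

    def get_change_logs(self, **kwargs):
        self.calls.append(dict(kwargs))
        return self.pages[kwargs.get("nextToken")]


def demo():
    records = iter_change_logs(StubClient(SAMPLE_PAGES), "assessment-id-placeholder")
    return actions_needing_review(records, datetime(2024, 1, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for who, items in demo().items():
        for when, action, object_type, name in items:
            print(who, when.isoformat(), action, object_type, name)
```
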
get_control(**kwargs)

Returns a control from Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.get_control(
    controlId='string'
)
Parameters
  • controlId (string) --

    [REQUIRED]

    The identifier for the control.

Return type

dict

Returns

Response Syntax

{
    'control': {
        'arn': 'string',
        'id': 'string',
        'type': 'Standard'|'Custom',
        'name': 'string',
        'description': 'string',
        'testingInformation': 'string',
        'actionPlanTitle': 'string',
        'actionPlanInstructions': 'string',
        'controlSources': 'string',
        'controlMappingSources': [
            {
                'sourceId': 'string',
                'sourceName': 'string',
                'sourceDescription': 'string',
                'sourceSetUpOption': 'System_Controls_Mapping'|'Procedural_Controls_Mapping',
                'sourceType': 'AWS_Cloudtrail'|'AWS_Config'|'AWS_Security_Hub'|'AWS_API_Call'|'MANUAL',
                'sourceKeyword': {
                    'keywordInputType': 'SELECT_FROM_LIST',
                    'keywordValue': 'string'
                },
                'sourceFrequency': 'DAILY'|'WEEKLY'|'MONTHLY',
                'troubleshootingText': 'string'
            },
        ],
        'createdAt': datetime(2015, 1, 1),
        'lastUpdatedAt': datetime(2015, 1, 1),
        'createdBy': 'string',
        'lastUpdatedBy': 'string',
        'tags': {
            'string': 'string'
        }
    }
}

Response Structure

  • (dict) --
    • control (dict) --

      The details of the control that the GetControl API returned.

      • arn (string) --

        The Amazon Resource Name (ARN) of the control.

      • id (string) --

        The unique identifier for the control.

      • type (string) --

        The type of control, such as a custom control or a standard control.

      • name (string) --

        The name of the control.

      • description (string) --

        The description of the control.

      • testingInformation (string) --

        The steps that you should follow to determine if the control has been satisfied.

      • actionPlanTitle (string) --

        The title of the action plan for remediating the control.

      • actionPlanInstructions (string) --

        The recommended actions to carry out if the control isn't fulfilled.

      • controlSources (string) --

        The data source that determines where Audit Manager collects evidence from for the control.

      • controlMappingSources (list) --

        The data mapping sources for the control.

        • (dict) --

          The data source that determines where Audit Manager collects evidence from for the control.

          • sourceId (string) --

            The unique identifier for the source.

          • sourceName (string) --

            The name of the source.

          • sourceDescription (string) --

            The description of the source.

          • sourceSetUpOption (string) --

            The setup option for the data source. This option reflects if the evidence collection is automated or manual.

          • sourceType (string) --

            Specifies one of the five types of data sources for evidence collection.

          • sourceKeyword (dict) --

            The keyword to search for in CloudTrail logs, Config rules, Security Hub checks, and Amazon Web Services API names.

            To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide :

            • keywordInputType (string) --

              The input method for the keyword.

            • keywordValue (string) --

              The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.

              If you’re mapping a data source to a rule in Config, the keywordValue that you specify depends on the type of rule:

              • For managed rules, you can use the rule identifier as the keywordValue. You can find the rule identifier from the list of Config managed rules.
              • For custom rules, you form the keywordValue by adding the Custom_ prefix to the rule name. This prefix distinguishes the rule from a managed rule.
                • Custom rule name: my-custom-config-rule
                  keywordValue: Custom_my-custom-config-rule
              • For service-linked rules, you form the keywordValue by adding the Custom_ prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name.
                • Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w
                  keywordValue: Custom_CustomRuleForAccount-conformance-pack
                • Service-linked rule name: securityhub-api-gw-cache-encrypted-101104e1
                  keywordValue: Custom_securityhub-api-gw-cache-encrypted
                • Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba
                  keywordValue: Custom_OrgConfigRule-s3-bucket-versioning-enabled
          • sourceFrequency (string) --

            The frequency of evidence collection for the control mapping source.

          • troubleshootingText (string) --

            The instructions for troubleshooting the control.

      • createdAt (datetime) --

        Specifies when the control was created.

      • lastUpdatedAt (datetime) --

        Specifies when the control was most recently updated.

      • createdBy (string) --

        The IAM user or role that created the control.

      • lastUpdatedBy (string) --

        The IAM user or role that most recently updated the control.

      • tags (dict) --

        The tags associated with the control.

        • (string) --
          • (string) --

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
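
Added example (not part of the AWS reference): the keywordValue rules for Config rules described under sourceKeyword, written as a function, plus a check that reports AWS_Config mapping sources in a get_control response whose keywordValue matches no rule in an inventory. The inventory shape, the sample control, and reading the "suffix ID" as the last hyphen-separated segment (as in the three service-linked examples above) are assumptions of this example.

```python
MANAGED, CUSTOM, SERVICE_LINKED = "managed", "custom", "service-linked"


def config_keyword_value(rule_name, kind, managed_identifier=None):
    """Form the keywordValue for a Config rule, following the three cases above."""
    if kind == MANAGED:
        if not managed_identifier:
            raise ValueError("a managed rule needs its rule identifier")
        return managed_identifier
    if kind == CUSTOM:
        return "Custom_" + rule_name
    if kind == SERVICE_LINKED:
        # Assumption: the suffix ID is the last hyphen-separated segment.
        base, hyphen, suffix = rule_name.rpartition("-")
        if not (base and hyphen and suffix):
            raise ValueError("no suffix ID found in %r" % rule_name)
        return "Custom_" + base
    raise ValueError("unknown rule kind: %r" % kind)


def unmatched_config_sources(control, rule_inventory):
    """Return (sourceName, keywordValue) for AWS_Config sources that match no rule."""
    expected = {
        config_keyword_value(r["name"], r["kind"], r.get("identifier"))
        for r in rule_inventory
    }
    misses = []
    for src in control.get("controlMappingSources", []):
        if src.get("sourceType") != "AWS_Config":
            continue  # keywords for other source types follow different rules
        value = src.get("sourceKeyword", {}).get("keywordValue")
        if value not in expected:
            misses.append((src.get("sourceName"), value))
    return misses


# --- Constructed inventory (hypothetical shape, not an AWS response) ---
RULE_INVENTORY = [
    {"name": "s3-bucket-versioning-enabled", "kind": MANAGED,
     "identifier": "S3_BUCKET_VERSIONING_ENABLED"},
    {"name": "my-custom-config-rule", "kind": CUSTOM},
    {"name": "securityhub-api-gw-cache-encrypted-101104e1", "kind": SERVICE_LINKED},
]


def source(name, source_type, keyword):
    return {"sourceName": name, "sourceType": source_type,
            "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                              "keywordValue": keyword}}


# --- Constructed control, shaped like the `control` dict in the response above ---
SAMPLE_CONTROL = {
    "name": "Constructed control",
    "controlMappingSources": [
        source("versioning", "AWS_Config", "S3_BUCKET_VERSIONING_ENABLED"),
        # Suffix ID left on the service-linked rule name: no match.
        source("api-gw-cache", "AWS_Config",
               "Custom_securityhub-api-gw-cache-encrypted-101104e1"),
        # Custom_ prefix missing from the custom rule name: no match.
        source("custom-rule", "AWS_Config", "my-custom-config-rule"),
        source("trail", "AWS_Cloudtrail", "DeleteBucket"),
    ],
}

if __name__ == "__main__":
    for name, value in unmatched_config_sources(SAMPLE_CONTROL, RULE_INVENTORY):
        print("no Config rule matches", name, value)
```
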
get_delegations(**kwargs)

Returns a list of delegations from an audit owner to a delegate.

See also: AWS API Documentation

Request Syntax

response = client.get_delegations(
    nextToken='string',
    maxResults=123
)
Parameters
  • nextToken (string) -- The pagination token that's used to fetch the next set of results.
  • maxResults (integer) -- Represents the maximum number of results on a page or for an API request call.
Return type

dict

Returns

Response Syntax

{
    'delegations': [
        {
            'id': 'string',
            'assessmentName': 'string',
            'assessmentId': 'string',
            'status': 'IN_PROGRESS'|'UNDER_REVIEW'|'COMPLETE',
            'roleArn': 'string',
            'creationTime': datetime(2015, 1, 1),
            'controlSetName': 'string'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • delegations (list) --

      The list of delegations that the GetDelegations API returned.

      • (dict) --

        The metadata that's associated with the delegation.

        • id (string) --

          The unique identifier for the delegation.

        • assessmentName (string) --

          The name of the associated assessment.

        • assessmentId (string) --

          The unique identifier for the assessment.

        • status (string) --

          The current status of the delegation.

        • roleArn (string) --

          The Amazon Resource Name (ARN) of the IAM role.

        • creationTime (datetime) --

          Specifies when the delegation was created.

        • controlSetName (string) --

          Specifies the name of the control set that was delegated for review.

    • nextToken (string) --

      The pagination token that's used to fetch the next set of results.

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
get_evidence(**kwargs)

Returns evidence from Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.get_evidence(
    assessmentId='string',
    controlSetId='string',
    evidenceFolderId='string',
    evidenceId='string'
)
Parameters
  • assessmentId (string) --

    [REQUIRED]

    The unique identifier for the assessment.

  • controlSetId (string) --

    [REQUIRED]

    The unique identifier for the control set.

  • evidenceFolderId (string) --

    [REQUIRED]

    The unique identifier for the folder that the evidence is stored in.

  • evidenceId (string) --

    [REQUIRED]

    The unique identifier for the evidence.

Return type

dict

Returns

Response Syntax

{
    'evidence': {
        'dataSource': 'string',
        'evidenceAwsAccountId': 'string',
        'time': datetime(2015, 1, 1),
        'eventSource': 'string',
        'eventName': 'string',
        'evidenceByType': 'string',
        'resourcesIncluded': [
            {
                'arn': 'string',
                'value': 'string'
            },
        ],
        'attributes': {
            'string': 'string'
        },
        'iamId': 'string',
        'complianceCheck': 'string',
        'awsOrganization': 'string',
        'awsAccountId': 'string',
        'evidenceFolderId': 'string',
        'id': 'string',
        'assessmentReportSelection': 'string'
    }
}

Response Structure

  • (dict) --

    • evidence (dict) --

      The evidence that the GetEvidence API returned.

      • dataSource (string) --

        The data source where the evidence was collected from.

      • evidenceAwsAccountId (string) --

        The identifier for the Amazon Web Services account.

      • time (datetime) --

        The timestamp that represents when the evidence was collected.

      • eventSource (string) --

        The Amazon Web Services service that the evidence is collected from.

      • eventName (string) --

        The name of the evidence event.

      • evidenceByType (string) --

        The type of automated evidence.

      • resourcesIncluded (list) --

        The list of resources that are assessed to generate the evidence.

        • (dict) --

          A system asset that's evaluated in an Audit Manager assessment.

          • arn (string) --

            The Amazon Resource Name (ARN) for the resource.

          • value (string) --

            The value of the resource.

      • attributes (dict) --

        The names and values that are used by the evidence event. This includes an attribute name (such as allowUsersToChangePassword) and value (such as true or false).

        • (string) --
          • (string) --
      • iamId (string) --

        The unique identifier for the IAM user or role that's associated with the evidence.

      • complianceCheck (string) --

        The evaluation status for evidence that falls under the compliance check category. For evidence collected from Security Hub, a Pass or Fail result is shown. For evidence collected from Config, a Compliant or Noncompliant result is shown.

      • awsOrganization (string) --

        The Amazon Web Services account that the evidence is collected from, and its organization path.

      • awsAccountId (string) --

        The identifier for the Amazon Web Services account.

      • evidenceFolderId (string) --

        The identifier for the folder that the evidence is stored in.

      • id (string) --

        The identifier for the evidence.

      • assessmentReportSelection (string) --

        Specifies whether the evidence is included in the assessment report.

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
get_evidence_by_evidence_folder(**kwargs)

Returns all evidence from a specified evidence folder in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.get_evidence_by_evidence_folder(
    assessmentId='string',
    controlSetId='string',
    evidenceFolderId='string',
    nextToken='string',
    maxResults=123
)
Parameters
  • assessmentId (string) --

    [REQUIRED]

    The identifier for the assessment.

  • controlSetId (string) --

    [REQUIRED]

    The identifier for the control set.

  • evidenceFolderId (string) --

    [REQUIRED]

    The unique identifier for the folder that the evidence is stored in.

  • nextToken (string) -- The pagination token that's used to fetch the next set of results.
  • maxResults (integer) -- Represents the maximum number of results on a page or for an API request call.
Return type

dict

Returns

Response Syntax

{
    'evidence': [
        {
            'dataSource': 'string',
            'evidenceAwsAccountId': 'string',
            'time': datetime(2015, 1, 1),
            'eventSource': 'string',
            'eventName': 'string',
            'evidenceByType': 'string',
            'resourcesIncluded': [
                {
                    'arn': 'string',
                    'value': 'string'
                },
            ],
            'attributes': {
                'string': 'string'
            },
            'iamId': 'string',
            'complianceCheck': 'string',
            'awsOrganization': 'string',
            'awsAccountId': 'string',
            'evidenceFolderId': 'string',
            'id': 'string',
            'assessmentReportSelection': 'string'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • evidence (list) --

      The list of evidence that the GetEvidenceByEvidenceFolder API returned.

      • (dict) --

        A record that contains the information needed to demonstrate compliance with the requirements specified by a control. Examples of evidence include change activity triggered by a user, or a system configuration snapshot.

        • dataSource (string) --

          The data source where the evidence was collected from.

        • evidenceAwsAccountId (string) --

          The identifier for the Amazon Web Services account.

        • time (datetime) --

          The timestamp that represents when the evidence was collected.

        • eventSource (string) --

          The Amazon Web Services service that the evidence is collected from.

        • eventName (string) --

          The name of the evidence event.

        • evidenceByType (string) --

          The type of automated evidence.

        • resourcesIncluded (list) --

          The list of resources that are assessed to generate the evidence.

          • (dict) --

            A system asset that's evaluated in an Audit Manager assessment.

            • arn (string) --

              The Amazon Resource Name (ARN) for the resource.

            • value (string) --

              The value of the resource.

        • attributes (dict) --

          The names and values that are used by the evidence event. This includes an attribute name (such as allowUsersToChangePassword) and value (such as true or false).

          • (string) --
            • (string) --
        • iamId (string) --

          The unique identifier for the IAM user or role that's associated with the evidence.

        • complianceCheck (string) --

          The evaluation status for evidence that falls under the compliance check category. For evidence collected from Security Hub, a Pass or Fail result is shown. For evidence collected from Config, a Compliant or Noncompliant result is shown.

        • awsOrganization (string) --

          The Amazon Web Services account that the evidence is collected from, and its organization path.

        • awsAccountId (string) --

          The identifier for the Amazon Web Services account.

        • evidenceFolderId (string) --

          The identifier for the folder that the evidence is stored in.

        • id (string) --

          The identifier for the evidence.

        • assessmentReportSelection (string) --

          Specifies whether the evidence is included in the assessment report.

    • nextToken (string) --

      The pagination token that's used to fetch the next set of results.

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
get_evidence_folder(**kwargs)

Returns an evidence folder from the specified assessment in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.get_evidence_folder(
    assessmentId='string',
    controlSetId='string',
    evidenceFolderId='string'
)
Parameters
  • assessmentId (string) --

    [REQUIRED]

    The unique identifier for the assessment.

  • controlSetId (string) --

    [REQUIRED]

    The unique identifier for the control set.

  • evidenceFolderId (string) --

    [REQUIRED]

    The unique identifier for the folder that the evidence is stored in.

Return type

dict

Returns

Response Syntax

{
    'evidenceFolder': {
        'name': 'string',
        'date': datetime(2015, 1, 1),
        'assessmentId': 'string',
        'controlSetId': 'string',
        'controlId': 'string',
        'id': 'string',
        'dataSource': 'string',
        'author': 'string',
        'totalEvidence': 123,
        'assessmentReportSelectionCount': 123,
        'controlName': 'string',
        'evidenceResourcesIncludedCount': 123,
        'evidenceByTypeConfigurationDataCount': 123,
        'evidenceByTypeManualCount': 123,
        'evidenceByTypeComplianceCheckCount': 123,
        'evidenceByTypeComplianceCheckIssuesCount': 123,
        'evidenceByTypeUserActivityCount': 123,
        'evidenceAwsServiceSourceCount': 123
    }
}

Response Structure

  • (dict) --

    • evidenceFolder (dict) --

      The folder that the evidence is stored in.

      • name (string) --

        The name of the evidence folder.

      • date (datetime) --

        The date when the first evidence was added to the evidence folder.

      • assessmentId (string) --

        The identifier for the assessment.

      • controlSetId (string) --

        The identifier for the control set.

      • controlId (string) --

        The unique identifier for the control.

      • id (string) --

        The identifier for the folder that the evidence is stored in.

      • dataSource (string) --

        The Amazon Web Services service that the evidence was collected from.

      • author (string) --

        The name of the user who created the evidence folder.

      • totalEvidence (integer) --

        The total amount of evidence in the evidence folder.

      • assessmentReportSelectionCount (integer) --

        The total count of evidence that's included in the assessment report.

      • controlName (string) --

        The name of the control.

      • evidenceResourcesIncludedCount (integer) --

        The amount of evidence that's included in the evidence folder.

      • evidenceByTypeConfigurationDataCount (integer) --

        The number of evidence items that fall under the configuration data category. This evidence is collected from configuration snapshots of other Amazon Web Services such as Amazon EC2, Amazon S3, or IAM.

      • evidenceByTypeManualCount (integer) --

        The number of evidence items that fall under the manual category. This evidence is imported manually.

      • evidenceByTypeComplianceCheckCount (integer) --

        The number of evidence items that fall under the compliance check category. This evidence is collected from Config or Security Hub.

      • evidenceByTypeComplianceCheckIssuesCount (integer) --

        The total number of issues that were reported directly from Security Hub, Config, or both.

      • evidenceByTypeUserActivityCount (integer) --

        The number of evidence items that fall under the user activity category. This evidence is collected from CloudTrail logs.

      • evidenceAwsServiceSourceCount (integer) --

        The total number of Amazon Web Services resources that were assessed to generate the evidence.

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
get_evidence_folders_by_assessment(**kwargs)

Returns the evidence folders from a specified assessment in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.get_evidence_folders_by_assessment(
    assessmentId='string',
    nextToken='string',
    maxResults=123
)
Parameters
  • assessmentId (string) --

    [REQUIRED]

    The unique identifier for the assessment.

  • nextToken (string) -- The pagination token that's used to fetch the next set of results.
  • maxResults (integer) -- Represents the maximum number of results on a page or for an API request call.
Return type

dict

Returns

Response Syntax

{
    'evidenceFolders': [
        {
            'name': 'string',
            'date': datetime(2015, 1, 1),
            'assessmentId': 'string',
            'controlSetId': 'string',
            'controlId': 'string',
            'id': 'string',
            'dataSource': 'string',
            'author': 'string',
            'totalEvidence': 123,
            'assessmentReportSelectionCount': 123,
            'controlName': 'string',
            'evidenceResourcesIncludedCount': 123,
            'evidenceByTypeConfigurationDataCount': 123,
            'evidenceByTypeManualCount': 123,
            'evidenceByTypeComplianceCheckCount': 123,
            'evidenceByTypeComplianceCheckIssuesCount': 123,
            'evidenceByTypeUserActivityCount': 123,
            'evidenceAwsServiceSourceCount': 123
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • evidenceFolders (list) --

      The list of evidence folders that the GetEvidenceFoldersByAssessment API returned.

      • (dict) --

        The folder where Audit Manager stores evidence for an assessment.

        • name (string) --

          The name of the evidence folder.

        • date (datetime) --

          The date when the first evidence was added to the evidence folder.

        • assessmentId (string) --

          The identifier for the assessment.

        • controlSetId (string) --

          The identifier for the control set.

        • controlId (string) --

          The unique identifier for the control.

        • id (string) --

          The identifier for the folder that the evidence is stored in.

        • dataSource (string) --

          The Amazon Web Services service that the evidence was collected from.

        • author (string) --

          The name of the user who created the evidence folder.

        • totalEvidence (integer) --

          The total amount of evidence in the evidence folder.

        • assessmentReportSelectionCount (integer) --

          The total count of evidence that's included in the assessment report.

        • controlName (string) --

          The name of the control.

        • evidenceResourcesIncludedCount (integer) --

          The amount of evidence that's included in the evidence folder.

        • evidenceByTypeConfigurationDataCount (integer) --

          The number of evidence items that fall under the configuration data category. This evidence is collected from configuration snapshots of other Amazon Web Services such as Amazon EC2, Amazon S3, or IAM.

        • evidenceByTypeManualCount (integer) --

          The number of evidence items that fall under the manual category. This evidence is imported manually.

        • evidenceByTypeComplianceCheckCount (integer) --

          The number of evidence items that fall under the compliance check category. This evidence is collected from Config or Security Hub.

        • evidenceByTypeComplianceCheckIssuesCount (integer) --

          The total number of issues that were reported directly from Security Hub, Config, or both.

        • evidenceByTypeUserActivityCount (integer) --

          The number of evidence items that fall under the user activity category. This evidence is collected from CloudTrail logs.

        • evidenceAwsServiceSourceCount (integer) --

          The total number of Amazon Web Services resources that were assessed to generate the evidence.

    • nextToken (string) --

      The pagination token that's used to fetch the next set of results.

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.InternalServerException
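
Added example (not part of the AWS reference): a walk from get_evidence_folders_by_assessment down to get_evidence_by_evidence_folder that skips folders whose evidenceByTypeComplianceCheckIssuesCount is zero and collects evidence whose complianceCheck is a failing result. The stub client and sample data are constructed; treating a zero issue count as "nothing failing in this folder" and comparing complianceCheck case-insensitively against the "Fail" and "Noncompliant" wording used above are assumptions of this example.

```python
import re

# Failing results as the complianceCheck description words them.
# Assumption: casing and separators may differ in live responses,
# so values are normalised before comparison.
FAILING = {"fail", "noncompliant"}


def normalise(value):
    return re.sub(r"[^a-z]", "", (value or "").lower())


def pages(operation, result_key, **kwargs):
    """Call a nextToken-paginated operation until no token is returned."""
    while True:
        page = operation(**kwargs)
        yield from page.get(result_key, [])
        if not page.get("nextToken"):
            return
        kwargs["nextToken"] = page["nextToken"]


def failing_evidence(client, assessment_id):
    """Return one finding per failing compliance-check evidence record."""
    findings = []
    for folder in pages(client.get_evidence_folders_by_assessment,
                        "evidenceFolders", assessmentId=assessment_id):
        # Folder counters let us avoid paging through folders with no issues.
        if folder.get("evidenceByTypeComplianceCheckIssuesCount", 0) == 0:
            continue
        for ev in pages(client.get_evidence_by_evidence_folder, "evidence",
                        assessmentId=assessment_id,
                        controlSetId=folder["controlSetId"],
                        evidenceFolderId=folder["id"]):
            if normalise(ev.get("complianceCheck")) in FAILING:
                findings.append({
                    "controlName": folder.get("controlName"),
                    "folderId": folder["id"],
                    "evidenceId": ev["id"],
                    "dataSource": ev.get("dataSource"),
                    "complianceCheck": ev["complianceCheck"],
                    "resources": [r.get("arn") for r in ev.get("resourcesIncluded", [])],
                })
    return findings


# --- Constructed sample data (not real service output) ---
def folder(folder_id, issues):
    return {"id": folder_id, "controlSetId": "control-set-placeholder",
            "controlName": "Constructed control " + folder_id,
            "evidenceByTypeComplianceCheckIssuesCount": issues}


def evidence(ev_id, source, result):
    return {"id": ev_id, "dataSource": source, "complianceCheck": result,
            "resourcesIncluded": [{"arn": "arn:aws:s3:::example-bucket-" + ev_id}]}


FOLDER_PAGES = {
    None: {"evidenceFolders": [folder("folder-1", 2), folder("folder-2", 0)],
           "nextToken": "f2"},
    "f2": {"evidenceFolders": [folder("folder-3", 1)]},
}
EVIDENCE_PAGES = {
    ("folder-1", None): {"evidence": [evidence("ev-1", "AWS Security Hub", "Fail"),
                                      evidence("ev-2", "AWS Security Hub", "Pass")],
                         "nextToken": "e2"},
    ("folder-1", "e2"): {"evidence": [evidence("ev-3", "AWS Config", "Noncompliant")]},
    ("folder-3", None): {"evidence": [evidence("ev-4", "AWS Config", "Compliant"),
                                      evidence("ev-5", "AWS Security Hub", "FAIL")]},
}


class StubAuditManager:
    """Offline stand-in for the client; records which folders were opened."""

    def __init__(self):
        self.folders_opened = []

    def get_evidence_folders_by_assessment(self, **kwargs):
        return FOLDER_PAGES[kwargs.get("nextToken")]

    def get_evidence_by_evidence_folder(self, **kwargs):
        if "nextToken" not in kwargs:
            self.folders_opened.append(kwargs["evidenceFolderId"])
        return EVIDENCE_PAGES[(kwargs["evidenceFolderId"], kwargs.get("nextToken"))]


if __name__ == "__main__":
    for finding in failing_evidence(StubAuditManager(), "assessment-id-placeholder"):
        print(finding)
```
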
get_evidence_folders_by_assessment_control(**kwargs)

Returns a list of evidence folders that are associated with a specified control of an assessment in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.get_evidence_folders_by_assessment_control(
    assessmentId='string',
    controlSetId='string',
    controlId='string',
    nextToken='string',
    maxResults=123
)
Parameters
  • assessmentId (string) --

    [REQUIRED]

    The identifier for the assessment.

  • controlSetId (string) --

    [REQUIRED]

    The identifier for the control set.

  • controlId (string) --

    [REQUIRED]

    The identifier for the control.

  • nextToken (string) -- The pagination token that's used to fetch the next set of results.
  • maxResults (integer) -- Represents the maximum number of results on a page or for an API request call.
Return type

dict

Returns

Response Syntax

{
    'evidenceFolders': [
        {
            'name': 'string',
            'date': datetime(2015, 1, 1),
            'assessmentId': 'string',
            'controlSetId': 'string',
            'controlId': 'string',
            'id': 'string',
            'dataSource': 'string',
            'author': 'string',
            'totalEvidence': 123,
            'assessmentReportSelectionCount': 123,
            'controlName': 'string',
            'evidenceResourcesIncludedCount': 123,
            'evidenceByTypeConfigurationDataCount': 123,
            'evidenceByTypeManualCount': 123,
            'evidenceByTypeComplianceCheckCount': 123,
            'evidenceByTypeComplianceCheckIssuesCount': 123,
            'evidenceByTypeUserActivityCount': 123,
            'evidenceAwsServiceSourceCount': 123
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • evidenceFolders (list) --

      The list of evidence folders that the GetEvidenceFoldersByAssessmentControl API returned.

      • (dict) --

        The folder where Audit Manager stores evidence for an assessment.

        • name (string) --

          The name of the evidence folder.

        • date (datetime) --

          The date when the first evidence was added to the evidence folder.

        • assessmentId (string) --

          The identifier for the assessment.

        • controlSetId (string) --

          The identifier for the control set.

        • controlId (string) --

          The unique identifier for the control.

        • id (string) --

          The identifier for the folder that the evidence is stored in.

        • dataSource (string) --

          The Amazon Web Services service that the evidence was collected from.

        • author (string) --

          The name of the user who created the evidence folder.

        • totalEvidence (integer) --

          The total amount of evidence in the evidence folder.

        • assessmentReportSelectionCount (integer) --

          The total count of evidence that's included in the assessment report.

        • controlName (string) --

          The name of the control.

        • evidenceResourcesIncludedCount (integer) --

          The amount of evidence that's included in the evidence folder.

        • evidenceByTypeConfigurationDataCount (integer) --

          The number of evidence items that fall under the configuration data category. This evidence is collected from configuration snapshots of other Amazon Web Services such as Amazon EC2, Amazon S3, or IAM.

        • evidenceByTypeManualCount (integer) --

          The number of evidence items that fall under the manual category. This evidence is imported manually.

        • evidenceByTypeComplianceCheckCount (integer) --

          The number of evidence items that fall under the compliance check category. This evidence is collected from Config or Security Hub.

        • evidenceByTypeComplianceCheckIssuesCount (integer) --

          The total number of issues that were reported directly from Security Hub, Config, or both.

        • evidenceByTypeUserActivityCount (integer) --

          The number of evidence items that fall under the user activity category. This evidence is collected from CloudTrail logs.

        • evidenceAwsServiceSourceCount (integer) --

          The total number of Amazon Web Services resources that were assessed to generate the evidence.

    • nextToken (string) --

      The pagination token that's used to fetch the next set of results.

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
get_insights()

Gets the latest analytics data for all your current active assessments.

See also: AWS API Documentation

Request Syntax

response = client.get_insights()
Return type

dict

Returns

Response Syntax

{
    'insights': {
        'activeAssessmentsCount': 123,
        'noncompliantEvidenceCount': 123,
        'compliantEvidenceCount': 123,
        'inconclusiveEvidenceCount': 123,
        'assessmentControlsCountByNoncompliantEvidence': 123,
        'totalAssessmentControlsCount': 123,
        'lastUpdated': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --
    • insights (dict) --

      The analytics data that the GetInsights API returned.

      • activeAssessmentsCount (integer) --

        The number of active assessments in Audit Manager.

      • noncompliantEvidenceCount (integer) --

        The number of compliance check evidence items that Audit Manager classified as non-compliant on the lastUpdated date. This includes evidence that was collected from Security Hub with a Fail ruling, or collected from Config with a Non-compliant ruling.

      • compliantEvidenceCount (integer) --

        The number of compliance check evidence items that Audit Manager classified as compliant on the lastUpdated date. This includes evidence that was collected from Security Hub with a Pass ruling, or collected from Config with a Compliant ruling.

      • inconclusiveEvidenceCount (integer) --

        The number of evidence items without a compliance check ruling. Evidence is inconclusive when the associated control uses Security Hub or Config as a data source but you didn't enable those services. This is also the case when a control uses a data source that doesn’t support compliance checks (for example: manual evidence, API calls, or CloudTrail).

        Note

        If evidence has a compliance check status of not applicable, it's classed as inconclusive in Insights data.

      • assessmentControlsCountByNoncompliantEvidence (integer) --

        The number of assessment controls that collected non-compliant evidence on the lastUpdated date.

      • totalAssessmentControlsCount (integer) --

        The total number of controls across all active assessments.

      • lastUpdated (datetime) --

        The time when the cross-assessment insights were last updated.

Exceptions

  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
get_insights_by_assessment(**kwargs)

Gets the latest analytics data for a specific active assessment.

See also: AWS API Documentation

Request Syntax

response = client.get_insights_by_assessment(
    assessmentId='string'
)
Parameters
assessmentId (string) --

[REQUIRED]

The unique identifier for the assessment.

Return type
dict
Returns
Response Syntax
{
    'insights': {
        'noncompliantEvidenceCount': 123,
        'compliantEvidenceCount': 123,
        'inconclusiveEvidenceCount': 123,
        'assessmentControlsCountByNoncompliantEvidence': 123,
        'totalAssessmentControlsCount': 123,
        'lastUpdated': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --
    • insights (dict) --

      The assessment analytics data that the GetInsightsByAssessment API returned.

      • noncompliantEvidenceCount (integer) --

        The number of compliance check evidence items that Audit Manager classified as non-compliant. This includes evidence that was collected from Security Hub with a Fail ruling, or collected from Config with a Non-compliant ruling.

      • compliantEvidenceCount (integer) --

        The number of compliance check evidence items that Audit Manager classified as compliant. This includes evidence that was collected from Security Hub with a Pass ruling, or collected from Config with a Compliant ruling.

      • inconclusiveEvidenceCount (integer) --

        The amount of evidence without a compliance check ruling. Evidence is inconclusive if the associated control uses Security Hub or Config as a data source and you didn't enable those services. This is also the case if a control uses a data source that doesn’t support compliance checks (for example, manual evidence, API calls, or CloudTrail).

        Note

        If evidence has a compliance check status of not applicable, it's classified as inconclusive in InsightsByAssessment data.

      • assessmentControlsCountByNoncompliantEvidence (integer) --

        The number of assessment controls that collected non-compliant evidence on the lastUpdated date.

      • totalAssessmentControlsCount (integer) --

        The total number of controls in the assessment.

      • lastUpdated (datetime) --

        The time when the assessment insights were last updated.

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
get_organization_admin_account()

Returns the name of the delegated Amazon Web Services administrator account for the organization.

See also: AWS API Documentation

Request Syntax

response = client.get_organization_admin_account()
Return type
dict
Returns
Response Syntax
{
    'adminAccountId': 'string',
    'organizationId': 'string'
}

Response Structure

  • (dict) --
    • adminAccountId (string) --

      The identifier for the administrator account.

    • organizationId (string) --

      The identifier for the organization.

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ResourceNotFoundException
get_paginator(operation_name)

Create a paginator for an operation.

Parameters
operation_name (string) -- The operation name. This is the same name as the method name on the client. For example, if the method name is create_foo and you'd normally invoke the operation as client.create_foo(**kwargs), then, provided the create_foo operation can be paginated, you can call client.get_paginator("create_foo").
Raises OperationNotPageableError
Raised if the operation is not pageable. You can use the client.can_paginate method to check if an operation is pageable.
Return type
botocore.paginate.Paginator
Returns
A paginator object.
get_services_in_scope()

Returns a list of the in-scope Amazon Web Services for the specified assessment.

See also: AWS API Documentation

Request Syntax

response = client.get_services_in_scope()
Return type
dict
Returns
Response Syntax
{
    'serviceMetadata': [
        {
            'name': 'string',
            'displayName': 'string',
            'description': 'string',
            'category': 'string'
        },
    ]
}

Response Structure

  • (dict) --
    • serviceMetadata (list) --

      The metadata that's associated with the Amazon Web Service.

      • (dict) --

        The metadata that's associated with the Amazon Web Service.

        • name (string) --

          The name of the Amazon Web Service.

        • displayName (string) --

          The display name of the Amazon Web Service.

        • description (string) --

          The description of the Amazon Web Service.

        • category (string) --

          The category that the Amazon Web Service belongs to, such as compute, storage, or database.

Exceptions

  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.InternalServerException
get_settings(**kwargs)

Returns the settings for the specified Amazon Web Services account.

See also: AWS API Documentation

Request Syntax

response = client.get_settings(
    attribute='ALL'|'IS_AWS_ORG_ENABLED'|'SNS_TOPIC'|'DEFAULT_ASSESSMENT_REPORTS_DESTINATION'|'DEFAULT_PROCESS_OWNERS'
)
Parameters
attribute (string) --

[REQUIRED]

The list of SettingAttribute enum values.

Return type
dict
Returns
Response Syntax
{
    'settings': {
        'isAwsOrgEnabled': True|False,
        'snsTopic': 'string',
        'defaultAssessmentReportsDestination': {
            'destinationType': 'S3',
            'destination': 'string'
        },
        'defaultProcessOwners': [
            {
                'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                'roleArn': 'string'
            },
        ],
        'kmsKey': 'string'
    }
}

Response Structure

  • (dict) --
    • settings (dict) --

      The settings object that holds all supported Audit Manager settings.

      • isAwsOrgEnabled (boolean) --

        Specifies whether Organizations is enabled.

      • snsTopic (string) --

        The designated Amazon Simple Notification Service (Amazon SNS) topic.

      • defaultAssessmentReportsDestination (dict) --

        The default storage destination for assessment reports.

        • destinationType (string) --

          The destination type, such as Amazon S3.

        • destination (string) --

          The destination of the assessment report.

      • defaultProcessOwners (list) --

        The designated default audit owners.

        • (dict) --

          The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).

          • roleType (string) --

            The type of customer persona.

            Note

            In CreateAssessment, roleType can only be PROCESS_OWNER.

            In UpdateSettings, roleType can only be PROCESS_OWNER.

            In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

          • roleArn (string) --

            The Amazon Resource Name (ARN) of the IAM role.

      • kmsKey (string) --

        The KMS key details.

Exceptions

  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
get_waiter(waiter_name)

Returns an object that can wait for some condition.

Parameters
waiter_name (str) -- The name of the waiter to get. See the waiters section of the service docs for a list of available waiters.
Returns
The specified waiter object.
Return type
botocore.waiter.Waiter
list_assessment_control_insights_by_control_domain(**kwargs)

Lists the latest analytics data for controls within a specific control domain and a specific active assessment.

Note

Control insights are listed only if the control belongs to the control domain and assessment that was specified. Moreover, the control must have collected evidence on the lastUpdated date of controlInsightsByAssessment. If neither of these conditions is met, no data is listed for that control.

See also: AWS API Documentation

Request Syntax

response = client.list_assessment_control_insights_by_control_domain(
    controlDomainId='string',
    assessmentId='string',
    nextToken='string',
    maxResults=123
)
Parameters
  • controlDomainId (string) --

    [REQUIRED]

    The unique identifier for the control domain.

  • assessmentId (string) --

    [REQUIRED]

    The unique identifier for the active assessment.

  • nextToken (string) -- The pagination token that's used to fetch the next set of results.
  • maxResults (integer) -- Represents the maximum number of results on a page or for an API request call.
Return type

dict

Returns

Response Syntax

{
    'controlInsightsByAssessment': [
        {
            'name': 'string',
            'id': 'string',
            'evidenceInsights': {
                'noncompliantEvidenceCount': 123,
                'compliantEvidenceCount': 123,
                'inconclusiveEvidenceCount': 123
            },
            'controlSetName': 'string',
            'lastUpdated': datetime(2015, 1, 1)
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • controlInsightsByAssessment (list) --

      The assessment control analytics data that the ListAssessmentControlInsightsByControlDomain API returned.

      • (dict) --

        A summary of the latest analytics data for a specific control in a specific active assessment.

        Control insights are grouped by control domain, and ranked by the highest total count of non-compliant evidence.

        • name (string) --

          The name of the assessment control.

        • id (string) --

          The unique identifier for the assessment control.

        • evidenceInsights (dict) --

          A breakdown of the compliance check status for the evidence that’s associated with the assessment control.

          • noncompliantEvidenceCount (integer) --

            The number of compliance check evidence items that Audit Manager classified as non-compliant. This includes evidence that was collected from Security Hub with a Fail ruling, or collected from Config with a Non-compliant ruling.

          • compliantEvidenceCount (integer) --

            The number of compliance check evidence items that Audit Manager classified as compliant. This includes evidence that was collected from Security Hub with a Pass ruling, or collected from Config with a Compliant ruling.

          • inconclusiveEvidenceCount (integer) --

            The number of evidence items for which a compliance check ruling isn't available. Evidence is inconclusive when the associated control uses Security Hub or Config as a data source but you didn't enable those services. This is also the case when a control uses a data source that doesn’t support compliance checks (for example, manual evidence, API calls, or CloudTrail).

            Note

            If evidence has a compliance check status of not applicable in the console, it's classified as inconclusive in EvidenceInsights data.

        • controlSetName (string) --

          The name of the control set that the assessment control belongs to.

        • lastUpdated (datetime) --

          The time when the assessment control insights were last updated.

    • nextToken (string) --

      The pagination token that's used to fetch the next set of results.

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
list_assessment_framework_share_requests(**kwargs)

Returns a list of sent or received share requests for custom frameworks in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.list_assessment_framework_share_requests(
    requestType='SENT'|'RECEIVED',
    nextToken='string',
    maxResults=123
)
Parameters
  • requestType (string) --

    [REQUIRED]

    Specifies whether the share request is a sent request or a received request.

  • nextToken (string) -- The pagination token that's used to fetch the next set of results.
  • maxResults (integer) -- Represents the maximum number of results on a page or for an API request call.
Return type

dict

Returns

Response Syntax

{
    'assessmentFrameworkShareRequests': [
        {
            'id': 'string',
            'frameworkId': 'string',
            'frameworkName': 'string',
            'frameworkDescription': 'string',
            'status': 'ACTIVE'|'REPLICATING'|'SHARED'|'EXPIRING'|'FAILED'|'EXPIRED'|'DECLINED'|'REVOKED',
            'sourceAccount': 'string',
            'destinationAccount': 'string',
            'destinationRegion': 'string',
            'expirationTime': datetime(2015, 1, 1),
            'creationTime': datetime(2015, 1, 1),
            'lastUpdated': datetime(2015, 1, 1),
            'comment': 'string',
            'standardControlsCount': 123,
            'customControlsCount': 123,
            'complianceType': 'string'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • assessmentFrameworkShareRequests (list) --

      The list of share requests that the ListAssessmentFrameworkShareRequests API returned.

      • (dict) --

        Represents a share request for a custom framework in Audit Manager.

        • id (string) --

          The unique identifier for the share request.

        • frameworkId (string) --

          The unique identifier for the shared custom framework.

        • frameworkName (string) --

          The name of the custom framework that the share request is for.

        • frameworkDescription (string) --

          The description of the shared custom framework.

        • status (string) --

          The status of the share request.

        • sourceAccount (string) --

          The Amazon Web Services account of the sender.

        • destinationAccount (string) --

          The Amazon Web Services account of the recipient.

        • destinationRegion (string) --

          The Amazon Web Services Region of the recipient.

        • expirationTime (datetime) --

          The time when the share request expires.

        • creationTime (datetime) --

          The time when the share request was created.

        • lastUpdated (datetime) --

          Specifies when the share request was last updated.

        • comment (string) --

          An optional comment from the sender about the share request.

        • standardControlsCount (integer) --

          The number of standard controls that are part of the shared custom framework.

        • customControlsCount (integer) --

          The number of custom controls that are part of the shared custom framework.

        • complianceType (string) --

          The compliance type that the shared custom framework supports, such as CIS or HIPAA.

    • nextToken (string) --

      The pagination token that's used to fetch the next set of results.

Exceptions

  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.InternalServerException
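An added example (not part of the AWS reference): it walks both the SENT and RECEIVED share requests with nextToken and reports live requests whose peer account is outside a trusted set, using the sourceAccount, destinationAccount and status fields documented above. The stub client, account IDs, request IDs and the choice of which statuses count as terminal are constructed assumptions so the block runs offline.

```python
# Assumption: these statuses mean the share is no longer usable.
TERMINAL_STATUSES = {"FAILED", "EXPIRED", "DECLINED", "REVOKED"}

# Constructed sample data shaped like the documented response syntax.
CONSTRUCTED_SHARES = {
    "SENT": [
        [{"id": "req-1", "frameworkName": "Internal baseline", "status": "SHARED",
          "sourceAccount": "111111111111", "destinationAccount": "222222222222",
          "customControlsCount": 4}],
        [{"id": "req-2", "frameworkName": "Internal baseline", "status": "ACTIVE",
          "sourceAccount": "111111111111", "destinationAccount": "999999999999",
          "customControlsCount": 4},
         {"id": "req-3", "frameworkName": "Internal baseline", "status": "REVOKED",
          "sourceAccount": "111111111111", "destinationAccount": "999999999999",
          "customControlsCount": 4}],
    ],
    "RECEIVED": [
        [{"id": "req-4", "frameworkName": "Vendor pack", "status": "ACTIVE",
          "sourceAccount": "888888888888", "destinationAccount": "111111111111",
          "customControlsCount": 9},
         {"id": "req-5", "frameworkName": "Shared controls", "status": "ACTIVE",
          "sourceAccount": "222222222222", "destinationAccount": "111111111111",
          "customControlsCount": 2}],
    ],
}


class StubShareClient:
    """Constructed stand-in for boto3.client('auditmanager')."""

    def __init__(self, pages_by_type):
        self._pages = pages_by_type

    def list_assessment_framework_share_requests(self, **kwargs):
        pages = self._pages[kwargs["requestType"]]
        index = int(kwargs.get("nextToken", 0))
        body = {"assessmentFrameworkShareRequests": pages[index]}
        if index + 1 < len(pages):
            body["nextToken"] = str(index + 1)
        return body


def list_share_requests(client, request_type):
    """Return every share request of one type, following nextToken."""
    kwargs = {"requestType": request_type}
    found = []
    while True:
        page = client.list_assessment_framework_share_requests(**kwargs)
        found.extend(page.get("assessmentFrameworkShareRequests", []))
        if not page.get("nextToken"):
            return found
        kwargs["nextToken"] = page["nextToken"]


def untrusted_shares(client, trusted_accounts):
    """Report live share requests whose peer account is not trusted."""
    findings = []
    # For a sent request the peer is the recipient; for a received one, the sender.
    for request_type, peer_field in (("SENT", "destinationAccount"),
                                     ("RECEIVED", "sourceAccount")):
        for req in list_share_requests(client, request_type):
            if req["status"] in TERMINAL_STATUSES:
                continue
            if req[peer_field] in trusted_accounts:
                continue
            findings.append({
                "direction": request_type,
                "requestId": req["id"],
                "framework": req["frameworkName"],
                "peerAccount": req[peer_field],
                "status": req["status"],
                "customControls": req["customControlsCount"],
            })
    return findings


if __name__ == "__main__":
    trusted = {"111111111111", "222222222222"}
    for finding in untrusted_shares(StubShareClient(CONSTRUCTED_SHARES), trusted):
        print(finding)
```

With a real client, pass boto3.client('auditmanager') and the account IDs of your own organization as the trusted set.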
list_assessment_frameworks(**kwargs)

Returns a list of the frameworks that are available in the Audit Manager framework library.

See also: AWS API Documentation

Request Syntax

response = client.list_assessment_frameworks(
    frameworkType='Standard'|'Custom',
    nextToken='string',
    maxResults=123
)
Parameters
  • frameworkType (string) --

    [REQUIRED]

    The type of framework, such as a standard framework or a custom framework.

  • nextToken (string) -- The pagination token that's used to fetch the next set of results.
  • maxResults (integer) -- Represents the maximum number of results on a page or for an API request call.
Return type

dict

Returns

Response Syntax

{
    'frameworkMetadataList': [
        {
            'arn': 'string',
            'id': 'string',
            'type': 'Standard'|'Custom',
            'name': 'string',
            'description': 'string',
            'logo': 'string',
            'complianceType': 'string',
            'controlsCount': 123,
            'controlSetsCount': 123,
            'createdAt': datetime(2015, 1, 1),
            'lastUpdatedAt': datetime(2015, 1, 1)
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • frameworkMetadataList (list) --

      The list of metadata objects for the framework.

      • (dict) --

        The metadata that's associated with a standard framework or a custom framework.

        • arn (string) --

          The Amazon Resource Name (ARN) of the framework.

        • id (string) --

          The unique identifier for the framework.

        • type (string) --

          The framework type, such as a standard framework or a custom framework.

        • name (string) --

          The name of the framework.

        • description (string) --

          The description of the framework.

        • logo (string) --

          The logo that's associated with the framework.

        • complianceType (string) --

          The compliance type that the new custom framework supports, such as CIS or HIPAA.

        • controlsCount (integer) --

          The number of controls that are associated with the framework.

        • controlSetsCount (integer) --

          The number of control sets that are associated with the framework.

        • createdAt (datetime) --

          Specifies when the framework was created.

        • lastUpdatedAt (datetime) --

          Specifies when the framework was most recently updated.

    • nextToken (string) --

      The pagination token that's used to fetch the next set of results.

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
list_assessment_reports(**kwargs)

Returns a list of assessment reports created in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.list_assessment_reports(
    nextToken='string',
    maxResults=123
)
Parameters
  • nextToken (string) -- The pagination token that's used to fetch the next set of results.
  • maxResults (integer) -- Represents the maximum number of results on a page or for an API request call.
Return type

dict

Returns

Response Syntax

{
    'assessmentReports': [
        {
            'id': 'string',
            'name': 'string',
            'description': 'string',
            'assessmentId': 'string',
            'assessmentName': 'string',
            'author': 'string',
            'status': 'COMPLETE'|'IN_PROGRESS'|'FAILED',
            'creationTime': datetime(2015, 1, 1)
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • assessmentReports (list) --

      The list of assessment reports that the ListAssessmentReports API returned.

      • (dict) --

        The metadata objects that are associated with the specified assessment report.

        • id (string) --

          The unique identifier for the assessment report.

        • name (string) --

          The name of the assessment report.

        • description (string) --

          The description of the assessment report.

        • assessmentId (string) --

          The unique identifier for the associated assessment.

        • assessmentName (string) --

          The name of the associated assessment.

        • author (string) --

          The name of the user who created the assessment report.

        • status (string) --

          The current status of the assessment report.

        • creationTime (datetime) --

          Specifies when the assessment report was created.

    • nextToken (string) --

      The pagination token that's used to fetch the next set of results.

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
list_assessments(**kwargs)

Returns a list of current and past assessments from Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.list_assessments(
    status='ACTIVE'|'INACTIVE',
    nextToken='string',
    maxResults=123
)
Parameters
  • status (string) -- The current status of the assessment.
  • nextToken (string) -- The pagination token that's used to fetch the next set of results.
  • maxResults (integer) -- Represents the maximum number of results on a page or for an API request call.
Return type

dict

Returns

Response Syntax

{
    'assessmentMetadata': [
        {
            'name': 'string',
            'id': 'string',
            'complianceType': 'string',
            'status': 'ACTIVE'|'INACTIVE',
            'roles': [
                {
                    'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                    'roleArn': 'string'
                },
            ],
            'delegations': [
                {
                    'id': 'string',
                    'assessmentName': 'string',
                    'assessmentId': 'string',
                    'status': 'IN_PROGRESS'|'UNDER_REVIEW'|'COMPLETE',
                    'roleArn': 'string',
                    'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                    'creationTime': datetime(2015, 1, 1),
                    'lastUpdated': datetime(2015, 1, 1),
                    'controlSetId': 'string',
                    'comment': 'string',
                    'createdBy': 'string'
                },
            ],
            'creationTime': datetime(2015, 1, 1),
            'lastUpdated': datetime(2015, 1, 1)
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • assessmentMetadata (list) --

      The metadata that's associated with the assessment.

      • (dict) --

        A metadata object that's associated with an assessment in Audit Manager.

        • name (string) --

          The name of the assessment.

        • id (string) --

          The unique identifier for the assessment.

        • complianceType (string) --

          The name of the compliance standard that's related to the assessment, such as PCI-DSS.

        • status (string) --

          The current status of the assessment.

        • roles (list) --

          The roles that are associated with the assessment.

          • (dict) --

            The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).

            • roleType (string) --

              The type of customer persona.

              Note

              In CreateAssessment, roleType can only be PROCESS_OWNER.

              In UpdateSettings, roleType can only be PROCESS_OWNER.

              In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

            • roleArn (string) --

              The Amazon Resource Name (ARN) of the IAM role.

        • delegations (list) --

          The delegations that are associated with the assessment.

          • (dict) --

            The assignment of a control set to a delegate for review.

            • id (string) --

              The unique identifier for the delegation.

            • assessmentName (string) --

              The name of the assessment that's associated with the delegation.

            • assessmentId (string) --

              The identifier for the assessment that's associated with the delegation.

            • status (string) --

              The status of the delegation.

            • roleArn (string) --

              The Amazon Resource Name (ARN) of the IAM role.

            • roleType (string) --

              The type of customer persona.

              Note

              In CreateAssessment, roleType can only be PROCESS_OWNER.

              In UpdateSettings, roleType can only be PROCESS_OWNER.

              In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

            • creationTime (datetime) --

              Specifies when the delegation was created.

            • lastUpdated (datetime) --

              Specifies when the delegation was last updated.

            • controlSetId (string) --

              The identifier for the control set that's associated with the delegation.

            • comment (string) --

              The comment that's related to the delegation.

            • createdBy (string) --

              The IAM user or role that created the delegation.

        • creationTime (datetime) --

          Specifies when the assessment was created.

        • lastUpdated (datetime) --

          The time of the most recent update.

    • nextToken (string) --

      The pagination token that's used to fetch the next set of results.

Exceptions

  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.InternalServerException
list_control_domain_insights(**kwargs)

Lists the latest analytics data for control domains across all of your active assessments.

Note

A control domain is listed only if at least one of the controls within that domain collected evidence on the lastUpdated date of controlDomainInsights. If this condition isn’t met, no data is listed for that control domain.

See also: AWS API Documentation

Request Syntax

response = client.list_control_domain_insights(
    nextToken='string',
    maxResults=123
)
Parameters
  • nextToken (string) -- The pagination token that's used to fetch the next set of results.
  • maxResults (integer) -- Represents the maximum number of results on a page or for an API request call.
Return type

dict

Returns

Response Syntax

{
    'controlDomainInsights': [
        {
            'name': 'string',
            'id': 'string',
            'controlsCountByNoncompliantEvidence': 123,
            'totalControlsCount': 123,
            'evidenceInsights': {
                'noncompliantEvidenceCount': 123,
                'compliantEvidenceCount': 123,
                'inconclusiveEvidenceCount': 123
            },
            'lastUpdated': datetime(2015, 1, 1)
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • controlDomainInsights (list) --

      The control domain analytics data that the ListControlDomainInsights API returned.

      • (dict) --

        A summary of the latest analytics data for a specific control domain.

        Control domain insights are grouped by control domain, and ranked by the highest total count of non-compliant evidence.

        • name (string) --

          The name of the control domain.

        • id (string) --

          The unique identifier for the control domain.

        • controlsCountByNoncompliantEvidence (integer) --

          The number of controls in the control domain that collected non-compliant evidence on the lastUpdated date.

        • totalControlsCount (integer) --

          The total number of controls in the control domain.

        • evidenceInsights (dict) --

          A breakdown of the compliance check status for the evidence that’s associated with the control domain.

          • noncompliantEvidenceCount (integer) --

            The number of compliance check evidence items that Audit Manager classified as non-compliant. This includes evidence that was collected from Security Hub with a Fail ruling, or collected from Config with a Non-compliant ruling.

          • compliantEvidenceCount (integer) --

            The number of compliance check evidence items that Audit Manager classified as compliant. This includes evidence that was collected from Security Hub with a Pass ruling, or collected from Config with a Compliant ruling.

          • inconclusiveEvidenceCount (integer) --

            The number of evidence items for which a compliance check ruling isn't available. Evidence is inconclusive when the associated control uses Security Hub or Config as a data source but you didn't enable those services. This is also the case when a control uses a data source that doesn’t support compliance checks (for example, manual evidence, API calls, or CloudTrail).

            Note

            If evidence has a compliance check status of not applicable in the console, it's classified as inconclusive in EvidenceInsights data.

        • lastUpdated (datetime) --

          The time when the control domain insights were last updated.

    • nextToken (string) --

      The pagination token that's used to fetch the next set of results.

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ValidationException
list_control_domain_insights_by_assessment(**kwargs)

Lists analytics data for control domains within a specified active assessment.

Note

A control domain is listed only if at least one of the controls within that domain collected evidence on the lastUpdated date of controlDomainInsights. If this condition isn’t met, no data is listed for that domain.

See also: AWS API Documentation

Request Syntax

response = client.list_control_domain_insights_by_assessment(
    assessmentId='string',
    nextToken='string',
    maxResults=123
)
Parameters
  • assessmentId (string) --

    [REQUIRED]

    The unique identifier for the active assessment.

  • nextToken (string) -- The pagination token that's used to fetch the next set of results.
  • maxResults (integer) -- Represents the maximum number of results on a page or for an API request call.
Return type

dict

Returns

Response Syntax

{
    'controlDomainInsights': [
        {
            'name': 'string',
            'id': 'string',
            'controlsCountByNoncompliantEvidence': 123,
            'totalControlsCount': 123,
            'evidenceInsights': {
                'noncompliantEvidenceCount': 123,
                'compliantEvidenceCount': 123,
                'inconclusiveEvidenceCount': 123
            },
            'lastUpdated': datetime(2015, 1, 1)
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • controlDomainInsights (list) --

      The control domain analytics data that the ListControlDomainInsightsByAssessment API returned.

      • (dict) --

        A summary of the latest analytics data for a specific control domain.

        Control domain insights are grouped by control domain, and ranked by the highest total count of non-compliant evidence.

        • name (string) --

          The name of the control domain.

        • id (string) --

          The unique identifier for the control domain.

        • controlsCountByNoncompliantEvidence (integer) --

          The number of controls in the control domain that collected non-compliant evidence on the lastUpdated date.

        • totalControlsCount (integer) --

          The total number of controls in the control domain.

        • evidenceInsights (dict) --

          A breakdown of the compliance check status for the evidence that’s associated with the control domain.

          • noncompliantEvidenceCount (integer) --

            The number of compliance check evidence that Audit Manager classified as non-compliant. This includes evidence that was collected from Security Hub with a Fail ruling, or collected from Config with a Non-compliant ruling.

          • compliantEvidenceCount (integer) --

            The number of compliance check evidence that Audit Manager classified as compliant. This includes evidence that was collected from Security Hub with a Pass ruling, or collected from Config with a Compliant ruling.

          • inconclusiveEvidenceCount (integer) --

            The number of evidence that a compliance check ruling isn't available for. Evidence is inconclusive when the associated control uses Security Hub or Config as a data source but you didn't enable those services. This is also the case when a control uses a data source that doesn’t support compliance checks (for example, manual evidence, API calls, or CloudTrail).

            Note

            If evidence has a compliance check status of not applicable in the console, it's classified as inconclusive in EvidenceInsights data.

        • lastUpdated (datetime) --

          The time when the control domain insights were last updated.

    • nextToken (string) --

      The pagination token that's used to fetch the next set of results.

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
list_control_insights_by_control_domain(**kwargs)

Lists the latest analytics data for controls within a specific control domain across all active assessments.

Note

Control insights are listed only if the control belongs to the control domain that was specified and the control collected evidence on the lastUpdated date of controlInsightsMetadata. If neither of these conditions is met, no data is listed for that control.

See also: AWS API Documentation

Request Syntax

response = client.list_control_insights_by_control_domain(
    controlDomainId='string',
    nextToken='string',
    maxResults=123
)
Parameters
  • controlDomainId (string) --

    [REQUIRED]

    The unique identifier for the control domain.

  • nextToken (string) -- The pagination token that's used to fetch the next set of results.
  • maxResults (integer) -- Represents the maximum number of results on a page or for an API request call.
Return type

dict

Returns

Response Syntax

{
    'controlInsightsMetadata': [
        {
            'name': 'string',
            'id': 'string',
            'evidenceInsights': {
                'noncompliantEvidenceCount': 123,
                'compliantEvidenceCount': 123,
                'inconclusiveEvidenceCount': 123
            },
            'lastUpdated': datetime(2015, 1, 1)
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • controlInsightsMetadata (list) --

      The control analytics data that the ListControlInsightsByControlDomain API returned.

      • (dict) --

        A summary of the latest analytics data for a specific control.

        This data reflects the total counts for the specified control across all active assessments. Control insights are grouped by control domain, and ranked by the highest total count of non-compliant evidence.

        • name (string) --

          The name of the control.

        • id (string) --

          The unique identifier for the control.

        • evidenceInsights (dict) --

          A breakdown of the compliance check status for the evidence that’s associated with the control.

          • noncompliantEvidenceCount (integer) --

            The number of compliance check evidence that Audit Manager classified as non-compliant. This includes evidence that was collected from Security Hub with a Fail ruling, or collected from Config with a Non-compliant ruling.

          • compliantEvidenceCount (integer) --

            The number of compliance check evidence that Audit Manager classified as compliant. This includes evidence that was collected from Security Hub with a Pass ruling, or collected from Config with a Compliant ruling.

          • inconclusiveEvidenceCount (integer) --

            The number of evidence that a compliance check ruling isn't available for. Evidence is inconclusive when the associated control uses Security Hub or Config as a data source but you didn't enable those services. This is also the case when a control uses a data source that doesn’t support compliance checks (for example, manual evidence, API calls, or CloudTrail).

            Note

            If evidence has a compliance check status of not applicable in the console, it's classified as inconclusive in EvidenceInsights data.

        • lastUpdated (datetime) --

          The time when the control insights were last updated.

    • nextToken (string) --

      The pagination token that's used to fetch the next set of results.

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ValidationException
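
The two insights operations above are usually chained: page through the domain insights for one assessment, then drill into the controls of each failing domain. The following is an added example, not code from the AWS documentation; `paginate`, `ruling_coverage`, `triage`, `ev` and `StubClient` are hypothetical names, and every record in the stub is constructed so the block runs offline.

```python
def paginate(operation, result_key, **params):
    """Yield every item from a nextToken-paginated list operation."""
    token = None
    while True:
        kwargs = dict(params)
        if token:
            kwargs["nextToken"] = token
        page = operation(**kwargs)
        yield from page.get(result_key, [])
        token = page.get("nextToken")
        if not token:
            return


def ruling_coverage(evidence):
    """Fraction of evidence that received a compliance ruling at all."""
    bad = evidence.get("noncompliantEvidenceCount", 0)
    good = evidence.get("compliantEvidenceCount", 0)
    unknown = evidence.get("inconclusiveEvidenceCount", 0)
    total = bad + good + unknown
    return round((bad + good) / total, 2) if total else 0.0


def triage(client, assessment_id, min_coverage=0.5):
    """Return failing domains (with failing controls) and low-coverage domains."""
    failing, blind_spots = [], []
    domains = paginate(client.list_control_domain_insights_by_assessment,
                       "controlDomainInsights", assessmentId=assessment_id)
    for domain in domains:
        evidence = domain["evidenceInsights"]
        bad = evidence["noncompliantEvidenceCount"]
        if bad > 0:
            # Control insights are totals across all active assessments,
            # not only the assessment the domain insight came from.
            controls = paginate(client.list_control_insights_by_control_domain,
                                "controlInsightsMetadata", controlDomainId=domain["id"])
            bad_controls = [
                (c["name"], c["evidenceInsights"]["noncompliantEvidenceCount"])
                for c in controls
                if c["evidenceInsights"]["noncompliantEvidenceCount"] > 0
            ]
            bad_controls.sort(key=lambda item: item[1], reverse=True)
            failing.append({"domain": domain["name"], "noncompliant": bad,
                            "controls": bad_controls})
        elif ruling_coverage(evidence) < min_coverage:
            # No failures, but most evidence is inconclusive: there is no
            # ruling behind the clean result, so report it separately.
            blind_spots.append((domain["name"], ruling_coverage(evidence)))
    failing.sort(key=lambda d: d["noncompliant"], reverse=True)
    return {"failing": failing, "blind_spots": blind_spots}


def ev(bad, good, unknown):
    """Build an evidenceInsights dict (constructed sample data helper)."""
    return {"noncompliantEvidenceCount": bad,
            "compliantEvidenceCount": good,
            "inconclusiveEvidenceCount": unknown}


class StubClient:
    """Constructed stand-in for boto3.client('auditmanager'); all data is made up."""

    DOMAIN_PAGES = {
        None: {"controlDomainInsights": [
            {"id": "dom-log", "name": "Logging", "evidenceInsights": ev(0, 2, 18)},
            {"id": "dom-iam", "name": "Identity and access", "evidenceInsights": ev(7, 20, 3)},
        ], "nextToken": "page-2"},
        "page-2": {"controlDomainInsights": [
            {"id": "dom-enc", "name": "Encryption", "evidenceInsights": ev(0, 30, 0)},
            {"id": "dom-net", "name": "Network", "evidenceInsights": ev(9, 1, 0)},
        ]},
    }
    CONTROLS = {
        "dom-iam": [
            {"id": "c1", "name": "Access key rotation", "evidenceInsights": ev(2, 9, 3)},
            {"id": "c2", "name": "MFA on root", "evidenceInsights": ev(5, 1, 0)},
            {"id": "c3", "name": "Password policy", "evidenceInsights": ev(0, 10, 0)},
        ],
        "dom-net": [
            {"id": "c4", "name": "Open security groups", "evidenceInsights": ev(9, 1, 0)},
        ],
    }

    def list_control_domain_insights_by_assessment(self, assessmentId,
                                                   nextToken=None, maxResults=None):
        return self.DOMAIN_PAGES[nextToken]

    def list_control_insights_by_control_domain(self, controlDomainId,
                                                nextToken=None, maxResults=None):
        return {"controlInsightsMetadata": self.CONTROLS.get(controlDomainId, [])}


if __name__ == "__main__":
    print(triage(StubClient(), "constructed-assessment-id"))
```

With real credentials, pass `boto3.client('auditmanager')` in place of `StubClient()`.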
list_controls(**kwargs)

Returns a list of controls from Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.list_controls(
    controlType='Standard'|'Custom',
    nextToken='string',
    maxResults=123
)
Parameters
  • controlType (string) --

    [REQUIRED]

    The type of control, such as a standard control or a custom control.

  • nextToken (string) -- The pagination token that's used to fetch the next set of results.
  • maxResults (integer) -- Represents the maximum number of results on a page or for an API request call.
Return type

dict

Returns

Response Syntax

{
    'controlMetadataList': [
        {
            'arn': 'string',
            'id': 'string',
            'name': 'string',
            'controlSources': 'string',
            'createdAt': datetime(2015, 1, 1),
            'lastUpdatedAt': datetime(2015, 1, 1)
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • controlMetadataList (list) --

      The list of control metadata objects that the ListControls API returned.

      • (dict) --

        The metadata that's associated with the standard control or custom control.

        • arn (string) --

          The Amazon Resource Name (ARN) of the control.

        • id (string) --

          The unique identifier for the control.

        • name (string) --

          The name of the control.

        • controlSources (string) --

          The data source that determines where Audit Manager collects evidence from for the control.

        • createdAt (datetime) --

          Specifies when the control was created.

        • lastUpdatedAt (datetime) --

          Specifies when the control was most recently updated.

    • nextToken (string) --

      The pagination token that's used to fetch the next set of results.

Exceptions

  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.InternalServerException
list_keywords_for_data_source(**kwargs)

Returns a list of keywords that are pre-mapped to the specified control data source.

See also: AWS API Documentation

Request Syntax

response = client.list_keywords_for_data_source(
    source='AWS_Cloudtrail'|'AWS_Config'|'AWS_Security_Hub'|'AWS_API_Call'|'MANUAL',
    nextToken='string',
    maxResults=123
)
Parameters
  • source (string) --

    [REQUIRED]

    The control mapping data source that the keywords apply to.

  • nextToken (string) -- The pagination token that's used to fetch the next set of results.
  • maxResults (integer) -- Represents the maximum number of results on a page or for an API request call.
Return type

dict

Returns

Response Syntax

{
    'keywords': [
        'string',
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • keywords (list) --

      The list of keywords for the event mapping source.

      • (string) --
    • nextToken (string) --

      The pagination token that's used to fetch the next set of results.

Exceptions

  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.InternalServerException
list_notifications(**kwargs)

Returns a list of all Audit Manager notifications.

See also: AWS API Documentation

Request Syntax

response = client.list_notifications(
    nextToken='string',
    maxResults=123
)
Parameters
  • nextToken (string) -- The pagination token that's used to fetch the next set of results.
  • maxResults (integer) -- Represents the maximum number of results on a page or for an API request call.
Return type

dict

Returns

Response Syntax

{
    'notifications': [
        {
            'id': 'string',
            'assessmentId': 'string',
            'assessmentName': 'string',
            'controlSetId': 'string',
            'controlSetName': 'string',
            'description': 'string',
            'eventTime': datetime(2015, 1, 1),
            'source': 'string'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • notifications (list) --

      The returned list of notifications.

      • (dict) --

        The notification that informs a user of an update in Audit Manager. For example, this includes the notification that's sent when a control set is delegated for review.

        • id (string) --

          The unique identifier for the notification.

        • assessmentId (string) --

          The identifier for the assessment.

        • assessmentName (string) --

          The name of the related assessment.

        • controlSetId (string) --

          The identifier for the control set.

        • controlSetName (string) --

          Specifies the name of the control set that the notification is about.

        • description (string) --

          The description of the notification.

        • eventTime (datetime) --

          The time when the notification was sent.

        • source (string) --

          The sender of the notification.

    • nextToken (string) --

      The pagination token that's used to fetch the next set of results.

Exceptions

  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.InternalServerException
list_tags_for_resource(**kwargs)

Returns a list of tags for the specified resource in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.list_tags_for_resource(
    resourceArn='string'
)
Parameters
  • resourceArn (string) --

    [REQUIRED]

    The Amazon Resource Name (ARN) of the resource.

Return type

dict

Returns

Response Syntax

{
    'tags': {
        'string': 'string'
    }
}

Response Structure

  • (dict) --
    • tags (dict) --

      The list of tags that the ListTagsForResource API returned.

      • (string) --
        • (string) --

Exceptions

  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.ResourceNotFoundException
register_account(**kwargs)

Enables Audit Manager for the specified Amazon Web Services account.

See also: AWS API Documentation

Request Syntax

response = client.register_account(
    kmsKey='string',
    delegatedAdminAccount='string'
)
Parameters
  • kmsKey (string) -- The KMS key details.
  • delegatedAdminAccount (string) -- The delegated administrator account for Audit Manager.
Return type

dict

Returns

Response Syntax

{
    'status': 'ACTIVE'|'INACTIVE'|'PENDING_ACTIVATION'
}

Response Structure

  • (dict) --

    • status (string) --

      The status of the account registration request.

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ThrottlingException
register_organization_admin_account(**kwargs)

Enables an Amazon Web Services account within the organization as the delegated administrator for Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.register_organization_admin_account(
    adminAccountId='string'
)
Parameters
  • adminAccountId (string) --

    [REQUIRED]

    The identifier for the delegated administrator account.

Return type

dict

Returns

Response Syntax

{
    'adminAccountId': 'string',
    'organizationId': 'string'
}

Response Structure

  • (dict) --
    • adminAccountId (string) --

      The identifier for the delegated administrator account.

    • organizationId (string) --

      The identifier for the organization.

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ResourceNotFoundException
start_assessment_framework_share(**kwargs)

Creates a share request for a custom framework in Audit Manager.

The share request specifies a recipient and notifies them that a custom framework is available. Recipients have 120 days to accept or decline the request. If no action is taken, the share request expires.

When you create a share request, Audit Manager stores a snapshot of your custom framework in the US East (N. Virginia) Amazon Web Services Region. Audit Manager also stores a backup of the same snapshot in the US West (Oregon) Amazon Web Services Region.

Audit Manager deletes the snapshot and the backup snapshot when one of the following events occurs:

  • The sender revokes the share request.
  • The recipient declines the share request.
  • The recipient encounters an error and doesn't successfully accept the share request.
  • The share request expires before the recipient responds to the request.

When a sender resends a share request, the snapshot is replaced with an updated version that corresponds with the latest version of the custom framework.

When a recipient accepts a share request, the snapshot is replicated into their Amazon Web Services account under the Amazon Web Services Region that was specified in the share request.

Warning

When you invoke the StartAssessmentFrameworkShare API, you are about to share a custom framework with another Amazon Web Services account. You may not share a custom framework that is derived from a standard framework if the standard framework is designated as not eligible for sharing by Amazon Web Services, unless you have obtained permission to do so from the owner of the standard framework. To learn more about which standard frameworks are eligible for sharing, see Framework sharing eligibility in the Audit Manager User Guide.

See also: AWS API Documentation

Request Syntax

response = client.start_assessment_framework_share(
    frameworkId='string',
    destinationAccount='string',
    destinationRegion='string',
    comment='string'
)
Parameters
  • frameworkId (string) --

    [REQUIRED]

    The unique identifier for the custom framework to be shared.

  • destinationAccount (string) --

    [REQUIRED]

    The Amazon Web Services account of the recipient.

  • destinationRegion (string) --

    [REQUIRED]

    The Amazon Web Services Region of the recipient.

  • comment (string) -- An optional comment from the sender about the share request.
Return type

dict

Returns

Response Syntax

{
    'assessmentFrameworkShareRequest': {
        'id': 'string',
        'frameworkId': 'string',
        'frameworkName': 'string',
        'frameworkDescription': 'string',
        'status': 'ACTIVE'|'REPLICATING'|'SHARED'|'EXPIRING'|'FAILED'|'EXPIRED'|'DECLINED'|'REVOKED',
        'sourceAccount': 'string',
        'destinationAccount': 'string',
        'destinationRegion': 'string',
        'expirationTime': datetime(2015, 1, 1),
        'creationTime': datetime(2015, 1, 1),
        'lastUpdated': datetime(2015, 1, 1),
        'comment': 'string',
        'standardControlsCount': 123,
        'customControlsCount': 123,
        'complianceType': 'string'
    }
}

Response Structure

  • (dict) --

    • assessmentFrameworkShareRequest (dict) --

      The share request that's created by the StartAssessmentFrameworkShare API.

      • id (string) --

        The unique identifier for the share request.

      • frameworkId (string) --

        The unique identifier for the shared custom framework.

      • frameworkName (string) --

        The name of the custom framework that the share request is for.

      • frameworkDescription (string) --

        The description of the shared custom framework.

      • status (string) --

        The status of the share request.

      • sourceAccount (string) --

        The Amazon Web Services account of the sender.

      • destinationAccount (string) --

        The Amazon Web Services account of the recipient.

      • destinationRegion (string) --

        The Amazon Web Services Region of the recipient.

      • expirationTime (datetime) --

        The time when the share request expires.

      • creationTime (datetime) --

        The time when the share request was created.

      • lastUpdated (datetime) --

        Specifies when the share request was last updated.

      • comment (string) --

        An optional comment from the sender about the share request.

      • standardControlsCount (integer) --

        The number of standard controls that are part of the shared custom framework.

      • customControlsCount (integer) --

        The number of custom controls that are part of the shared custom framework.

      • complianceType (string) --

        The compliance type that the shared custom framework supports, such as CIS or HIPAA.

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ResourceNotFoundException
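
A pre-flight check for the share request described above, as an added example that is not AWS's code. It treats the snapshot locations named in the text (US East (N. Virginia) is `us-east-1`, US West (Oregon) is `us-west-2`) as regions the framework data touches in addition to `destinationRegion`. The names `check_share`, `guarded_share`, `snapshot_outstanding`, `ShareDenied` and `StubClient`, the allow-lists, and the mapping of the four deletion events to statuses are assumptions; all account IDs and identifiers are constructed.

```python
import re

# Regions where the text above says the snapshot and its backup are stored.
SNAPSHOT_REGIONS = ("us-east-1", "us-west-2")

# Assumed mapping of the four deletion events listed above to status values.
SNAPSHOT_DELETED_STATUSES = {"REVOKED", "DECLINED", "FAILED", "EXPIRED"}


class ShareDenied(Exception):
    """Raised when a share request violates the local sharing policy."""


def check_share(destination_account, destination_region,
                allowed_accounts, allowed_regions):
    """Return a list of policy violations; an empty list means the share is allowed."""
    problems = []
    if not re.fullmatch(r"\d{12}", destination_account):
        problems.append("destinationAccount is not a 12-digit account ID")
    elif destination_account not in allowed_accounts:
        problems.append(f"account {destination_account} is not an approved recipient")
    # The snapshot lives in the two fixed regions regardless of destinationRegion.
    touched = set(SNAPSHOT_REGIONS) | {destination_region}
    for region in sorted(touched - set(allowed_regions)):
        problems.append(f"framework data would be stored in unapproved region {region}")
    return problems


def guarded_share(client, framework_id, destination_account, destination_region,
                  allowed_accounts, allowed_regions, comment=None):
    """Call start_assessment_framework_share only if the policy check passes."""
    problems = check_share(destination_account, destination_region,
                           allowed_accounts, allowed_regions)
    if problems:
        raise ShareDenied("; ".join(problems))
    kwargs = {"frameworkId": framework_id,
              "destinationAccount": destination_account,
              "destinationRegion": destination_region}
    if comment:
        kwargs["comment"] = comment
    response = client.start_assessment_framework_share(**kwargs)
    return response["assessmentFrameworkShareRequest"]


def snapshot_outstanding(share_request):
    """True while the request is in a status where the snapshot has not been deleted."""
    return share_request["status"] not in SNAPSHOT_DELETED_STATUSES


class StubClient:
    """Constructed stand-in for boto3.client('auditmanager'); records calls."""

    def __init__(self):
        self.calls = []

    def start_assessment_framework_share(self, **kwargs):
        self.calls.append(kwargs)
        return {"assessmentFrameworkShareRequest": {
            "id": "constructed-share-id",
            "frameworkId": kwargs["frameworkId"],
            "status": "ACTIVE",
            "destinationAccount": kwargs["destinationAccount"],
            "destinationRegion": kwargs["destinationRegion"],
        }}


if __name__ == "__main__":
    stub = StubClient()
    share = guarded_share(stub, "constructed-framework-id", "111122223333", "us-west-2",
                          allowed_accounts={"111122223333"},
                          allowed_regions={"us-east-1", "us-west-2"})
    print(share["status"], snapshot_outstanding(share))
```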
tag_resource(**kwargs)

Tags the specified resource in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.tag_resource(
    resourceArn='string',
    tags={
        'string': 'string'
    }
)
Parameters
  • resourceArn (string) --

    [REQUIRED]

    The Amazon Resource Name (ARN) of the resource.

  • tags (dict) --

    [REQUIRED]

    The tags that are associated with the resource.

    • (string) --
      • (string) --
Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.ResourceNotFoundException
untag_resource(**kwargs)

Removes a tag from a resource in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.untag_resource(
    resourceArn='string',
    tagKeys=[
        'string',
    ]
)
Parameters
  • resourceArn (string) --

    [REQUIRED]

    The Amazon Resource Name (ARN) of the specified resource.

  • tagKeys (list) --

    [REQUIRED]

    The name or key of the tag.

    • (string) --
Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.ResourceNotFoundException
update_assessment(**kwargs)

Edits an Audit Manager assessment.

See also: AWS API Documentation

Request Syntax

response = client.update_assessment(
    assessmentId='string',
    assessmentName='string',
    assessmentDescription='string',
    scope={
        'awsAccounts': [
            {
                'id': 'string',
                'emailAddress': 'string',
                'name': 'string'
            },
        ],
        'awsServices': [
            {
                'serviceName': 'string'
            },
        ]
    },
    assessmentReportsDestination={
        'destinationType': 'S3',
        'destination': 'string'
    },
    roles=[
        {
            'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
            'roleArn': 'string'
        },
    ]
)
Parameters
  • assessmentId (string) --

    [REQUIRED]

    The unique identifier for the assessment.

  • assessmentName (string) -- The name of the assessment to be updated.
  • assessmentDescription (string) -- The description of the assessment.
  • scope (dict) --

    [REQUIRED]

    The scope of the assessment.

    • awsAccounts (list) --

      The Amazon Web Services accounts that are included in the scope of the assessment.

      • (dict) --

        The wrapper of Amazon Web Services account details, such as account ID or email address.

        • id (string) --

          The identifier for the Amazon Web Services account.

        • emailAddress (string) --

          The email address that's associated with the Amazon Web Services account.

        • name (string) --

          The name of the Amazon Web Services account.

    • awsServices (list) --

      The Amazon Web Services services that are included in the scope of the assessment.

      • (dict) --

        An Amazon Web Service such as Amazon S3 or CloudTrail.

        • serviceName (string) --

          The name of the Amazon Web Service.

  • assessmentReportsDestination (dict) --

    The assessment report storage destination for the assessment that's being updated.

    • destinationType (string) --

      The destination type, such as Amazon S3.

    • destination (string) --

      The destination of the assessment report.

  • roles (list) --

    The list of roles for the assessment.

    • (dict) --

      The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).

      • roleType (string) -- [REQUIRED]

        The type of customer persona.

        Note

        In CreateAssessment, roleType can only be PROCESS_OWNER.

        In UpdateSettings, roleType can only be PROCESS_OWNER.

        In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

      • roleArn (string) -- [REQUIRED]

        The Amazon Resource Name (ARN) of the IAM role.
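
Because scope is required on every update_assessment call, even a rename has to resend the accounts and services. The following added example (not AWS's code) builds the request from an existing `assessment` dict of the shape shown in the response syntax, for instance one returned by get_assessment, and refuses to send a scope that drops accounts or services unless explicitly allowed. It assumes the supplied scope replaces the stored one; `build_update_request`, `scope_reduction`, `safe_update`, `RecordingClient` and all sample values are hypothetical and constructed.

```python
VALID_ROLE_TYPES = {"PROCESS_OWNER", "RESOURCE_OWNER"}


def scope_ids(scope):
    """Return (account IDs, service names) contained in a scope dict."""
    accounts = {a["id"] for a in scope.get("awsAccounts", [])}
    services = {s["serviceName"] for s in scope.get("awsServices", [])}
    return accounts, services


def scope_reduction(old_scope, new_scope):
    """List the accounts and services present in old_scope but missing from new_scope."""
    old_accounts, old_services = scope_ids(old_scope)
    new_accounts, new_services = scope_ids(new_scope)
    return {"accounts": sorted(old_accounts - new_accounts),
            "services": sorted(old_services - new_services)}


def build_update_request(current, name=None, description=None, scope=None):
    """Build update_assessment kwargs, carrying forward whatever is not being changed."""
    meta = current["metadata"]
    request = {"assessmentId": meta["id"],
               "scope": scope if scope is not None else meta["scope"]}
    if name is not None:
        request["assessmentName"] = name
    if description is not None:
        request["assessmentDescription"] = description
    if meta.get("assessmentReportsDestination"):
        request["assessmentReportsDestination"] = meta["assessmentReportsDestination"]
    if meta.get("roles"):
        request["roles"] = meta["roles"]
    return request


def safe_update(client, current, allow_reduction=False, **changes):
    """Validate the request, block silent scope reduction, then call update_assessment."""
    request = build_update_request(current, **changes)
    for role in request.get("roles", []):
        # roleType and roleArn are both marked [REQUIRED] inside each role.
        if role.get("roleType") not in VALID_ROLE_TYPES or not role.get("roleArn"):
            raise ValueError(f"invalid role entry: {role}")
    removed = scope_reduction(current["metadata"]["scope"], request["scope"])
    if (removed["accounts"] or removed["services"]) and not allow_reduction:
        raise ValueError(f"update would drop from scope: {removed}")
    return client.update_assessment(**request)["assessment"]


# Constructed sample in the shape of the documented 'assessment' response object.
CURRENT = {"metadata": {
    "id": "11111111-2222-3333-4444-555555555555",
    "name": "Q1 audit",
    "scope": {
        "awsAccounts": [{"id": "111122223333"}, {"id": "444455556666"}],
        "awsServices": [{"serviceName": "s3"}, {"serviceName": "cloudtrail"}],
    },
    "assessmentReportsDestination": {"destinationType": "S3",
                                     "destination": "s3://constructed-report-bucket"},
    "roles": [{"roleType": "PROCESS_OWNER",
               "roleArn": "arn:aws:iam::111122223333:role/ConstructedAuditOwner"}],
}}


class RecordingClient:
    """Constructed stand-in for boto3.client('auditmanager'); records calls."""

    def __init__(self):
        self.calls = []

    def update_assessment(self, **kwargs):
        self.calls.append(kwargs)
        return {"assessment": {"metadata": {"id": kwargs["assessmentId"],
                                            "name": kwargs.get("assessmentName")}}}


if __name__ == "__main__":
    client = RecordingClient()
    print(safe_update(client, CURRENT, name="Q1 audit (renamed)"))
```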

Return type

dict

Returns

Response Syntax

{
    'assessment': {
        'arn': 'string',
        'awsAccount': {
            'id': 'string',
            'emailAddress': 'string',
            'name': 'string'
        },
        'metadata': {
            'name': 'string',
            'id': 'string',
            'description': 'string',
            'complianceType': 'string',
            'status': 'ACTIVE'|'INACTIVE',
            'assessmentReportsDestination': {
                'destinationType': 'S3',
                'destination': 'string'
            },
            'scope': {
                'awsAccounts': [
                    {
                        'id': 'string',
                        'emailAddress': 'string',
                        'name': 'string'
                    },
                ],
                'awsServices': [
                    {
                        'serviceName': 'string'
                    },
                ]
            },
            'roles': [
                {
                    'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                    'roleArn': 'string'
                },
            ],
            'delegations': [
                {
                    'id': 'string',
                    'assessmentName': 'string',
                    'assessmentId': 'string',
                    'status': 'IN_PROGRESS'|'UNDER_REVIEW'|'COMPLETE',
                    'roleArn': 'string',
                    'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                    'creationTime': datetime(2015, 1, 1),
                    'lastUpdated': datetime(2015, 1, 1),
                    'controlSetId': 'string',
                    'comment': 'string',
                    'createdBy': 'string'
                },
            ],
            'creationTime': datetime(2015, 1, 1),
            'lastUpdated': datetime(2015, 1, 1)
        },
        'framework': {
            'id': 'string',
            'arn': 'string',
            'metadata': {
                'name': 'string',
                'description': 'string',
                'logo': 'string',
                'complianceType': 'string'
            },
            'controlSets': [
                {
                    'id': 'string',
                    'description': 'string',
                    'status': 'ACTIVE'|'UNDER_REVIEW'|'REVIEWED',
                    'roles': [
                        {
                            'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                            'roleArn': 'string'
                        },
                    ],
                    'controls': [
                        {
                            'id': 'string',
                            'name': 'string',
                            'description': 'string',
                            'status': 'UNDER_REVIEW'|'REVIEWED'|'INACTIVE',
                            'response': 'MANUAL'|'AUTOMATE'|'DEFER'|'IGNORE',
                            'comments': [
                                {
                                    'authorName': 'string',
                                    'commentBody': 'string',
                                    'postedDate': datetime(2015, 1, 1)
                                },
                            ],
                            'evidenceSources': [
                                'string',
                            ],
                            'evidenceCount': 123,
                            'assessmentReportEvidenceCount': 123
                        },
                    ],
                    'delegations': [
                        {
                            'id': 'string',
                            'assessmentName': 'string',
                            'assessmentId': 'string',
                            'status': 'IN_PROGRESS'|'UNDER_REVIEW'|'COMPLETE',
                            'roleArn': 'string',
                            'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                            'creationTime': datetime(2015, 1, 1),
                            'lastUpdated': datetime(2015, 1, 1),
                            'controlSetId': 'string',
                            'comment': 'string',
                            'createdBy': 'string'
                        },
                    ],
                    'systemEvidenceCount': 123,
                    'manualEvidenceCount': 123
                },
            ]
        },
        'tags': {
            'string': 'string'
        }
    }
}

Response Structure

  • (dict) --

    • assessment (dict) --

      The response object for the UpdateAssessmentRequest API. This is the name of the updated assessment.

      • arn (string) --

        The Amazon Resource Name (ARN) of the assessment.

      • awsAccount (dict) --

        The Amazon Web Services account that's associated with the assessment.

        • id (string) --

          The identifier for the Amazon Web Services account.

        • emailAddress (string) --

          The email address that's associated with the Amazon Web Services account.

        • name (string) --

          The name of the Amazon Web Services account.

      • metadata (dict) --

        The metadata for the assessment.

        • name (string) --

          The name of the assessment.

        • id (string) --

          The unique identifier for the assessment.

        • description (string) --

          The description of the assessment.

        • complianceType (string) --

          The name of the compliance standard that's related to the assessment, such as PCI-DSS.

        • status (string) --

          The overall status of the assessment.

        • assessmentReportsDestination (dict) --

          The destination that evidence reports are stored in for the assessment.

          • destinationType (string) --

            The destination type, such as Amazon S3.

          • destination (string) --

            The destination of the assessment report.

        • scope (dict) --

          The wrapper of Amazon Web Services accounts and services that are in scope for the assessment.

          • awsAccounts (list) --

            The Amazon Web Services accounts that are included in the scope of the assessment.

            • (dict) --

              The wrapper of Amazon Web Services account details, such as account ID or email address.

              • id (string) --

                The identifier for the Amazon Web Services account.

              • emailAddress (string) --

                The email address that's associated with the Amazon Web Services account.

              • name (string) --

                The name of the Amazon Web Services account.

          • awsServices (list) --

            The Amazon Web Services services that are included in the scope of the assessment.

            • (dict) --

              An Amazon Web Service such as Amazon S3 or CloudTrail.

              • serviceName (string) --

                The name of the Amazon Web Service.

        • roles (list) --

          The roles that are associated with the assessment.

          • (dict) --

            The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).

            • roleType (string) --

              The type of customer persona.

              Note

              In CreateAssessment, roleType can only be PROCESS_OWNER.

              In UpdateSettings, roleType can only be PROCESS_OWNER.

              In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

            • roleArn (string) --

              The Amazon Resource Name (ARN) of the IAM role.

        • delegations (list) --

          The delegations that are associated with the assessment.

          • (dict) --

            The assignment of a control set to a delegate for review.

            • id (string) --

              The unique identifier for the delegation.

            • assessmentName (string) --

              The name of the assessment that's associated with the delegation.

            • assessmentId (string) --

              The identifier for the assessment that's associated with the delegation.

            • status (string) --

              The status of the delegation.

            • roleArn (string) --

              The Amazon Resource Name (ARN) of the IAM role.

            • roleType (string) --

              The type of customer persona.

              Note

              In CreateAssessment, roleType can only be PROCESS_OWNER.

              In UpdateSettings, roleType can only be PROCESS_OWNER.

              In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

            • creationTime (datetime) --

              Specifies when the delegation was created.

            • lastUpdated (datetime) --

              Specifies when the delegation was last updated.

            • controlSetId (string) --

              The identifier for the control set that's associated with the delegation.

            • comment (string) --

              The comment that's related to the delegation.

            • createdBy (string) --

              The IAM user or role that created the delegation.

        • creationTime (datetime) --

          Specifies when the assessment was created.

        • lastUpdated (datetime) --

          The time of the most recent update.

      • framework (dict) --

        The framework that the assessment was created from.

        • id (string) --

          The unique identifier for the framework.

        • arn (string) --

          The Amazon Resource Name (ARN) of the framework.

        • metadata (dict) --

          The metadata of a framework, such as the name, ID, or description.

          • name (string) --

            The name of the framework.

          • description (string) --

            The description of the framework.

          • logo (string) --

            The logo that's associated with the framework.

          • complianceType (string) --

            The compliance standard that's associated with the framework. For example, this could be PCI DSS or HIPAA.

        • controlSets (list) --

          The control sets that are associated with the framework.

          • (dict) --

            Represents a set of controls in an Audit Manager assessment.

            • id (string) --

              The identifier of the control set in the assessment. This is the control set name in a plain string format.

            • description (string) --

              The description for the control set.

            • status (string) --

              Specifies the current status of the control set.

            • roles (list) --

              The roles that are associated with the control set.

              • (dict) --

                The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).

                • roleType (string) --

                  The type of customer persona.

                  Note

                  In CreateAssessment, roleType can only be PROCESS_OWNER.

                  In UpdateSettings, roleType can only be PROCESS_OWNER.

                  In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

                • roleArn (string) --

                  The Amazon Resource Name (ARN) of the IAM role.

            • controls (list) --

              The list of controls that's contained within the control set.

              • (dict) --

                The control entity that represents a standard control or a custom control in an Audit Manager assessment.

                • id (string) --

                  The identifier for the control.

                • name (string) --

                  The name of the control.

                • description (string) --

                  The description of the control.

                • status (string) --

                  The status of the control.

                • response (string) --

                  The response of the control.

                • comments (list) --

                  The list of comments that's attached to the control.

                  • (dict) --

                    A comment that's posted by a user on a control. This includes the author's name, the comment text, and a timestamp.

                    • authorName (string) --

                      The name of the user who authored the comment.

                    • commentBody (string) --

                      The body text of a control comment.

                    • postedDate (datetime) --

                      The time when the comment was posted.

                • evidenceSources (list) --

                  The list of data sources for the evidence.

                  • (string) --
                • evidenceCount (integer) --

                  The amount of evidence that's generated for the control.

                • assessmentReportEvidenceCount (integer) --

                  The amount of evidence in the assessment report.

            • delegations (list) --

              The delegations that are associated with the control set.

              • (dict) --

                The assignment of a control set to a delegate for review.

                • id (string) --

                  The unique identifier for the delegation.

                • assessmentName (string) --

                  The name of the assessment that's associated with the delegation.

                • assessmentId (string) --

                  The identifier for the assessment that's associated with the delegation.

                • status (string) --

                  The status of the delegation.

                • roleArn (string) --

                  The Amazon Resource Name (ARN) of the IAM role.

                • roleType (string) --

                  The type of customer persona.

                  Note

                  In CreateAssessment, roleType can only be PROCESS_OWNER.

                  In UpdateSettings, roleType can only be PROCESS_OWNER.

                  In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

                • creationTime (datetime) --

                  Specifies when the delegation was created.

                • lastUpdated (datetime) --

                  Specifies when the delegation was last updated.

                • controlSetId (string) --

                  The identifier for the control set that's associated with the delegation.

                • comment (string) --

                  The comment that's related to the delegation.

                • createdBy (string) --

                  The IAM user or role that created the delegation.

            • systemEvidenceCount (integer) --

              The total number of evidence objects that are retrieved automatically for the control set.

            • manualEvidenceCount (integer) --

              The total number of evidence objects that are uploaded manually to the control set.

      • tags (dict) --

        The tags that are associated with the assessment.

        • (string) --
          • (string) --

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException

update_assessment_control(**kwargs)

Updates a control within an assessment in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.update_assessment_control(
    assessmentId='string',
    controlSetId='string',
    controlId='string',
    controlStatus='UNDER_REVIEW'|'REVIEWED'|'INACTIVE',
    commentBody='string'
)
Parameters
  • assessmentId (string) --

    [REQUIRED]

    The unique identifier for the assessment.

  • controlSetId (string) --

    [REQUIRED]

    The unique identifier for the control set.

  • controlId (string) --

    [REQUIRED]

    The unique identifier for the control.

  • controlStatus (string) -- The status of the control.
  • commentBody (string) -- The comment body text for the control.
Return type

dict

Returns

Response Syntax

{
    'control': {
        'id': 'string',
        'name': 'string',
        'description': 'string',
        'status': 'UNDER_REVIEW'|'REVIEWED'|'INACTIVE',
        'response': 'MANUAL'|'AUTOMATE'|'DEFER'|'IGNORE',
        'comments': [
            {
                'authorName': 'string',
                'commentBody': 'string',
                'postedDate': datetime(2015, 1, 1)
            },
        ],
        'evidenceSources': [
            'string',
        ],
        'evidenceCount': 123,
        'assessmentReportEvidenceCount': 123
    }
}

Response Structure

  • (dict) --

    • control (dict) --

      The name of the updated control set that the UpdateAssessmentControl API returned.

      • id (string) --

        The identifier for the control.

      • name (string) --

        The name of the control.

      • description (string) --

        The description of the control.

      • status (string) --

        The status of the control.

      • response (string) --

        The response of the control.

      • comments (list) --

        The list of comments that's attached to the control.

        • (dict) --

          A comment that's posted by a user on a control. This includes the author's name, the comment text, and a timestamp.

          • authorName (string) --

            The name of the user who authored the comment.

          • commentBody (string) --

            The body text of a control comment.

          • postedDate (datetime) --

            The time when the comment was posted.

      • evidenceSources (list) --

        The list of data sources for the evidence.

        • (string) --
      • evidenceCount (integer) --

        The amount of evidence that's generated for the control.

      • assessmentReportEvidenceCount (integer) --

        The amount of evidence in the assessment report.

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException

update_assessment_control_set_status(**kwargs)

Updates the status of a control set in an Audit Manager assessment.

See also: AWS API Documentation

Request Syntax

response = client.update_assessment_control_set_status(
    assessmentId='string',
    controlSetId='string',
    status='ACTIVE'|'UNDER_REVIEW'|'REVIEWED',
    comment='string'
)
Parameters
  • assessmentId (string) --

    [REQUIRED]

    The unique identifier for the assessment.

  • controlSetId (string) --

    [REQUIRED]

    The unique identifier for the control set.

  • status (string) --

    [REQUIRED]

    The status of the control set that's being updated.

  • comment (string) --

    [REQUIRED]

    The comment that's related to the status update.

Return type

dict

Returns

Response Syntax

{
    'controlSet': {
        'id': 'string',
        'description': 'string',
        'status': 'ACTIVE'|'UNDER_REVIEW'|'REVIEWED',
        'roles': [
            {
                'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                'roleArn': 'string'
            },
        ],
        'controls': [
            {
                'id': 'string',
                'name': 'string',
                'description': 'string',
                'status': 'UNDER_REVIEW'|'REVIEWED'|'INACTIVE',
                'response': 'MANUAL'|'AUTOMATE'|'DEFER'|'IGNORE',
                'comments': [
                    {
                        'authorName': 'string',
                        'commentBody': 'string',
                        'postedDate': datetime(2015, 1, 1)
                    },
                ],
                'evidenceSources': [
                    'string',
                ],
                'evidenceCount': 123,
                'assessmentReportEvidenceCount': 123
            },
        ],
        'delegations': [
            {
                'id': 'string',
                'assessmentName': 'string',
                'assessmentId': 'string',
                'status': 'IN_PROGRESS'|'UNDER_REVIEW'|'COMPLETE',
                'roleArn': 'string',
                'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                'creationTime': datetime(2015, 1, 1),
                'lastUpdated': datetime(2015, 1, 1),
                'controlSetId': 'string',
                'comment': 'string',
                'createdBy': 'string'
            },
        ],
        'systemEvidenceCount': 123,
        'manualEvidenceCount': 123
    }
}

Response Structure

  • (dict) --

    • controlSet (dict) --

      The name of the updated control set that the UpdateAssessmentControlSetStatus API returned.

      • id (string) --

        The identifier of the control set in the assessment. This is the control set name in a plain string format.

      • description (string) --

        The description for the control set.

      • status (string) --

        Specifies the current status of the control set.

      • roles (list) --

        The roles that are associated with the control set.

        • (dict) --

          The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).

          • roleType (string) --

            The type of customer persona.

            Note

            In CreateAssessment, roleType can only be PROCESS_OWNER.

            In UpdateSettings, roleType can only be PROCESS_OWNER.

            In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

          • roleArn (string) --

            The Amazon Resource Name (ARN) of the IAM role.

      • controls (list) --

        The list of controls that's contained within the control set.

        • (dict) --

          The control entity that represents a standard control or a custom control in an Audit Manager assessment.

          • id (string) --

            The identifier for the control.

          • name (string) --

            The name of the control.

          • description (string) --

            The description of the control.

          • status (string) --

            The status of the control.

          • response (string) --

            The response of the control.

          • comments (list) --

            The list of comments that's attached to the control.

            • (dict) --

              A comment that's posted by a user on a control. This includes the author's name, the comment text, and a timestamp.

              • authorName (string) --

                The name of the user who authored the comment.

              • commentBody (string) --

                The body text of a control comment.

              • postedDate (datetime) --

                The time when the comment was posted.

          • evidenceSources (list) --

            The list of data sources for the evidence.

            • (string) --
          • evidenceCount (integer) --

            The amount of evidence that's generated for the control.

          • assessmentReportEvidenceCount (integer) --

            The amount of evidence in the assessment report.

      • delegations (list) --

        The delegations that are associated with the control set.

        • (dict) --

          The assignment of a control set to a delegate for review.

          • id (string) --

            The unique identifier for the delegation.

          • assessmentName (string) --

            The name of the assessment that's associated with the delegation.

          • assessmentId (string) --

            The identifier for the assessment that's associated with the delegation.

          • status (string) --

            The status of the delegation.

          • roleArn (string) --

            The Amazon Resource Name (ARN) of the IAM role.

          • roleType (string) --

            The type of customer persona.

            Note

            In CreateAssessment, roleType can only be PROCESS_OWNER.

            In UpdateSettings, roleType can only be PROCESS_OWNER.

            In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

          • creationTime (datetime) --

            Specifies when the delegation was created.

          • lastUpdated (datetime) --

            Specifies when the delegation was last updated.

          • controlSetId (string) --

            The identifier for the control set that's associated with the delegation.

          • comment (string) --

            The comment that's related to the delegation.

          • createdBy (string) --

            The IAM user or role that created the delegation.

      • systemEvidenceCount (integer) --

        The total number of evidence objects that are retrieved automatically for the control set.

      • manualEvidenceCount (integer) --

        The total number of evidence objects that are uploaded manually to the control set.

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
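
A consistency check over the controlSet structure that update_assessment_control_set_status returns, as an added example that is not part of the boto3 documentation. The review policy it applies (a REVIEWED set has no control still under review, no reviewed control with zero evidence and no open delegation; INACTIVE controls are skipped), the function name and the sample data are assumptions made for this example.

```python
"""Added example: check a returned controlSet dict for review gaps."""


def review_gaps(control_set):
    """Return (kind, id, detail) findings for one controlSet dict.

    control_set has the shape shown under Response Syntax above. The
    policy is an assumption of this example, not an Audit Manager rule.
    """
    findings = []
    set_status = control_set.get("status")

    for control in control_set.get("controls", []):
        status = control.get("status")
        if status == "INACTIVE":
            # Assumption: inactive controls are outside the review.
            continue
        if set_status == "REVIEWED" and status != "REVIEWED":
            findings.append(("control-not-reviewed", control.get("id"), status))
        if status == "REVIEWED" and control.get("evidenceCount", 0) == 0:
            findings.append(
                ("reviewed-without-evidence", control.get("id"), "evidenceCount=0")
            )

    if set_status == "REVIEWED":
        for delegation in control_set.get("delegations", []):
            if delegation.get("status") != "COMPLETE":
                findings.append(
                    ("open-delegation", delegation.get("id"), delegation.get("status"))
                )
    return findings


# Constructed sample in the documented response shape (not real output).
SAMPLE_CONTROL_SET = {
    "id": "Example control set",
    "status": "REVIEWED",
    "roles": [
        {
            "roleType": "PROCESS_OWNER",
            "roleArn": "arn:aws:iam::111122223333:role/ExampleOwner",
        }
    ],
    "controls": [
        {"id": "c1", "status": "REVIEWED", "evidenceCount": 4},
        {"id": "c2", "status": "UNDER_REVIEW", "evidenceCount": 2},
        {"id": "c3", "status": "REVIEWED", "evidenceCount": 0},
        {"id": "c4", "status": "INACTIVE", "evidenceCount": 0},
    ],
    "delegations": [
        {"id": "d1", "status": "COMPLETE", "roleType": "RESOURCE_OWNER"},
        {"id": "d2", "status": "IN_PROGRESS", "roleType": "RESOURCE_OWNER"},
    ],
    "systemEvidenceCount": 6,
    "manualEvidenceCount": 0,
}

if __name__ == "__main__":
    for finding in review_gaps(SAMPLE_CONTROL_SET):
        print(finding)
```

With a live client, the same function can be applied to response['controlSet'] from the call.
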
update_assessment_framework(**kwargs)

Updates a custom framework in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.update_assessment_framework(
    frameworkId='string',
    name='string',
    description='string',
    complianceType='string',
    controlSets=[
        {
            'id': 'string',
            'name': 'string',
            'controls': [
                {
                    'id': 'string'
                },
            ]
        },
    ]
)
Parameters
  • frameworkId (string) --

    [REQUIRED]

    The unique identifier for the framework.

  • name (string) --

    [REQUIRED]

    The name of the framework to be updated.

  • description (string) -- The description of the updated framework.
  • complianceType (string) -- The compliance type that the new custom framework supports, such as CIS or HIPAA.
  • controlSets (list) --

    [REQUIRED]

    The control sets that are associated with the framework.

    • (dict) --

      A controlSet entity that represents a collection of controls in Audit Manager. This doesn't contain the control set ID.

      • id (string) --

        The unique identifier for the control set.

      • name (string) -- [REQUIRED]

        The name of the control set.

      • controls (list) -- [REQUIRED]

        The list of controls that are contained within the control set.

        • (dict) --

          The control entity attributes that uniquely identify an existing control to be added to a framework in Audit Manager.

          • id (string) -- [REQUIRED]

            The unique identifier of the control.

Return type

dict

Returns

Response Syntax

{
    'framework': {
        'arn': 'string',
        'id': 'string',
        'name': 'string',
        'type': 'Standard'|'Custom',
        'complianceType': 'string',
        'description': 'string',
        'logo': 'string',
        'controlSources': 'string',
        'controlSets': [
            {
                'id': 'string',
                'name': 'string',
                'controls': [
                    {
                        'arn': 'string',
                        'id': 'string',
                        'type': 'Standard'|'Custom',
                        'name': 'string',
                        'description': 'string',
                        'testingInformation': 'string',
                        'actionPlanTitle': 'string',
                        'actionPlanInstructions': 'string',
                        'controlSources': 'string',
                        'controlMappingSources': [
                            {
                                'sourceId': 'string',
                                'sourceName': 'string',
                                'sourceDescription': 'string',
                                'sourceSetUpOption': 'System_Controls_Mapping'|'Procedural_Controls_Mapping',
                                'sourceType': 'AWS_Cloudtrail'|'AWS_Config'|'AWS_Security_Hub'|'AWS_API_Call'|'MANUAL',
                                'sourceKeyword': {
                                    'keywordInputType': 'SELECT_FROM_LIST',
                                    'keywordValue': 'string'
                                },
                                'sourceFrequency': 'DAILY'|'WEEKLY'|'MONTHLY',
                                'troubleshootingText': 'string'
                            },
                        ],
                        'createdAt': datetime(2015, 1, 1),
                        'lastUpdatedAt': datetime(2015, 1, 1),
                        'createdBy': 'string',
                        'lastUpdatedBy': 'string',
                        'tags': {
                            'string': 'string'
                        }
                    },
                ]
            },
        ],
        'createdAt': datetime(2015, 1, 1),
        'lastUpdatedAt': datetime(2015, 1, 1),
        'createdBy': 'string',
        'lastUpdatedBy': 'string',
        'tags': {
            'string': 'string'
        }
    }
}

Response Structure

  • (dict) --

    • framework (dict) --

      The name of the framework.

      • arn (string) --

        The Amazon Resource Name (ARN) of the framework.

      • id (string) --

        The unique identifier for the framework.

      • name (string) --

        The name of the framework.

      • type (string) --

        The framework type, such as a custom framework or a standard framework.

      • complianceType (string) --

        The compliance type that the new custom framework supports, such as CIS or HIPAA.

      • description (string) --

        The description of the framework.

      • logo (string) --

        The logo that's associated with the framework.

      • controlSources (string) --

        The sources that Audit Manager collects evidence from for the control.

      • controlSets (list) --

        The control sets that are associated with the framework.

        • (dict) --

          A set of controls in Audit Manager.

          • id (string) --

            The identifier of the control set in the assessment. This is the control set name in a plain string format.

          • name (string) --

            The name of the control set.

          • controls (list) --

            The list of controls within the control set.

            • (dict) --

              A control in Audit Manager.

              • arn (string) --

                The Amazon Resource Name (ARN) of the control.

              • id (string) --

                The unique identifier for the control.

              • type (string) --

                The type of control, such as a custom control or a standard control.

              • name (string) --

                The name of the control.

              • description (string) --

                The description of the control.

              • testingInformation (string) --

                The steps that you should follow to determine if the control has been satisfied.

              • actionPlanTitle (string) --

                The title of the action plan for remediating the control.

              • actionPlanInstructions (string) --

                The recommended actions to carry out if the control isn't fulfilled.

              • controlSources (string) --

                The data source that determines where Audit Manager collects evidence from for the control.

              • controlMappingSources (list) --

                The data mapping sources for the control.

                • (dict) --

                  The data source that determines where Audit Manager collects evidence from for the control.

                  • sourceId (string) --

                    The unique identifier for the source.

                  • sourceName (string) --

                    The name of the source.

                  • sourceDescription (string) --

                    The description of the source.

                  • sourceSetUpOption (string) --

                    The setup option for the data source. This option reflects if the evidence collection is automated or manual.

                  • sourceType (string) --

                    Specifies one of the five types of data sources for evidence collection.

                  • sourceKeyword (dict) --

                    The keyword to search for in CloudTrail logs, Config rules, Security Hub checks, and Amazon Web Services API names.

                    To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide :

                    • keywordInputType (string) --

                      The input method for the keyword.

                    • keywordValue (string) --

                      The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.

                      If you’re mapping a data source to a rule in Config, the keywordValue that you specify depends on the type of rule:

                      • For managed rules, you can use the rule identifier as the keywordValue. You can find the rule identifier from the list of Config managed rules.
                      • For custom rules, you form the keywordValue by adding the Custom_ prefix to the rule name. This prefix distinguishes the rule from a managed rule.
                        • Custom rule name: my-custom-config-rule; keywordValue: Custom_my-custom-config-rule
                      • For service-linked rules, you form the keywordValue by adding the Custom_ prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name.
                        • Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w; keywordValue: Custom_CustomRuleForAccount-conformance-pack
                        • Service-linked rule name: securityhub-api-gw-cache-encrypted-101104e1; keywordValue: Custom_securityhub-api-gw-cache-encrypted
                        • Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba; keywordValue: Custom_OrgConfigRule-s3-bucket-versioning-enabled
                  • sourceFrequency (string) --

                    The frequency of evidence collection for the control mapping source.

                  • troubleshootingText (string) --

                    The instructions for troubleshooting the control.

              • createdAt (datetime) --

                Specifies when the control was created.

              • lastUpdatedAt (datetime) --

                Specifies when the control was most recently updated.

              • createdBy (string) --

                The IAM user or role that created the control.

              • lastUpdatedBy (string) --

                The IAM user or role that most recently updated the control.

              • tags (dict) --

                The tags associated with the control.

                • (string) --
                  • (string) --
      • createdAt (datetime) --

        Specifies when the framework was created.

      • lastUpdatedAt (datetime) --

        Specifies when the framework was most recently updated.

      • createdBy (string) --

        The IAM user or role that created the framework.

      • lastUpdatedBy (string) --

        The IAM user or role that most recently updated the framework.

      • tags (dict) --

        The tags that are associated with the framework.

        • (string) --
          • (string) --

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
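
The keywordValue rules given above for Config rules, written out as an added example that is not part of the boto3 documentation: it derives the keywordValue for each rule type and lists the AWS_Config mapping sources in a returned framework that match no known rule. The rule-kind labels, function names and sample data are assumptions made for this example.

```python
"""Added example: derive and check Config keywordValue strings."""

CUSTOM_PREFIX = "Custom_"


def config_keyword_value(rule_name, rule_kind):
    """Return the keywordValue for a Config rule.

    rule_kind is a label chosen for this example: 'managed', 'custom'
    or 'service-linked'.
    """
    if not rule_name:
        raise ValueError("rule name is empty")
    if rule_kind == "managed":
        # Managed rules: the rule identifier is used unchanged.
        return rule_name
    if rule_kind == "custom":
        # Custom rules: add the Custom_ prefix to the rule name.
        return CUSTOM_PREFIX + rule_name
    if rule_kind == "service-linked":
        # Service-linked rules: remove the suffix ID (the last
        # hyphen-separated token), then add the Custom_ prefix.
        base, sep, suffix = rule_name.rpartition("-")
        if not sep or not base or not suffix:
            raise ValueError(f"no suffix ID to remove in {rule_name!r}")
        return CUSTOM_PREFIX + base
    raise ValueError(f"unknown rule kind {rule_kind!r}")


def unmatched_config_sources(framework, known_rules):
    """List AWS_Config mapping sources whose keywordValue matches no rule.

    framework: the 'framework' dict in the shape shown above.
    known_rules: {rule_name: rule_kind} for the rules you expect.
    Returns (control id, sourceName, keywordValue) tuples.
    """
    expected = {config_keyword_value(n, k) for n, k in known_rules.items()}
    findings = []
    for control_set in framework.get("controlSets", []):
        for control in control_set.get("controls", []):
            for source in control.get("controlMappingSources", []):
                if source.get("sourceType") != "AWS_Config":
                    continue
                value = source.get("sourceKeyword", {}).get("keywordValue")
                if value not in expected:
                    findings.append(
                        (control.get("id"), source.get("sourceName"), value)
                    )
    return findings


# Constructed sample data (rule names taken from the examples above).
SAMPLE_RULES = {
    "my-custom-config-rule": "custom",
    "securityhub-api-gw-cache-encrypted-101104e1": "service-linked",
}

SAMPLE_FRAMEWORK = {
    "controlSets": [{
        "id": "Example control set",
        "name": "Example control set",
        "controls": [
            {"id": "ctrl-1", "controlMappingSources": [
                {"sourceName": "custom rule", "sourceType": "AWS_Config",
                 "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                                   "keywordValue": "Custom_my-custom-config-rule"}},
                {"sourceName": "trail event", "sourceType": "AWS_Cloudtrail",
                 "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                                   "keywordValue": "ExampleEvent"}},
            ]},
            {"id": "ctrl-2", "controlMappingSources": [
                # Suffix ID left on the rule name: does not match.
                {"sourceName": "suffix left on", "sourceType": "AWS_Config",
                 "sourceKeyword": {
                     "keywordInputType": "SELECT_FROM_LIST",
                     "keywordValue":
                         "Custom_securityhub-api-gw-cache-encrypted-101104e1"}},
            ]},
        ],
    }]
}

if __name__ == "__main__":
    for finding in unmatched_config_sources(SAMPLE_FRAMEWORK, SAMPLE_RULES):
        print(finding)
```
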
update_assessment_framework_share(**kwargs)

Updates a share request for a custom framework in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.update_assessment_framework_share(
    requestId='string',
    requestType='SENT'|'RECEIVED',
    action='ACCEPT'|'DECLINE'|'REVOKE'
)
Parameters
  • requestId (string) --

    [REQUIRED]

    The unique identifier for the share request.

  • requestType (string) --

    [REQUIRED]

    Specifies whether the share request is a sent request or a received request.

  • action (string) --

    [REQUIRED]

    Specifies the update action for the share request.

Return type

dict

Returns

Response Syntax

{
    'assessmentFrameworkShareRequest': {
        'id': 'string',
        'frameworkId': 'string',
        'frameworkName': 'string',
        'frameworkDescription': 'string',
        'status': 'ACTIVE'|'REPLICATING'|'SHARED'|'EXPIRING'|'FAILED'|'EXPIRED'|'DECLINED'|'REVOKED',
        'sourceAccount': 'string',
        'destinationAccount': 'string',
        'destinationRegion': 'string',
        'expirationTime': datetime(2015, 1, 1),
        'creationTime': datetime(2015, 1, 1),
        'lastUpdated': datetime(2015, 1, 1),
        'comment': 'string',
        'standardControlsCount': 123,
        'customControlsCount': 123,
        'complianceType': 'string'
    }
}

Response Structure

  • (dict) --

    • assessmentFrameworkShareRequest (dict) --

      The updated share request that's returned by the UpdateAssessmentFrameworkShare operation.

      • id (string) --

        The unique identifier for the share request.

      • frameworkId (string) --

        The unique identifier for the shared custom framework.

      • frameworkName (string) --

        The name of the custom framework that the share request is for.

      • frameworkDescription (string) --

        The description of the shared custom framework.

      • status (string) --

        The status of the share request.

      • sourceAccount (string) --

        The Amazon Web Services account of the sender.

      • destinationAccount (string) --

        The Amazon Web Services account of the recipient.

      • destinationRegion (string) --

        The Amazon Web Services Region of the recipient.

      • expirationTime (datetime) --

        The time when the share request expires.

      • creationTime (datetime) --

        The time when the share request was created.

      • lastUpdated (datetime) --

        Specifies when the share request was last updated.

      • comment (string) --

        An optional comment from the sender about the share request.

      • standardControlsCount (integer) --

        The number of standard controls that are part of the shared custom framework.

      • customControlsCount (integer) --

        The number of custom controls that are part of the shared custom framework.

      • complianceType (string) --

        The compliance type that the shared custom framework supports, such as CIS or HIPAA.

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException

update_assessment_status(**kwargs)

Updates the status of an assessment in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.update_assessment_status(
    assessmentId='string',
    status='ACTIVE'|'INACTIVE'
)
Parameters
  • assessmentId (string) --

    [REQUIRED]

    The unique identifier for the assessment.

  • status (string) --

    [REQUIRED]

    The current status of the assessment.

Return type

dict

Returns

Response Syntax

{
    'assessment': {
        'arn': 'string',
        'awsAccount': {
            'id': 'string',
            'emailAddress': 'string',
            'name': 'string'
        },
        'metadata': {
            'name': 'string',
            'id': 'string',
            'description': 'string',
            'complianceType': 'string',
            'status': 'ACTIVE'|'INACTIVE',
            'assessmentReportsDestination': {
                'destinationType': 'S3',
                'destination': 'string'
            },
            'scope': {
                'awsAccounts': [
                    {
                        'id': 'string',
                        'emailAddress': 'string',
                        'name': 'string'
                    },
                ],
                'awsServices': [
                    {
                        'serviceName': 'string'
                    },
                ]
            },
            'roles': [
                {
                    'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                    'roleArn': 'string'
                },
            ],
            'delegations': [
                {
                    'id': 'string',
                    'assessmentName': 'string',
                    'assessmentId': 'string',
                    'status': 'IN_PROGRESS'|'UNDER_REVIEW'|'COMPLETE',
                    'roleArn': 'string',
                    'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                    'creationTime': datetime(2015, 1, 1),
                    'lastUpdated': datetime(2015, 1, 1),
                    'controlSetId': 'string',
                    'comment': 'string',
                    'createdBy': 'string'
                },
            ],
            'creationTime': datetime(2015, 1, 1),
            'lastUpdated': datetime(2015, 1, 1)
        },
        'framework': {
            'id': 'string',
            'arn': 'string',
            'metadata': {
                'name': 'string',
                'description': 'string',
                'logo': 'string',
                'complianceType': 'string'
            },
            'controlSets': [
                {
                    'id': 'string',
                    'description': 'string',
                    'status': 'ACTIVE'|'UNDER_REVIEW'|'REVIEWED',
                    'roles': [
                        {
                            'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                            'roleArn': 'string'
                        },
                    ],
                    'controls': [
                        {
                            'id': 'string',
                            'name': 'string',
                            'description': 'string',
                            'status': 'UNDER_REVIEW'|'REVIEWED'|'INACTIVE',
                            'response': 'MANUAL'|'AUTOMATE'|'DEFER'|'IGNORE',
                            'comments': [
                                {
                                    'authorName': 'string',
                                    'commentBody': 'string',
                                    'postedDate': datetime(2015, 1, 1)
                                },
                            ],
                            'evidenceSources': [
                                'string',
                            ],
                            'evidenceCount': 123,
                            'assessmentReportEvidenceCount': 123
                        },
                    ],
                    'delegations': [
                        {
                            'id': 'string',
                            'assessmentName': 'string',
                            'assessmentId': 'string',
                            'status': 'IN_PROGRESS'|'UNDER_REVIEW'|'COMPLETE',
                            'roleArn': 'string',
                            'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                            'creationTime': datetime(2015, 1, 1),
                            'lastUpdated': datetime(2015, 1, 1),
                            'controlSetId': 'string',
                            'comment': 'string',
                            'createdBy': 'string'
                        },
                    ],
                    'systemEvidenceCount': 123,
                    'manualEvidenceCount': 123
                },
            ]
        },
        'tags': {
            'string': 'string'
        }
    }
}

Response Structure

  • (dict) --

    • assessment (dict) --

      The name of the updated assessment that the UpdateAssessmentStatus API returned.

      • arn (string) --

        The Amazon Resource Name (ARN) of the assessment.

      • awsAccount (dict) --

        The Amazon Web Services account that's associated with the assessment.

        • id (string) --

          The identifier for the Amazon Web Services account.

        • emailAddress (string) --

          The email address that's associated with the Amazon Web Services account.

        • name (string) --

          The name of the Amazon Web Services account.

      • metadata (dict) --

        The metadata for the assessment.

        • name (string) --

          The name of the assessment.

        • id (string) --

          The unique identifier for the assessment.

        • description (string) --

          The description of the assessment.

        • complianceType (string) --

          The name of the compliance standard that's related to the assessment, such as PCI-DSS.

        • status (string) --

          The overall status of the assessment.

        • assessmentReportsDestination (dict) --

          The destination that evidence reports are stored in for the assessment.

          • destinationType (string) --

            The destination type, such as Amazon S3.

          • destination (string) --

            The destination of the assessment report.

        • scope (dict) --

          The wrapper of Amazon Web Services accounts and services that are in scope for the assessment.

          • awsAccounts (list) --

            The Amazon Web Services accounts that are included in the scope of the assessment.

            • (dict) --

              The wrapper of Amazon Web Services account details, such as account ID or email address.

              • id (string) --

                The identifier for the Amazon Web Services account.

              • emailAddress (string) --

                The email address that's associated with the Amazon Web Services account.

              • name (string) --

                The name of the Amazon Web Services account.

          • awsServices (list) --

            The Amazon Web Services services that are included in the scope of the assessment.

            • (dict) --

              An Amazon Web Service such as Amazon S3 or CloudTrail.

              • serviceName (string) --

                The name of the Amazon Web Service.

        • roles (list) --

          The roles that are associated with the assessment.

          • (dict) --

            The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).

            • roleType (string) --

              The type of customer persona.

              Note

              In CreateAssessment, roleType can only be PROCESS_OWNER.

              In UpdateSettings, roleType can only be PROCESS_OWNER.

              In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

            • roleArn (string) --

              The Amazon Resource Name (ARN) of the IAM role.

        • delegations (list) --

          The delegations that are associated with the assessment.

          • (dict) --

            The assignment of a control set to a delegate for review.

            • id (string) --

              The unique identifier for the delegation.

            • assessmentName (string) --

              The name of the assessment that's associated with the delegation.

            • assessmentId (string) --

              The identifier for the assessment that's associated with the delegation.

            • status (string) --

              The status of the delegation.

            • roleArn (string) --

              The Amazon Resource Name (ARN) of the IAM role.

            • roleType (string) --

              The type of customer persona.

              Note

              In CreateAssessment, roleType can only be PROCESS_OWNER.

              In UpdateSettings, roleType can only be PROCESS_OWNER.

              In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

            • creationTime (datetime) --

              Specifies when the delegation was created.

            • lastUpdated (datetime) --

              Specifies when the delegation was last updated.

            • controlSetId (string) --

              The identifier for the control set that's associated with the delegation.

            • comment (string) --

              The comment that's related to the delegation.

            • createdBy (string) --

              The IAM user or role that created the delegation.

        • creationTime (datetime) --

          Specifies when the assessment was created.

        • lastUpdated (datetime) --

          The time of the most recent update.

      • framework (dict) --

        The framework that the assessment was created from.

        • id (string) --

          The unique identifier for the framework.

        • arn (string) --

          The Amazon Resource Name (ARN) of the framework.

        • metadata (dict) --

          The metadata of a framework, such as the name, ID, or description.

          • name (string) --

            The name of the framework.

          • description (string) --

            The description of the framework.

          • logo (string) --

            The logo that's associated with the framework.

          • complianceType (string) --

            The compliance standard that's associated with the framework. For example, this could be PCI DSS or HIPAA.

        • controlSets (list) --

          The control sets that are associated with the framework.

          • (dict) --

            Represents a set of controls in an Audit Manager assessment.

            • id (string) --

              The identifier of the control set in the assessment. This is the control set name in a plain string format.

            • description (string) --

              The description for the control set.

            • status (string) --

              Specifies the current status of the control set.

            • roles (list) --

              The roles that are associated with the control set.

              • (dict) --

                The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).

                • roleType (string) --

                  The type of customer persona.

                  Note

                  In CreateAssessment, roleType can only be PROCESS_OWNER.

                  In UpdateSettings, roleType can only be PROCESS_OWNER.

                  In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

                • roleArn (string) --

                  The Amazon Resource Name (ARN) of the IAM role.

            • controls (list) --

              The list of controls that's contained within the control set.

              • (dict) --

                The control entity that represents a standard control or a custom control in an Audit Manager assessment.

                • id (string) --

                  The identifier for the control.

                • name (string) --

                  The name of the control.

                • description (string) --

                  The description of the control.

                • status (string) --

                  The status of the control.

                • response (string) --

                  The response of the control.

                • comments (list) --

                  The list of comments that's attached to the control.

                  • (dict) --

                    A comment that's posted by a user on a control. This includes the author's name, the comment text, and a timestamp.

                    • authorName (string) --

                      The name of the user who authored the comment.

                    • commentBody (string) --

                      The body text of a control comment.

                    • postedDate (datetime) --

                      The time when the comment was posted.

                • evidenceSources (list) --

                  The list of data sources for the evidence.

                  • (string) --
                • evidenceCount (integer) --

                  The amount of evidence that's generated for the control.

                • assessmentReportEvidenceCount (integer) --

                  The amount of evidence in the assessment report.

            • delegations (list) --

              The delegations that are associated with the control set.

              • (dict) --

                The assignment of a control set to a delegate for review.

                • id (string) --

                  The unique identifier for the delegation.

                • assessmentName (string) --

                  The name of the assessment that's associated with the delegation.

                • assessmentId (string) --

                  The identifier for the assessment that's associated with the delegation.

                • status (string) --

                  The status of the delegation.

                • roleArn (string) --

                  The Amazon Resource Name (ARN) of the IAM role.

                • roleType (string) --

                  The type of customer persona.

                  Note

                  In CreateAssessment, roleType can only be PROCESS_OWNER.

                  In UpdateSettings, roleType can only be PROCESS_OWNER.

                  In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

                • creationTime (datetime) --

                  Specifies when the delegation was created.

                • lastUpdated (datetime) --

                  Specifies when the delegation was last updated.

                • controlSetId (string) --

                  The identifier for the control set that's associated with the delegation.

                • comment (string) --

                  The comment that's related to the delegation.

                • createdBy (string) --

                  The IAM user or role that created the delegation.

            • systemEvidenceCount (integer) --

              The total number of evidence objects that are retrieved automatically for the control set.

            • manualEvidenceCount (integer) --

              The total number of evidence objects that are uploaded manually to the control set.

      • tags (dict) --

        The tags that are associated with the assessment.

        • (string) --
          • (string) --

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ServiceQuotaExceededException
update_control(**kwargs)

Updates a custom control in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.update_control(
    controlId='string',
    name='string',
    description='string',
    testingInformation='string',
    actionPlanTitle='string',
    actionPlanInstructions='string',
    controlMappingSources=[
        {
            'sourceId': 'string',
            'sourceName': 'string',
            'sourceDescription': 'string',
            'sourceSetUpOption': 'System_Controls_Mapping'|'Procedural_Controls_Mapping',
            'sourceType': 'AWS_Cloudtrail'|'AWS_Config'|'AWS_Security_Hub'|'AWS_API_Call'|'MANUAL',
            'sourceKeyword': {
                'keywordInputType': 'SELECT_FROM_LIST',
                'keywordValue': 'string'
            },
            'sourceFrequency': 'DAILY'|'WEEKLY'|'MONTHLY',
            'troubleshootingText': 'string'
        },
    ]
)
Parameters
  • controlId (string) --

    [REQUIRED]

    The identifier for the control.

  • name (string) --

    [REQUIRED]

    The name of the updated control.

  • description (string) -- The optional description of the control.
  • testingInformation (string) -- The steps that you should follow to determine if the control is met.
  • actionPlanTitle (string) -- The title of the action plan for remediating the control.
  • actionPlanInstructions (string) -- The recommended actions to carry out if the control isn't fulfilled.
  • controlMappingSources (list) --

    [REQUIRED]

    The data mapping sources for the control.

    • (dict) --

      The data source that determines where Audit Manager collects evidence from for the control.

      • sourceId (string) --

        The unique identifier for the source.

      • sourceName (string) --

        The name of the source.

      • sourceDescription (string) --

        The description of the source.

      • sourceSetUpOption (string) --

        The setup option for the data source. This option reflects if the evidence collection is automated or manual.

      • sourceType (string) --

        Specifies one of the five types of data sources for evidence collection.

      • sourceKeyword (dict) --

        The keyword to search for in CloudTrail logs, Config rules, Security Hub checks, and Amazon Web Services API names.

        To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide :

        • keywordInputType (string) --

          The input method for the keyword.

        • keywordValue (string) --

          The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.

          If you’re mapping a data source to a rule in Config, the keywordValue that you specify depends on the type of rule:

          • For managed rules, you can use the rule identifier as the keywordValue. You can find the rule identifier from the list of Config managed rules.
          • For custom rules, you form the keywordValue by adding the Custom_ prefix to the rule name. This prefix distinguishes the rule from a managed rule.
            • Custom rule name: my-custom-config-rule
              keywordValue: Custom_my-custom-config-rule
          • For service-linked rules, you form the keywordValue by adding the Custom_ prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name.
            • Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w
              keywordValue: Custom_CustomRuleForAccount-conformance-pack
            • Service-linked rule name: securityhub-api-gw-cache-encrypted-101104e1
              keywordValue: Custom_securityhub-api-gw-cache-encrypted
            • Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba
              keywordValue: Custom_OrgConfigRule-s3-bucket-versioning-enabled
      • sourceFrequency (string) --

        The frequency of evidence collection for the control mapping source.

      • troubleshootingText (string) --

        The instructions for troubleshooting the control.

Return type

dict

Returns

Response Syntax

{
    'control': {
        'arn': 'string',
        'id': 'string',
        'type': 'Standard'|'Custom',
        'name': 'string',
        'description': 'string',
        'testingInformation': 'string',
        'actionPlanTitle': 'string',
        'actionPlanInstructions': 'string',
        'controlSources': 'string',
        'controlMappingSources': [
            {
                'sourceId': 'string',
                'sourceName': 'string',
                'sourceDescription': 'string',
                'sourceSetUpOption': 'System_Controls_Mapping'|'Procedural_Controls_Mapping',
                'sourceType': 'AWS_Cloudtrail'|'AWS_Config'|'AWS_Security_Hub'|'AWS_API_Call'|'MANUAL',
                'sourceKeyword': {
                    'keywordInputType': 'SELECT_FROM_LIST',
                    'keywordValue': 'string'
                },
                'sourceFrequency': 'DAILY'|'WEEKLY'|'MONTHLY',
                'troubleshootingText': 'string'
            },
        ],
        'createdAt': datetime(2015, 1, 1),
        'lastUpdatedAt': datetime(2015, 1, 1),
        'createdBy': 'string',
        'lastUpdatedBy': 'string',
        'tags': {
            'string': 'string'
        }
    }
}

Response Structure

  • (dict) --

    • control (dict) --

      The name of the updated control set that the UpdateControl API returned.

      • arn (string) --

        The Amazon Resource Name (ARN) of the control.

      • id (string) --

        The unique identifier for the control.

      • type (string) --

        The type of control, such as a custom control or a standard control.

      • name (string) --

        The name of the control.

      • description (string) --

        The description of the control.

      • testingInformation (string) --

        The steps that you should follow to determine if the control has been satisfied.

      • actionPlanTitle (string) --

        The title of the action plan for remediating the control.

      • actionPlanInstructions (string) --

        The recommended actions to carry out if the control isn't fulfilled.

      • controlSources (string) --

        The data source that determines where Audit Manager collects evidence from for the control.

      • controlMappingSources (list) --

        The data mapping sources for the control.

        • (dict) --

          The data source that determines where Audit Manager collects evidence from for the control.

          • sourceId (string) --

            The unique identifier for the source.

          • sourceName (string) --

            The name of the source.

          • sourceDescription (string) --

            The description of the source.

          • sourceSetUpOption (string) --

            The setup option for the data source. This option reflects if the evidence collection is automated or manual.

          • sourceType (string) --

            Specifies one of the five types of data sources for evidence collection.

          • sourceKeyword (dict) --

            The keyword to search for in CloudTrail logs, Config rules, Security Hub checks, and Amazon Web Services API names.

            To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the Audit Manager User Guide :

            • keywordInputType (string) --

              The input method for the keyword.

            • keywordValue (string) --

              The value of the keyword that's used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.

              If you’re mapping a data source to a rule in Config, the keywordValue that you specify depends on the type of rule:

              • For managed rules, you can use the rule identifier as the keywordValue. You can find the rule identifier from the list of Config managed rules.
              • For custom rules, you form the keywordValue by adding the Custom_ prefix to the rule name. This prefix distinguishes the rule from a managed rule.
                • Custom rule name: my-custom-config-rule
                  keywordValue: Custom_my-custom-config-rule
              • For service-linked rules, you form the keywordValue by adding the Custom_ prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name.
                • Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w
                  keywordValue: Custom_CustomRuleForAccount-conformance-pack
                • Service-linked rule name: securityhub-api-gw-cache-encrypted-101104e1
                  keywordValue: Custom_securityhub-api-gw-cache-encrypted
                • Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba
                  keywordValue: Custom_OrgConfigRule-s3-bucket-versioning-enabled
          • sourceFrequency (string) --

            The frequency of evidence collection for the control mapping source.

          • troubleshootingText (string) --

            The instructions for troubleshooting the control.

      • createdAt (datetime) --

        Specifies when the control was created.

      • lastUpdatedAt (datetime) --

        Specifies when the control was most recently updated.

      • createdBy (string) --

        The IAM user or role that created the control.

      • lastUpdatedBy (string) --

        The IAM user or role that most recently updated the control.

      • tags (dict) --

        The tags associated with the control.

        • (string) --
          • (string) --

Exceptions

  • AuditManager.Client.exceptions.ResourceNotFoundException
  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
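
The keywordValue rules for Config rules described under sourceKeyword (in both the request parameters and the response structure) can be applied in code before calling update_control. The following is an added example, not part of the AWS reference: the function names, the rule_kind labels, the sourceName scheme and the control ID placeholder are hypothetical, and it assumes the suffix ID of a service-linked rule is the final hyphen-separated token, as in the three examples above.

```python
import re

# Assumption: the "suffix ID" of a service-linked rule is the final
# hyphen-separated token, as in all three examples on this page.
_SUFFIX_ID = re.compile(r"-[A-Za-z0-9]+$")
PREFIX = "Custom_"


def config_keyword_value(rule_name, rule_kind):
    """Return the keywordValue for an AWS Config rule.

    rule_kind is a label invented for this example:
    'managed', 'custom' or 'service-linked'.
    """
    if not rule_name or rule_name != rule_name.strip():
        raise ValueError("rule name must be non-empty, without surrounding whitespace")
    if rule_kind == "managed":
        # Managed rules use the rule identifier unchanged.
        return rule_name
    if rule_kind == "custom":
        return PREFIX + rule_name
    if rule_kind == "service-linked":
        base, removed = _SUFFIX_ID.subn("", rule_name)
        if removed == 0 or not base:
            raise ValueError("no suffix ID found on service-linked rule name")
        return PREFIX + base
    raise ValueError("unknown rule kind: %r" % (rule_kind,))


def config_mapping_sources(rules):
    """Build controlMappingSources entries from (rule_name, rule_kind) pairs."""
    sources, seen = [], set()
    for rule_name, rule_kind in rules:
        keyword = config_keyword_value(rule_name, rule_kind)
        # Stripping the suffix ID can make two service-linked rules yield the
        # same keywordValue; emit one source per distinct value.
        if keyword in seen:
            continue
        seen.add(keyword)
        sources.append({
            "sourceName": "Config: " + keyword,  # hypothetical naming scheme
            "sourceSetUpOption": "System_Controls_Mapping",  # automated collection
            "sourceType": "AWS_Config",
            "sourceKeyword": {
                "keywordInputType": "SELECT_FROM_LIST",
                "keywordValue": keyword,
            },
        })
    return sources


def update_control_request(control_id, name, rules):
    """Assemble the keyword arguments for client.update_control()."""
    sources = config_mapping_sources(rules)
    if not sources:
        # controlMappingSources is [REQUIRED]; this example refuses to send none.
        raise ValueError("at least one control mapping source is needed")
    return {"controlId": control_id, "name": name, "controlMappingSources": sources}


# Constructed sample input: rule names from the examples on this page, one
# managed rule identifier, and one constructed duplicate with another suffix.
SAMPLE_RULES = [
    ("S3_BUCKET_VERSIONING_ENABLED", "managed"),
    ("my-custom-config-rule", "custom"),
    ("securityhub-api-gw-cache-encrypted-101104e1", "service-linked"),
    ("securityhub-api-gw-cache-encrypted-9f3c2ab7", "service-linked"),
]

if __name__ == "__main__":
    request = update_control_request(
        "CONTROL_ID_PLACEHOLDER", "Example control", SAMPLE_RULES
    )
    for source in request["controlMappingSources"]:
        print(source["sourceKeyword"]["keywordValue"])
    # With credentials configured:
    #   boto3.client('auditmanager').update_control(**request)
```
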
update_settings(**kwargs)

Updates Audit Manager settings for the current user account.

See also: AWS API Documentation

Request Syntax

response = client.update_settings(
    snsTopic='string',
    defaultAssessmentReportsDestination={
        'destinationType': 'S3',
        'destination': 'string'
    },
    defaultProcessOwners=[
        {
            'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
            'roleArn': 'string'
        },
    ],
    kmsKey='string'
)
Parameters
  • snsTopic (string) -- The Amazon Simple Notification Service (Amazon SNS) topic that Audit Manager sends notifications to.
  • defaultAssessmentReportsDestination (dict) --

    The default storage destination for assessment reports.

    • destinationType (string) --

      The destination type, such as Amazon S3.

    • destination (string) --

      The destination of the assessment report.

  • defaultProcessOwners (list) --

    A list of the default audit owners.

    • (dict) --

      The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).

      • roleType (string) -- [REQUIRED]

        The type of customer persona.

        Note

        In CreateAssessment, roleType can only be PROCESS_OWNER.

        In UpdateSettings, roleType can only be PROCESS_OWNER.

        In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

      • roleArn (string) -- [REQUIRED]

        The Amazon Resource Name (ARN) of the IAM role.

  • kmsKey (string) -- The KMS key details.
Return type

dict

Returns

Response Syntax

{
    'settings': {
        'isAwsOrgEnabled': True|False,
        'snsTopic': 'string',
        'defaultAssessmentReportsDestination': {
            'destinationType': 'S3',
            'destination': 'string'
        },
        'defaultProcessOwners': [
            {
                'roleType': 'PROCESS_OWNER'|'RESOURCE_OWNER',
                'roleArn': 'string'
            },
        ],
        'kmsKey': 'string'
    }
}

Response Structure

  • (dict) --

    • settings (dict) --

      The current list of settings.

      • isAwsOrgEnabled (boolean) --

        Specifies whether Organizations is enabled.

      • snsTopic (string) --

        The designated Amazon Simple Notification Service (Amazon SNS) topic.

      • defaultAssessmentReportsDestination (dict) --

        The default storage destination for assessment reports.

        • destinationType (string) --

          The destination type, such as Amazon S3.

        • destination (string) --

          The destination of the assessment report.

      • defaultProcessOwners (list) --

        The designated default audit owners.

        • (dict) --

          The wrapper that contains the Audit Manager role information of the current user. This includes the role type and IAM Amazon Resource Name (ARN).

          • roleType (string) --

            The type of customer persona.

            Note

            In CreateAssessment, roleType can only be PROCESS_OWNER.

            In UpdateSettings, roleType can only be PROCESS_OWNER.

            In BatchCreateDelegationByAssessment, roleType can only be RESOURCE_OWNER.

          • roleArn (string) --

            The Amazon Resource Name (ARN) of the IAM role.

      • kmsKey (string) --

        The KMS key details.

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
validate_assessment_report_integrity(**kwargs)

Validates the integrity of an assessment report in Audit Manager.

See also: AWS API Documentation

Request Syntax

response = client.validate_assessment_report_integrity(
    s3RelativePath='string'
)
Parameters
  • s3RelativePath (string) --

    [REQUIRED]

    The relative path of the Amazon S3 bucket that the assessment report is stored in.

Return type

dict

Returns

Response Syntax

{
    'signatureValid': True|False,
    'signatureAlgorithm': 'string',
    'signatureDateTime': 'string',
    'signatureKeyId': 'string',
    'validationErrors': [
        'string',
    ]
}

Response Structure

  • (dict) --
    • signatureValid (boolean) --

      Specifies whether the signature key is valid.

    • signatureAlgorithm (string) --

      The signature algorithm that's used to code sign the assessment report file.

    • signatureDateTime (string) --

      The date and time signature that specifies when the assessment report was created.

    • signatureKeyId (string) --

      The unique identifier for the validation signature key.

    • validationErrors (list) --

      Represents any errors that occurred when validating the assessment report.

      • (string) --

Exceptions

  • AuditManager.Client.exceptions.ValidationException
  • AuditManager.Client.exceptions.AccessDeniedException
  • AuditManager.Client.exceptions.InternalServerException
  • AuditManager.Client.exceptions.ResourceNotFoundException
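
A caller that relies on an assessment report should treat the validate_assessment_report_integrity response as fail-closed: accept the report only when signatureValid is True and validationErrors is empty. The following is an added example, not part of the AWS reference: the function, the exception class, the optional key-ID pin and the stub client with its canned responses are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


class ReportIntegrityError(Exception):
    """The assessment report failed validation and must not be relied on."""


@dataclass(frozen=True)
class ReportSignature:
    s3_relative_path: str
    algorithm: str
    signed_at: str
    key_id: str


def verify_assessment_report(client, s3_relative_path, expected_key_id=None):
    """Validate a report and return its signature details, or raise.

    client is anything exposing validate_assessment_report_integrity(), such
    as boto3.client('auditmanager'). expected_key_id is an optional pin added
    by this example; it is not an API parameter.
    """
    response = client.validate_assessment_report_integrity(
        s3RelativePath=s3_relative_path
    )
    errors = [str(e) for e in (response.get("validationErrors") or [])]

    # Fail closed: a missing field, None or a truthy non-boolean is a failure.
    if response.get("signatureValid") is not True:
        detail = "; ".join(errors) or "no detail returned"
        raise ReportIntegrityError(
            "signature not valid for %s: %s" % (s3_relative_path, detail)
        )
    # A valid flag together with reported errors is contradictory; reject it.
    if errors:
        raise ReportIntegrityError(
            "validation errors for %s: %s" % (s3_relative_path, "; ".join(errors))
        )
    key_id = response.get("signatureKeyId") or ""
    if expected_key_id is not None and key_id != expected_key_id:
        raise ReportIntegrityError(
            "unexpected signing key %r for %s" % (key_id, s3_relative_path)
        )
    return ReportSignature(
        s3_relative_path=s3_relative_path,
        algorithm=response.get("signatureAlgorithm") or "",
        signed_at=response.get("signatureDateTime") or "",
        key_id=key_id,
    )


class StubClient:
    """Constructed stand-in for the Audit Manager client; returns canned data."""

    def __init__(self, responses):
        self._responses = responses

    def validate_assessment_report_integrity(self, s3RelativePath):
        return self._responses[s3RelativePath]


# Constructed sample responses; every value here is a placeholder.
SAMPLE_RESPONSES = {
    "reports/good.pdf": {
        "signatureValid": True,
        "signatureAlgorithm": "EXAMPLE_ALGORITHM",
        "signatureDateTime": "2024-01-01T00:00:00Z",
        "signatureKeyId": "EXAMPLE_KEY_ID",
        "validationErrors": [],
    },
    "reports/tampered.pdf": {
        "signatureValid": False,
        "validationErrors": ["constructed error text"],
    },
    "reports/contradictory.pdf": {
        "signatureValid": True,
        "signatureKeyId": "EXAMPLE_KEY_ID",
        "validationErrors": ["constructed error text"],
    },
    "reports/missing-flag.pdf": {"validationErrors": []},
}

if __name__ == "__main__":
    stub = StubClient(SAMPLE_RESPONSES)
    for path in SAMPLE_RESPONSES:
        try:
            print("OK  ", verify_assessment_report(stub, path, "EXAMPLE_KEY_ID"))
        except ReportIntegrityError as exc:
            print("FAIL", exc)
```
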

Paginators

The available paginators are: