AWS Audit Manager will no longer be open to new customers starting April 30, 2026. If you would like to use Audit Manager, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS Audit Manager availability change](https://docs.aws.amazon.com/audit-manager/latest/userguide/audit-manager-availability-change.html). 

# Managing assessments in AWS Audit Manager
<a name="assessments"></a>



An Audit Manager assessment is based on a framework, which is a grouping of controls. Using a framework as a starting point, you can create an assessment that collects evidence for the controls in that framework. In your assessment, you can also define the scope of your audit. This includes specifying the AWS accounts that you want to collect evidence for.

## Key points
<a name="assessments-key-points"></a>

You can create an assessment from any framework. Either, you can use a [standard framework](https://docs.aws.amazon.com/audit-manager/latest/userguide/framework-overviews.html) that's provided by Audit Manager. Or, you can create an assessment from a [custom framework](https://docs.aws.amazon.com/audit-manager/latest/userguide/custom-frameworks.html) that you build yourself. Standard frameworks contain prebuilt control sets that support a specific compliance standard or regulation. In contrast, custom frameworks contain controls that you can customize and group according to your own requirements. 

When you create an assessment, this starts the ongoing collection of evidence. When it's time for an audit, you or a delegate can [review this evidence](https://docs.aws.amazon.com/audit-manager/latest/userguide/review-evidence.html) and then [add it to an assessment report](https://docs.aws.amazon.com/audit-manager/latest/userguide/generate-assessment-report.html#generate-assessment-report-include-evidence). 

**Note**  
AWS Audit Manager assists in collecting evidence that's relevant for verifying compliance with specific compliance standards and regulations. However, it doesn't assess your compliance itself. The evidence that's collected through AWS Audit Manager therefore might not include all the information about your AWS usage that's needed for audits. AWS Audit Manager isn't a substitute for legal counsel or compliance experts. 

## Additional resources
<a name="assessments-next-steps"></a>

To create and manage assessments in Audit Manager, follow the procedures that are outlined here.
+ [Creating an assessment in AWS Audit Manager](create-assessments.md)
+ [Finding your assessments in AWS Audit Manager](access-assessments.md)
+ [Reviewing an assessment in AWS Audit Manager](review-assessment.md)
  + [Reviewing assessment details in AWS Audit Manager](review-assessments.md)
  + [Reviewing an assessment control in AWS Audit Manager](review-controls.md)
  + [Reviewing an evidence folder in AWS Audit Manager](review-evidence-folders-detail.md)
  + [Reviewing evidence in AWS Audit Manager](review-evidence.md)
+ [Editing an assessment in AWS Audit Manager](edit-assessment.md)
  + [Changing the status of an assessment control in AWS Audit Manager](change-assessment-control-status.md)
  + [Changing the status of an assessment to inactive in AWS Audit Manager](change-assessment-status-to-inactive.md)
+ [Adding manual evidence in AWS Audit Manager](upload-evidence.md)
  + [Importing manual evidence files from Amazon S3](import-from-s3.md)
  + [Uploading manual evidence files from your browser](upload-from-computer.md)
  + [Entering free-form text responses as manual evidence](enter-text-response.md)
  + [Supported file formats for manual evidence](supported-manual-evidence-files.md)
+ [Preparing an assessment report in AWS Audit Manager](generate-assessment-report.md)
  + [Adding evidence to an assessment report](generate-assessment-report-include-evidence.md)
  + [Removing evidence from an assessment report](generate-assessment-report-remove-evidence.md)
  + [Generating an assessment report](generate-assessment-report-generation-steps.md)
  + [Downloading an assessment report from the download center](https://docs.aws.amazon.com/audit-manager/latest/userguide/download-center.html#download-a-file)
  + [Navigating an assessment report and exploring its contents](https://docs.aws.amazon.com/audit-manager/latest/userguide/assessment-reports.html)
  + [Validating an assessment report](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_ValidateAssessmentReportIntegrity.html)
  + [Deleting an assessment report](https://docs.aws.amazon.com/audit-manager/latest/userguide/download-center.html#delete-assessment-report-steps)
  + [Generating assessment reports from your evidence finder search results](https://amazonaws.com/audit-manager/latest/userguide/exporting-search-results-from-evidence-finder.html#generate-one-time-report-from-search-results)
+ [Deleting an assessment in AWS Audit Manager](delete-assessment.md)

# Creating an assessment in AWS Audit Manager
<a name="create-assessments"></a>



This topic builds on the [Tutorial for Audit Owners: Creating an assessment](tutorial-for-audit-owners.md). You'll find detailed instructions on this page that show you how to create an assessment from a framework. Follow these steps to create an assessment and start the ongoing collection of evidence. 

## Prerequisites
<a name="create-assessment-prerequisites"></a>

Before you start this tutorial, make sure that you meet the following conditions:
+ You completed all the prerequisites that are described in [Setting up AWS Audit Manager with the recommended settings](setting-up.md). You must use your AWS account and the Audit Manager console to complete this tutorial.
+ Your IAM identity has appropriate permissions to create and manage an assessment in Audit Manager. Two suggested policies that grant these permissions are [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) and [Allow users management access to AWS Audit Manager](security_iam_id-based-policy-examples.md#management-access).

## Procedure
<a name="create-assessment-procedure"></a>

**Contents**
+ [Step 1: Specify assessment details](#specify-details)
+ [Step 2: Specify AWS accounts in scope](#specify-accounts)
+ [Step 3: Specify audit owners](#choose-audit-owners)
  + [Audit owner permissions](#choose-audit-owners-permissions)
+ [Step 4: Review and create](#review-and-create)

### Step 1: Specify assessment details
<a name="specify-details"></a>

Start by selecting a framework and providing basic information for your assessment.

**To specify assessment details**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the navigation pane, choose **Assessments**, and then choose **Create assessment**. 

1. Under **Name**, enter a name for your assessment. 

1. (Optional) Under **Description**, enter a description for your assessment.

1. Under **Assessment reports destination**, select the S3 bucket where you want to save your assessment reports.
**Tip**  
The default assessment report destination is based on your [assessment settings](https://docs.aws.amazon.com/audit-manager/latest/userguide/settings-destination.html). If you prefer, you can create and use multiple S3 buckets to help you organize your assessment reports for different assessments. AWS Audit Manager supports exporting assessment reports to Amazon S3 buckets, including cross-account destinations. For optimal security and performance, we recommend using an S3 bucket in the same AWS account and region as your assessment.

1. Under **Select framework**, select the framework that you want to create your assessment from. You can also use the search bar to look up a framework by name, or by compliance standard or regulation.
**Tip**  
To learn more about a framework, choose the framework name to see the framework details page.

1. (Optional) Under **Tags**, choose **Add new tag** to associate a tag with your assessment. You can specify a key and a value for each tag. The tag key is mandatory and can be used as a search criteria when you search for this assessment. 

1. Choose **Next**.

**Note**  
It's important to make sure that your assessment collects the correct evidence for a given framework. Before you start evidence collection, we recommend that you review the requirements for your chosen framework. Then, validate these requirements against your current AWS Config rule parameters. To ensure that your rule parameters align with framework requirements, you can [update the rule in AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_manage-rules.html).   
For example, suppose that you’re creating an assessment for CIS v1.2.0. This framework has a control named [1.9 – Ensure IAM password policy requires a minimum length of 14 or greater](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.9). In AWS Config, the [iam-password-policy](https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html) rule has a `MinimumPasswordLength` parameter that checks password length. The default value for this parameter is 14 characters. As a result, the rule aligns with the control requirements. If you aren’t using the default parameter value, ensure that the value you’re using is equal to or greater than the 14 character requirement from CIS v1.2.0. You can find the default parameter details for each managed rule in the [AWS Config documentation](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html).

### Step 2: Specify AWS accounts in scope
<a name="specify-accounts"></a>

You can specify multiple AWS accounts to be in the scope of an assessment. Audit Manager supports multiple accounts through integration with AWS Organizations. This means that Audit Manager assessments can be run over multiple accounts, and the evidence that's collected is consolidated into a delegated administrator account. To enable Organizations in Audit Manager, see [Enable and set up AWS Organizations](setup-recommendations.md#enabling-orgs).

**Note**  
Audit Manager can support up to 200 accounts in the scope of an assessment. If you try to include over 200 accounts, the assessment creation will fail.  
Additionally, if you try to add over 250 unique accounts across all of your assessments, the assessment creation will fail.

**To specify AWS accounts in scope**

1.  Under **AWS accounts**, select the AWS accounts that you want to include in the scope of your assessment. 
   + If you enabled Organizations in Audit Manager, multiple accounts are displayed. You can choose one or more accounts from the list. Alternatively, you can also search for an account by the account name, ID, or email.
   + If you didn't enable Organizations in Audit Manager, only your current AWS account is listed. 

1. Choose **Next**.

**Note**  
When an in-scope account is removed from your organization, Audit Manager no longer collects evidence for that account. However, the account continues to show in your assessment under the **AWS accounts** tab. To remove the account from the list of accounts in scope, [edit the assessment](https://docs.aws.amazon.com/audit-manager/latest/userguide/edit-assessment.html). The removed account no longer shows in the list during editing, and you can save your changes without that account in scope.

### Step 3: Specify audit owners
<a name="choose-audit-owners"></a>

In this step, you specify the audit owners for your assessment. Audit owners are the individuals in your workplace—usually from GRC, SecOps, or DevOps teams—who are responsible for managing the Audit Manager assessment. We recommend that they use the [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) policy.

**To specify audit owners**

1. Under **Audit owners**, review the current list of audit owners. The **Audit owner** column displays the user IDs and roles. The **AWS account** column displays the AWS account of that audit owner. 

1. Audit owners that have a selected check box are included in your assessment. Clear the check box for any audit owner to remove them from the assessment. You can find additional audit owners by using the search bar to search by name or AWS account. 

1. When you're finished, choose **Next**.

#### Audit owner permissions
<a name="choose-audit-owners-permissions"></a>

The below policy is attached for all the audit owners of an assessment.

Audit Manager replaces the *placeholder text* with your account and resource identifiers before attaching the policy.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "AuditOwner",
            "Effect": "Allow",
            "Principal": {
                "AWS": "Principal for user/role who are the audit owners of the Assessment"
            },
            "Action": [
                "auditmanager:GetAssessment",
                "auditmanager:UpdateAssessment",
                "auditmanager:UpdateAssessmentControlSetStatus",
                "auditmanager:UpdateAssessmentStatus",
                "auditmanager:UpdateAssessmentControl",
                "auditmanager:DeleteAssessment",
                "auditmanager:GetChangeLogs",
                "auditmanager:GetEvidenceFoldersByAssessment",
                "auditmanager:GetEvidenceFoldersByAssessmentControl",
                "auditmanager:BatchImportEvidenceToAssessmentControl",
                "auditmanager:GetEvidenceFolder",
                "auditmanager:GetEvidence",
                "auditmanager:GetEvidenceByEvidenceFolder",
                "auditmanager:BatchCreateDelegationByAssessment",
                "auditmanager:BatchDeleteDelegationByAssessment",
                "auditmanager:AssociateAssessmentReportEvidenceFolder",
                "auditmanager:BatchAssociateAssessmentReportEvidence",
                "auditmanager:BatchDisassociateAssessmentReportEvidence",
                "auditmanager:CreateAssessmentReport",
                "auditmanager:DeleteAssessmentReport",
                "auditmanager:DisassociateAssessmentReportEvidenceFolder",
                "auditmanager:GetAssessmentReportUrl"
            ],
            "Resource": [
                "arn:aws:auditmanager:us-east-1:123456789012:assessment/assessment_ID",
                "arn:aws:auditmanager:us-east-1:123456789012:assessment/assessment_ID/*"
            ]
        }
    ]
}
```

------

### Step 4: Review and create
<a name="review-and-create"></a>

 Review the information for your assessment. To change the information for a step, choose **Edit**. When you're finished, choose **Create assessment**. 

This action starts the ongoing collection of evidence for your assessment. After you create an assessment, evidence collection continues until you [change the assessment status](https://docs.aws.amazon.com/audit-manager/latest/userguide/change-assessment-status-to-inactive.html) to *inactive*. Alternatively, you can stop evidence collection for a specific control by [change the control status](https://docs.aws.amazon.com/audit-manager/latest/userguide/change-assessment-control-status.html) to *inactive*.

**Note**  
Automated evidence becomes available 24 hours after your assessment is created. Audit Manager automatically collects evidence from multiple data sources, and the frequency of that evidence collection is based on the evidence type. To learn more, see [Evidence collection frequency](how-evidence-is-collected.md#frequency) in this guide. 

## Next steps
<a name="create-assessment-whatnow"></a>

To revisit your assessment at a later date, see [Finding your assessments in AWS Audit Manager](access-assessments.md). You can follow these steps to locate your assessment so that you can view, edit, or continue working on it.

## Additional resources
<a name="create-assessment-additonal-resources"></a>

For solutions to assessment issues in Audit Manager, see [Troubleshooting assessment and evidence collection issues](evidence-collection-issues.md).

# Finding your assessments in AWS Audit Manager
<a name="access-assessments"></a>



After you create assessments in AWS Audit Manager, you can find them on the assessments page of the Audit Manager console. 

From this page, you can perform various actions on your assessments. For example, you can view assessment details, edit assessment configurations, or delete assessments that are no longer required. Additionally, the assessments page serves as a starting point for creating new assessments.

You can also view your assessments programmatically using the Audit Manager API or the AWS Command Line Interface (AWS CLI). 

## Prerequisites
<a name="access-assessments-prerequisites"></a>

The following procedure assumes that you have previously created at least one assessment. If you haven’t created an assessment yet, you won’t see any results when you follow these steps.

Make sure your IAM identity has appropriate permissions to view an assessment in AWS Audit Manager. Two suggested policies that grant these permissions are [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) and [Allow users management access to AWS Audit Manager](security_iam_id-based-policy-examples.md#management-access).

## Procedure
<a name="access-assessments-procedure"></a>

You can view your assessments using the Audit Manager console, the Audit Manager API, or the AWS Command Line Interface (AWS CLI). 

------
#### [ Audit Manager console ]

**To view your assessments on the Audit Manager console**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the left navigation pane, choose **Assessments** to see a list of your assessments.

1. Choose any assessment name to view the details for that assessment.

------
#### [ AWS CLI ]

**To view your assessments (CLI)**  
To view assessments in Audit Manager, run the [list-assessments](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/list-assessments.html) command. You can use the `--status` subcommand to view assessments that are active or inactive. 

```
aws auditmanager list-assessments --status ACTIVE
```

```
aws auditmanager list-assessments --status INACTIVE
```

------
#### [ Audit Manager API ]

**To view your assessments using the API**  
To view assessments in Audit Manager, use the [ListAssessments](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_ListAssessments.html) operation. You can use the [status](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_ListAssessments.html#auditmanager-ListAssessments-request-status) attribute to view assessments that are active or inactive. 

For more information, choose either of the previous links to read more in the *AWS Audit Manager API Reference*. This includes information about how to use the `ListAssessments` operation and parameters in one of the language-specific AWS SDKs.

------

## Next steps
<a name="access-assessments-next-steps"></a>

When you're ready to explore your assessment's contents, follow the steps in [Reviewing an assessment in AWS Audit Manager](review-assessment.md). This page will guide you through the assessment details and explain the information that you see there.

From the assessments page, you can also [edit an assessment](https://docs.aws.amazon.com/audit-manager/latest/userguide/edit-assessment.html), [delete an assessment](https://docs.aws.amazon.com/audit-manager/latest/userguide/delete-assessment.html), or [create an assessment](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-assessments.html). 

## Additional resources
<a name="access-assessments-additonal-resources"></a>

For solutions to assessment issues in Audit Manager, see [Troubleshooting assessment and evidence collection issues](evidence-collection-issues.md).

# Reviewing an assessment in AWS Audit Manager
<a name="review-assessment"></a>



After you create assessments in Audit Manager, you can open and review your assessments at any time. 

## Key points
<a name="review-assessment-key-points"></a>

When you're ready to explore your assessment, you can gradually dive deeper into the details and review your assessment with increasing levels of granularity.

1. **Assessment details** – Start by reviewing the overall details of your assessment. On this page you can review the assessment name, description, scope, and other details. This gives you a high-level overview of the assessment.

1. **Assessment control details** – Next, dive deeper into the assessment by reviewing the details of each assessment control. This will enable you to understand the specific requirements and objectives of each control.

1. **Evidence folder details** – For each assessment control, you can review the corresponding evidence folders that contain the evidence for a given control. These folders organize the supporting evidence that’s related to each control.

1. **Evidence details** – Lastly, drill down further to review the individual pieces of evidence within each folder. This might include configuration snapshots, user activity logs, compliance findings, or manually uploaded evidence such as documents and screenshots. Reviewing this evidence will help you understand how your organization is meeting the requirements of the control.

By following these steps, you can thoroughly explore your assessment, understand its components, and review the evidence that supports your organization's compliance efforts.

## Additional resources
<a name="review-assessment-next-steps"></a>

To get started with reviewing an assessment in Audit Manager, follow the procedures that are outlined here. 
+ [Reviewing assessment details in AWS Audit Manager](review-assessments.md)
+ [Reviewing an assessment control in AWS Audit Manager](review-controls.md)
+ [Reviewing an evidence folder in AWS Audit Manager](review-evidence-folders-detail.md)
+ [Reviewing evidence in AWS Audit Manager](review-evidence.md)

# Reviewing assessment details in AWS Audit Manager
<a name="review-assessments"></a>



When you need to review the details of an assessment, you'll find the information organized into several sections on the assessment details page. These sections help you easily access and understand the relevant information for your task. 

**Contents**
+ [Prerequisites](#review-assessments-prerequisites)
+ [Procedure](#review-assessments-procedure)
  + [Assessment details section](#review-assessment-summary)
  + [Controls tab](#review-assessment-controls)
  + [Assessment report selection tab](#review-assessment-evidence)
  + [AWS accounts tab](#review-assessment-accounts)
  + [AWS services tab](#review-assessment-services)
  + [Audit owners tab](#review-assessment-audit-owners)
  + [Tags tab](#review-assessment-tags)
  + [Changelog tab](#review-assessment-changelog)
+ [Next steps](#review-assessments-next-steps)
+ [Additional resources](#review-assessments-additional-resources)

## Prerequisites
<a name="review-assessments-prerequisites"></a>

The following procedure assumes that you have previously created at least one assessment. If you haven’t created an assessment yet, you won’t see any results when you follow these steps.

Make sure your IAM identity has appropriate permissions to view an assessment in AWS Audit Manager. Two suggested policies that grant these permissions are [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) and [Allow users management access to AWS Audit Manager](security_iam_id-based-policy-examples.md#management-access).

## Procedure
<a name="review-assessments-procedure"></a>

**To open and review an assessment details page**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the left navigation pane, choose **Assessments** to see a list of your assessments. 

1. Choose the name of the assessment to open it.

1. Review the assessment details using the following information as reference.

**Topics**
+ [Assessment details section](#review-assessment-summary)
+ [Controls tab](#review-assessment-controls)
+ [Assessment report selection tab](#review-assessment-evidence)
+ [AWS accounts tab](#review-assessment-accounts)
+ [AWS services tab](#review-assessment-services)
+ [Audit owners tab](#review-assessment-audit-owners)
+ [Tags tab](#review-assessment-tags)
+ [Changelog tab](#review-assessment-changelog)

### Assessment details section
<a name="review-assessment-summary"></a>

 You can use the **Assessment details** section to see a summary of your assessment. 

![\[Screenshot of the assessment details section, with labels that relate to the following definitions.\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/assessment-details-console.png)


In the assessment details section, you can review the following information:


| Name | Description | 
| --- | --- | 
|  **1. Description**  | The description of the assessment. | 
|  **2. Compliance type**  | The compliance standard or regulation that the assessment supports. | 
| 3. Assessment reports destination |  The S3 bucket that Audit Manager saves the assessment report in.  | 
| 4. Total evidence |  The total number of evidence items that are collected for this assessment.  | 
| 5. Assessment report selection |  The number of evidence items that are selected to be included in the assessment report.  | 
| 6. Date created |  The date when the assessment was created.  | 
| 7. Last updated |  The date when the assessment was last edited.  | 
| 8. Status |  The status of the assessment.  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/review-assessments.html)  | 

### Controls tab
<a name="review-assessment-controls"></a>

You can use this tab to see information about the controls in the assessment. 

Under **Control status summary**, you can review the following information:


| Name | Description | 
| --- | --- | 
|  **Total controls**  | The total number of controls in this assessment. | 
|  **Reviewed**  | The number of controls that were reviewed by an audit owner or a delegate. | 
| Under review | The number of controls that are currently under review.  | 
| Inactive | The number of controls that are no longer actively collecting evidence | 

In the **Control sets** table, you can review a list of controls grouped by control set. You can expand or collapse the controls in each control set. You can also search by name if you're looking for a specific control. 

In this table, you can review the following information:


| Name | Description | 
| --- | --- | 
|  **Controls grouped by control sets**  | The name of the control set. | 
|  **Control status**  |  The status of the control.  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/review-assessments.html)  | 
| Delegated to | The reviewer of this control, if it was assigned to a delegate for review. | 
| Total evidence |  The number of evidence items that have been collected for this control.  | 

### Assessment report selection tab
<a name="review-assessment-evidence"></a>

You can use this tab to see the evidence that will be included in the assessment report. The evidence is grouped by evidence folders, which are organized based on the date when they were created. 

You can browse these folders and select which evidence you want to include in your assessment report. For instructions on how to add evidence to an assessment report, see [Adding evidence to an assessment report](generate-assessment-report-include-evidence.md). 

In this section, you can review the following information:


| Name | Description | 
| --- | --- | 
|  **Evidence folder**  | The name of the evidence folder. The folder name is based on the date when the evidence was collected. | 
|  **Selected evidence**  | The number of evidence items within the folder that are included in the assessment report. | 
| Control name |  The name of the control that's associated with this evidence folder.   | 

### AWS accounts tab
<a name="review-assessment-accounts"></a>

You can use this tab to see the AWS accounts that are in the scope of the assessment. 

In this section, you can review the following information:


| Name | Description | 
| --- | --- | 
|  **Account ID**  | The ID of the AWS account. | 
|  **Account name**  | The name of the AWS account. | 
| Email |  The email address that's associated with the AWS account.   | 

### AWS services tab
<a name="review-assessment-services"></a>

You might or might not see this tab in your assessment.

#### If the AWS services tab isn't displayed (ideal state)
<a name="aws-services-are-not-visible"></a>

If you don't see this tab, Audit Manager is managing which AWS services are in scope for your assessment. 

Audit Manager infers this scope by examining your assessment controls and their data sources, and then mapping this information to the corresponding AWS services. Whenever an underlying data source changes for your assessment, Audit Manager automatically updates the scope as needed to reflect the correct AWS services. This ensures that your assessment collects accurate and comprehensive evidence about all of the relevant services in your AWS environment.

#### If the AWS services tab is displayed
<a name="aws-services-are-visible"></a>

If this you do see this tab, Audit Manager is not managing which AWS services are in scope for your assessment. 

In this case, you see the following information about the services in scope that you defined:


| Name | Description | 
| --- | --- | 
|  **AWS service**  | The name of the AWS service. | 
|  **Category**  | The service category, such as compute or database. | 
| Description |  The description of the AWS service.  | 

Audit Manager performs resource assessments for the services in this table. For example, if Amazon S3 is listed, Audit Manager can collect evidence about your S3 buckets. The exact evidence that's collected is determined by a control's [](concepts.md#control-data-source). For instance, if the data source type is AWS Config, and the data source mapping is an AWS Config rule (such as `s3-bucket-public-write-prohibited`), Audit Manager collects the result of that rule evaluation as evidence. For more information, see [What's the difference between a service in scope and a data source type?](evidence-collection-issues.md#data-source-vs-service-in-scope) in this guide. 

If your assessment was created in the console from a standard framework, Audit Manager selected the services for you and mapped their data sources according to the framework's requirements. If the standard framework contains only manual controls, no AWS services are in scope. 

**Note**  
The next time that you edit your assessment or change one of the custom controls in your assessment, Audit Manager takes over the management of services in scope for you. When this happens, the **AWS services** tab is removed from your assessment.

### Audit owners tab
<a name="review-assessment-audit-owners"></a>

You can use this tab to see the audit owners for the assessment.

In this section, you can review the following information:


| Name | Description | 
| --- | --- | 
|  **Audit owner**  | The name of the audit owner. | 
|  **AWS account**  | The AWS account ID of the audit owner. | 

### Tags tab
<a name="review-assessment-tags"></a>

You can use this tab to see the tags for your assessment. These tags are inherited from the framework that was used to create the assessment. For more information about tags in Audit Manager, see [Tagging AWS Audit Manager resources](tagging.md).

In this section, you can review the following information:


| Name | Description | 
| --- | --- | 
|  **Key**  | The key of the tag, such as a compliance standard, regulation, or category. | 
|  **Value**  | The value of the tag. | 

### Changelog tab
<a name="review-assessment-changelog"></a>

You can use this tab to see the user activity for the assessment. 

In this section, you can review the following information:


| Name | Description | 
| --- | --- | 
|  **Date**  | The date of the activity. | 
|  **User**  | The user who performed the action. | 
| Action |  The action that occurred, such as an assessment being created.  | 
| Type |  The object type that changed, such as an assessment.  | 
| Resource |  The resource that was affected by the change, such as the framework that the assessment was created from.  | 

## Next steps
<a name="review-assessments-next-steps"></a>

To continue reviewing your assessment's contents, follow the steps in [Reviewing an assessment control in AWS Audit Manager](review-controls.md). This page will guide you through the assessment control details and explain the information that you see there.

## Additional resources
<a name="review-assessments-additional-resources"></a>
+ [On my assessment details page, I’m prompted to recreate my assessment](evidence-collection-issues.md#recreate-assessment-post-common-controls)
+ [I can’t see any controls or control sets in my assessment](control-issues.md#cannot-view-controls)
+ [I can't see the services in scope for my assessment](evidence-collection-issues.md#unable-to-view-services)

# Reviewing an assessment control in AWS Audit Manager
<a name="review-controls"></a>



When you need to review the controls in an assessment, you'll find the information organized into several sections on the assessment control details page. These sections help you easily access and understand the relevant information for your task. 

**Contents**
+ [Prerequisites](#review-controls-prerequisites)
+ [Procedure](#review-controls-procedure)
  + [Control details section](#review-control-detail)
  + [Evidence folders tab](#review-evidence-folders)
  + [Details tab](#review-details)
  + [Evidence sources tab](#review-data-sources)
  + [Comments tab](#review-comments)
  + [Changelog tab](#review-changelog)
+ [Next steps](#review-controls-next-steps)
+ [Additional resources](#review-controls-additional-resources)

## Prerequisites
<a name="review-controls-prerequisites"></a>

The following procedure assumes that you have previously created at least one assessment. If you haven’t created an assessment yet, you won’t see any results when you follow these steps.

Make sure your IAM identity has appropriate permissions to view an assessment in AWS Audit Manager. Two suggested policies that grant these permissions are [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) and [Allow users management access to AWS Audit Manager](security_iam_id-based-policy-examples.md#management-access).

## Procedure
<a name="review-controls-procedure"></a>

**To open and review an assessment control details page**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the navigation pane, choose **Assessments** and choose the name of an assessment to open it.

1. From the assessment page, choose the **Controls** tab, scroll down to the **Control sets** table, and then choose the name of a control to open it.

1. Review the assessment control details using the following information as reference.

**Topics**
+ [Control details section](#review-control-detail)
+ [Evidence folders tab](#review-evidence-folders)
+ [Details tab](#review-details)
+ [Evidence sources tab](#review-data-sources)
+ [Comments tab](#review-comments)
+ [Changelog tab](#review-changelog)

### Control details section
<a name="review-control-detail"></a>

You can use the **Control details** section to see a summary of the assessment control.

In this section, you can review the following information:


| Name | Description | 
| --- | --- | 
|  **Description**  |   The description that's provided for this control.  | 
|  **Control status**  |  The status of the control.  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/review-controls.html)  | 

### Evidence folders tab
<a name="review-evidence-folders"></a>

You can use this tab to see the evidence that's collected for this control. It's organized into folders on a daily basis. From here, you can also take the following actions:
+ **Review an evidence folder **– To see details for any evidence folder, choose the hyperlinked folder name. 
+ **Add an evidence folder to an assessment report** – To include an evidence folder, select it and choose **Add to assessment report**. 
+ **Remove an evidence folder from an assessment report** – To exclude a folder, select it and choose **Remove from assessment report**.
+ **Add manual evidence** – For instructions, see [Adding manual evidence in AWS Audit Manager](upload-evidence.md). 

In this section, you can review the following information:


| Name | Description | 
| --- | --- | 
|  **Evidence folder**  |  The name of the evidence folder. The name is based on the date when the evidence was collected or manually added.  | 
|  **Compliance check**  |  The number of issues in the evidence folder. This number represents the total number of security issues that were reported directly from AWS Security Hub CSPM, AWS Config, or both.  If you see **Not applicable**, this indicates that you either don't have Security Hub CSPM or AWS Config enabled, or the evidence comes from a different data source type.  | 
| Total evidence |  The total number of evidence items inside the folder.  | 
| Assessment report selection |  The number of evidence items within the folder that are included in the assessment report.  | 

**Tip**  
If you can't see the evidence folder that you're looking for, change the dropdown filter to **All time**. Otherwise, you'll see the last seven days of folders by default.

### Details tab
<a name="review-details"></a>

In this section, you can review the following information:


| Name | Description | 
| --- | --- | 
|  **Testing information**  | The recommended procedure to test that the control is working as intended. | 
| Action plan |  The recommended actions to take if the control needs to be remediated.   | 

### Evidence sources tab
<a name="review-data-sources"></a>

You can use this tab to see where the assessment control collects evidence from. The evidence sources can include any of the following:


| Name | Description | 
| --- | --- | 
|  **Common controls**  | These are the common controls that collect evidence to support the assessment control. Common controls collect evidence using underlying data sources that AWS manages for you. For every common control that’s listed, Audit Manager collects the relevant evidence for all of the supporting core controls. Choose a common control to see the related core controls. | 
|  **Core controls**  | These are the core controls that collect evidence to support the assessment control. Core controls collect evidence by using a predefined group of data sources that AWS manages for you. Choose a core control to see the underlying data sources. | 
| Data sources |  These are the individual data sources that collect evidence to support the assessment control. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/review-controls.html)  | 

### Comments tab
<a name="review-comments"></a>

In this tab, you can add a comment about the control and its evidence. You can also see a list of previous comments.
+ Under **Send comments**, you can add comments for a control by entering text and then choosing **Submit comments**.
+ Under **Previous comments**, you can view a list of previous comments along with the date the comment was made and the associated user ID.

### Changelog tab
<a name="review-changelog"></a>

You can use this tab to see the user activity for the assessment control. The same information is available as audit trail logs in AWS CloudTrail. With the user activity that's captured directly in Audit Manager, you can easily review an audit trail of activity for a given control. 

In this section, you can review the following information:


| Name | Description | 
| --- | --- | 
|  **Date**  | The date and time of the activity, represented in Coordinated Universal Time (UTC). | 
|  **User**  | The user or role that performed the activity. | 
| Action |  The action that occurred, such as an assessment being created.  | 
| Type |  The object type that changed, such as an assessment.  | 
| Resource |  The resource that was affected by the change, such as the framework that the assessment was created from.  | 

Audit Manager tracks the following user activity in changelogs: 
+ Creating an assessment
+ Editing an assessment
+ Completing an assessment
+ Deleting an assessment
+ Delegating a control set for review 
+ Submitting a reviewed control set back to the audit owner
+ Uploading manual evidence
+ Updating a control status
+ Generating assessment reports

## Next steps
<a name="review-controls-next-steps"></a>

To continue reviewing your assessment, follow the steps in [Reviewing an evidence folder in AWS Audit Manager](review-evidence-folders-detail.md). This page will guide you through the evidence folders and show you how to understand the information that you see.

## Additional resources
<a name="review-controls-additional-resources"></a>
+ [I can’t see any controls or control sets in my assessment](control-issues.md#cannot-view-controls)

# Reviewing an evidence folder in AWS Audit Manager
<a name="review-evidence-folders-detail"></a>



As your assessment collects evidence, Audit Manager organizes it into folders for your convenience. When you need to review an evidence folder, you'll find the information organized into several sections. 

**Contents**
+ [Prerequisites](#review-evidence-folders-detail-prerequisites)
+ [Procedure](#review-evidence-folders-detail-procedure)
  + [Evidence folder summary](#review-evidence-folders-summary-summary)
  + [Evidence table](#review-evidence-folders-summary-evidence)
+ [Next steps](#review-evidence-folders-detail-next-steps)
+ [Additional resources](#review-evidence-folders-detail-additional-resources)

## Prerequisites
<a name="review-evidence-folders-detail-prerequisites"></a>

The following procedure assumes that you have previously created at least one assessment. If you haven’t created an assessment yet, you won’t see any results when you follow these steps.

Make sure your IAM identity has appropriate permissions to view an assessment in AWS Audit Manager. Two suggested policies that grant these permissions are [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) and [Allow users management access to AWS Audit Manager](security_iam_id-based-policy-examples.md#management-access).

Keep in mind that it takes up to 24 hours for an assessment to start collecting automated evidence. If your assessment has no evidence yet, you won’t see any results when you follow these steps. 

## Procedure
<a name="review-evidence-folders-detail-procedure"></a>

**To open and review an evidence folder**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the navigation pane, choose **Assessments**, and then choose an assessment.

1. From the assessment page, choose the **Controls** tab, scroll down to the **Controls** table, and then choose an assessment control.

1. From the assessment control page, choose the **Evidence folders** tab.

1. In the **Evidence folders** table, choose the name of an evidence folder.

1. Review the evidence folder using the following information as reference.

**Topics**
+ [Evidence folder summary](#review-evidence-folders-summary-summary)
+ [Evidence table](#review-evidence-folders-summary-evidence)

### Evidence folder summary
<a name="review-evidence-folders-summary-summary"></a>

You can use the **Summary** section of the page to see a high-level overview of the evidence in the evidence folder. To learn more about different evidence types, see [Evidence](https://docs.aws.amazon.com/audit-manager/latest/userguide/concepts.html#evidence).

![\[Screenshot of the evidence folder with labels that relate to the following definitions.\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/evidence-summary-console.png)


In this section, you can review the following information:


| Name | Description | 
| --- | --- | 
|  **1. Date and time**  | The time and date when the evidence folder was created. This is represented in Coordinated Universal Time (UTC). | 
|  **2. Control**  | The name of the control that's related the evidence folder.  | 
| 3. Added to assessment report |  The number of evidence items that were selected to be included in the assessment report.  | 
| 4. Total evidence |  The total number of evidence items in the evidence folder.  | 
| 5. Resources |  The total number of AWS resources that were assessed when collecting the evidence in this folder.  | 
| 6. User activity |  The number of evidence items that fall under the *user activity* category. This evidence is collected from AWS CloudTrail logs.   | 
| 7. Configuration data |  The number of evidence items that fall under the *configuration data* category. This evidence is collected from API calls that take configuration snapshots of other AWS services.   | 
| 8. Manual |  The number of evidence items that fall under the *manual* category. This evidence is added manually.  | 
| 9. Compliance check |  The number of evidence items that fall under the *compliance check* category. This evidence is collected from AWS Config, AWS Security Hub CSPM, or both.  | 
| 10. Compliance check status |  The total number of issues that were reported directly from AWS Security Hub CSPM, AWS Config, or both.  | 

### Evidence table
<a name="review-evidence-folders-summary-evidence"></a>

You can use the **Evidence** table to see the evidence that's contained within the evidence folder. From here table, you can also take the following actions:
+ **Review individual evidence **– To see details for any piece of evidence, choose the hyperlinked evidence name under the **Time** column. 
+ **Add evidence to an assessment report** – To include evidence, select it and choose **Add to assessment report**. 
+ **Remove evidence from an assessment report** – To exclude evidence, select it and choose **Remove from assessment report**.
+ **Add manual evidence** – For instructions, see [Adding manual evidence in AWS Audit Manager](upload-evidence.md).

 

In this table, you can review the following information:


| Name | Description | 
| --- | --- | 
|  **Time**  | Specifies when the evidence was collected. This also serves as the name of the evidence. The time is represented in Coordinated Universal Time (UTC).  | 
|  **Compliance check**  | The evaluation status for evidence that falls under the compliance check category. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/review-evidence-folders-detail.html) | 
| Evidence by type |  The type of evidence.  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/review-evidence-folders-detail.html)  | 
| Data source |  The data source where the evidence is collected from.  | 
| Event name |  The name of the event that invoked the evidence collection.   | 
| Event source |  The service principal that identifies the relevant AWS service for the event.  | 
| Resources |  The number of resources that were assessed when collecting the evidence.  | 
| Assessment report selection |  Indicates whether the evidence is included in the assessment report. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/review-evidence-folders-detail.html)  | 

## Next steps
<a name="review-evidence-folders-detail-next-steps"></a>

When you're ready to explore the individual pieces of evidence in a folder, follow the steps in [Reviewing evidence in AWS Audit Manager](review-evidence.md). This page will guide you through the evidence details and how to interpret the information that you see there.

## Additional resources
<a name="review-evidence-folders-detail-additional-resources"></a>
+ For solutions to evidence issues in Audit Manager, see [Troubleshooting assessment and evidence collection issues](evidence-collection-issues.md).

# Reviewing evidence in AWS Audit Manager
<a name="review-evidence"></a>



When you need to review a specific piece of evidence, follow the instructions on this page. You'll find the evidence details organized into several sections. 

**Contents**
+ [Prerequisites](#review-evidence-prerequisites)
+ [Procedure](#review-evidence-procedure)
  + [Summary](#review-evidence-folders-detail-1)
  + [Attributes](#review-evidence-folders-detail-2)
  + [Resources included](#review-evidence-folders-detail-3)
+ [Additional resources](#review-evidence-additional-resources)

## Prerequisites
<a name="review-evidence-prerequisites"></a>

The following procedure assumes that you have previously created at least one assessment. If you haven’t created an assessment yet, you won’t see any results when you follow these steps.

Make sure your IAM identity has appropriate permissions to view an assessment in AWS Audit Manager. Two suggested policies that grant these permissions are [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) and [Allow users management access to AWS Audit Manager](security_iam_id-based-policy-examples.md#management-access).

Keep in mind that it takes up to 24 hours for an assessment to start collecting automated evidence. If your assessment has no evidence yet, you won’t see any results when you follow these steps. 

## Procedure
<a name="review-evidence-procedure"></a>

**To open and review an evidence details page**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the navigation pane, choose **Assessments**, and then choose an assessment.

1. From the assessment page, choose the **Controls** tab, scroll down to the **Controls** table, and then choose a control.

1. From the control page, choose the **Evidence folders** tab.

1. In the **Evidence folders** table, choose the name of an evidence folder.

1. Choose the evidence name under the **Time** column to open the evidence details page.

1. Review the evidence details using the following information as reference.

**Topics**
+ [Summary](#review-evidence-folders-detail-1)
+ [Attributes](#review-evidence-folders-detail-2)
+ [Resources included](#review-evidence-folders-detail-3)

### Summary
<a name="review-evidence-folders-detail-1"></a>

You can use the **Summary** section to see an overview of the evidence. 

![\[Screenshot of the evidence details with labels that relate to the following definitions.\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/evidence-detail-console.png)


In this section, you can review the following information:


| Name | Description | 
| --- | --- | 
|  **1. Evidence ID**  | The unique identifier for the evidence. | 
|  **2. Date and time**  | The time and date when the evidence was collected. This is represented in Coordinated Universal Time (UTC). | 
| 3. Compliance check |  The evaluation status for compliance check evidence.  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/review-evidence.html)  | 
| 4. Data source mapping |  The mapping keyword that was used to collect the evidence.  | 
| 5. Data source type |  The type of data source where the evidence was collected from.  | 
| 6. Account ID |  The AWS account that's associated with the evidence.  | 
| 7. IAM ID |  The relevant user or role, if applicable.  | 
| 8. Assessment |  The name of the assessment that's associated with the evidence.   | 
| 9. Control |  The name of the control that's associated with the evidence.   | 
| 10. Evidence folder name |  The name of the evidence folder that contains the evidence.  | 
| 11. Include in assessment report |  The switch that enables you to include or exclude the evidence from the assessment report.  | 

### Attributes
<a name="review-evidence-folders-detail-2"></a>

You can use the **Attributes** table to see the evidence attributes in detail. 

In this table, you can review the following information:


| Name | Description | 
| --- | --- | 
|  **Attribute name**  | The key for the attribute. | 
|  **Value**  | The value of the attribute. In some cases, a link to a JSON file is provided with more information. | 

### Resources included
<a name="review-evidence-folders-detail-3"></a>

You can use the **Resources included** table to see the resources that were assessed to generate this evidence. 

In this section, you can review the following information:


| Name | Description | 
| --- | --- | 
|  **ARN**  | The Amazon Resource Name (ARN) of the resource. An ARN might not be available for all evidence types. | 
|  **Resource compliance**  | The evaluation status for the resource.[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/review-evidence.html) | 
| Value |  More information about the resource assessment. In some cases, a link to a JSON file is provided with more information.  | 

## Additional resources
<a name="review-evidence-additional-resources"></a>
+ For solutions to evidence issues in Audit Manager, see [Troubleshooting assessment and evidence collection issues](evidence-collection-issues.md).

# Editing an assessment in AWS Audit Manager
<a name="edit-assessment"></a>



You might encounter situations where you need to edit your existing assessments in AWS Audit Manager. Perhaps the scope of your audit has changed, requiring updates to the AWS accounts included in the assessment. Or, you might need to revise the list of audit owners assigned to the assessment due to personnel changes. In such cases, you can edit your active assessments and make necessary adjustments without disrupting your evidence collection. 

The following page outlines the steps to edit your assessment details, change the AWS accounts in scope, update the audit owners, and review and save your changes. 

## Prerequisites
<a name="edit-assessment-prerequisites"></a>

The following procedure assumes that you have previously created at least one assessment, and it is in an active state.

Make sure your IAM identity has appropriate permissions to edit an assessment in AWS Audit Manager. Two suggested policies that grant these permissions are [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) and [Allow users management access to AWS Audit Manager](security_iam_id-based-policy-examples.md#management-access).

## Procedure
<a name="edit-assessment-procedure"></a>

**Contents**
+ [Step 1: Edit assessment details](#edit-specify-details)
+ [Step 2: Edit AWS accounts in scope](#edit-accounts)
+ [Step 3: Edit audit owners](#edit-choose-audit-owners)
  + [Audit owner permissions](#edit-choose-audit-owners-permissions)
+ [Step 4: Review and save](#edit-review-and-create)

### Step 1: Edit assessment details
<a name="edit-specify-details"></a>

Follow these steps to edit the details of your assessment.

**To edit an assessment**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the navigation pane, choose **Assessments**.

1. Select an assessment, and choose **Edit**.

1. Under **Edit assessment details**, edit your assessment details as needed.

1. Choose **Next**.

### Step 2: Edit AWS accounts in scope
<a name="edit-accounts"></a>

In this step, you can change which accounts are included in your assessment. Audit Manager can support up to 200 accounts in the scope of an assessment, and 250 unique member accounts across all assessments.

**To edit AWS accounts in scope**

1. To add an AWS account, select the check box next to the account name. 

1. To remove an AWS account, clear the check box next to the account name.

1. Choose **Next**.

**Note**  
To edit the delegated administrator for Audit Manager, see [Changing a delegated administrator](change-delegated-admin.md).

### Step 3: Edit audit owners
<a name="edit-choose-audit-owners"></a>

In this step, you can change which audit owners are included in your assessment. 

**To edit audit owners**

1. To add an audit owner, select the check box next to the account name. 

1. To remove an audit owner, clear the check box next to the account name.

1. Choose **Next**.

#### Audit owner permissions
<a name="edit-choose-audit-owners-permissions"></a>

The below policy is attached for all the audit owners of an assessment.

Audit Manager replaces the *placeholder text* with your account and resource identifiers before attaching the policy.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "AuditOwner",
            "Effect": "Allow",
            "Principal": {
                "AWS": "Principal for user/role who are the audit owners of the Assessment"
            },
            "Action": [
                "auditmanager:GetAssessment",
                "auditmanager:UpdateAssessment",
                "auditmanager:UpdateAssessmentControlSetStatus",
                "auditmanager:UpdateAssessmentStatus",
                "auditmanager:UpdateAssessmentControl",
                "auditmanager:DeleteAssessment",
                "auditmanager:GetChangeLogs",
                "auditmanager:GetEvidenceFoldersByAssessment",
                "auditmanager:GetEvidenceFoldersByAssessmentControl",
                "auditmanager:BatchImportEvidenceToAssessmentControl",
                "auditmanager:GetEvidenceFolder",
                "auditmanager:GetEvidence",
                "auditmanager:GetEvidenceByEvidenceFolder",
                "auditmanager:BatchCreateDelegationByAssessment",
                "auditmanager:BatchDeleteDelegationByAssessment",
                "auditmanager:AssociateAssessmentReportEvidenceFolder",
                "auditmanager:BatchAssociateAssessmentReportEvidence",
                "auditmanager:BatchDisassociateAssessmentReportEvidence",
                "auditmanager:CreateAssessmentReport",
                "auditmanager:DeleteAssessmentReport",
                "auditmanager:DisassociateAssessmentReportEvidenceFolder",
                "auditmanager:GetAssessmentReportUrl"
            ],
            "Resource": [
                "arn:aws:auditmanager:us-east-1:123456789012:assessment/assessment_ID",
                "arn:aws:auditmanager:us-east-1:123456789012:assessment/assessment_ID/*"
            ]
        }
    ]
}
```

------

### Step 4: Review and save
<a name="edit-review-and-create"></a>

 Review the information for your assessment. To change the information for a step, choose **Edit**. When you're finished, choose **Save changes** to confirm your edits. 

After you complete your edits, the changes to the assessment take effect at 00:00 UTC the following day.

## Next steps
<a name="edit-assessment-next-steps"></a>

When you no longer need to collect evidence for a specific assessment control, you can change the status of that control. For instructions, see [Changing the status of an assessment control in AWS Audit Manager](change-assessment-control-status.md).

When you no longer need to collect evidence for the entire assessment, you can change the assessment status to inactive. For instructions, see [Changing the status of an assessment to inactive in AWS Audit Manager](change-assessment-status-to-inactive.md).

## Additional resources
<a name="edit-assessment-additional-resources"></a>
+ For solutions to assessment issues in Audit Manager, see [Troubleshooting assessment and evidence collection issues](evidence-collection-issues.md).
+ For information about why it's no longer possible to edit services in scope, see [I can't edit the services in scope for my assessment](evidence-collection-issues.md#unable-to-edit-services) in the *Troubleshooting* section of this guide. 

# Adding manual evidence in AWS Audit Manager
<a name="upload-evidence"></a>



Audit Manager can automatically collect evidence for many controls. However, some controls might require evidence that can't be collected automatically. In such cases, you can manually add your own evidence.

Consider the following examples:
+ Some controls relate to the provision of physical records (such as signatures), or events that aren’t generated in the cloud (such as observations and interviews). In these cases, you can manually add files as evidence. For instance, if a control requires information about your organizational structure, you can upload a copy of your company’s org chart as manual evidence.
+ Some controls represent a vendor risk assessment question. A risk assessment question might require documentation as evidence (such as an org chart). Or, it might only need a simple text response (such as a list of job titles). For the latter, you can respond to the question and save your response as manual evidence.

You can also use the manual upload feature to manage evidence from multiple environments. If your company uses a hybrid cloud model or multicloud model, you can upload evidence from your on-premises environment, an environment hosted in the cloud, or your SaaS applications. This enables you to organize your evidence (regardless of where it came from) by storing it within the structure of an Audit Manager assessment, where each piece of evidence is mapped to a specific control.

## Key points
<a name="upload-evidence-key-points"></a>

When it comes to adding manual evidence to your assessments in Audit Manager, you have three methods to choose from. 

1. **Importing a file from Amazon S3 - **This method is ideal when you have evidence files stored in an S3 bucket, such as documentation, reports, or other artifacts that can't be automatically collected by Audit Manager. By importing these files directly from S3, you can seamlessly integrate this manual evidence with the automatically collected evidence.

1. **Uploading a file from your browser** - If you have evidence files locally stored on your computer or network, you can manually upload them to Audit Manager using this method. This approach is particularly useful when you need to include physical records, such as scanned documents or images, that aren't available in digital format within your AWS environment.

1. **Adding free-form text as evidence** - In some cases, the evidence you need to provide is not in the form of a file but rather a text response or explanation. This method allows you to enter free-form text directly into Audit Manager. This can be especially helpful when responding to vendor risk assessment questions.

## Additional resources
<a name="upload-evidence-additional-resources"></a>
+ For instructions on how to add manual evidence to an assessment control, see the following resources. Keep in mind you can only use one method at a time.
  + [Importing manual evidence files from Amazon S3](import-from-s3.md)
  + [Uploading manual evidence files from your browser](upload-from-computer.md)
  + [Entering free-form text responses as manual evidence](enter-text-response.md)
+ To learn which file formats you can use, see [Supported file formats for manual evidence](supported-manual-evidence-files.md).
+ To learn more about the different types of evidence in Audit Manager, see [](concepts.md#evidence) in the *Concepts and terminology* section of this guide. 
+ For troubleshooting assistance, see [I can’t upload manual evidence to a control](control-issues.md#cannot-upload-manual-evidence).

# Importing manual evidence files from Amazon S3
<a name="import-from-s3"></a>



You can manually import evidence files from an Amazon S3 bucket into your assessment. This enables you to supplement the automatically collected evidence with additional supporting materials.

## Prerequisites
<a name="import-from-s3-prerequisites"></a>
+ The maximum supported size for a single manual evidence file is 100 MB.
+ You must use one of the [Supported file formats for manual evidence](supported-manual-evidence-files.md).
+ Each AWS account can manually upload up to 100 evidence files to a control each day. Exceeding this daily quota causes any additional manual uploads to fail for that control. If you need to upload a large amount of manual evidence to a single control, upload your evidence in batches across several days.
+ When a control is *inactive*, you can't add manual evidence to that control. To add manual evidence, you must first [change the control status](https://docs.aws.amazon.com/audit-manager/latest/userguide/change-assessment-control-status.html) to either *under review* or *reviewed*.
+ Make sure your IAM identity has appropriate permissions to manage an assessment in AWS Audit Manager. Two suggested policies that grant these permissions are [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) and [Allow users management access to AWS Audit Manager](security_iam_id-based-policy-examples.md#management-access).

## Procedure
<a name="import-from-s3-procedure"></a>

You can import a file using the Audit Manager console, the Audit Manager API, or the AWS Command Line Interface (AWS CLI).

------
#### [ AWS console ]

**Important**  
We strongly recommend that you never import any sensitive or personally identifiable information (PII) as manual evidence. This includes, but is not limited to, Social Security numbers, addresses, phone numbers, or any other information that could be used to identify an individual. 

**To import a file from S3 on the Audit Manager console**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the left navigation pane, choose **Assessments** and then choose an assessment.

1. Choose the **Controls** tab, scroll down to **Control sets** and then choose a control.

1. On the **Evidence folders** tab, choose **Add manual evidence**, and then choose **Import file from S3**.

1. On the next page, enter the S3 URI of the evidence. You can find the S3 URI by navigating to the object in the [Amazon S3 console](https://console.aws.amazon.com/s3/) and choosing **Copy S3 URI**. 

1. Choose **Upload**.

------
#### [ AWS CLI ]

**Important**  
We strongly recommend that you never import any sensitive or personally identifiable information (PII) as manual evidence. This includes, but is not limited to, Social Security numbers, addresses, phone numbers, or any other information that could be used to identify an individual. 

In the following procedure, replace the *placeholder text* with your own information.

**To import a file from S3 in the AWS CLI**

1. Run the `[list-assessments](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/list-assessments.html)` command to see a list of your assessments. 

   ```
   aws auditmanager list-assessments
   ```

   In the response, find the assessment that you want to upload evidence to and take note of the assessment ID.

1. Run the `[get-assessment](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/get-assessment.html)` command and specify the assessment ID from step one.

   ```
   aws auditmanager get-assessment --assessment-id 1a2b3c4d-5e6f-7g8h-9i0j-0k1l2m3n4o5p
   ```

   In the response, find the control set and the control that you want to upload evidence to, and take note of their IDs.

1. Run the `[batch-import-evidence-to-assessment-control](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/batch-import-evidence-to-assessment-control.html)` command with the following parameters:
   + `--assessment-id` – Use the assessment ID from step one.
   + `--control-set-id` – Use the control set ID from step two.
   + `--control-id` – Use the control ID from step two.
   + `--manual-evidence` – Use `s3ResourcePath` as the manual evidence type and specify the S3 URI of the evidence. You can find the S3 URI by navigating to the object in the [Amazon S3 console](https://console.aws.amazon.com/s3/) and choosing **Copy S3 URI**.

   ```
   aws auditmanager batch-import-evidence-to-assessment-control --assessment-id 1a2b3c4d-5e6f-7g8h-9i0j-0k1l2m3n4o5p --control-set-id ControlSet --control-id a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6 --manual-evidence s3ResourcePath=s3://amzn-s3-demo-bucket/EXAMPLE-FILE.extension
   ```

------
#### [ Audit Manager API ]

**Important**  
We strongly recommend that you never import any sensitive or personally identifiable information (PII) as manual evidence. This includes, but is not limited to, Social Security numbers, addresses, phone numbers, or any other information that could be used to identify an individual. 

**To import a file from S3 using the API**

1. Call the `[ListAssessments](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_ListAssessments.html)` operation to see a list of your assessments. In the response, find the assessment that you want to upload evidence to and take note of the assessment ID.

1. Call the `[GetAssessment](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_GetAssessment.html)` operation and specify the assessment ID from step one. In the response, find the control set and the control that you want to upload evidence to, and take note of their IDs.

1. Call the `[BatchImportEvidenceToAssessmentControl](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_BatchImportEvidenceToAssessmentControl.html)` operation with the following parameters:
   + `[assessmentId](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_BatchImportEvidenceToAssessmentControl.html#auditmanager-BatchImportEvidenceToAssessmentControl-request-assessmentId)` – Use the assessment ID from step one.
   + `[controlSetId](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_BatchImportEvidenceToAssessmentControl.html#auditmanager-BatchImportEvidenceToAssessmentControl-request-controlSetId)` – Use the control set ID from step two.
   + `[controlId](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_BatchImportEvidenceToAssessmentControl.html#auditmanager-BatchImportEvidenceToAssessmentControl-request-controlId)` – Use the control ID from step two.
   + `[manualEvidence](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_BatchImportEvidenceToAssessmentControl.html#auditmanager-BatchImportEvidenceToAssessmentControl-request-manualEvidence)` – Use `s3ResourcePath` as the manual evidence type and specify the S3 URI of the evidence. You can find the S3 URI by navigating to the object in the [Amazon S3 console](https://console.aws.amazon.com/s3/) and choosing **Copy S3 URI**.

For more information, choose any of the links in the previous procedure to read more in the *AWS Audit Manager API Reference*. This includes information about how to use these operations and parameters in one of the language-specific AWS SDKs.

------

## Next steps
<a name="import-from-s3-next-steps"></a>

After you've added and reviewed the evidence for your assessment, you can generate an assessment report. For more information, see [Preparing an assessment report in AWS Audit Manager](generate-assessment-report.md).

## Additional resources
<a name="import-from-s3-additional-resources"></a>

To learn which file formats you can use, see [Supported file formats for manual evidence](supported-manual-evidence-files.md).

# Uploading manual evidence files from your browser
<a name="upload-from-computer"></a>



You can manually upload evidence files from your browser into your Audit Manager assessment. This enables you to supplement the automatically collected evidence with additional supporting materials.

## Prerequisites
<a name="upload-from-computer-prerequisites"></a>
+ The maximum supported size for a single manual evidence file is 100 MB.
+ You must use one of the [Supported file formats for manual evidence](supported-manual-evidence-files.md).
+ Each AWS account can manually upload up to 100 evidence files to a control each day. Exceeding this daily quota causes any additional manual uploads to fail for that control. If you need to upload a large amount of manual evidence to a single control, upload your evidence in batches across several days.
+ When a control is *inactive*, you can't add manual evidence to that control. To add manual evidence, you must first [change the control status](https://docs.aws.amazon.com/audit-manager/latest/userguide/change-assessment-control-status.html) to either *under review* or *reviewed*.
+ Make sure your IAM identity has appropriate permissions to manage an assessment in AWS Audit Manager. Two suggested policies that grant these permissions are [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) and [Allow users management access to AWS Audit Manager](security_iam_id-based-policy-examples.md#management-access).

## Procedure
<a name="upload-from-computer-procedure"></a>

You can upload a file using the Audit Manager console, the Audit Manager API, or the AWS Command Line Interface (AWS CLI).

------
#### [ AWS console ]

**Important**  
We strongly recommend that you never upload any sensitive or personally identifiable information (PII) as manual evidence. This includes, but is not limited to, Social Security numbers, addresses, phone numbers, or any other information that could be used to identify an individual. 

**To upload a file from your browser on the Audit Manager console**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the left navigation pane, choose **Assessments** and then choose an assessment.

1. On the **Controls** tab, scroll down to **Control sets** and then choose a control. 

1. From the **Evidence folders** tab, choose **Add manual evidence**. 

1. Choose **Upload file from browser**. 

1. Choose the file that you want to upload.

1. Choose **Upload**.

------
#### [ AWS CLI ]

**Important**  
We strongly recommend that you never upload any sensitive or personally identifiable information (PII) as manual evidence. This includes, but is not limited to, Social Security numbers, addresses, phone numbers, or any other information that could be used to identify an individual. 

In the following procedure, replace the *placeholder text* with your own information.

**To upload a file from your browser in the AWS CLI**

1. Run the `[list-assessments](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/list-assessments.html)` command to see a list of your assessments. 

   ```
   aws auditmanager list-assessments
   ```

   In the response, find the assessment that you want to upload evidence to and take note of the assessment ID.

1. Run the `[get-assessment](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/get-assessment.html)` command and specify the assessment ID from step one. 

   ```
   aws auditmanager get-assessment --assessment-id 1a2b3c4d-5e6f-7g8h-9i0j-0k1l2m3n4o5p
   ```

   In the response, find the control set and the control that you want to upload evidence to, and take note of their IDs.

1. Run the `[get-evidence-file-upload-url](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/get-evidence-file-upload-url.html)` command and specify the file that you want to upload. 

   ```
   aws auditmanager get-evidence-file-upload-url --file-name fileName.extension
   ```

   In the response, take note of the presigned URL and the `evidenceFileName`.

1. Use the presigned URL from step three to upload the file from your browser. This action uploads your file to Amazon S3, where it's saved as an object that can be attached to an assessment control. In the following step, you'll reference the newly-created object by using the `evidenceFileName` parameter.
**Note**  
When you upload a file using a presigned URL, Audit Manager protects and stores your data by using server side encryption with AWS Key Management Service. To support this, you must use the `x-amz-server-side-encryption` header in your request when you use the presigned URL to upload your file.  
If you're using a customer managed AWS KMS key in your Audit Manager [Configuring your data encryption settings](settings-KMS.md) settings, make sure that you also include the `x-amz-server-side-encryption-aws-kms-key-id` header in your request. If the `x-amz-server-side-encryption-aws-kms-key-id` header isn't present in the request, Amazon S3 assumes that you want to use the AWS managed key.   
For more information, see [Protecting data using server-side encryption with AWS Key Management Service keys (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html) in the *Amazon Simple Storage Service User Guide*.

1. Run the `[batch-import-evidence-to-assessment-control](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/batch-import-evidence-to-assessment-control.html)` command with the following parameters:
   + `--assessment-id` – Use the assessment ID from step one.
   + `--control-set-id` – Use the control set ID from step two.
   + `--control-id` – Use the control ID from step two.
   + `--manual-evidence` – Use `evidenceFileName` as the manual evidence type and specify the evidence file name from step three.

   ```
   aws auditmanager batch-import-evidence-to-assessment-control --assessment-id 1a2b3c4d-5e6f-7g8h-9i0j-0k1l2m3n4o5p --control-set-id ControlSet --control-id a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6 --manual-evidence evidenceFileName=fileName.extension
   ```

------
#### [ Audit Manager API ]

**Important**  
We strongly recommend that you never upload any sensitive or personally identifiable information (PII) as manual evidence. This includes, but is not limited to, Social Security numbers, addresses, phone numbers, or any other information that could be used to identify an individual. 

**To upload a file from your browser using the API**

1. Call the `[ListAssessments](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_ListAssessments.html)` operation. In the response, find the assessment that you want to upload evidence to and take note of the assessment ID.

1. Call the `[GetAssessment](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_GetAssessment.html)` operation and specify the `assessmentId` from step one. In the response, find the control set and the control that you want to upload evidence to, and take note of their IDs.

1. Call the `[GetEvidenceFileUploadUrl](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_GetEvidenceFileUploadUrl.html)` operation and specify the `fileName` that you want to upload. In the response, take note of the presigned URL and the `evidenceFileName`.

1. Use the presigned URL from step three to upload the file from your browser. This action uploads your file to Amazon S3, where it's saved as an object that can be attached to an assessment control. In the following step, you'll reference the newly-created object by using the `evidenceFileName` parameter.
**Note**  
When you upload a file using a presigned URL, Audit Manager protects and stores your data by using server side encryption with AWS Key Management Service. To support this, you must use the `x-amz-server-side-encryption` header in your request when you use the presigned URL to upload your file.  
If you're using a customer managed AWS KMS key in your Audit Manager [Configuring your data encryption settings](settings-KMS.md) settings, make sure that you also include the `x-amz-server-side-encryption-aws-kms-key-id` header in your request. If the `x-amz-server-side-encryption-aws-kms-key-id` header isn't present in the request, Amazon S3 assumes that you want to use the AWS managed key.   
For more information, see [Protecting data using server-side encryption with AWS Key Management Service keys (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html) in the *Amazon Simple Storage Service User Guide*.

1. Call the `[BatchImportEvidenceToAssessmentControl](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_BatchImportEvidenceToAssessmentControl.html)` operation with the following parameters:
   + `[assessmentId](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_BatchImportEvidenceToAssessmentControl.html#auditmanager-BatchImportEvidenceToAssessmentControl-request-assessmentId)` – Use the assessment ID from step one.
   + `[controlSetId](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_BatchImportEvidenceToAssessmentControl.html#auditmanager-BatchImportEvidenceToAssessmentControl-request-controlSetId)` – Use the control set ID from step two.
   + `[controlId](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_BatchImportEvidenceToAssessmentControl.html#auditmanager-BatchImportEvidenceToAssessmentControl-request-controlId)` – Use the control ID from step two.
   + `[manualEvidence](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_BatchImportEvidenceToAssessmentControl.html#auditmanager-BatchImportEvidenceToAssessmentControl-request-manualEvidence)` – Use `evidenceFileName` as the manual evidence type and specify the evidence file name from step three.

For more information, choose any of the links in the previous procedure to read more in the *AWS Audit Manager API Reference*. This includes information about how to use these operations and parameters in one of the language-specific AWS SDKs.

------

## Next steps
<a name="upload-from-computer-next-steps"></a>

After you've collected and reviewed the evidence for your assessment, you can generate an assessment report. For more information, see [Preparing an assessment report in AWS Audit Manager](generate-assessment-report.md).

## Additional resources
<a name="upload-from-computer-additional-resources"></a>

To learn which file formats you can use, see [Supported file formats for manual evidence](supported-manual-evidence-files.md).

# Entering free-form text responses as manual evidence
<a name="enter-text-response"></a>



You can provide additional context and supporting information for an assessment control by entering free-form text and saving that text as evidence. This allows you to manually document details that aren’t captured through automatic evidence collection. 

For example, you can use Audit Manager to create custom controls that represent questions in a vendor risk assessment questionnaire. In this case, the name of each control is a specific question that asks for information about your organization’s security and compliance posture. To record your response to a given vendor risk assessment question, you can enter a text response and save it as manual evidence for the control.

## Prerequisites
<a name="enter-text-response-prerequisites"></a>
+ When a control is *inactive*, you can't add manual evidence to that control. To add manual evidence, you must first [change the control status](https://docs.aws.amazon.com/audit-manager/latest/userguide/change-assessment-control-status.html) to either *under review* or *reviewed*.
+ Make sure your IAM identity has appropriate permissions to manage an assessment in AWS Audit Manager. Two suggested policies that grant these permissions are [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) and [Allow users management access to AWS Audit Manager](security_iam_id-based-policy-examples.md#management-access).

## Procedure
<a name="enter-text-response-procedure"></a>

You can enter text responses using the Audit Manager console, the Audit Manager API, or the AWS Command Line Interface (AWS CLI).

------
#### [ AWS console ]

**Important**  
We strongly recommend that you never enter any sensitive or personally identifiable information (PII) as manual evidence. This includes, but is not limited to, Social Security numbers, addresses, phone numbers, or any other information that could be used to identify an individual. 

**To enter a text response on the Audit Manager console**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the left navigation pane, choose **Assessments** and then choose an assessment.

1. Choose the **Controls** tab, scroll down to **Control sets** and then choose a control. 

1. From the **Evidence folders** tab, choose **Add manual evidence**.

1. Choose **Enter text response**.

1. In the pop-up window that appears, enter your response in plain text format.

1. Choose **Confirm**.

------
#### [ AWS CLI ]

**Important**  
We strongly recommend that you never enter any sensitive or personally identifiable information (PII) as manual evidence. This includes, but is not limited to, Social Security numbers, addresses, phone numbers, or any other information that could be used to identify an individual. 

In the following procedure, replace the *placeholder text* with your own information.

**To enter a text response in the AWS CLI**

1. Run the `[list-assessments](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/list-assessments.html)` command. 

   ```
   aws auditmanager list-assessments
   ```

   In the response, find the assessment that you want to upload evidence to and take note of the assessment ID.

1. Run the `[get-assessment](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/get-assessment.html)` command and specify the assessment ID from step one. 

   ```
   aws auditmanager get-assessment --assessment-id 1a2b3c4d-5e6f-7g8h-9i0j-0k1l2m3n4o5p
   ```

   In the response, find the control set and control that you want to upload evidence to, and take note of their IDs.

1. Run the `[batch-import-evidence-to-assessment-control](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/batch-import-evidence-to-assessment-control.html)` command with the following parameters:
   + `--assessment-id` – Use the assessment ID from step one.
   + `--control-set-id` – Use the control set ID from step two.
   + `--control-id` – Use the control ID from step two.
   + `--manual-evidence` – Use `textResponse` as the manual evidence type and enter the text that you want to save as manual evidence.

   ```
   aws auditmanager batch-import-evidence-to-assessment-control --assessment-id 1a2b3c4d-5e6f-7g8h-9i0j-0k1l2m3n4o5p --control-set-id ControlSet --control-id a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6 --manual-evidence textResponse="enter text here"
   ```

------
#### [ Audit Manager API ]

**Important**  
We strongly recommend that you never enter any sensitive or personally identifiable information (PII) as manual evidence. This includes, but is not limited to, Social Security numbers, addresses, phone numbers, or any other information that could be used to identify an individual. 

**To enter a text response using the API**

1. Call the `[ListAssessments](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_ListAssessments.html)` operation. In the response, find the assessment that you want to upload evidence to and take note of the assessment ID.

1. Call the `[GetAssessment](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_GetAssessment.html)` operation and specify the `assessmentId` from step one. In the response, find the control set and control that you want to upload evidence to, and take note of their IDs.

1. Call the `[BatchImportEvidenceToAssessmentControl](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_BatchImportEvidenceToAssessmentControl.html)` operation with the following parameters:
   + `[assessmentId](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_BatchImportEvidenceToAssessmentControl.html#auditmanager-BatchImportEvidenceToAssessmentControl-request-assessmentId)` – Use the assessment ID from step one.
   + `[controlSetId](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_BatchImportEvidenceToAssessmentControl.html#auditmanager-BatchImportEvidenceToAssessmentControl-request-controlSetId)` – Use the control set ID from step two.
   + `[controlId](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_BatchImportEvidenceToAssessmentControl.html#auditmanager-BatchImportEvidenceToAssessmentControl-request-controlId)` – Use the control ID from step two.
   + `[manualEvidence](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_BatchImportEvidenceToAssessmentControl.html#auditmanager-BatchImportEvidenceToAssessmentControl-request-manualEvidence)` – Use `textResponse` as the manual evidence type and enter the text that you want to save as manual evidence.

For more information, choose any of the links in the previous procedure to read more in the *AWS Audit Manager API Reference*. This includes information about how to use these operations and parameters in one of the language-specific AWS SDKs.

------

## Next steps
<a name="enter-text-response-next-steps"></a>

After you've collected and reviewed the evidence for your assessment, you can generate an assessment report. For more information, see [Preparing an assessment report in AWS Audit Manager](generate-assessment-report.md).

# Supported file formats for manual evidence
<a name="supported-manual-evidence-files"></a>



The following table lists and describes the types of file that you can upload as manual evidence. For each file type, the table also lists the supported file extensions.


| File type | Description | Supported file extensions | 
| --- | --- | --- | 
|  Compression or archive  |  GNU Zip compressed archives and ZIP compressed archives  |  `.gz`, `.zip`  | 
|  Document  |  Common document files such as PDFs and Microsoft Office files  |  `.doc`, `.docx`, `.pdf`, `.ppt`, `.pptx`, `.xls`, `.xlsx`  | 
|  Image  |  Image and graphic files  |  `.jpeg`, `.jpg`, `.png`, `.svg`  | 
|  Text  |  Other non-binary text files, such as plain-text documents and markup language files  |  `.cer`, `.csv`, `.html`, `.jmx`, `.json`, `.md`, `.out`, `.rtf`, `.txt`, `.xml`, `.yaml`, `.yml`  | 

## Additional resources
<a name="supported-manual-evidence-files-additional-resources"></a>

Review the following pages to learn about the different ways that you can add your own evidence to an assessment control.
+ [Importing manual evidence files from Amazon S3](import-from-s3.md)
+ [Uploading manual evidence files from your browser](upload-from-computer.md)
+ [Entering free-form text responses as manual evidence](enter-text-response.md)

# Preparing an assessment report in AWS Audit Manager
<a name="generate-assessment-report"></a>



After you've collected and reviewed the evidence for your assessment, you can generate an assessment report. An assessment report summarizes your assessment and provides links to an organized set of folders that contain the related evidence. 

## Key points
<a name="generate-assessment-report-key-points"></a>

Newly-collected evidence doesn't automatically appear in an assessment report. This means that you can control which evidence you want to include in the report. After you select the evidence that you want to include, you can generate the final assessment report to share with your auditors. 

When you generate an assessment report, it's placed into the S3 bucket that you chose as your assessment report destination. You can also download the assessment report from the download center in Audit Manager.

## Additional resources
<a name="generate-assessment-report-additional-resources"></a>

For more information about assessment reports and how to manage them, see the following resources.
+ [Adding evidence to an assessment report](generate-assessment-report-include-evidence.md)
+ [Removing evidence from an assessment report](generate-assessment-report-remove-evidence.md)
+ [Generating an assessment report](generate-assessment-report-generation-steps.md)
+ [Downloading an assessment report](https://docs.aws.amazon.com/audit-manager/latest/userguide/download-center.html#download-a-file)
+ [Navigating an assessment report and exploring its contents](https://docs.aws.amazon.com/audit-manager/latest/userguide/assessment-reports.html)
+ [Validating an assessment report](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_ValidateAssessmentReportIntegrity.html)
+ [Deleting an assessment report](https://docs.aws.amazon.com/audit-manager/latest/userguide/download-center.html#delete-assessment-report-steps)
+ [Generating assessment reports from your evidence finder search results](https://docs.aws.amazon.com/audit-manager/latest/userguide/exporting-search-results-from-evidence-finder.html#generate-one-time-report-from-search-results)
+ [Configuring your default assessment report destination](settings-destination.md)
+ [Troubleshooting assessment report issues](assessment-report-issues.md)

# Adding evidence to an assessment report
<a name="generate-assessment-report-include-evidence"></a>



Before you can generate an assessment report, you must add at least one piece of evidence to your assessment report. You can either add an entire evidence folder, or you can add specific evidence items from within a folder. 

## Procedure
<a name="generate-assessment-report-include-evidence-procedure"></a>

To include evidence in an assessment report, follow these steps.

**To add evidence to an assessment report**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the navigation pane, choose **Assessments** and then choose an assessment.

1. On the **Controls** tab, scroll down to the **Control sets** table and choose a control with evidence that you want to include in the assessment report.

1. Choose how you want to add evidence to your assessment report.

   1.  To add an entire evidence folder, scroll down to **Evidence folders**, select the folder that you want to add, and then choose **Add to assessment report**. 
**Tip**  
If you can't see the folder that you're looking for, change the dropdown filter to **All time**. Otherwise, you'll see the last seven days of folders by default.   
If **Add to assessment report** is greyed out, the evidence folder was already added to the assessment report.

   1. To add specific evidence, choose an evidence folder to open its contents. Select one or more items from the list, and then choose **Add to assessment report**. 
**Tip**  
If **Add to assessment report** is greyed out, make sure that you selected the check box next to the evidence, and then try again.

1. After you add the evidence to the assessment report, a green success banner appears. Choose **View evidence in assessment report** to see the evidence that will be included in your assessment report.
   + Alternatively, you can see the evidence that will be included in your assessment report by navigating back to your assessment and choosing the **Assessment report selection** tab.

## Next steps
<a name="generate-assessment-report-include-evidence-next-steps"></a>

If you need to remove evidence from an assessment report, see [Removing evidence from an assessment report](generate-assessment-report-remove-evidence.md).

When you're ready to generate an assessment report, see [Generating an assessment report](generate-assessment-report-generation-steps.md).

## Additional resources
<a name="generate-assessment-report-include-evidence-additional-resources"></a>

To find answers to common questions and issues, see [Troubleshooting assessment report issues](assessment-report-issues.md) in the *Troubleshooting* section of this guide.

# Removing evidence from an assessment report
<a name="generate-assessment-report-remove-evidence"></a>



If you need to remove evidence from an assessment report, follow these steps. You can either remove an entire evidence folder, or you can remove specific evidence items from within a folder. 

## Procedure
<a name="generate-assessment-report-remove-evidence-procedure"></a>

**To remove evidence from an assessment report**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the navigation pane, choose **Assessments** and then choose the name of the assessment to open it.

1. On the **Controls** tab, scroll down to the **Control sets** table and choose the name of a control to open it.

1. Choose how you want to remove evidence from your assessment report.

   1. To remove an entire evidence folder, scroll down to **Evidence folders**, select the folder that you want to remove, and then choose **Remove from assessment report**. 
**Tip**  
If you can't see the folder that you're looking for, change the dropdown filter to **All time**. Otherwise, you'll see the last seven days of folders by default.   
If **Remove from assessment report** is greyed out, the evidence folder was already removed from the assessment report.

   1. To remove specific evidence, choose an evidence folder to open its contents. Select one or more items from the list, and then choose **Remove from assessment report**. 
**Tip**  
If **Remove from assessment report** is greyed out, make sure that you selected the check box next to the evidence, and then try again.

1. After you add the evidence to the assessment report, a green success banner appears. Choose **View evidence in assessment report** to see the evidence that will be included in your assessment report.
   + Alternatively, you can see the evidence that will be included in your assessment report by navigating back to your assessment and choosing the **Assessment report selection** tab.

## Next steps
<a name="generate-assessment-report-remove-evidence-next-steps"></a>

When you're ready to generate an assessment report, see [Generating an assessment report](generate-assessment-report-generation-steps.md).

## Additional resources
<a name="generate-assessment-report-remove-evidence-additional-resources"></a>

To find answers to common questions and issues, see [Troubleshooting assessment report issues](assessment-report-issues.md) in the *Troubleshooting* section of this guide.

# Generating an assessment report
<a name="generate-assessment-report-generation-steps"></a>



When you're ready to generate your assessment report, follow these steps.

## Prerequisites
<a name="generate-assessment-report-generation-steps-prerequisite"></a>

Before you can generate an assessment report, you must add at least one piece of evidence to your assessment report. You can either add an entire evidence folder, or you can add individual evidence items from within a folder. 

To ensure that your assessment report is generated successfully, review our [Configuration tips for your assessment report destination](settings-destination.md#settings-assessment-report-destination-tips).

## Procedure
<a name="generate-assessment-report-generation-steps-procedure"></a>

**To generate an assessment report**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the left navigation pane, choose **Assessments**.

1. Choose the name of the assessment that you want to generate an assessment report for. 

1. Choose the **Assessment report selection** tab, and then choose **Generate assessment report**. 
**Tip**  
If **Generate assessment report** is greyed out, this means that no evidence was added to the assessment report yet.

1. In the pop-up window, provide a name and description for the assessment report, and review the assessment report details. 

1. Choose **Generate assessment report** and wait a few minutes while your assessment report is generated. 

1. Find and download your assessment report from the **Download center** page of the Audit Manager console.
   + Alternatively, you can go to your assessment report destination S3 bucket and download the assessment report from there. 

## Next steps
<a name="generate-assessment-report-generation-steps-next-steps"></a>

After you generate an assessment report, you can learn more about the following:
+ **Find and download your assessment report** – Learn how to download your assessment report [from the download center](https://docs.aws.amazon.com/audit-manager/latest/userguide/download-center.html#download-a-file) or [from Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/download-objects.html).
+ **Explore your assessment report** – Learn how to [navigate an assessment report and explore its contents](https://docs.aws.amazon.com/audit-manager/latest/userguide/assessment-reports.html).
+ **Validate your assessment report** – Learn how to use the [ValidateAssessmentReportIntegrity](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_ValidateAssessmentReportIntegrity.html) API operation to validate your assessment report.
+ **Delete an unwanted assessment report** – Learn how to delete an unwanted report [from the download center](https://docs.aws.amazon.com/audit-manager/latest/userguide/download-center.html#delete-assessment-report-steps) or [from Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/DeletingObjects.html).
+ **Generate assessment reports from evidence finder** – Learn how to [generate assessment reports from your evidence finder search results](https://docs.aws.amazon.com/audit-manager/latest/userguide/viewing-search-results-in-evidence-finder.html#generate-one-time-report-from-search-results). 

## Additional resources
<a name="generate-assessment-report-generation-steps-additional-resources"></a>

To find answers to common questions and issues, see [Troubleshooting assessment report issues](assessment-report-issues.md) in the *Troubleshooting* section of this guide.

# Changing the status of an assessment control in AWS Audit Manager
<a name="change-assessment-control-status"></a>

You can change the status of an assessment control within your active assessment. Updating a control's status enables you to track its progress and indicate when you have reviewed it, keeping your assessment organized and up-to-date. 

## Prerequisites
<a name="change-assessment-control-status-prerequisites"></a>

The following procedure assumes that you have previously created an assessment, and its current status is active.

Make sure your IAM identity has appropriate permissions to manage an assessment in AWS Audit Manager. Two suggested policies that grant these permissions are [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) and [Allow users management access to AWS Audit Manager](security_iam_id-based-policy-examples.md#management-access).

## Procedure
<a name="change-assessment-control-status-procedure"></a>

You can update an assessment control status using the Audit Manager console, the Audit Manager API, or the AWS Command Line Interface (AWS CLI).

**Note**  
Changing a control status to *Reviewed* is final. After you set the status of a control to *Reviewed*, you can no longer change the status of that control or revert to a previous status. 

------
#### [ Audit Manager console ]

**To change an assessment control status on the Audit Manager console**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the navigation pane, choose **Assessments**.

1. Choose the name of the assessment to open it.

1. From the assessment page, choose the **Controls** tab, scroll down to the **Control sets** table, and then choose the name of a control to open it.

1. Choose **Update control status** at the top right of the page, and then choose a status:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/change-assessment-control-status.html)

1. Choose **Update control status** to confirm your choice.

------
#### [ AWS CLI ]

**To change an assessment control status in the AWS CLI**

1. Run the [list-assessments](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/list-assessments.html) command.

   ```
    aws auditmanager list-assessments
   ```

   The response returns a list of assessments. Find the assessment that contains the control that you want to update, and take note of the assessment ID.

1. Run the [get-assessment](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/get-assessment.html) command and specify the assessment ID from step 1.

   In the following example, replace the *placeholder text* with your own information.

   ```
    aws auditmanager get-assessment --assessment-id 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4e5f6g
   ```

   In the response, find the control that you want to update and take note of the control ID and its control set ID.

1. Run the [update-assessment-control](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/update-assessment-control.html) command and specify the following parameters: 
   + `--assessment-id` – The assessment that the control belongs to.
   + `--control-set-id` – The control set that the control belongs to.
   + `--control-id` – The control that you want to update.
   + `--control-status` – Set this value to `UNDER_REVIEW`, `REVIEWED`, or `INACTIVE`.

   In the following example, replace the *placeholder text* with your own information.

   ```
   aws auditmanager update-assessment-control --assessment-id 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4e5f6g --control-set-id "My control set" --control-id 2b3c4d5e-2b3c-2b3c-2b3c-2b3c4d5f6g7h --control-status REVIEWED
   ```

------
#### [ Audit Manager API ]

**To change an assessment control status using the API**

1. Use the [ListAssessments](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_ListAssessments.html) operation. 

   In the response, find the assessment that contains the control that you want to update, and take note of the assessment ID.

1. Use the [GetAssessment](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_GetAssessment.html) operation and specify the assessment ID from step 1.

   In the response, find the control that you want to update and take note of the control ID and its control set ID.

1. Use the [UpdateAssessmentControl](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/update-assessment-control.html) operation and specify the following parameters: 
   + `[assessmentId](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateAssessmentControl.html#auditmanager-UpdateAssessmentControl-request-assessmentId)` – The assessment that the control belongs to.
   + `[controlSetId](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateAssessmentControl.html#auditmanager-UpdateAssessmentControl-request-controlSetId)` – The control set that the control belongs to.
   + `[controlId](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateAssessmentControl.html#auditmanager-UpdateAssessmentControl-request-controlId)` –The control that you want to update.
   + `[controlStatus](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateAssessmentControl.html#auditmanager-UpdateAssessmentControl-request-controlStatus)` – Set this value to `UNDER_REVIEW`, `REVIEWED`, or `INACTIVE`.

For more information about these API operations, choose any of the links in the previous procedure to read more in the *AWS Audit Manager API Reference*. This includes information about how to use these operations and parameters in one of the language-specific AWS SDKs.

------

## Next steps
<a name="change-assessment-control-status-next-steps"></a>

When you're ready to change the status of the assessment, see [Changing the status of an assessment to inactive in AWS Audit Manager](change-assessment-status-to-inactive.md).

# Changing the status of an assessment to inactive in AWS Audit Manager
<a name="change-assessment-status-to-inactive"></a>



When you no longer need to collect evidence for an assessment, you can change the assessment status to *Inactive*. When the status of an assessment changes to inactive, the assessment stops collecting evidence. As a result, you no longer incur any charges for that assessment.

In addition to stopping evidence collection, Audit Manager makes the following changes to the controls that are within the inactive assessment:
+ All control sets change to *Reviewed* status.
+ All controls that are *Under review* change to *Reviewed* status.
+ Delegates for the inactive assessment can no longer view or edit its controls and control sets.

## Prerequisites
<a name="change-assessment-status-to-inactive-prerequisites"></a>

The following procedure assumes that you have previously created an assessment, and its current status is active.

Make sure your IAM identity has appropriate permissions to manage an assessment in AWS Audit Manager. Two suggested policies that grant these permissions are [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) and [Allow users management access to AWS Audit Manager](security_iam_id-based-policy-examples.md#management-access).

## Procedure
<a name="change-assessment-status-to-inactive-procedure"></a>

You can update an assessment status using the Audit Manager console, the Audit Manager API, or the AWS Command Line Interface (AWS CLI).

**Warning**  
This action is irreversible. We recommend that you proceed with caution and make sure that you want to mark your assessment as inactive. When an assessment is inactive, you have read-only access to its contents. This means that you can still review previously collected evidence and generate assessment reports. However, you can’t edit the inactive assessment, add comments, or upload any manual evidence.

------
#### [ Audit Manager console ]

**To change an assessment status to inactive on the Audit Manager console**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the navigation pane, choose **Assessments**.

1. Choose the name of the assessment to open it.

1. On the upper-right corner of the page, choose **Update assessment status**, and then choose **Inactive**.

1. Choose **Update status** in the pop-up window to confirm that you want to change the status to inactive. 

The changes to the assessment and its controls take effect after approximately one minute.

------
#### [ AWS CLI ]

**To change an assessment status to inactive in the AWS CLI**

1. First, identify the assessment that you want to update. To do this, run the [list-assessments](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/list-assessments.html) command.

   ```
    aws auditmanager list-assessments
   ```

   The response returns a list of assessments. Find the assessment that you want to deactivate, and take note of the assessment ID.

1. Next, run the [update-assessment-status](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/update-assessment-status.html) command and specify the following parameters: 
   + `--assessment-id` – Use this parameter to specify the assessment that you want to deactivate.
   + `--status` – Set this value to `INACTIVE`.

   In the following example, replace the *placeholder text* with your own information.

   ```
   aws auditmanager update-assessment-status --assessment-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 --status INACTIVE
   ```

The changes to the assessment and its controls take effect after approximately one minute.

------
#### [ Audit Manager API ]

**To change an assessment status to inactive using the API**

1. Use the [ListAssessments](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_ListAssessments.html) operation to find the assessment that you want to deactivate, and take note of the assessment ID.

1. Use the [UpdateAssessmentStatus](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateAssessmentStatus.html) operation and specify the following parameters: 
   + [assessmentId](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateAssessmentStatus.html#auditmanager-UpdateAssessmentStatus-request-assessmentId) – Use this parameter to specify the assessment that you want to deactivate.
   + [status](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateAssessmentStatus.html#auditmanager-UpdateAssessmentStatus-request-status) – Set this value to `INACTIVE`.

The changes to the assessment and its controls take effect after approximately one minute.

For more information about these API operations, choose any of the links in the previous procedure to read more in the *AWS Audit Manager API Reference*. This includes information about how to use these operations and parameters in one of the language-specific AWS SDKs.

------

## Next steps
<a name="change-assessment-status-to-inactive-next-steps"></a>

When you're certain that you no longer need your inactive assessment, you can clean up your Audit Manager environment by deleting the assessment. For instructions, see [Deleting an assessment in AWS Audit Manager](delete-assessment.md).

# Deleting an assessment in AWS Audit Manager
<a name="delete-assessment"></a>



When you no longer need an assessment, you can delete it from your Audit Manager environment. This enables you to clean up your workspace and focus on the assessments that are relevant to your current tasks and priorities. 

**Tip**  
If your goal is to reduce costs, consider [changing the assessment status to inactive](https://docs.aws.amazon.com/audit-manager/latest/userguide/change-assessment-status-to-inactive.html) instead of deleting it. This action stops evidence collection, and places your assessment in a read-only state where you can review the evidence that was previously collected. Inactive assessments don’t incur any charges.

## Prerequisites
<a name="delete-assessment-prerequisites"></a>

The following procedure assumes that you have previously created an assessment.

Make sure your IAM identity has appropriate permissions to delete an assessment in AWS Audit Manager. Two suggested policies that grant these permissions are [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) and [Allow users management access to AWS Audit Manager](security_iam_id-based-policy-examples.md#management-access).

## Procedure
<a name="delete-assessment-procedure"></a>

You can delete assessments using the Audit Manager console, the Audit Manager API or the AWS Command Line Interface (AWS CLI).

**Warning**  
This action permanently deletes your assessment and all of the evidence that it collected. You cannot recover this data. As a result, we recommend that you proceed with caution and make sure that you want to delete your assessment. 

------
#### [ Audit Manager console ]

**To delete an assessment on the Audit Manager console**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the navigation pane, choose **Assessments**.

1. Select the assessment that you want to delete, and choose **Delete**.

------
#### [ AWS CLI ]

**To delete an assessment in the AWS CLI**

1. First, identify the assessment that you want to delete. To do this, run the [list-assessments](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/list-assessments.html) command.

   ```
    aws auditmanager list-assessments
   ```

   The response returns a list of assessments. Find the assessment that you want to delete, and take note of the assessment ID.

1. Next, use the [delete-assessment](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/auditmanager/delete-assessment.html) command and specify the `--assessment-id` of the assessment that you want to delete.

   In the following example, replace the *placeholder text* with your own information.

   ```
   aws auditmanager delete-assessment --assessment-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
   ```

------
#### [ Audit Manager API ]

**To delete an assessment using the API**

1. Use the [ListAssessments](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_ListAssessments.html) operation to find the assessment that you want to delete. 

   In the response, take note of the assessment ID.

1. Use the [DeleteAssessment](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_DeleteAssessment.html) operation and specify the [assessmentId](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_DeleteAssessment.html#auditmanager-DeleteAssessment-request-assessmentId) of the assessment that you want to delete.

For more information about these API operations, choose any of the previous links to read more in the *AWS Audit Manager API Reference*. This includes information about how to use these operations and parameters in one of the language-specific AWS SDKs.

------

## Additional resources
<a name="delete-assessment-additional-resources"></a>

For information about data retention in Audit Manager, see [Deletion of Audit Manager data](data-protection.md#data-deletion-and-retention).