AWS Audit Manager will no longer be open to new customers starting April 30, 2026. If you would like to use Audit Manager, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS Audit Manager availability change](https://docs.aws.amazon.com/audit-manager/latest/userguide/audit-manager-availability-change.html). # Changing how often a control collects evidence Changing evidence collection frequency AWS Audit Manager can collect evidence from various data sources. The frequency of evidence collection depends on the type of data source that the control uses. The following sections provide more information about the evidence collection frequency for each control data source type, and how to change it (if applicable). **Topics** + [ ## Key points ](#change-evidence-collection-frequency-key-points) + [Configuration snapshots from API calls](#change-evidence-collection-frequency-api-calls) + [Compliance checks from AWS Config](#change-evidence-collection-frequency-config) + [Compliance checks from Security Hub CSPM](#change-evidence-collection-frequency-security-hub) + [User activity logs from AWS CloudTrail](#change-evidence-collection-frequency-cloudtrail) ## Key points + For **AWS API calls**, Audit Manager collects evidence using a describe API call to another AWS service. You can specify the evidence collection frequency directly in Audit Manager (for custom controls only). + For **AWS Config**, Audit Manager reports the result of a compliance check directly from AWS Config. The frequency follows the triggers that are defined in the AWS Config rule. + For **AWS Security Hub CSPM**, Audit Manager reports the result of a compliance check directly from Security Hub CSPM. The frequency follows the schedule of the Security Hub CSPM check. + For **AWS CloudTrail**, Audit Manager collects evidence continuously from CloudTrail. You can’t change the frequency for this evidence type. ## Configuration snapshots from AWS API calls Configuration snapshots from API calls **Note** The following applies only to custom controls. You can't change the evidence collection frequency for a standard control. If a custom control uses AWS API calls as a data source type, you can change the evidence collection frequency in Audit Manager by following these steps. **To change the evidence collection frequency for a custom control with an API call data source** 1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home). 1. In the navigation pane, choose **Control library**, and then choose the **Custom** tab. 1. Choose the custom control that you want to edit, and then choose **Edit**. 1. On the **Edit control details** page, choose **Next**. 1. Under **Customer managed sources**, look for the API call data source that you want to update. 1. Select the data source from the table, then choose **Remove**. 1. Choose **Add**. 1. Choose **AWS API calls**. 1. Choose the same API call that you removed in step 5, and then select your preferred evidence collection frequency. 1. Under **Data source name**, provide a descriptive name. 1. (Optional) Under **Additional details**, enter a data source description and a troubleshooting description. 1. Choose **Next**. 1. On the **Edit an action plan** page, choose **Next**. 1. On the **Review and update** page, review the information for the custom control. To change the information for a step, choose **Edit**. 1. When you're finished, choose **Save changes**. After you edit a control, the changes take effect at 00:00 UTC the following day in all active assessments that include the control. ## Compliance checks from AWS Config Compliance checks from AWS Config **Note** The following applies to both standard controls and custom controls that use AWS Config Rules as a data source. If a control uses AWS Config as a data source type, you can’t change the evidence collection frequency directly in Audit Manager. This is because the frequency follows the triggers that are defined in the AWS Config rule. There are two types of triggers for AWS Config Rules: 1. **Configuration changes** - AWS Config runs evaluations for the rule when certain types of resources are created, changed, or deleted. 1. **Periodic** - AWS Config runs evaluations for the rule at a frequency that you choose (for example, every 24 hours). To learn more about the triggers for AWS Config Rules, see [Trigger types](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html#aws-config-rules-trigger-types) in the *AWS Config Developer Guide*. For instructions on how to manage AWS Config Rules, see [Managing your AWS Config rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_manage-rules.html). ## Compliance checks from Security Hub CSPM Compliance checks from Security Hub CSPM **Note** The following applies to both standard controls and custom controls that use Security Hub CSPM checks as a data source. If a control uses Security Hub CSPM as a data source type, you can’t change the evidence collection frequency directly in Audit Manager. This is because the frequency follows the schedule of the Security Hub CSPM checks. + **Periodic checks** run automatically within 12 hours after the most recent run. You cannot change the periodicity. + **Change-triggered checks** run when the associated resource changes state. Even if the resource doesn't change state, the updated at time for change-triggered checks is refreshed every 18 hours. This helps to indicate that the control is still enabled. In general, Security Hub CSPM uses change-triggered rules whenever possible. To learn more, see [Schedule for running security checks](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-schedule.html) in the *AWS Security Hub CSPM User Guide*. ## User activity logs from AWS CloudTrail User activity logs from AWS CloudTrail **Note** The following applies to both standard controls and custom controls that use AWS CloudTrail user activity logs as a data source. You can’t change the evidence collection frequency for controls that use activity logs from CloudTrail as a data source type. Audit Manager collects this evidence type from CloudTrail in a continuous manner. The frequency is continuous because user activity can happen at any time of the day.