AWS Audit Manager will no longer be open to new customers starting April 30, 2026. If you would like to use Audit Manager, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS Audit Manager availability change](https://docs.aws.amazon.com/audit-manager/latest/userguide/audit-manager-availability-change.html). 

# Making an editable copy of a control in AWS Audit Manager
<a name="customize-control-from-existing"></a>



Instead of creating a custom control from scratch, you can use an existing standard control or custom control as a starting point and make an editable copy that meets your needs. When you do this, the existing standard control remains in the control library, and a new control is created with your custom settings.

## Prerequisites
<a name="from-existing-prerequisites"></a>

Make sure your IAM identity has appropriate permissions to create a custom framework in AWS Audit Manager. Two suggested policies that grant these permissions are [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) and [Allow users management access to AWS Audit Manager](security_iam_id-based-policy-examples.md#management-access).

To successfully collect evidence from AWS Config and Security Hub CSPM, make sure that you do the following:
+ [Enable AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html), then apply the [required settings for using AWS Config with Audit Manager](https://docs.aws.amazon.com/audit-manager/latest/userguide/setup-recommendations.html#setup-recommendations-services).
+ [Enable Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html), then apply the [required settings for using Security Hub CSPM with Audit Manager](https://docs.aws.amazon.com/audit-manager/latest/userguide/setup-recommendations.html#set-up-securityhub).

 Audit Manager can then collect evidence each time an evaluation occurs for a given AWS Config rule or Security Hub CSPM control. 

## Procedure
<a name="customize-control-from-existing-procedure"></a>

**Topics**
+ [Step 1: Specify control details](#from-existing-step-1)
+ [Step 2: Specify evidence sources](#from-existing-step-2)
+ [Step 3: (Optional): Define an action plan](#from-existing-step-3)
+ [Step 4: Review and create the control](#from-existing-step-4)

### Step 1: Specify control details
<a name="from-existing-step-1"></a>

The control details are inherited from the original control. Review and modify these details as needed.

**Important**  
We strongly recommend that you never put sensitive identifying information into free-form fields such as **Control details** or **Testing information**. If you create custom controls that contain sensitive information, you can’t share any of your custom frameworks that contain these controls.

**To specify control details**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the navigation pane, choose **Control library**.

1. Select the standard control or custom control that you want to make changes to, and then choose **Make a copy**. 

1. Specify the new name of the control, and choose **Continue**. 

1. Under **Control details**, customize the control details as needed.

1. Under **Testing information**, make changes to the instructions as needed.

1. Under **Tags**, customize the tags as needed. 

1. Choose **Next**.

### Step 2: Specify evidence sources
<a name="from-existing-step-2"></a>

Evidence sources are inherited from the original control. You can change, add, or remove evidence sources as needed.

#### To specify an AWS managed source (recommended)
<a name="customize-using-aws-managed-evidence-sources"></a>

**Tip**  
We recommend that you start by choosing one or more common controls. If you have more fine-grained compliance requirements, you can also choose one or more specific core controls.

**To specify an AWS managed source**

1. Under **AWS managed sources**, review the current selections and make changes as needed.

1. To add a common control, follow these steps:

   1. Select **Use a common control that matches your compliance goal**.

   1. Choose a common control from the dropdown list.

   1. (Optional) Repeat step 2 as needed. You can add up to five common controls.

1. To remove a common control, choose the **X** next to the control name.

1. To add a core control, follow these steps: 

   1. Select **Use a core control that matches a prescriptive AWS guideline**.

   1. Choose a common control from the dropdown list.

   1. (Optional) Repeat step 4 as needed. You can add up to 50 core controls.

1. To remove a core control, choose the **X** next to the control name.

1. To edit customer managed data sources, use the following procedure. Otherwise, choose **Next**.

#### To specify a customer managed source
<a name="customize-using-customer-managed-data-sources"></a>

To collect automated evidence from a data source, you must choose a data source type and a data source mapping. These details map to your AWS usage, and tell Audit Manager where to collect the evidence from. If you want to provide your own evidence, you’ll choose a manual data source instead.

**Note**  
You're responsible for maintaining the data source mappings that you create in this step.

**To specify a customer managed source**

1. Under **Customer managed sources**, review the current data sources and make changes as needed.

1. To remove a data source, select a data source from the table and choose **Remove**.

1. To add a new data source, follow these steps:

   1. Select **Use a data source to collect manual or automated evidence**.

   1. Choose **Add**.

   1. Choose one of the following options:
      + Choose **AWS API calls**, then choose an API call and an evidence collection frequency.
      + Choose **AWS CloudTrail event**, then choose an event name.
      + Choose **AWS Config managed rule**, then choose a rule identifier.
      + Choose **AWS Config custom rule**, then choose a rule identifier.
      + Choose **AWS Security Hub CSPM control**, then choose a Security Hub CSPM control.
      + Choose **Manual data source**, then choose an option:
        + **File upload** – Use this option if the control requires documentation as evidence.
        + **Text response** – Use this option if the control requires an answer to a risk assessment question. 
**Tip**  
For information about automated data source types and troubleshooting tips, see [Supported data source types for automated evidence](control-data-sources.md).  
If you need to validate your data source setup with an expert, choose **Manual data source** for now. That way, you can create the control and add it to a framework now, and then [edit the control](https://docs.aws.amazon.com/audit-manager/latest/userguide/edit-controls.html) as needed later.

   1. Under **Data source name**, provide a descriptive name.

   1. (Optional) Under **Additional details**, enter a data source description and a troubleshooting description.

   1. Choose **Add data source**.

   1. (Optional) To add another data source, choose **Add** and repeat step 3. You can add up to 100 data sources.

1. When you're finished, choose **Next**.

### Step 3: (Optional): Define an action plan
<a name="from-existing-step-3"></a>

The action plan is inherited from the original control. You can edit this action plan as needed.

**Important**  
We strongly recommend that you never put sensitive identifying information into free-form fields such as **Action plan**. If you create custom controls that contain sensitive information, you can’t share any of your custom frameworks that contain these controls.

**To specify instructions**

1. Under **Title**, review the title and make changes as needed.

1. Under **Instructions**, review the instructions and make changes as needed.

1. Choose **Next**.

### Step 4: Review and create the control
<a name="from-existing-step-4"></a>

Review the information for the control. To change the information for a step, choose **Edit**. When you're finished, choose **Create custom control**.

## Next steps
<a name="from-existing-whatnow"></a>

After you create a new custom control, you can add it to a custom framework. To learn more, see [Creating a custom framework in AWS Audit Manager](custom-frameworks.md) or [Editing a custom framework in AWS Audit Manager](edit-custom-frameworks.md). 

After you add a custom control to a custom framework, you can create an assessment and start collecting evidence. To learn more, see [Creating an assessment in AWS Audit Manager](create-assessments.md).

To revisit your custom control at a later date, see [Finding the available controls in AWS Audit Manager](access-available-controls.md). You can follow these steps to locate your custom control so that you can view, edit, or delete it.

## Additional resources
<a name="customize-control-from-existing-additional-resources"></a>

For solutions to control issues in Audit Manager, see [Troubleshooting control and control set issues](control-issues.md).