

AWS Audit Manager will no longer be open to new customers starting April 30, 2026. If you would like to use Audit Manager, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS Audit Manager availability change](https://docs.aws.amazon.com/audit-manager/latest/userguide/audit-manager-availability-change.html). 

# Troubleshooting common issues in AWS Audit Manager



As you use AWS Audit Manager, you might encounter certain issues or challenges that require troubleshooting. Whether you're facing challenges with setting up assessments, collecting evidence, or any other aspect of the service, you can use this troubleshooting guide to find our recommendations that help you resolve common problems quickly and efficiently.

We encourage you to review the list of topics below, find the one that best matches your scenario, and follow the provided guidance to get back on track. By following the provided troubleshooting steps, you can likely resolve the issue independently and continue leveraging the full capabilities of Audit Manager. However, if your specific issue isn't covered here, or you're unable to resolve it after following the recommended steps, we recommend that you contact [Support](https://aws.amazon.com/contact-us) for further assistance.

**Topics**
+ [Troubleshooting assessment and evidence collection issues](evidence-collection-issues.md)
+ [Troubleshooting assessment report issues](assessment-report-issues.md)
+ [Troubleshooting control and control set issues](control-issues.md)
+ [Troubleshooting dashboard issues](dashboard-issues.md)
+ [Troubleshooting delegated administrator and AWS Organizations issues](delegated-admin-issues.md)
+ [Troubleshooting evidence finder issues](evidence-finder-issues.md)
+ [Troubleshooting framework issues](framework-issues.md)
+ [Troubleshooting notification issues](notification-issues.md)
+ [Troubleshooting permission and access issues](permissions-issues.md)

# Troubleshooting assessment and evidence collection issues



You can use the information on this page to resolve common assessment and evidence collection issues in Audit Manager.

**Evidence collection issues**
+ [I created an assessment but I can’t see any evidence yet](#no-evidence-yet)
+ [My assessment isn’t collecting compliance check evidence from AWS Security Hub CSPM](#no-evidence-from-security-hub)
+ [My assessment isn’t collecting compliance check evidence from AWS Config](#no-evidence-from-config)
+ [My assessment isn’t collecting user activity evidence from AWS CloudTrail](#no-evidence-from-cloudtrail)
+ [My assessment isn’t collecting configuration data evidence for an AWS API call](#no-evidence-from-aws-api-calls)
+ [A common control isn’t collecting any automated evidence](#manual-common-control)
+ [My evidence is generated at different intervals, and I'm not sure how often it’s being collected](#evidence-collection-frequency)
+ [I disabled and then re-enabled Audit Manager, and now my pre-existing assessments are no longer collecting evidence](#no-evidence-from-preexisting-assessments-after-reregistering)
+ [On my assessment details page, I’m prompted to recreate my assessment](#recreate-assessment-post-common-controls)
+ [What’s the difference between a data source and an evidence source?](#data-source-vs-evidence-source)

**Assessment issues**
+ [My assessment creation failed](#assessment-creation-failed)
+ [What happens if I remove an in-scope account from my organization?](#what-happens-if-account-is-removed)
+ [I can't see the services in scope for my assessment](#unable-to-view-services)
+ [I can't edit the services in scope for my assessment](#unable-to-edit-services)
+ [What's the difference between a service in scope and a data source type?](#data-source-vs-service-in-scope)

## I created an assessment but I can’t see any evidence yet


If you can't see any evidence, it's likely that you either didn't wait at least 24 hours after you created the assessment or that there's a configuration error.

We recommend that you check the following:

1. Make sure that 24 hours have passed since you created the assessment. Automated evidence becomes available 24 hours after you create the assessment.

1. Make sure that you’re using Audit Manager in the same AWS Region as the AWS service that you’re expecting to see evidence for.

1. If you expect to see compliance check evidence from AWS Config and AWS Security Hub CSPM, make sure that both the AWS Config and Security Hub CSPM consoles display results for these checks. The AWS Config and Security Hub CSPM results should display in the same AWS Region that you use Audit Manager in.

If you still can't see evidence in your assessment and it's not due to one of these issues, check the other potential causes that are described on this page. 

## My assessment isn’t collecting compliance check evidence from AWS Security Hub CSPM


If you don't see compliance check evidence for an AWS Security Hub CSPM control, this could be due to one of the following issues.

**Missing configuration in AWS Security Hub CSPM**  
This issue can be caused if you missed some configuration steps when you enabled AWS Security Hub CSPM.  
To fix this issue, make sure that you enabled Security Hub CSPM with the required settings for Audit Manager. For instructions, see [Enable and set up AWS Security Hub CSPM](setup-recommendations.md#securityhub-recommendations).

**A Security Hub CSPM control name was entered incorrectly in your `ControlMappingSource`**  
When you use the Audit Manager API to create a custom control, you can specify a Security Hub CSPM control as a [data source mapping](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_ControlMappingSource.html) for evidence collection. To do this, you enter a control ID as the [`keywordValue`](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_SourceKeyword.html#auditmanager-Type-SourceKeyword-keywordValue).  
If you don't see compliance check evidence for a Security Hub CSPM control, it could be that the `keywordValue` was entered incorrectly in your `ControlMappingSource`. The `keywordValue` is case sensitive. If you enter it incorrectly, Audit Manager might not recognize that rule. As a result, you might not collect compliance check evidence for that control as expected.  
To fix this issue, [update the custom control](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateControl.html) and revise the `keywordValue`. The correct format of a Security Hub CSPM keyword varies. For accuracy, reference the list of [Supported Security Hub CSPM controls](control-data-sources-ash.md#security-hub-controls-for-custom-control-data-sources).

**`AuditManagerSecurityHubFindingsReceiver` Amazon EventBridge rule is missing**  
When you enable Audit Manager, a rule named `AuditManagerSecurityHubFindingsReceiver` is automatically created and enabled in Amazon EventBridge. This rule enables Audit Manager to collect Security Hub CSPM findings as evidence.  
If this rule isn't listed and enabled in the AWS Region where you use Security Hub CSPM, Audit Manager can't collect Security Hub CSPM findings for that Region.  
To resolve this issue, go to the [EventBridge console](https://console.aws.amazon.com/events) and confirm that the `AuditManagerSecurityHubFindingsReceiver` rule exists in your AWS account. If the rule doesn't exist, we recommend that you [disable Audit Manager](https://docs.aws.amazon.com/audit-manager/latest/userguide/disable.html) and then re-enable the service. If this action doesn’t resolve the issue, or if disabling Audit Manager isn’t an option, [contact Support](https://aws.amazon.com/contact-us) for assistance.

**Service-linked AWS Config rules created by Security Hub CSPM**  
Keep in mind that Audit Manager doesn’t collect evidence from the [service-linked AWS Config rules that Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-awsconfigrules.html) creates. This is a specific type of managed AWS Config rule that's enabled and controlled by the Security Hub CSPM service. Security Hub CSPM creates instances of these service-linked rules in your AWS environment, even if other instances of the same rules already exist. As a result, to prevent evidence duplication, Audit Manager doesn’t support evidence collection from the service-linked rules.

## I disabled a security control in Security Hub CSPM. Does Audit Manager collect compliance check evidence for that security control?


Audit Manager doesn't collect evidence for disabled security controls. 

If you set the status of a security control to [disabled](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-overall-status.html#controls-overall-status-values) in Security Hub CSPM, no security checks are performed for that control in the current account and Region. As a result, no security findings are available in Security Hub CSPM, and no related evidence is collected by Audit Manager.

By respecting the disabled status that you set in Security Hub CSPM, Audit Manager ensures that your assessment accurately reflects the active security controls and findings that are relevant to your environment, excluding any controls that you intentionally disabled. 

## I set the status of a finding to `Suppressed` in Security Hub CSPM. Does Audit Manager collect compliance check evidence about that finding?


Audit Manager collects evidence for security controls that have suppressed findings.

If you set the workflow status of a finding to [suppressed](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-workflow-status.html) in Security Hub CSPM, this means that you reviewed the finding and do not believe that any action is needed. In Audit Manager, these suppressed findings are collected as evidence and attached to your assessment. The evidence details show the evaluation status of `SUPPRESSED` reported directly from Security Hub CSPM.

This approach ensures that your Audit Manager assessment accurately represents the findings from Security Hub CSPM, while also providing visibility into any suppressed findings that may require further review or consideration in an audit.

## My assessment isn’t collecting compliance check evidence from AWS Config


If you don't see compliance check evidence for an AWS Config rule, this could be due to one of the following issues.

**The rule identifier was entered incorrectly in your `ControlMappingSource`**  
When you use the Audit Manager API to create a custom control, you can specify an AWS Config rule as a [data source mapping](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_ControlMappingSource.html) for evidence collection. The [`keywordValue`](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_SourceKeyword.html#auditmanager-Type-SourceKeyword-keywordValue) that you specify depends on the type of rule.  
If you don't see compliance check evidence for an AWS Config rule, it could be that the `keywordValue` was entered incorrectly in your `ControlMappingSource`. The `keywordValue` is case sensitive. If you enter it incorrectly, Audit Manager might not recognize the rule. As a result, you might not collect compliance check evidence for that rule as intended.   
To fix this issue, [update the custom control](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateControl.html) and revise the `keywordValue`.   
+ For custom rules, make sure that the `keywordValue` has the `Custom_` prefix followed by the custom rule name. The format of the custom rule name may vary. For accuracy, visit the [AWS Config console](https://console.aws.amazon.com/config/) to verify your custom rule names.
+ For managed rules, make sure that the `keywordValue` is the rule identifier in `ALL_CAPS_WITH_UNDERSCORES`. For example, `CLOUDWATCH_LOG_GROUP_ENCRYPTED`. For accuracy, reference the list of [supported managed rule keywords](https://docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-config.html#aws-config-managed-rules).
**Note**  
For some managed rules, the rule identifier is different from the rule name. For example, the rule identifier for [restricted-ssh](https://docs.aws.amazon.com/config/latest/developerguide/restricted-ssh.html) is `INCOMING_SSH_DISABLED`. Make sure to use the rule identifier, not the rule name. To find a rule identifier, choose a rule from the [list of managed rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html) and look for its **Identifier** value. 

**The rule is a service-linked AWS Config rule**  
You can use [managed rules](https://docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-config.html#aws-config-managed-rules) and [custom rules](https://docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-config.html#aws-config-custom-rules) as a data source mapping for evidence collection. However, Audit Manager doesn’t collect evidence from most [service-linked rules](https://docs.aws.amazon.com/config/latest/developerguide/service-linked-awsconfig-rules.html).  
There are only two types of service-linked rule that Audit Manager collects evidence from:  
+ Service-linked rules from Conformance Packs
+ Service-linked rules from AWS Organizations
Audit Manager doesn't collect evidence from other service-linked rules, specifically any rules with an Amazon Resource Name (ARN) that contains the following prefix: `arn:aws:config:*:*:config-rule/aws-service-rule/...`  
The reason that Audit Manager doesn't collect evidence from most service-linked AWS Config rules is to prevent duplicate evidence in your assessments. A service-linked rule is a specific type of managed rule that enables other AWS services to create AWS Config rules in your account. For example, [some Security Hub CSPM controls use an AWS Config service-linked rule to run security checks](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-awsconfigrules.html). For each Security Hub CSPM control that uses a service-linked AWS Config rule, Security Hub CSPM creates an instance of the required AWS Config rule in your AWS environment. This happens even if the original rule already exists in your account. Therefore, to avoid collecting the same evidence from the same rule twice, Audit Manager ignores the service-linked rule and doesn't collect evidence from it.

**AWS Config isn't enabled**  
AWS Config must be enabled in your AWS account. After you've set up AWS Config in this way, Audit Manager collects evidence each time the evaluation of an AWS Config rule occurs. Make sure that you enabled AWS Config in your AWS account. For instructions, see [Enable and set up AWS Config](https://docs.aws.amazon.com/audit-manager/latest/userguide/setup-recommendations.html#config-recommendations). 

**The AWS Config rule evaluated a resource configuration before you set up your assessment**  
If your AWS Config rule is set up to evaluate configuration changes for a specific resource, you might see a mismatch between the evaluation in AWS Config and the evidence in Audit Manager. This happens if the rule evaluation occurred before you set up the control in your Audit Manager assessment. In this case, Audit Manager doesn't generate evidence until the underlying resource changes state again and triggers a re-evaluation of the rule.  
As a workaround, you can navigate to the rule in the AWS Config console and [manually re-evaluate the rule](https://docs.aws.amazon.com/config/latest/developerguide/evaluating-your-resources.html#evaluating-your-resources-console). This invokes a new evaluation of all of the resources that pertain to that rule.

## My assessment isn’t collecting user activity evidence from AWS CloudTrail


When you use the Audit Manager API to create a custom control, you can specify a CloudTrail event name as a [data source mapping](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_ControlMappingSource.html) for evidence collection. To do so, you enter the event name as the [`keywordValue`](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_SourceKeyword.html#auditmanager-Type-SourceKeyword-keywordValue).

If you don't see user activity evidence for a CloudTrail event, it could be that the `keywordValue` was entered incorrectly in your `ControlMappingSource`. The `keywordValue` is case sensitive. If you enter it incorrectly, Audit Manager might not recognize the event name. As a result, you might not collect user activity evidence for that event as intended.

To fix this issue, [update the custom control](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateControl.html) and revise the `keywordValue`. Make sure that the event is written as `serviceprefix_ActionName`. For example, `cloudtrail_StartLogging`. For accuracy, review the AWS service prefix and action names in the [Service Authorization Reference](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html). 

## My assessment isn’t collecting configuration data evidence for an AWS API call


When you use the Audit Manager API to create a custom control, you can specify an AWS API call as a [data source mapping](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_ControlMappingSource.html) for evidence collection. To do so, you enter the API call as the [`keywordValue`](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_SourceKeyword.html#auditmanager-Type-SourceKeyword-keywordValue).

If you don't see configuration data evidence for an AWS API call, it could be that the `keywordValue` was entered incorrectly in your `ControlMappingSource`. The `keywordValue` is case sensitive. If you enter it incorrectly, Audit Manager might not recognize the API call. As a result, you might not collect configuration data evidence for that API call as intended.

To fix this issue, [update the custom control](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_UpdateControl.html) and revise the `keywordValue`. Make sure that the API call is written as `serviceprefix_ActionName`. For example, `iam_ListGroups`. For accuracy, reference the list of [AWS API calls supported by AWS Audit Manager](control-data-sources-api.md).
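The AWS Config, CloudTrail and API-call sections above all come down to the same failure mode: a `keywordValue` whose case or shape doesn't match what Audit Manager expects. The following pre-flight check is an added example, not code from AWS or from this guide. It encodes the format rules stated on this page (the case-sensitive `Custom_` prefix and `ALL_CAPS_WITH_UNDERSCORES` identifiers for AWS Config, `serviceprefix_ActionName` for CloudTrail and API calls, and the `aws-service-rule/` ARN prefix of service-linked rules that yield no evidence) so that a mistake is caught before you call `UpdateControl`. The function names and sample sources are my own, and the `sourceType` strings are assumed to match the API's `SourceType` values.

```python
"""Pre-flight check for ControlMappingSource keywordValue formats (added example)."""
import re

# Managed AWS Config rule identifiers are ALL_CAPS_WITH_UNDERSCORES
# (page example: CLOUDWATCH_LOG_GROUP_ENCRYPTED).
MANAGED_CONFIG_ID = re.compile(r"^[A-Z][A-Z0-9_]*$")
# Custom AWS Config rules use the literal, case-sensitive "Custom_" prefix.
CUSTOM_CONFIG_PREFIX = "Custom_"
# CloudTrail event names and API calls are written serviceprefix_ActionName
# (page examples: cloudtrail_StartLogging, iam_ListGroups). Service prefixes
# are lowercase and may contain hyphens; action names are PascalCase.
SERVICE_ACTION = re.compile(r"^[a-z][a-z0-9-]*_[A-Z][A-Za-z0-9]*$")
# Service-linked AWS Config rules that Audit Manager ignores (see the
# AWS Config section): arn:aws:config:*:*:config-rule/aws-service-rule/...
SERVICE_LINKED_RULE_ARN = re.compile(
    r"^arn:aws:config:[^:]*:[^:]*:config-rule/aws-service-rule/"
)


def validate_keyword(source_type: str, keyword_value: str) -> list[str]:
    """Return a list of problems with keyword_value; an empty list means it looks right."""
    problems = []
    if not keyword_value or keyword_value != keyword_value.strip():
        problems.append("keywordValue is empty or has surrounding whitespace")
        return problems
    if source_type == "AWS_Config":
        if keyword_value.startswith(CUSTOM_CONFIG_PREFIX):
            if len(keyword_value) == len(CUSTOM_CONFIG_PREFIX):
                problems.append("Custom_ prefix is not followed by a rule name")
        elif keyword_value.lower().startswith("custom_"):
            # Right idea, wrong case: the prefix is case sensitive.
            problems.append("custom rule prefix must be exactly 'Custom_' (case sensitive)")
        elif not MANAGED_CONFIG_ID.match(keyword_value):
            hint = ""
            if re.fullmatch(r"[a-z0-9-]+", keyword_value):
                # e.g. restricted-ssh is a rule name; its Identifier is what Audit Manager needs.
                hint = " (this looks like a rule name; use the rule Identifier instead)"
            problems.append("managed rule identifier must be ALL_CAPS_WITH_UNDERSCORES" + hint)
    elif source_type in ("AWS_Cloudtrail", "AWS_API_Call"):
        if not SERVICE_ACTION.match(keyword_value):
            problems.append("expected serviceprefix_ActionName, for example iam_ListGroups")
    elif source_type == "AWS_Security_Hub":
        # The Security Hub CSPM keyword format varies per control; the page only
        # tells us it is case sensitive, so there is no shape check to apply here.
        pass
    else:
        problems.append(f"unknown or non-automated sourceType {source_type!r}")
    return problems


def is_service_linked_config_rule(rule_arn: str) -> bool:
    """True if this AWS Config rule is service-linked and so will never produce evidence."""
    return SERVICE_LINKED_RULE_ARN.match(rule_arn) is not None


def validate_control_sources(sources: list[dict]) -> dict[str, list[str]]:
    """Check each ControlMappingSource-shaped dict and return {sourceName: problems}."""
    report = {}
    for src in sources:
        keyword = src.get("sourceKeyword", {}).get("keywordValue", "")
        report[src["sourceName"]] = validate_keyword(src["sourceType"], keyword)
    return report


# Constructed sample control mapping sources; not taken from any real control.
SAMPLE_SOURCES = [
    {"sourceName": "ok-managed", "sourceType": "AWS_Config",
     "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                       "keywordValue": "CLOUDWATCH_LOG_GROUP_ENCRYPTED"}},
    {"sourceName": "rule-name-not-id", "sourceType": "AWS_Config",
     "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                       "keywordValue": "restricted-ssh"}},
    {"sourceName": "bad-custom-prefix", "sourceType": "AWS_Config",
     "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                       "keywordValue": "custom_MyRule"}},
    {"sourceName": "ok-cloudtrail", "sourceType": "AWS_Cloudtrail",
     "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                       "keywordValue": "cloudtrail_StartLogging"}},
    {"sourceName": "wrong-case-api", "sourceType": "AWS_API_Call",
     "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                       "keywordValue": "IAM_listGroups"}},
]

if __name__ == "__main__":
    for name, problems in validate_control_sources(SAMPLE_SOURCES).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run this over the `controlMappingSources` you are about to send to `UpdateControl`; anything reported here would otherwise surface only as an assessment that silently collects no evidence.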

## A common control isn’t collecting any automated evidence


When you review a common control, you might see the following message: **This common control doesn’t collect automated evidence from core controls**. 

This means that no AWS managed evidence sources can currently support this common control. As a result, the **Evidence sources** tab is empty and no core controls are displayed. 

When a common control doesn’t collect automated evidence, it’s referred to as a *manual common control*. Manual common controls typically require the provision of physical records and signatures, or details about events that occur outside of your AWS environment. For this reason, there are often no AWS data sources that can produce evidence to support the control’s requirements. 

If a common control is manual, you can still use it as an evidence source for a custom control. The only difference is that the common control won’t collect any evidence automatically. Instead, you’ll need to manually upload your own evidence to support the requirements of the common control. 

**To add evidence to a manual common control**

1. **Create a custom control**
   + Follow the steps to [create](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) or [edit](https://docs.aws.amazon.com/audit-manager/latest/userguide/edit-controls.html) a custom control. 
   + When you specify evidence sources in step 2, choose the manual common control as an evidence source. 

1. **Create a custom framework**
   + Follow the steps to [create](https://docs.aws.amazon.com/audit-manager/latest/userguide/custom-frameworks.html) or [edit](https://docs.aws.amazon.com/audit-manager/latest/userguide/edit-custom-frameworks.html) a custom framework.
   + When you specify a control set in step 2, include your new custom control.

1. **Create an assessment**
   + Follow the steps to [create an assessment](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-assessments.html) from your custom framework.
   + At this point, the manual common control is now an evidence source in an active assessment control.

1. **Upload manual evidence**
   + Follow the steps to [add manual evidence](https://docs.aws.amazon.com/audit-manager/latest/userguide/upload-evidence.html#how-to-upload-manual-evidence-files) to the control in your assessment.

**Note**  
As more AWS data sources become available in the future, it’s possible that AWS might update the common control to include core controls as evidence sources. In this case, if the common control is an evidence source in one or more of your active assessment controls, you’ll benefit from these updates automatically. No further set up is needed from your side, and you’ll start to collect automated evidence that supports the common control.

## My evidence is generated at different intervals, and I'm not sure how often it’s being collected


The controls in Audit Manager assessments are mapped to various data sources. Each data source has a different evidence collection frequency. As a result, there’s no one-size-fits-all answer for how often evidence is collected. Some data sources evaluate compliance, whereas others only capture resource state and change data without a compliance determination. 

The following is a summary of the different data source types and how often they collect evidence. 


| Data source type | Description | Evidence collection frequency | When this control is active in an assessment |
| --- | --- | --- | --- |
| AWS CloudTrail | Tracks a specific user activity. | Continual | Audit Manager filters your CloudTrail logs based on the keyword that you choose. The processed logs are imported as **User activity** evidence. |
| AWS Security Hub CSPM | Captures a snapshot of your resource security posture by reporting findings from Security Hub CSPM. | Based on the schedule of the Security Hub CSPM check (typically around every 12 hours) | Audit Manager retrieves the security finding directly from Security Hub CSPM. The finding is imported as **Compliance check** evidence. |
| AWS Config | Captures a snapshot of your resource security posture by reporting findings from AWS Config. | Based on the settings that are defined in the AWS Config rule | Audit Manager retrieves the rule evaluation directly from AWS Config. The evaluation is imported as **Compliance check** evidence. |
| AWS API calls | Takes a snapshot of your resource configuration directly through an API call to the specified AWS service. | Daily, weekly, or monthly | Audit Manager makes the API call based on the frequency that you specify. The response is imported as **Configuration data** evidence. |

Regardless of the evidence collection frequency, new evidence is collected automatically for as long as the assessment is active. For more information, see [Evidence collection frequency](how-evidence-is-collected.md#frequency).

To learn more, see [Supported data source types for automated evidence](control-data-sources.md) and [Changing how often a control collects evidence](change-evidence-collection-frequency.md). 

## I disabled and then re-enabled Audit Manager, and now my pre-existing assessments are no longer collecting evidence


When you disable Audit Manager and choose not to delete your data, your existing assessments move into a dormant state and stop collecting evidence. This means that when you re-enable Audit Manager, the assessments that you previously created remain available. However, they don't automatically resume evidence collection.

To start collecting evidence again for a pre-existing assessment, [edit the assessment](https://docs.aws.amazon.com/audit-manager/latest/userguide/edit-assessment.html) and choose **Save** without making any changes. 

## On my assessment details page, I’m prompted to recreate my assessment


![Screenshot of the pop-up message that prompts you to recreate your assessment.](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/troubleshooting-recreate-assessment-post-common-controls-console.png)


If you see a message that says **Create new assessment to collect more comprehensive evidence**, this indicates that Audit Manager now provides a new definition of the standard framework that your assessment was created from.

In the new framework definition, all of the framework’s standard controls can now collect evidence from [AWS managed sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/concepts.html#aws-managed-source). This means that whenever there’s an update to the underlying data sources for a common or core control, Audit Manager automatically applies the same update to all related standard controls.

To benefit from these AWS managed sources, we recommend that you [create a new assessment](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-assessments.html) from the updated framework. After you do this, you can then [change the old assessment status to inactive](https://docs.aws.amazon.com/audit-manager/latest/userguide/change-assessment-status-to-inactive.html). This action helps to ensure that your new assessment collects the most accurate and comprehensive evidence that’s available from AWS managed sources. If you take no action, your assessment continues to use the old framework and control definitions to collect evidence exactly as it did before.

## What’s the difference between a data source and an evidence source?


An *evidence source* determines where evidence is collected from. This can be an individual data source, or a predefined grouping of data sources that maps to a core control or a common control.

A *data source* is the most granular type of evidence source. A data source includes the following details that tell Audit Manager where exactly to collect evidence data from: 
+ [Data source type](https://docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources.html) (for example, AWS Config)
+ [Data source mapping](https://docs.aws.amazon.com/audit-manager/latest/userguide/concepts.html#control-data-source) (for example, a specific AWS Config rule such as `s3-bucket-public-write-prohibited`)

## My assessment creation failed


If your assessment creation fails, this could be due to one of the following issues.

**You selected too many AWS accounts in your assessment scope**  
If you're using AWS Organizations, Audit Manager can support up to 200 member accounts in the scope of a single assessment. If you exceed this number, the assessment creation will fail.  
As a workaround, you can run multiple assessments with different accounts in scope for each assessment up to 250 unique member accounts across all assessments.

**An account in your scope is already being assessed by another active assessment**  
If you try to create an assessment that includes an account that's already in scope for another active assessment, the assessment creation fails. This can happen when multiple teams or organizations are trying to assess the same account simultaneously.  
You might see an error message similar to: `Scope: AWS Account [account-id] has assessments in progress`.  
To resolve this issue, you can take one of the following actions:  
+ **Coordinate with other teams** - Contact other teams in your organization to determine which assessments are currently using the account in question. You can then coordinate to avoid overlapping assessment scopes.
+ **Modify your assessment scope** - Remove the conflicting account from your assessment scope and create the assessment with the remaining accounts. You can assess the conflicting account separately once the other assessment is complete.
+ **Wait for the other assessment to complete** - If the other assessment is temporary or nearing completion, you can wait for it to finish before creating your assessment with the desired scope.
This restriction helps ensure that evidence collection doesn't conflict between multiple assessments and that audit results remain accurate and consistent.

## What happens if I remove an in-scope account from my organization?


When an in-scope account is removed from your organization, Audit Manager no longer collects evidence for that account and it will be removed from all assessments where the account is in scope. Removing a member account from all assessments will also reduce the total number of unique accounts in scope, allowing you to add a new account from your organization.

## I can't see the services in scope for my assessment


If you don't see the **AWS services** tab, this means that the services in scope are managed for you by Audit Manager. When you create a new assessment, Audit Manager manages the services in scope for you from that point onwards.

If you have an older assessment, it’s possible that you saw this tab previously in your assessment. However, Audit Manager automatically removes this tab from your assessment and takes over the management of services in scope when either of the following events occur: 
+ You edit your assessment 
+ You edit one of the custom controls that’s used in your assessment

Audit Manager infers the services in scope by examining your assessment controls and their data sources, and then mapping this information to the corresponding AWS services. If an underlying data source changes for your assessment, we automatically update the scope as needed to reflect the correct services. This ensures that your assessment collects accurate and comprehensive evidence about all of the relevant services in your AWS environment.

## I can't edit the services in scope for my assessment


The [Editing an assessment in AWS Audit Manager](edit-assessment.md) workflow no longer has an **Edit services** step. This is because Audit Manager now manages which AWS services are in scope for your assessment.

If you have an older assessment, it’s possible that you manually defined the services in scope when you created that assessment. However, you can’t edit these services moving forward. Audit Manager automatically takes over the management of services in scope for your assessment when either of the following events occur:
+ You edit your assessment 
+ You edit one of the custom controls that’s used in your assessment

Audit Manager infers the services in scope by examining your assessment controls and their data sources, and then mapping this information to the corresponding AWS services. If an underlying data source changes for your assessment, we automatically update the scope as needed to reflect the correct services. This ensures that your assessment collects accurate and comprehensive evidence about all of the relevant services in your AWS environment.

## What's the difference between a service in scope and a data source type?


A [service in scope](concepts.md#service-in-scope) is an AWS service that's included in the scope of your assessment. When a service is in scope, Audit Manager collects evidence about your usage of that service and its resources.

**Note**  
Audit Manager manages which AWS services are in scope for your assessments. If you have an older assessment, it’s possible that you manually specified the services in scope in the past. Moving forward, you can’t specify or edit services in scope.

A [data source type](https://docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources.html) indicates where exactly the evidence is collected from. If you upload your own evidence, the data source type is *Manual*. If Audit Manager collects the evidence, the data source can be one of four types.

1. AWS Security Hub CSPM – Captures a snapshot of your resource security posture by reporting findings from Security Hub CSPM.

1. AWS Config – Captures a snapshot of your resource security posture by reporting findings from AWS Config.

1. AWS CloudTrail – Tracks a specific user activity for a resource.

1. AWS API calls – Takes a snapshot of your resource configuration directly through an API call to a specific AWS service.

Here are two examples to illustrate the difference between a service in scope and a data source type.

**Example 1**  
Let's say that you want to collect evidence for a control that's named *4.1.2 - Disallow public write access to S3 buckets*. This control checks the access levels of your S3 bucket policies. For this control, Audit Manager uses a specific AWS Config rule ([s3-bucket-public-write-prohibited](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-public-write-prohibited.html)) to look for an evaluation of your S3 buckets. In this example, the following is true:
+ The [service in scope](concepts.md#service-in-scope) is Amazon S3
+ The [resources](https://docs.aws.amazon.com/audit-manager/latest/userguide/concepts.html#resource) that are being assessed are your S3 buckets
+ The [data source type](https://docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources.html) is AWS Config
+ The [data source mapping](https://docs.aws.amazon.com/audit-manager/latest/userguide/concepts.html#control-data-source) is a specific AWS Config rule (`s3-bucket-public-write-prohibited`)

**Example 2**  
Let's say that you want to collect evidence for a HIPAA control that's named *164.308(a)(5)(ii)(C)*. This control requires a monitoring procedure for detecting inappropriate sign-ins. For this control, Audit Manager uses CloudTrail logs to look for all [AWS Management Console sign-in events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html). In this example, the following is true:
+ The [service in scope](concepts.md#service-in-scope) is IAM
+ The [resources](https://docs.aws.amazon.com/audit-manager/latest/userguide/concepts.html#resource) that are being assessed are your users 
+ The [data source type](https://docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources.html) is CloudTrail
+ The [data source mapping](https://docs.aws.amazon.com/audit-manager/latest/userguide/concepts.html#control-data-source) is a specific CloudTrail event (`ConsoleLogin`)

# Troubleshooting assessment report issues

You can use the information on this page to resolve common assessment report issues in Audit Manager.

**Topics**
+ [My assessment report failed to generate](#assessment-report-checklist)
+ [I followed the checklist above, and my assessment report still failed to generate](#assessment-report-failed)
+ [I get an *access denied* error when I try to generate a report](#assessment-report-access-denied-error)
+ [I’m unable to unzip the assessment report](#cannot-unzip-assessment-report)
+ [When I choose an evidence name in a report, I’m not redirected to the evidence details](#cannot-open-evidence-detail-links)
+ [My assessment report generation is stuck in *In progress* status, and I'm not sure how this impacts my billing](#assessment-report-billing)
+ [Additional resources](#assessment-report-see-also)

## My assessment report failed to generate


Your assessment report might have failed to generate for a number of reasons. You can start to troubleshoot this issue by checking the most frequent causes. Use the following checklist to get started.

1. Check if any of your AWS Region information doesn't match up:

   1. **Does the AWS Region of your customer managed key match the AWS Region of your assessment?** 

      If you provided your own KMS key for Audit Manager data encryption, the key must be in the same AWS Region as your assessment. To resolve this issue, change the KMS key to one that’s in the same Region as your assessment. For instructions on how to change the KMS key, see [Configuring your data encryption settings](settings-KMS.md). 

   1. **Does the AWS Region of your customer managed key match the AWS Region of your S3 bucket?**

      If you provided your own KMS key for Audit Manager data encryption, the key must be in the same AWS Region as the S3 bucket that you use as your assessment report destination. To resolve this issue, you can change either the KMS key or the S3 bucket so that they’re both in the same Region as your assessment. For instructions on how to change the KMS key, see [Configuring your data encryption settings](settings-KMS.md). For instructions on how to change the S3 bucket, see [Configuring your default assessment report destination](settings-destination.md). 

1. Check the permissions of the S3 bucket that you’re using as the assessment report destination:

   1. **Does the IAM entity that’s generating the assessment report have the necessary permissions for the S3 bucket?** 

      The IAM entity must have the required S3 bucket permissions to publish reports in that bucket. We provide an [example policy](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_id-based-policy-examples.html#full-administrator-access-assessment-report-destination) that you can use.

   1. **Does the S3 bucket have a bucket policy that requires server-side encryption (SSE) using [SSE-KMS](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#require-sse-kms)?** 

      If yes, the KMS key that's used in that bucket policy must match the KMS key that's specified in your Audit Manager data encryption settings. If you didn't configure a KMS key in your Audit Manager settings, and your S3 bucket policy requires SSE, ensure that the bucket policy allows [SSE-S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html). For instructions on how to change the KMS key, see [Configuring your data encryption settings](settings-KMS.md). For instructions on how to change the S3 bucket, see [Configuring your default assessment report destination](settings-destination.md). 

If you’re still unable to successfully generate an assessment report, review the following issues on this page.

## I followed the checklist above, and my assessment report still failed to generate


Audit Manager limits how much evidence you can add to an assessment report. The limit is based on the AWS Region of your assessment, the Region of the S3 bucket that's used as your assessment report destination, and whether your assessment uses a customer managed AWS KMS key.

1. The limit is 22,000 for same-Region reports (where the S3 bucket and assessment are in the same AWS Region)

1. The limit is 3,500 for cross-Region reports (where the S3 bucket and assessment are in different AWS Regions)

1. The limit is 3,500 if the assessment uses a customer managed KMS key

If you try to generate a report that contains more evidence than this, the operation might fail.

As a workaround, you can generate multiple assessment reports rather than one larger assessment report. By doing this, you can export evidence from your assessment into more manageable-sized batches.
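The checklist in the previous section and the evidence limits above can be checked before you start a report. The following pre-flight check is an added example for this page, not Audit Manager code; the key ARN, bucket policy and evidence count are constructed placeholders, and it assumes the KMS key is given as a full ARN.

```python
"""Pre-flight check for Audit Manager assessment report generation.

Added example for this page, not AWS Audit Manager code. Inputs are constructed
so it runs offline; in practice take the KMS key from `aws audit-manager
get-settings` and the bucket Region and policy from the `aws s3api` commands.
"""
import math

# Evidence limits per report, as stated in this guide.
SAME_REGION_LIMIT = 22_000
CROSS_REGION_LIMIT = 3_500
CUSTOMER_MANAGED_KEY_LIMIT = 3_500

# Constructed placeholder key ARN (documentation example account ID, all-zero key ID).
EXAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"

# Constructed bucket policy that requires SSE-KMS with that specific key.
EXAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPutsNotEncryptedWithReportKey",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-report-bucket/*",
        "Condition": {"StringNotEquals": {
            "s3:x-amz-server-side-encryption": "aws:kms",
            "s3:x-amz-server-side-encryption-aws-kms-key-id": EXAMPLE_KEY_ARN,
        }},
    }],
}


def arn_region(arn):
    """Return the Region field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[3]


def evidence_limit(assessment_region, bucket_region, uses_customer_managed_key):
    """Smallest limit that applies: cross-Region and a customer managed key both lower it."""
    limits = [SAME_REGION_LIMIT]
    if assessment_region != bucket_region:
        limits.append(CROSS_REGION_LIMIT)
    if uses_customer_managed_key:
        limits.append(CUSTOMER_MANAGED_KEY_LIMIT)
    return min(limits)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def required_sse(bucket_policy):
    """Return (algorithm, pinned_kms_key) enforced by a Deny on s3:PutObject, else (None, None)."""
    algorithm = kms_key = None
    for stmt in _as_list(bucket_policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or "s3:PutObject" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        algorithm = cond.get("s3:x-amz-server-side-encryption", algorithm)
        kms_key = cond.get("s3:x-amz-server-side-encryption-aws-kms-key-id", kms_key)
    return algorithm, kms_key


def check_report_prerequisites(assessment_region, bucket_region, bucket_policy,
                               kms_key_arn=None, evidence_count=0):
    """Return a list of findings; an empty list means the checklist passed."""
    findings = []
    if kms_key_arn:  # a configured key means the assessment uses a customer managed key
        key_region = arn_region(kms_key_arn)
        if key_region != assessment_region:
            findings.append(f"KMS key is in {key_region} but the assessment is in {assessment_region}")
        if key_region != bucket_region:
            findings.append(f"KMS key is in {key_region} but the report bucket is in {bucket_region}")
    algorithm, policy_key = required_sse(bucket_policy)
    if algorithm == "aws:kms" and not kms_key_arn:
        findings.append("bucket policy requires SSE-KMS but no KMS key is configured in "
                        "Audit Manager; allow SSE-S3 in the policy or configure a key")
    elif policy_key and kms_key_arn and policy_key != kms_key_arn:
        findings.append("bucket policy pins a different KMS key than the Audit Manager settings")
    elif algorithm == "AES256" and kms_key_arn:
        findings.append("bucket policy requires SSE-S3 but reports are written with a KMS key")
    limit = evidence_limit(assessment_region, bucket_region, bool(kms_key_arn))
    if evidence_count > limit:
        findings.append(f"{evidence_count} evidence items exceed the limit of {limit}; "
                        f"split into at least {math.ceil(evidence_count / limit)} reports")
    return findings


if __name__ == "__main__":
    # Cross-Region bucket, key in the bucket's Region, too much evidence for one report.
    for finding in check_report_prerequisites("us-west-2", "us-east-1",
                                              EXAMPLE_BUCKET_POLICY, EXAMPLE_KEY_ARN, 5000):
        print("-", finding)
```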

## I get an *access denied* error when I try to generate a report


You will get an `access denied` error if your assessment was created by a delegated administrator account, and the KMS key that's specified in your Audit Manager settings doesn't belong to that account. To avoid this error, when you designate a delegated administrator for Audit Manager, make sure that the delegated administrator account has access to the KMS key that you provided when setting up Audit Manager. 

You might also receive an `access denied` error if you don't have write permissions for the S3 bucket that you're using as your assessment report destination. 

If you get an `access denied` error, make sure that you meet the following requirements:
+ Your KMS key in your Audit Manager settings gives permissions to the delegated administrator. You can configure this by following the instructions in [Allowing users in other accounts to use a KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html) in the *AWS Key Management Service Developer Guide.* For instructions on how to review and change your encryption settings in Audit Manager, see [Configuring your data encryption settings](settings-KMS.md).
+ You have a permissions policy that grants you write access for the S3 bucket that you're using as the assessment report destination. More specifically, your permissions policy contains an `s3:PutObject` action, specifies the ARN of the S3 bucket, and includes the KMS key that's used to encrypt your assessment reports. For an example policy that you can use, see [Example 2 (Assessment report destination permissions)](security_iam_id-based-policy-examples.md#full-administrator-access-assessment-report-destination).

**Note**  
If you change your Audit Manager data encryption settings, these changes apply to the new assessments that you create moving forward. This includes any assessment reports that you create from your new assessments.  
The changes don't apply to existing assessments that you created before you changed your encryption settings. This includes new assessment reports that you create from existing assessments, in addition to existing assessment reports. Existing assessments—and all their assessment reports—continue to use the old KMS key. If the IAM identity that’s generating the assessment report doesn’t have permissions to use the old KMS key, you can grant permissions at the key policy level. 

## I’m unable to unzip the assessment report


If you can't unzip the assessment report on Windows, it's likely that Windows Explorer can't extract it because its file path has several nested folders or long names. Under the Windows file naming system, the folder path, file name, and file extension together can’t exceed 259 characters. If they do, extraction fails with a `Destination Path Too Long` error.

To resolve this issue, try moving the zip file to the parent folder of its current location. You can then try again to unzip it from there. Alternatively, you can also try shortening the name of the zip file or extracting it to a different location that has a shorter file path.

## When I choose an evidence name in a report, I’m not redirected to the evidence details


This issue might happen if you’re interacting with the assessment report in a browser, or using the default PDF reader that’s installed on your operating system. Some browser and system default PDF readers don’t allow the opening of relative links. This means that, although hyperlinks might work within the assessment report summary PDF (such as hyperlinked control names in the table of contents), hyperlinks are ignored when you attempt to navigate away from the assessment summary PDF to a separate evidence detail PDF.

If you encounter this issue, we recommend that you use a dedicated PDF reader to interact with your assessment reports. For a reliable experience, we recommend that you install and use Adobe Acrobat Reader, which you can download at the [Adobe website](https://get.adobe.com/reader/). Other PDF readers are also available, but Adobe Acrobat Reader has been proven to work consistently and reliably with Audit Manager assessment reports. 

## My assessment report generation is stuck in *In progress* status, and I'm not sure how this impacts my billing


Assessment report generation has no impact on billing. You're only billed based on the evidence that your assessments collect. For more information about pricing, see [AWS Audit Manager Pricing](https://aws.amazon.com/audit-manager/pricing/).

## Additional resources


The following pages contain troubleshooting guidance about generating an assessment report from evidence finder:
+ [I can’t generate multiple assessment reports from my search results](evidence-finder-issues.md#cannot-generate-multiple-reports-from-search-results)
+ [I can't include specific evidence from my search results](evidence-finder-issues.md#cannot-add-individual-evidence)
+ [Not all of my evidence finder results are included in the assessment report](evidence-finder-issues.md#not-all-results-present-in-report)
+ [I want to generate an assessment report from my search results, but my query statement is failing](evidence-finder-issues.md#querystatement-exceptions)

# Troubleshooting control and control set issues



You can use the information on this page to resolve common issues with controls in Audit Manager.

**General issues**
+ [I can’t see any controls or control sets in my assessment](#cannot-view-controls)
+ [I can’t upload manual evidence to a control](#cannot-upload-manual-evidence)
+ [What does it mean if a control says “Replacement available”?](#control-replacement-available)

**AWS Config integration issues**
+ [I need to use multiple AWS Config rules as a data source for a single control](#need-to-use-multiple-rules)
+ [The custom rule option is unavailable when I’m configuring a control data source](#custom-rule-option-unavailable)
+ [The custom rule option is available, but no rules appear in the dropdown list](#no-custom-rules-displayed)
+ [Some custom rules are available, but I can’t see the rule that I want to use](#custom-rule-missing)
+ [I can’t see the managed rule that I want to use](#managed-rule-missing)
+ [I want to share a custom framework, but it has controls that use custom AWS Config rules as a data source. Can the recipient collect evidence for these controls?](#shared-frameworks-with-custom-aws-config-rules)
+ [What happens when a custom rule is updated in AWS Config? Do I need to take any action in Audit Manager?](#a-rule-is-updated)

## I can’t see any controls or control sets in my assessment


In short, to view the controls for an assessment, you must be specified as an audit owner for that assessment. Moreover, you need the necessary IAM permissions to view and manage the related Audit Manager resources. 

If you need access to the controls in an assessment, ask one of the audit owners for that assessment to specify you as audit owner. You can specify audit owners when you're [creating](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-assessments.html#choose-audit-owners) or [editing](https://docs.aws.amazon.com/audit-manager/latest/userguide/edit-assessment.html#edit-choose-audit-owners) an assessment. 

Make sure also that you have the necessary permissions to manage the assessment. We recommend that audit owners use the [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) policy. If you need help with IAM permissions, contact your administrator or [AWS Support](https://aws.amazon.com/contact-us/). For more information about how to attach a policy to an IAM identity, see [Adding Permissions to a User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) and [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the *IAM User Guide*.

## I can’t upload manual evidence to a control


If you can't manually upload evidence to a control, it's likely because the control is in *inactive* status.

To upload manual evidence to a control, you must first change the control status to either *Under review* or *Reviewed*. For instructions, see [Changing the status of an assessment control in AWS Audit Manager](change-assessment-control-status.md).

**Important**  
Each AWS account can only manually upload up to 100 evidence files to a control each day. Exceeding this daily quota causes any additional manual uploads to fail for that control. If you need to upload a large amount of manual evidence to a single control, upload your evidence in batches across several days.

## What does it mean if a control says “Replacement available”?


![Screenshot of the pop-up message that prompts you to recreate your assessment.](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/troubleshooting-control-replacement-available-console.png)


If you see this message, this means that an updated control definition is available for one or more of the standard controls in your custom framework. We recommend that you replace these controls so that you can benefit from the improved evidence sources that Audit Manager now provides.

For instructions on how to proceed, see [On my custom framework details page, I’m prompted to recreate my custom framework](framework-issues.md#recreate-framework-post-common-controls).

## I need to use multiple AWS Config rules as a data source for a single control


You can use a combination of managed rules and custom rules for a single control. To do this, define multiple evidence sources for the control, and select your preferred rule type for each one. You can define up to 100 customer managed data sources for a single custom control.

## The custom rule option is unavailable when I’m configuring a control data source

This means that you don't have permissions to view custom rules for your AWS account or organization. More specifically, you don't have permissions to perform the [DescribeConfigRules](https://docs.aws.amazon.com/config/latest/APIReference/API_DescribeConfigRules.html) operation in the Audit Manager console.

To resolve this issue, contact your AWS administrator for help. If you're an AWS administrator, you can provide permissions for your users or groups by [managing your IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html).

## The custom rule option is available, but no rules appear in the dropdown list

This means that no custom rules are enabled and available for use in your AWS account or organization.

If you don’t have any custom rules yet in AWS Config, you can create one. For instructions, see [AWS Config custom rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html) in the *AWS Config Developer Guide*.

If you're expecting to see a custom rule, check the following troubleshooting item.

## Some custom rules are available, but I can’t see the rule that I want to use

If you can’t see the custom rule that you’re expecting to find, this could be due to one of the following issues.

**Your account is excluded from the rule**  
It's possible that the delegated administrator account that you're using is excluded from the rule.  
Your organization's management account (or one of the AWS Config delegated administrator accounts) can create custom organization rules using the AWS Command Line Interface (AWS CLI). When they do so, they can specify a [list of accounts to be excluded](https://docs.aws.amazon.com/config/latest/APIReference/API_PutOrganizationConfigRule.html#config-PutOrganizationConfigRule-request-ExcludedAccounts) from the rule. If your account is on this list, the rule isn’t available in Audit Manager.  
To resolve this issue, contact your AWS Config administrator for help. If you're an AWS Config administrator, you can update the list of excluded accounts by running the [put-organization-config-rule](https://docs.aws.amazon.com/cli/latest/reference/configservice/put-organization-config-rule.html) command.

**The rule wasn’t successfully created and enabled in AWS Config**  
It’s also possible that the custom rule wasn't created and enabled successfully. If an [error occurred when creating the rule](https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigRule.html#API_PutConfigRule_Errors), or [the rule isn't enabled](https://docs.aws.amazon.com/config/latest/developerguide/setting-up-aws-config-rules-with-console.html), it doesn’t appear in the list of available rules in Audit Manager.  
For assistance with this issue, we recommend that you contact your AWS Config administrator.

**The rule is a managed rule**  
If you can't find the rule that you're looking for under the dropdown list of custom rules, it’s possible that the rule is a managed rule.  
You can use the [AWS Config console](https://console.aws.amazon.com/config/) to verify if a rule is a managed rule. To do so, choose **Rules** in the left navigation menu and look for the rule in the table. If the rule is a managed rule, the **Type** column shows **AWS managed**.  

![A managed rule as shown in the AWS Config console.](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/rules-managed-console.png)

After you've confirmed that it's a managed rule, return to Audit Manager and select **Managed rule** as the rule type. Then, look for the managed rule identifier keyword in the dropdown list of managed rules.  

![The same rule that's found in the managed rule dropdown list in the Audit Manager console.](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/control_data_source-managed_rule-console.png)


## I can’t see the managed rule that I want to use

Before you select a rule from the dropdown list in the Audit Manager console, make sure that you selected **Managed rule** as the rule type.

![The managed rule option selected in the Audit Manager console.](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/ruletype-managed-console.png)


If you still can’t see the managed rule that you’re expecting to find, it’s possible that you’re looking for the rule *name*. Instead, you must look for the rule *identifier*. 

If you're using a default managed rule, the name and the identifier are similar. The name is in lowercase and uses dashes (for example, `iam-policy-in-use`). The identifier is in uppercase and uses underscores (for example, `IAM_POLICY_IN_USE`). To find the identifier for a default managed rule, review the [list of supported AWS Config managed rule keywords](https://docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-config.html#aws-config-managed-rules) and follow the link for the rule that you want to use. This takes you to the AWS Config documentation for that managed rule. From here, you can see both the name and the identifier. Look for the identifier keyword in the Audit Manager dropdown list.

![A managed rule name and identifier as shown in the AWS Config documentation.](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/ruleidentifier-configdocs.png)


If you're using a custom managed rule, you can use the [AWS Config console](https://console.aws.amazon.com/config/) to find the rule identifier. For example, let's say that you want to use the managed rule called `customized-iam-policy-in-use`. To find the identifier for this rule, go to the AWS Config console, choose **Rules** in the left navigation menu, and choose the rule in the table.

![A managed rule with a customized name in the rules table of the AWS Config console.](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/managedrule-customname-configconsole.png)


Choose **Edit** to open details about the managed rule.

![The edit rule option in the AWS Config console.](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/editrule-configconsole.png)


Under the **Details** section, you can find the source identifier that the managed rule was created from (`IAM_POLICY_IN_USE`).

![The managed rule details in the AWS Config console.](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/ruledetails-configconsole.png)


You can now return to the Audit Manager console and select the same identifier keyword from the dropdown list.

![A managed rule identifier as shown in the Audit Manager console.](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/ruleidentifier-console.png)


## I want to share a custom framework, but it has controls that use custom AWS Config rules as a data source. Can the recipient collect evidence for these controls?

Yes, the recipient can collect evidence for these controls, but a few steps are needed to achieve this. 

For Audit Manager to collect evidence using an AWS Config rule as a data source mapping, the following must be true. This applies to both managed rules and custom rules.

1. The rule must exist in the recipient’s AWS environment

1. The rule must be enabled in the recipient’s AWS environment

Remember that the custom AWS Config rules in your account likely don’t exist already in the recipient’s AWS environment. Moreover, when the recipient accepts the share request, Audit Manager doesn’t recreate any of your custom rules in their account. For the recipient to collect evidence using your custom rules as a data source mapping, they must create the same custom rules in their instance of AWS Config. After the recipient [creates](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html) and then [enables](https://docs.aws.amazon.com/config/latest/developerguide/setting-up-aws-config-rules-with-console.html) the rules, Audit Manager can collect evidence from that data source. 

We recommend that you communicate with the recipient to let them know if any custom rules need to be created in their instance of AWS Config.
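A recipient can check the two requirements above (the rule exists, and it is enabled) before expecting evidence. The following is an added example for this page, not Audit Manager functionality; the control-to-rule mapping and the `DescribeConfigRules` response are constructed placeholders, and a real response would come from `aws configservice describe-config-rules` in the recipient's account.

```python
"""Check that the AWS Config rules referenced by a shared framework's controls
exist and are enabled in the recipient's account.

Added example for this page, not Audit Manager code. The mapping and the
DescribeConfigRules response below are constructed so the check runs offline.
"""

# Constructed: rule names used as data source mappings by controls in a shared
# custom framework (the sender would list these for the recipient).
SHARED_FRAMEWORK_RULES = {
    "Control 4.1.2": ["s3-bucket-public-write-prohibited"],
    "Control IAM-7": ["custom-iam-access-key-age", "custom-iam-mfa-for-console"],
}

# Constructed: DescribeConfigRules output in the recipient's account. One managed
# rule is active, one custom rule is being deleted, and one custom rule is absent.
RECIPIENT_CONFIG_RULES = {
    "ConfigRules": [
        {"ConfigRuleName": "s3-bucket-public-write-prohibited",
         "ConfigRuleState": "ACTIVE",
         "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_WRITE_PROHIBITED"}},
        {"ConfigRuleName": "custom-iam-access-key-age",
         "ConfigRuleState": "DELETING",
         "Source": {"Owner": "CUSTOM_LAMBDA",
                    "SourceIdentifier": "arn:aws:lambda:us-east-1:111122223333:function:placeholder"}},
    ]
}


def rules_by_name(describe_response):
    """Index a DescribeConfigRules response by rule name."""
    return {rule["ConfigRuleName"]: rule for rule in describe_response.get("ConfigRules", [])}


def rules_needing_action(framework_rules, describe_response):
    """Map each rule Audit Manager cannot collect from to its reason and affected controls.

    A rule must exist and be in state ACTIVE; anything else (missing, DELETING,
    DELETING_RESULTS, EVALUATING) means no evidence for the controls that use it.
    """
    existing = rules_by_name(describe_response)
    problems = {}
    for control, rule_names in framework_rules.items():
        for name in rule_names:
            rule = existing.get(name)
            if rule is None:
                reason = "missing: create and enable a rule with this name in AWS Config"
            elif rule.get("ConfigRuleState") != "ACTIVE":
                reason = f"not active (state {rule['ConfigRuleState']}): enable the rule in AWS Config"
            else:
                continue
            entry = problems.setdefault(name, {"reason": reason, "controls": []})
            entry["controls"].append(control)
    return problems


if __name__ == "__main__":
    for name, info in rules_needing_action(SHARED_FRAMEWORK_RULES, RECIPIENT_CONFIG_RULES).items():
        print(f"{name}: {info['reason']} (used by {', '.join(info['controls'])})")
```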

## What happens when a custom rule is updated in AWS Config? Do I need to take any action in Audit Manager?

**For rule updates within your AWS environment**  
If you update a custom rule within your AWS environment, no action is needed in Audit Manager. Audit Manager detects and handles the rule updates as described in the following table. Audit Manager doesn't notify you when a rule update is detected.


| Scenario | What Audit Manager does | What you need to do | 
| --- | --- | --- | 
|  A custom rule is **updated** in your instance of AWS Config  | Audit Manager continues to report findings for that rule using the updated rule definition.  | No action is needed. | 
|  A custom rule is **deleted** in your instance of AWS Config  | Audit Manager stops reporting findings for the deleted rule. |  No action is needed. If you want to, you can [edit the custom controls](https://docs.aws.amazon.com/audit-manager/latest/userguide/edit-controls.html) that used the deleted rule as a data source mapping. Doing so helps to clean up your data source settings by removing the deleted rule. Otherwise, the deleted rule name remains as an unused data source mapping.  | 

**For rule updates outside your AWS environment**  
If a custom rule is updated outside of your AWS environment, Audit Manager doesn’t detect the rule update. This is something to consider if you use shared custom frameworks. This is because, in this scenario, the sender and the recipient each work in separate AWS environments. The following table provides recommended actions for this scenario.


| Your role | Scenario | Recommended action | 
| --- | --- | --- | 
|  Sender  |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/audit-manager/latest/userguide/control-issues.html)  | Let the recipient know about your update. That way, they can apply the same update and stay in sync with the latest rule definition. | 
| Recipient |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/audit-manager/latest/userguide/control-issues.html)  | Make the corresponding rule update in your own instance of AWS Config. | 

# Troubleshooting dashboard issues

You can use the information on this page to resolve common dashboard issues in Audit Manager.

**Topics**
+ [There isn't any data on my dashboard](#dashboard-no-data)
+ [The CSV download option isn't available](#dashboard-download-option-unavailable)
+ [I don't see the downloaded file when trying to download a CSV file](#dashboard-cant-find-downloaded-file)
+ [A specific control or control domain is missing from the dashboard](#dashboard-no-control-domain)
+ [I see similar or duplicate controls appearing under the same control domain](#dashboard-similar-or-duplicate-controls-in-the-same-control-domain)
+ [The daily snapshot shows varying amounts of evidence each day. Is this normal?](#dashboard-varying-evidence)

## There isn't any data on my dashboard


If the numbers in the [Daily snapshot](dashboard.md#dashboard-daily-snapshot) widget display a hyphen (-), this indicates that no data is available. You must have at least one active assessment to see data in the dashboard. To get started, [create an assessment](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-assessments.html). After a 24-hour period, your assessment data will start to appear in the dashboard. 

**Note**  
If the numbers in the daily snapshot widget display a zero (0), this indicates that your active assessments (or your selected assessment) have no non-compliant evidence.

## The CSV download option isn't available


This option is available for individual assessments only. Make sure that you applied an [Assessment filter](dashboard.md#dashboard-assessment-filters) to the dashboard, then try again. Keep in mind that you can only download one CSV file at a time.

## I don't see the downloaded file when trying to download a CSV file


If a control domain contains a large number of controls, there might be a short delay while Audit Manager generates the CSV file. After the file is generated, it downloads automatically.

If you still don’t see the downloaded file, make sure that your internet connection is working normally and you're using the most current version of your web browser. In addition, check your recent downloads folder. Files download into the default location that's determined by your browser. If this doesn't resolve your issue, try downloading the file using a different browser. 

## A specific control or control domain is missing from the dashboard


This likely means that your active assessments (or specified assessment) don't have any relevant data for that control or control domain. 

A control domain is displayed on the dashboard only if both of the following two criteria are met:
+ Your active assessments (or specified assessment) contain at least one control that's related to that domain
+ At least one control within that domain collected evidence on the date at the top of the dashboard

A control is displayed within a domain only if it collected evidence on the date at the top of the dashboard.

## I see similar or duplicate controls appearing under the same control domain


This issue can occur if your assessments collect evidence from different versions of the same standard control.

This happens in the following scenarios:

**Scenario 1: You have two assessments created from the same standard framework**  
+ You created an assessment from a standard framework before the launch of the common controls library. 

  This assessment collects evidence using outdated standard controls.
+ You also created an assessment from the same standard framework after the launch of the common controls library. 

  This assessment collects evidence using the new versions of the standard controls.
+ As a result, your assessments collect evidence from different versions of the same standard controls.

**Scenario 2: You have two assessments created from a custom framework that uses standard controls**  
+ You created an assessment from your custom framework before the launch of the common controls library. 

  This assessment collects evidence using outdated standard controls.
+ You also created an assessment from the same custom framework after the launch of the common controls library. 

  This assessment collects evidence using the new versions of the standard controls.
+ As a result, your assessments collect evidence from different versions of the same standard controls.

**Example:** Let’s say you have a pre-existing assessment that you created from the PCI DSS standard framework before June 6, 2024, and a new assessment that you created from the same PCI DSS standard framework after June 6, 2024. The first assessment collects evidence using the outdated version of the PCI DSS standard controls, and the second collects evidence using the new version. Because both versions of the PCI DSS controls are actively collecting evidence in your assessments, you’ll likely see both sets of controls appear on the dashboard under the same control domain. In rare cases, the outdated control and the new control might appear under different control domains on the dashboard.

You can continue to collect evidence and view dashboard insights for outdated standard controls and frameworks. However, we encourage you to use the new controls and frameworks that Audit Manager provides following the launch of the common controls library on June 6, 2024. The new standard controls can collect evidence from [AWS managed sources](concepts.md#aws-managed-source). This means that whenever there’s an update to the underlying data sources for a common or core control, Audit Manager automatically applies the same update to all related standard controls. 

## The daily snapshot shows varying amounts of evidence each day. Is this normal?


Not all evidence is collected on a daily basis. The controls in Audit Manager assessments are mapped to different data sources, and each one can have a different evidence collection schedule. As a result, it's expected that the daily snapshot displays a varying amount of evidence each day. For more information, see [Evidence collection frequency](how-evidence-is-collected.md#frequency).

# Troubleshooting delegated administrator and AWS Organizations issues
You can use the information on this page to resolve common delegated administrator issues in Audit Manager.

**Topics**
+ [I can't set up Audit Manager with my delegated administrator account](#delegated-admin-setup)
+ [When I create an assessment, I can't see the accounts from my organization under *Accounts in scope*](#cannot-see-accounts-from-organization)
+ [I get an *access denied* error when I try to generate an assessment report using my delegated administrator account](#delegated-admin-access-denied-error)
+ [What happens in Audit Manager if I unlink a member account from my organization?](#delegated-admin-unlink-account)
+ [What happens if I relink a member account to my organization?](#delegated-admin-relink-account)
+ [What happens if I migrate a member account from one organization to another?](#delegated-admin-migrate-account)

## I can't set up Audit Manager with my delegated administrator account


Although multiple delegated administrators are supported in AWS Organizations, Audit Manager allows only one delegated administrator. If you attempt to designate multiple delegated administrators in Audit Manager, you receive the following error message: 
+ Console: `You have exceeded the allowed number of delegated administrators for the delegated service`
+ CLI: `An error occurred (ValidationException) when calling the RegisterAccount operation: Cannot change delegated Admin for an active account 11111111111 from 2222222222222 to 333333333333`

Choose the one individual account that you want to use as your delegated administrator in Audit Manager. Make sure that you register the delegated administrator account in Organizations first, and then [add the same account as a delegated administrator](https://docs.aws.amazon.com/audit-manager/latest/userguide/add-delegated-admin.html) in Audit Manager.

## When I create an assessment, I can't see the accounts from my organization under *Accounts in scope*


If you want your Audit Manager assessment to include multiple accounts from your organization, you must specify a delegated administrator.

Make sure that you configured a delegated administrator account for Audit Manager. For instructions, see [Adding a delegated administrator](add-delegated-admin.md). 

 Some issues to keep in mind:
+ You can't use your AWS Organizations management account as a delegated administrator in Audit Manager.
+ If you want to enable Audit Manager in more than one AWS Region, you must designate a delegated administrator account separately in each Region. In your Audit Manager settings, designate the same delegated administrator account across all Regions.
+ When you designate a delegated administrator, make sure that the delegated administrator account has access to the KMS key that you provide when setting up Audit Manager. If the key belongs to a different account, its key policy must grant the delegated administrator account access. To learn how to review and change your encryption settings, see [Configuring your data encryption settings](settings-KMS.md).

## I get an *access denied* error when I try to generate an assessment report using my delegated administrator account


You get an `access denied` error if your assessment was created by a delegated administrator account that doesn't own the KMS key specified in your Audit Manager settings, and that key's policy doesn't grant the delegated administrator access to it. To avoid this error, when you designate a delegated administrator for Audit Manager, make sure that the delegated administrator account has access to the KMS key that you provided when setting up Audit Manager. 

You might also receive an `access denied` error if you don't have write permissions for the S3 bucket that you're using as your assessment report destination. 

If you get an `access denied` error, make sure that you meet the following requirements:
+ Your KMS key in your Audit Manager settings gives permissions to the delegated administrator. You can configure this by following the instructions in [Allowing users in other accounts to use a KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html) in the *AWS Key Management Service Developer Guide.* For instructions on how to review and change your encryption settings in Audit Manager, see [Configuring your data encryption settings](settings-KMS.md).
+ You have a permissions policy that grants you write access for the assessment report destination. More specifically, your permissions policy contains an `s3:PutObject` action, specifies the ARN of the S3 bucket, and includes the KMS key that's used to encrypt your assessment reports. For an example policy that you can use, see [Example 2 (Assessment report destination permissions)](security_iam_id-based-policy-examples.md#full-administrator-access-assessment-report-destination).

**Note**  
If you change your Audit Manager data encryption settings, these changes apply to the new assessments that you create moving forward. This includes any assessment reports that you create from your new assessments.  
The changes don't apply to existing assessments that you created before you changed your encryption settings. This includes new assessment reports that you create from existing assessments, in addition to existing assessment reports. Existing assessments—and all their assessment reports—continue to use the old KMS key. If the IAM identity that’s generating the assessment report doesn’t have permissions to use the old KMS key, you can grant permissions at the key policy level. 

## What happens in Audit Manager if I unlink a member account from my organization?


When you unlink a member account from an organization, Audit Manager receives a notification about this event. Audit Manager then automatically removes that AWS account from the *accounts in scope* lists of your existing assessments. When you specify the scope of new assessments moving forward, the unlinked account no longer appears in the list of eligible AWS accounts.

When Audit Manager removes an unlinked member account from the *accounts in scope* lists of your assessments, you aren't notified of this change. Moreover, the unlinked member account isn't notified that Audit Manager is no longer enabled on their account.

## What happens if I relink a member account to my organization?


When you relink a member account to your organization, that account isn't automatically added to the scope of your existing Audit Manager assessments. However, the relinked member account now appears as an eligible AWS account when you specify the *accounts in scope* of your assessments. 
+ For existing assessments, you can manually edit the assessment scope to add the relinked member account. For instructions, see [Step 2: Edit AWS accounts in scope](edit-assessment.md#edit-accounts). 
+ For new assessments, you can add the relinked account during assessment setup. For instructions, see [Step 2: Specify AWS accounts in scope](create-assessments.md#specify-accounts).

## What happens if I migrate a member account from one organization to another?


If a member account has Audit Manager enabled in organization 1 and then migrates to organization 2, Audit Manager is not enabled for organization 2 as a result.

# Troubleshooting evidence finder issues
Use the information on this page to resolve common evidence finder issues in Audit Manager.

**General evidence finder issues**
+ [I can't enable evidence finder](#cannot-enable-evidence-finder)
+ [I enabled evidence finder, but I don't see past evidence in my search results](#cannot-see-past-evidence)
+ [I can't disable evidence finder](#cannot-disable-evidence-finder)
+ [My search query fails](#cannot-start-query)
+ [I see that a control domain is marked as “outdated”. What does this mean?](#outdated-control-domains)

**Evidence finder assessment report issues**
+  [I can’t generate multiple assessment reports from my search results](#cannot-generate-multiple-reports-from-search-results)
+ [I can't include specific evidence from my search results](#cannot-add-individual-evidence)
+ [Not all of my evidence finder results are included in the assessment report](#not-all-results-present-in-report)
+ [I want to generate an assessment report from my search results, but my query statement is failing](#querystatement-exceptions)
+ [Additional resources](#evidence-finder-assessment-report-see-also)

**Evidence finder CSV export issues**
+ [My CSV export failed](#export-checklist)
+ [I can't export specific evidence from my search results](#cannot-include-individual-evidence)
+ [I can’t export multiple CSV files at once](#cannot-export-multiple-files-from-search-results)

## I can't enable evidence finder


Common reasons why you can't enable evidence finder include the following situations:

**You're missing permissions**  
If you’re trying to enable evidence finder for the first time, make sure that you have the [required permissions to enable evidence finder](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_id-based-policy-examples.html#full-administrator-access-enable-evidence-finder). These permissions allow you to create and manage an event data store in CloudTrail Lake, which is necessary to support evidence finder search queries. The permissions also allow you to run search queries in evidence finder.  
If you need help with permissions, contact your AWS administrator. If you’re an AWS administrator, you can copy the required permission statement and [attach it to an IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console).

**You're using your Organizations management account**  
Keep in mind that you can't use your management account to enable evidence finder. Sign in as the delegated administrator account, and try again.

**You previously disabled evidence finder**  
Re-enabling evidence finder isn't currently supported. If you previously disabled evidence finder, you can't enable it again. 

## I enabled evidence finder, but I don't see past evidence in my search results


When you enable evidence finder, it takes up to 7 days for all of your past evidence data to become available.

During this 7-day period, an event data store is backfilled with your past two years’ worth of evidence data. This means that if you use evidence finder immediately after you enable it, not all results are available until the backfill is complete.

For instructions on how to check the status of the data backfill, see [Confirming the status of evidence finder](confirm-status-of-evidence-finder.md).

## I can't disable evidence finder


This could be caused by one of the following reasons.

**You're missing permissions**  
If you’re trying to disable evidence finder, make sure that you have the [required permissions to disable evidence finder](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_id-based-policy-examples.html#full-administrator-access-disable-evidence-finder). These permissions allow you to update and delete an event data store in CloudTrail Lake, which is necessary to disable evidence finder.  
If you need help with permissions, contact your AWS administrator. If you’re an AWS administrator, you can copy the required permission statement and [attach it to an IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console).

**A request to enable evidence finder is still in progress**  
When you request to enable evidence finder, we create an event data store to support evidence finder queries. You can't disable evidence finder while the event data store is being created.  
To proceed, wait until the event data store is created, and try again. For more information, see [Confirming the status of evidence finder](confirm-status-of-evidence-finder.md).

**You already requested to disable evidence finder**  
When you request to disable evidence finder, we delete the event data store that's used for evidence finder queries. If you try again to disable evidence finder while the event data store is being deleted, you get an error message.  
In this case, no action is needed. Wait for the event data store to be deleted. As soon as this is complete, evidence finder is disabled. For more information, see [Confirming the status of evidence finder](confirm-status-of-evidence-finder.md).

## My search query fails


A failed search query could be caused by one of the following reasons.

**You're missing permissions**  
Verify that the user has the [required permissions to run search queries](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_id-based-policy-examples.html#evidence-finder-query-access) and access the search results. Specifically, you need permissions for the following CloudTrail actions:  
+ [StartQuery](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StartQuery.html)
+ [DescribeQuery](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DescribeQuery.html)
+ [CancelQuery](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CancelQuery.html)
+ [GetQueryResults](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_GetQueryResults.html)
If you need help with permissions, contact your AWS administrator. If you’re an AWS administrator, you can copy the required permission statement and [attach it to an IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console).

**You're running the maximum number of queries**  
You can run up to 5 queries at a time. If you're running the maximum number of concurrent queries, this results in a `MaxConcurrentQueriesException` error. If you get this error message, wait a minute for some queries to finish, and then run the query again.

**Your query statement has a validation error**  
If you're using the API or CLI to perform the CloudTrail Lake [StartQuery](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StartQuery.html) operation, make sure that your `queryStatement` is valid. If the query statement has validation errors, incorrect syntax, or unsupported keywords, this results in an `InvalidQueryStatementException`.   
For more information about writing a query, see [Create or edit a query](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-create-edit-query.html) in the *AWS CloudTrail User Guide*.   
For examples of valid syntax, review the following query statement examples that can be used to query an Audit Manager event data store.  
**Example 1: Investigate evidence and its compliance status**  
This example finds evidence with any compliance status across all assessments in your account, within a specified date range. 

```
SELECT eventData.evidenceId, eventData.resourceArn, eventData.resourceComplianceCheck FROM $EDS_ID WHERE eventTime > '2022-11-02 00:00:00.000' AND eventTime < '2022-11-03 00:00:00.000'
```
**Example 2: Determine non-compliant evidence for a control**  
This example finds all non-compliant evidence in a specified date range for a specific assessment and control. 

```
SELECT * FROM $EDS_ID WHERE eventData.assessmentId = '11aa33bb-55cc-77dd-99ee-ff22gg44hh66' AND eventTime > '2022-10-27 22:05:00.000' AND eventTime < '2022-11-03 22:05:00.000' AND eventData.resourceComplianceCheck IN ('NON_COMPLIANT','FAILED','WARNING') AND eventData.controlId IN ('aa11bb22-cc33-dd44-ee55-ff66gg77hh88')
```
**Example 3: Count evidence by name**  
This example lists the total evidence for an assessment in a specified date range, grouped by name and ordered by evidence count. 

```
SELECT eventData.eventName as eventName, COUNT(*) as totalEvidence FROM  $EDS_ID WHERE eventData.assessmentId = '11aa33bb-55cc-77dd-99ee-ff22gg44hh66' AND eventTime > '2022-10-27 22:05:00.000' AND eventTime < '2022-11-03 22:05:00.000' GROUP BY eventData.eventName ORDER BY totalEvidence DESC
```
**Example 4: Explore evidence by data source and service**  
This example finds all evidence in a specified date range for a specific data source and service. 

```
SELECT * FROM $EDS_ID WHERE eventTime > '2022-10-27 22:05:00.000' AND eventTime < '2022-11-03 22:05:00.000' AND eventData.service IN ('dynamodb') AND eventData.dataSource IN ('AWS API calls')
```
**Example 5: Explore compliant evidence by data source and control domain**  
This example finds compliant evidence for specific control domains, where the evidence comes from a data source that isn't AWS Config. 

```
SELECT * FROM $EDS_ID WHERE eventData.resourceComplianceCheck IN ('PASSED','COMPLIANT') AND eventData.controlDomainName IN ('Logging and monitoring','Data security and privacy') AND eventData.dataSource NOT IN ('AWS Config')
```

**Other API exceptions**  
The [StartQuery](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StartQuery.html) API might fail for several other reasons. For a complete list of possible errors and descriptions, see [StartQuery Errors](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StartQuery.html#API_StartQuery_Errors) in the *AWS CloudTrail API Reference.*
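The following is an added example, not code from Audit Manager or from this guide. It builds queries of the same shape as Examples 1 and 2 above from parameters instead of by hand, and then runs them against the event data store with a retry on the 5-concurrent-query limit. Two things the page's one-line examples don't show: the IDs, timestamps, column names and compliance statuses are validated against allowlists and single quotes are doubled before they are placed in a string literal, so a value taken from user input or a ticket can never close the literal and add its own predicate to the query; and `MaxConcurrentQueriesException` is backed off rather than surfaced as a failure. The column names (`eventData.assessmentId`, `eventData.controlId`, `eventData.resourceComplianceCheck`, `eventTime`) are the ones used in the page's examples; the status allowlist is assumed from those examples and may be incomplete. `boto3` is imported only inside `run_query()`, so building and inspecting a query works offline.

```python
"""Build evidence finder queries from parameters and run them in CloudTrail Lake.
Added example; column names follow the page's query examples."""
import re
import time

# Allowlists: IDs and timestamps must look like IDs and timestamps, never like SQL.
ID_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}$")
COLUMN_RE = re.compile(r"^(\*|[A-Za-z0-9_.]+)$")
COMPLIANCE_STATUSES = {"PASSED", "COMPLIANT", "NON_COMPLIANT", "FAILED", "WARNING"}  # assumed from the page's examples


def _checked(pattern, value, what):
    if not isinstance(value, str) or not pattern.match(value):
        raise ValueError(f"{what} {value!r} has an unexpected format")
    return value


def _literal(value):
    # Double embedded single quotes so a value can never terminate the literal
    # and append its own predicate (the usual SQL-injection hygiene).
    return "'" + value.replace("'", "''") + "'"


def build_evidence_query(eds_id, start, end, assessment_id=None, control_ids=(), statuses=(), columns=("*",)):
    """Return a query like Examples 1-2: evidence in a time window, optionally
    narrowed to one assessment, a set of controls and a set of compliance statuses."""
    select = ", ".join(_checked(COLUMN_RE, c, "column") for c in columns)
    predicates = []
    if assessment_id is not None:
        predicates.append(f"eventData.assessmentId = {_literal(_checked(ID_RE, assessment_id, 'assessment ID'))}")
    predicates.append(f"eventTime > {_literal(_checked(TIMESTAMP_RE, start, 'start time'))}")
    predicates.append(f"eventTime < {_literal(_checked(TIMESTAMP_RE, end, 'end time'))}")
    if statuses:
        unknown = set(statuses) - COMPLIANCE_STATUSES
        if unknown:
            raise ValueError(f"unknown compliance status: {sorted(unknown)}")
        predicates.append("eventData.resourceComplianceCheck IN (" + ", ".join(_literal(s) for s in statuses) + ")")
    if control_ids:
        ids = ", ".join(_literal(_checked(ID_RE, c, "control ID")) for c in control_ids)
        predicates.append(f"eventData.controlId IN ({ids})")
    eds = _checked(ID_RE, eds_id, "event data store ID")
    return f"SELECT {select} FROM {eds} WHERE " + " AND ".join(predicates)


def run_query(query, region_name=None, max_attempts=6, poll_seconds=5):
    """Start the query, wait for it and page through the results.
    MaxConcurrentQueriesException (more than 5 queries running) is retried
    with a growing pause instead of being treated as a failure."""
    import boto3
    from botocore.exceptions import ClientError

    cloudtrail = boto3.client("cloudtrail", region_name=region_name)
    for attempt in range(1, max_attempts + 1):
        try:
            query_id = cloudtrail.start_query(QueryStatement=query)["QueryId"]
            break
        except ClientError as err:
            if err.response["Error"]["Code"] != "MaxConcurrentQueriesException" or attempt == max_attempts:
                raise
            time.sleep(10 * attempt)
    while True:
        status = cloudtrail.describe_query(QueryId=query_id)["QueryStatus"]
        if status in ("FINISHED", "FAILED", "CANCELLED", "TIMED_OUT"):
            break
        time.sleep(poll_seconds)
    if status != "FINISHED":
        # Partial results of a cancelled or timed-out query are never exported.
        raise RuntimeError(f"query {query_id} ended with status {status}")
    rows, token = [], None
    while True:
        kwargs = {"QueryId": query_id, "MaxQueryResults": 1000}
        if token:
            kwargs["NextToken"] = token
        page = cloudtrail.get_query_results(**kwargs)
        rows.extend(page.get("QueryResultRows", []))
        token = page.get("NextToken")
        if not token:
            return rows


if __name__ == "__main__":
    # Placeholder IDs copied from the page's examples; substitute your own.
    print(build_evidence_query(
        "12345678-abcd-1234-abcd-123456789012", "2022-10-27 22:05:00.000", "2022-11-03 22:05:00.000",
        assessment_id="11aa33bb-55cc-77dd-99ee-ff22gg44hh66",
        control_ids=["aa11bb22-cc33-dd44-ee55-ff66gg77hh88"],
        statuses=("NON_COMPLIANT", "FAILED", "WARNING")))
```

To run it for real, pass the returned string to `run_query()` with the Region in which evidence finder is enabled; the identity running it needs the four CloudTrail query permissions listed above.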

## I see that a control domain is marked as “outdated”. What does this mean?


When you apply a control domain filter in evidence finder, you might notice that some available control domains are described as **Outdated**. 

![\[Screenshot of an outdated control domain filter in evidence finder.\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/troubleshooting-outdated-control-domain-filter-console.png)


As of June 6, 2024, Audit Manager supports a new set of control domains provided by AWS Control Catalog. To fetch a list of these control domains, see [ListDomains](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListDomains.html) in the *AWS Control Catalog API Reference*. 

If a control domain is marked as **Outdated**, this means that the control domain you’re viewing isn’t one of the new control domains provided by AWS Control Catalog. Audit Manager continues to support these outdated control domains so that you can still use them as criteria when you search for evidence. 

Although we continue to support the outdated control domains, we encourage you to use the new control domains instead. The new control domains are mapped to the updated standard controls that were launched as part of the common controls library on June 6, 2024. On this date, we released updated standard controls that can collect evidence from [AWS managed sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/concepts.html#aws-managed-source). This means that whenever there’s an update to the underlying data sources for a common or core control, Audit Manager automatically applies the same update to all related standard controls. 

## I can’t generate multiple assessment reports from my search results


This error is caused by running too many CloudTrail Lake queries at the same time. 

This error can happen if you group your search results and attempt to immediately generate assessment reports for each line item in your grouped results. When you get your search results and generate an assessment report, each action invokes a query. You can only run up to 5 queries at one time. If you’re running the maximum number of concurrent queries, a `MaxConcurrentQueriesException` error is returned. 

To prevent this error, make sure that you aren’t generating too many assessment reports at one time. If you get this error message, wait a few minutes for your in-progress assessment reports to complete. 

You can check the status of your assessment reports from the download center page in the Audit Manager console. After your reports are complete, return to your grouped results in evidence finder. You can then continue to get the results and generate an assessment report for each line item.

## I can't include specific evidence from my search results


All of your search results are included in the assessment report. You can't selectively add individual rows from your set of search results. 

If you only want to include specific search results in the assessment report, we recommend that you [edit your current search filters](https://docs.aws.amazon.com/audit-manager/latest/userguide/search-for-evidence-in-evidence-finder.html#editing-a-search). This way, you can narrow down your results to target only the evidence that you want to include in the report.

## Not all of my evidence finder results are included in the assessment report


When you generate an assessment report, there are limits for how much evidence you can add. The limit is based on the AWS Region of your assessment, the Region of the S3 bucket that's used as your assessment report destination, and whether your assessment uses a customer managed AWS KMS key.

1. The limit is 22,000 for same-Region reports (where the S3 bucket and assessment are in the same AWS Region)

1. The limit is 3,500 for cross-Region reports (where the S3 bucket and assessment are in different AWS Regions)

1. The limit is 3,500 if the assessment uses a customer managed KMS key

If you exceed this limit, the report is still created. However, Audit Manager adds only the first 3,500 or 22,000 evidence items to the report.

To prevent this issue, we recommend that you [edit your current search filters](https://docs.aws.amazon.com/audit-manager/latest/userguide/search-for-evidence-in-evidence-finder.html#editing-a-search). This way, you can reduce your search results by targeting a smaller amount of evidence. If needed, you can repeat this method and generate multiple assessment reports instead of one larger report.

## I want to generate an assessment report from my search results, but my query statement is failing


If you're using the [CreateAssessmentReport](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_CreateAssessmentReport.html) API and your query statement returns a validation exception, check the table below for guidance on how to fix it. 

**Note**  
Even if a query statement works in CloudTrail, the same query might not be valid for assessment report generation in Audit Manager. This is because of some differences in query validation between the two services. 


| Clause | Issue | Solution | Notes | 
| --- | --- | --- | --- | 
|  `SELECT`  |  The `SELECT` clause contains a column name  |  Remove the `SELECT` clause and replace with `SELECT eventJson`.  |  Only `SELECT eventJson` is supported.  This validation is handled by Audit Manager.  | 
|  `FROM`  |  The `FROM` clause contains an invalid event data store ID or The provided event data store ID doesn’t match the event data store ID in your Audit Manager settings  |  Remove the `FROM` clause and replace with `FROM edsID`, where the value of `edsID` matches the event data store ID that's specified in your Audit Manager settings.  You can retrieve the ARN of the event data store from your Audit Manager settings. For more information, see [GetSettings](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_GetSettings.html) in the *AWS Audit Manager API Reference*.  | This validation is handled by Audit Manager. | 
|  `GROUP BY`  |  A `GROUP BY` clause is present in the query  |  Remove the `GROUP BY` clause.  | This validation is handled by Audit Manager. | 
|  `HAVING`  |  A `HAVING` clause is present in the query  |  Remove the `HAVING` clause.  | This validation is handled by Audit Manager. | 
|  `LIMIT`  |  The `LIMIT` clause contains a value that exceeds the maximum allowed limit  |  If the `LIMIT` clause exists, ensure that its value is equal to or less than the maximum supported limit: 22,000 for same-Region reports, and 3,500 for cross-Region reports or when the assessment uses a customer managed KMS key (see [Not all of my evidence finder results are included in the assessment report](#not-all-results-present-in-report)).  | In the console, there’s no limit to the number of evidence results that can be returned. However, when generating an assessment report, a limit applies to the amount of evidence that you can include. If no `LIMIT` value is provided in your query statement, the default maximum limits are applied. This validation is handled by Audit Manager. | 
|  `ORDER BY`  |  The `ORDER BY` clause contains [Aggregate functions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-limitations.html#query-aggregates-condition-operators) or [Aliases](https://www.w3schools.com/sql/sql_alias.asp) that aren’t present in the `SELECT` clause  |  Ensure that the `ORDER BY` clause doesn’t contain any conditions using [Aggregate functions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-limitations.html#query-aggregates-condition-operators) or [Aliases](https://www.w3schools.com/sql/sql_alias.asp).  | This validation is handled by the CloudTrail [StartQuery API.](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StartQuery.html) | 
|  `WHERE`  |  The `WHERE` clause contains more than one `assessmentId` or The `WHERE` clause contains an `assessmentId` that doesn’t match the `assessmentId` in your `createAssessmentReport` request or The `WHERE` clause contains an unsupported column name  |  Ensure that only one assessmentID is specified, and that it matches the [assessmentId parameter](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_CreateAssessmentReport.html#auditmanager-CreateAssessmentReport-request-assessmentId) that you specified in the `createAssessmentReport` API request. Remove any unsupported column names.  | This validation is handled by the CloudTrail [StartQuery API.](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StartQuery.html) | 

### Examples


The following examples show how you can use the `queryStatement` parameter when calling the [CreateAssessmentReport](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_CreateAssessmentReport.html) operation. Before you use these queries, replace the *placeholder text* with your own `edsId` and `assessmentId` values.

**Example 1: Create a report (same-Region limit applies)**  
This example creates a report that includes results for S3 buckets created on January 22, 2022 (between 00:00 on January 22 and 00:00 on January 23).

```
SELECT eventJson FROM 12345678-abcd-1234-abcd-123456789012 WHERE eventData.assessmentId = '11aa33bb-55cc-77dd-99ee-ff22gg44hh66' AND eventTime > '2022-01-22 00:00:00.000' AND eventTime < '2022-01-23 00:00:00.000' AND eventName='CreateBucket' LIMIT 22000
```

**Example 2: Create a report (cross-Region limit applies)**  
This example creates a report that includes all results for the specified event data store and assessment, with no date range specified.

```
SELECT eventJson FROM 12345678-abcd-1234-abcd-123456789012 WHERE eventData.assessmentId = '11aa33bb-55cc-77dd-99ee-ff22gg44hh66' LIMIT 7000
```

**Example 3: Create a report (under the default limit)**  
This example creates a report that includes all results for the specified event data store and assessment, with a limit that’s under the default maximum.

```
SELECT eventJson FROM 12345678-abcd-1234-abcd-123456789012 WHERE eventData.assessmentId = '11aa33bb-55cc-77dd-99ee-ff22gg44hh66' LIMIT 2000
```
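The following is an added example, not part of this guide or of Audit Manager's own validation. It applies the checks from the table above to a `queryStatement` locally, so that a bad statement is rejected with a message naming the clause before the `CreateAssessmentReport` request is made, and it picks the evidence cap from the same-Region, cross-Region and customer managed key limits stated on this page. The parser is deliberately simple and assumes a single-line statement without subqueries, comments, or the words `GROUP BY`, `HAVING`, `ORDER BY` or `LIMIT` inside string literals. The list of unsupported `WHERE` column names isn't given on this page, so that check is not implemented here; the aggregate-function names checked in `ORDER BY` are an assumption.

```python
"""Local pre-flight validation of a CreateAssessmentReport queryStatement.
Added example; the rules and limits are the ones stated on this page."""
import re

SAME_REGION_LIMIT = 22_000
CROSS_REGION_LIMIT = 3_500
CUSTOMER_MANAGED_KEY_LIMIT = 3_500

CLAUSE_RE = re.compile(
    r"^\s*SELECT\s+(?P<select>.+?)\s+FROM\s+(?P<eds>\S+)"
    r"(?:\s+WHERE\s+(?P<where>.+?))?"
    r"(?:\s+(?P<tail>(?:GROUP\s+BY|HAVING|ORDER\s+BY|LIMIT)\b.*))?\s*$",
    re.IGNORECASE | re.DOTALL,
)
TAIL_KEYWORD_RE = re.compile(r"\b(GROUP\s+BY|HAVING|ORDER\s+BY|LIMIT)\b", re.IGNORECASE)
ASSESSMENT_ID_RE = re.compile(r"eventData\.assessmentId\s*=\s*'([^']*)'", re.IGNORECASE)
AGGREGATE_RE = re.compile(r"\b(COUNT|SUM|AVG|MIN|MAX)\s*\(", re.IGNORECASE)  # assumed list


def max_evidence(assessment_region, bucket_region, customer_managed_key):
    """Evidence cap that applies to the report, per the limits on this page."""
    if customer_managed_key:
        return CUSTOMER_MANAGED_KEY_LIMIT
    return SAME_REGION_LIMIT if assessment_region == bucket_region else CROSS_REGION_LIMIT


def validate_report_query(query, settings_eds_id, request_assessment_id, limit_cap):
    """Return 'CLAUSE: problem' strings; an empty list means every check passed."""
    problems = []
    m = CLAUSE_RE.match(query)
    if not m:
        return ["STATEMENT: expected 'SELECT eventJson FROM <edsID> WHERE ... [LIMIT n]'"]
    if m.group("select").strip() != "eventJson":
        problems.append("SELECT: only 'SELECT eventJson' is supported")
    if m.group("eds") != settings_eds_id:
        problems.append(f"FROM: event data store {m.group('eds')!r} is not the one in your Audit Manager settings")
    ids = ASSESSMENT_ID_RE.findall(m.group("where") or "")
    if len(ids) != 1:
        problems.append("WHERE: specify exactly one eventData.assessmentId")
    elif ids[0] != request_assessment_id:
        problems.append("WHERE: assessmentId does not match the CreateAssessmentReport request")
    # Trailing clauses, in the order they appear: GROUP BY / HAVING / ORDER BY / LIMIT.
    parts = TAIL_KEYWORD_RE.split(m.group("tail") or "")
    for keyword, body in zip(parts[1::2], parts[2::2]):
        keyword, body = re.sub(r"\s+", " ", keyword.upper()), body.strip()
        if keyword in ("GROUP BY", "HAVING"):
            problems.append(f"{keyword}: remove this clause")
        elif keyword == "ORDER BY" and AGGREGATE_RE.search(body):
            problems.append("ORDER BY: aggregate functions are not allowed here")
        elif keyword == "LIMIT":
            if not body.isdigit():
                problems.append(f"LIMIT: {body!r} is not a number")
            elif int(body) > limit_cap:
                problems.append(f"LIMIT: {body} exceeds the maximum of {limit_cap} for this report")
    return problems


if __name__ == "__main__":
    # Placeholder IDs from the page's examples; replace with your own values.
    eds, assessment = "12345678-abcd-1234-abcd-123456789012", "11aa33bb-55cc-77dd-99ee-ff22gg44hh66"
    cap = max_evidence("us-east-1", "us-east-1", customer_managed_key=False)
    good = f"SELECT eventJson FROM {eds} WHERE eventData.assessmentId = '{assessment}' LIMIT 2000"
    bad = f"SELECT eventData.evidenceId FROM {eds} WHERE eventData.assessmentId = 'other' GROUP BY eventData.controlId LIMIT 7000"
    print(validate_report_query(good, eds, assessment, cap))
    print(validate_report_query(bad, eds, assessment, cap))
```

Feed the function the event data store ID and the `assessmentId` you intend to pass in the request, and the Region and key facts of the assessment; anything it returns is a validation exception you would otherwise get back from the API.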

## Additional resources


The following page contains general troubleshooting guidance about assessment reports:
+ [Troubleshooting assessment report issues](assessment-report-issues.md)

## My CSV export failed


Your CSV export might fail for a number of reasons. You can troubleshoot this issue by checking the most frequent causes.

First, make sure that you meet the prerequisites for using the CSV export feature:

**You successfully enabled evidence finder**  
If you haven’t [enabled evidence finder](https://docs.aws.amazon.com/audit-manager/latest/userguide/evidence-finder-settings-enable.html), you can’t run a search query and export your search results.

**The backfill of your event data store is complete**  
If you use evidence finder immediately after you enable it, and the [evidence backfill](https://docs.aws.amazon.com/audit-manager/latest/userguide/evidence-finder.html#understanding-evidence-finder) is still in progress, there may be some results that aren't available. To check the backfill status, see [Confirming the status of evidence finder](confirm-status-of-evidence-finder.md).

**Your search query succeeded**  
Audit Manager can't export the results of a failed query. To troubleshoot a failed query, see [My search query fails](#cannot-start-query).

After you've confirmed that you meet the prerequisites, use the following checklist to check for potential issues:

1. Check the status of your search query:

   1. **Was the query cancelled?** Evidence finder displays partial results that were processed before the query was cancelled. However, Audit Manager doesn't export partial results to your S3 bucket or the download center.

   1. **Has the query been running for over one hour?** Queries that run for longer than one hour might time out. Evidence finder displays partial results that were processed before the query timed out. However, Audit Manager doesn’t export partial results. To avoid a timeout, you can reduce the amount of evidence that’s scanned by [Editing search filters](search-for-evidence-in-evidence-finder.md#editing-a-search) to specify a narrower time range.

1. Check the name and the URI of your export destination S3 bucket:

   1. **Does the bucket that you specified exist?** If you manually entered a bucket URI, make sure that you didn't mistype anything. A typo or an incorrect URI can result in a `RESOURCE_NOT_FOUND` error when Audit Manager attempts to export the CSV file to Amazon S3. 

1. Check the permissions of your export destination S3 bucket:

   1. **Do you have write permissions for the S3 bucket?** You must have write access for the S3 bucket that you're using as the export destination. More specifically, the IAM permissions policy must include an `s3:PutObject` action and the bucket ARN, and list CloudTrail as the service principal. We provide an [example policy](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_resource-based-policy-examples.html) that you can use. 

1. Check if any of your AWS Region information doesn't match up:

   1. **Does the AWS Region of your customer managed key match the AWS Region of your assessment?** If you provided a customer managed key for data encryption, it must be in the same AWS Region as your assessment. For instructions on how to change the KMS key, see [Configuring your data encryption settings](settings-KMS.md). 

1. Check the permissions of your delegated administrator account:

   1. **Does the customer managed key in your Audit Manager settings grant permissions to your delegated administrator?** If you're using a delegated administrator account and you specified a customer managed key for data encryption, make sure the delegated administrator has access on that KMS key. For instructions, see [Allowing users in other accounts to use a KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html) in the *AWS Key Management Service Developer Guide.* To review and change your encryption settings in Audit Manager, see [Configuring your data encryption settings](settings-KMS.md). 

**Note**  
If you change your Audit Manager data encryption settings, these changes apply to new assessments that you create moving forward. This includes any CSV files that you export from your new assessments.  
The changes don't apply to existing assessments that you created before you changed your encryption settings. This includes new CSV exports from existing assessments, in addition to existing CSV exports. Existing assessments—and all their CSV exports—continue to use the old KMS key. If the IAM identity that’s exporting the CSV file doesn’t have permissions to use the old KMS key, you can grant permissions at the key policy level. 

## I can't export specific evidence from my search results


All of your search results are included in the exported CSV file; you can't select individual evidence items for export. 

If you want to include only specific evidence in the CSV file, we recommend that you [edit your current search filters](https://docs.aws.amazon.com/audit-manager/latest/userguide/search-for-evidence-in-evidence-finder.html#editing-a-search). This way, you can narrow your results to target only the evidence that you want to export.

## I can’t export multiple CSV files at once


This error is caused by running too many CloudTrail Lake queries at the same time. 

This can happen if you group your search results and attempt to immediately export a CSV file for each line item in your grouped results. When you get your search results and export a CSV file, each of these actions invokes a query. You can run only up to five queries at one time. If you’re running the maximum number of concurrent queries, a `MaxConcurrentQueriesException` error is returned. 

To prevent this error, make sure that you aren’t exporting too many CSV files at one time. 

To resolve this error, wait for your in-progress CSV exports to complete. Most exports take a few minutes. However, if you're exporting a very large amount of data, it might take up to an hour to complete the export. Feel free to navigate away from evidence finder while the export is in progress. 

You can check the export status from the download center in the Audit Manager console. After your exported files are ready, return to your grouped results in evidence finder. You can then continue to get the results and export a CSV file for each line item.

# Troubleshooting framework issues



You can use the information on this page to resolve common framework issues in Audit Manager.

**General framework issues**
+ [On my custom framework details page, I’m prompted to recreate my custom framework](#recreate-framework-post-common-controls)
+ [I can’t make a copy of my custom framework](#cannot-use-custom-framework)

**Framework sharing issues**
+ [My sent share request status displays as *Failed*](#framework-sharing-error)
+ [My share request has a blue dot next to it. What does this mean?](#framework-sharing-blue-dot)
+ [My shared framework has controls that use custom AWS Config rules as a data source. Can the recipient collect evidence for these controls?](#framework-sharing-custom-config-rules)
+ [I updated a custom rule that's used in a shared framework. Do I need to take any action?](#framework-sharing-what-happens-when-a-rule-is-updated)

## On my custom framework details page, I’m prompted to recreate my custom framework


![Screenshot of the pop-up message that prompts you to recreate your assessment.](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/troubleshooting-recreate-framework-post-common-controls-console.png)


If you see a message that says **Updated control definitions are available**, this indicates that Audit Manager now provides newer definitions for some of the standard controls that are in your custom framework. 

Standard controls can now collect evidence from [AWS managed sources](concepts.md#aws-managed-source). This means that whenever Audit Manager updates the underlying data sources for a common or core control, the same update is automatically applied to the related standard controls. This helps you to ensure continuous compliance as the cloud compliance environment changes. To make sure that you benefit from these AWS managed sources, we recommend that you replace the controls in your custom framework.

In your custom framework, Audit Manager indicates which controls have replacements available. You’ll need to replace these controls before you can make a copy of your custom framework. The next time that you edit your custom framework, we’ll prompt you to replace these controls along with any other edits you’d like to make. 

There are two ways to replace the controls in your custom framework:

**1. Recreate your custom framework**  
If a large number of controls have replacements available, we recommend that you recreate your custom framework. This is likely to be the best option if your custom framework is based on a standard framework.
+ For example, let’s say you created your custom framework using [NIST SP 800-53 Rev 5](NIST800-53r5.md) as the starting point. This standard framework has 1007 standard controls, and you added 20 custom controls.
+ In this case, the most efficient option is to find `NIST 800-53 (Rev. 5) Low-Moderate-High` in the framework library and [make an editable copy of that framework](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-custom-frameworks-from-existing.html). During this process, you can add the same 20 custom controls that you used before. Because you’re now using the latest definition of the standard framework as your starting point, your custom framework automatically inherits the latest definitions for all of the 1007 standard controls.

**2. Edit your custom framework**  
If a small number of controls have replacements available, we recommend that you edit your custom framework and replace the controls manually.
+ For example, let’s say you created your custom framework from scratch. In your custom framework, you added 20 custom controls that you created yourself, and eight standard controls from the [ACSC Essential Eight](essential-eight.md) standard framework. 
+ In this case, because a maximum of eight controls would have updates available, the most efficient option is to edit your custom framework and replace those controls one by one. For instructions, see the following procedure.

### To manually replace controls in your custom framework


1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. In the left navigation pane, choose **Framework library**, then choose the **Custom frameworks** tab.

1. Select the framework that you want to edit, choose **Actions**, and then choose **Edit**.

1. On the **Edit framework details** page, choose **Next**.

1. On the **Edit control sets** page, review the name of each control set to see if any of its controls have replacements available. 

1. Choose an affected control set to expand it and identify which of its controls need to be replaced.  
   **Tip**  
   To more quickly identify controls, enter **Replacement available** in the search box.

1. Remove affected controls by selecting the check box and choosing **Remove from control set**.

1. Re-add the same controls. This action replaces the controls that you just removed with the latest control definition.

   1. Under **Add controls**, use the **Control type** dropdown list and select **Standard controls**.

   1. Find the replacement for the control that you just removed.  
      **Tip**  
      In some cases, the replacement control name might not be exactly the same as the original. In this event, the replacement control name is likely to be very similar to the original. In rare cases, one control might be replaced by two controls (or the other way around).  
      If you can't find a replacement control, we recommend that you do a partial search. To do this, enter part of the original control name or a keyword that represents what you're looking for. You can also search by compliance type to further narrow the list of results.

   1. Select the check box next to a control and choose **Add to control set**.

   1. In the pop-up window that appears, choose **Add** to confirm.

1. Repeat steps 6-8 as needed until you have replaced all controls.

1. Choose **Next**. 

1. On the **Review and save** page, choose **Save changes**.

## I can’t make a copy of my custom framework


If the **Make a copy** button is unavailable on the framework details page, this means that you need to replace some of the controls in your custom framework. 

For instructions on how to proceed, see [On my custom framework details page, I’m prompted to recreate my custom framework](#recreate-framework-post-common-controls).

## My sent share request status displays as *Failed*


If you try to share a custom framework and the operation fails, we recommend that you check the following:

1. Make sure that Audit Manager is enabled in the recipient's AWS account and in the specified Region. For a list of supported AWS Audit Manager Regions, see [AWS Audit Manager endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/audit-manager.html) in the *Amazon Web Services General Reference*. 

1. Make sure that you entered the correct AWS account ID when you specified the recipient account.

1. Make sure that you didn't specify an AWS Organizations management account as the recipient. You can share a custom framework with a delegated administrator, but if you try to share a custom framework with a management account, the operation fails.

1. If you use a customer managed key to encrypt your Audit Manager data, make sure that your KMS key is enabled. If your KMS key is disabled and you try to share a custom framework, the operation fails. For instructions on how to enable a disabled KMS key, see [Enabling and disabling keys](https://docs.aws.amazon.com/kms/latest/developerguide/enabling-keys.html) in the *AWS Key Management Service Developer Guide*.

## My share request has a blue dot next to it. What does this mean?


A blue dot notification indicates that a share request needs your attention. 

### Blue dot notifications for senders

A blue notification dot appears next to sent share requests with a status of *Expiring*. Audit Manager displays the blue dot notification so that you can remind the recipient to take action on the share request before it expires.

For the blue notification dot to disappear, the recipient must accept or decline the request. The blue dot also disappears if you revoke the share request. 

You can use the following procedure to check for any expiring share requests, and send an optional reminder to the recipient to take action.

**To view notifications for sent requests**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. If you have a share request notification, Audit Manager displays a red dot next to the navigation menu icon.  
![Screenshot of the minimized navigation menu icon, with a red dot that indicates a notification.](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/framework_sharing-navigation_minimized_notification-console.png)

1. Expand the navigation pane and look next to **Share requests**. A notification badge indicates the number of share requests that need attention.   
![Screenshot of the expanded navigation menu, with Shared framework requests highlighted and a notification badge showing 1 notification.](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/framework_sharing-navigation_expanded_notification-console.png)

1. Choose **Share requests**, and then choose the **Sent requests** tab. 

1. Look for the blue dot to identify share requests that expire within the next 30 days. Alternatively, you can also view expiring share requests by selecting **Expiring** from the **All statuses** filter dropdown.  
![Screenshot of a sent share request with a blue dot next to the framework name.](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/framework_sharing-blue_dot_notification-sent_requests-console.png)

1. (Optional) Remind the recipient that they need to take action on the share request before it expires. This step is optional, as Audit Manager sends a notification in the console to inform the recipient when a share request is active or expiring. However, you can also send your own reminder to the recipient using your preferred communication channel.

### Blue dot notifications for recipients

A blue notification dot appears next to received share requests with a status of *Active* or *Expiring*. Audit Manager displays the blue dot notification to remind you to take action on the share request before it expires. For the blue notification dot to disappear, you must [accept or decline](https://docs.aws.amazon.com/audit-manager/latest/userguide/responding-to-shared-framework-requests.html#responding-to-shared-framework-requests-step-2) the request. The blue dot also disappears if the sender revokes the share request. 

You can use the following procedure to check for active and expiring share requests.

**To view notifications for received requests**

1. Open the AWS Audit Manager console at [https://console.aws.amazon.com/auditmanager/home](https://console.aws.amazon.com/auditmanager/home).

1. If you have a share request notification, Audit Manager displays a red dot next to the navigation menu icon.  
![Screenshot of the minimized navigation menu icon, with a red dot that indicates a notification.](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/framework_sharing-navigation_minimized_notification-console.png)

1. Expand the navigation pane and look next to **Share requests**. A notification badge indicates the number of share requests that need your attention.   
![Screenshot of the expanded navigation menu, with Share requests highlighted and a notification badge showing one notification.](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/framework_sharing-navigation_expanded_notification-console.png)

1. Choose **Share requests**. By default, this page opens on the **Received requests** tab. 

1. Identify the share requests that need your action by looking for items with a blue dot.   
![Screenshot of a received share request with a blue dot next to the framework name.](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/framework_sharing-blue_dot_notification-console.png)

1. (Optional) To view only requests that expire in the next 30 days, find the **All statuses** dropdown list and select **Expiring**.

## My shared framework has controls that use custom AWS Config rules as a data source. Can the recipient collect evidence for these controls?


Yes, your recipient can collect evidence for these controls, but a few steps are needed to achieve this. 

For Audit Manager to collect evidence using an AWS Config rule as a data source mapping, the following must be true. These criteria apply to both managed rules and custom rules.
+ The rule must exist in the recipient’s AWS environment.
+ The rule must be enabled in the recipient’s AWS environment.

Remember that the AWS Config rules in your account likely don’t exist already in the recipient’s AWS environment. Moreover, when the recipient accepts the share request, Audit Manager doesn’t recreate any of your custom rules in their account. For the recipient to collect evidence using your custom rules as a data source mapping, they must create the same custom rules in their instance of AWS Config. After the recipient [creates](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_nodejs.html) and then [enables](https://docs.aws.amazon.com/config/latest/developerguide/setting-up-aws-config-rules-with-console.html) the rules in AWS Config, Audit Manager can collect evidence from that data source.

We recommend that you communicate with the recipient to let them know if any custom AWS Config rules should be created in their instance of AWS Config.

## I updated a custom rule that's used in a shared framework. Do I need to take any action?


**For rule updates within your AWS environment**  
When you update a custom rule within your AWS environment, no action is needed in Audit Manager. Audit Manager detects and handles rule updates in the way that's described in the following table. Audit Manager doesn't notify you when a rule update is detected.


| Scenario | What Audit Manager does | What you need to do | 
| --- | --- | --- | 
|  A custom rule is **updated** in your instance of AWS Config.  | Audit Manager continues to report findings for that rule using the updated rule definition. | No action is needed. | 
|  A custom rule is **deleted** in your instance of AWS Config.  | Audit Manager stops reporting findings for the deleted rule. |  No action is needed. If you want to, you can [edit the custom controls](https://docs.aws.amazon.com/audit-manager/latest/userguide/edit-controls.html) that used the deleted rule as a data source mapping. You can then remove the deleted rule to clean up your control's data source settings. Otherwise, the deleted rule name remains as an unused data source mapping.  | 

**For rule updates outside your AWS environment**  
In the recipient’s AWS environment, Audit Manager doesn’t detect the rule update. This is because senders and recipients each work in separate AWS environments. The following table provides recommended actions for this scenario.


| Your role | Scenario | Recommended action | 
| --- | --- | --- | 
| Sender | [See the AWS documentation website for more details](http://docs.aws.amazon.com/audit-manager/latest/userguide/framework-issues.html) | Contact the recipient to let them know about the update. That way, they can make the same update and stay in sync with the latest rule definition. | 
| Recipient | [See the AWS documentation website for more details](http://docs.aws.amazon.com/audit-manager/latest/userguide/framework-issues.html) | Make the corresponding rule update in your own instance of AWS Config. | 

# Troubleshooting notification issues



You can use the information on this page to resolve common notification issues in Audit Manager.

**Topics**
+ [I specified an Amazon SNS topic in Audit Manager, but I'm not receiving any notifications](#missing-notifications)
+ [I specified a FIFO topic, but I'm not receiving notifications in the expected order](#wrong-order-notifications)

## I specified an Amazon SNS topic in Audit Manager, but I'm not receiving any notifications


If your Amazon SNS topic uses AWS KMS for server-side encryption (SSE), you might be missing the required permissions for your AWS KMS key policy. You might also fail to receive notifications if you didn't subscribe an endpoint to your topic.

If you aren't receiving notifications, make sure that you did the following:
+ You attached the required permissions policy to your KMS key. For an example policy that you can use, see [Example 2 (Permissions for the KMS key that's attached to the SNS topic)](security_iam_id-based-policy-examples.md#sns-key-permissions).
+ You subscribed an endpoint to the topic that the notifications are sent through. When you subscribe an email endpoint to a topic, you receive an email asking you to confirm your subscription. You must confirm your subscription to start receiving email notifications. For more information, see [Getting Started](https://docs.aws.amazon.com/sns/latest/dg/sns-getting-started.html) in the *Amazon SNS Developer Guide*.

## I specified a FIFO topic, but I'm not receiving notifications in the expected order


Audit Manager supports sending notifications to FIFO SNS topics. However, the order in which Audit Manager sends notifications to your FIFO topics isn't guaranteed.

# Troubleshooting permission and access issues



You can use the information on this page to resolve common permission issues in Audit Manager.

**Topics**
+ [I followed the Audit Manager setup procedure, but I don't have enough IAM privileges](#insufficient-iam-privileges)
+ [I specified someone as an audit owner, but they still don’t have full access to the assessment. Why is this?](#audit-owner-missing-access)
+ [I can't perform an action in Audit Manager](#cannot-perform-action)
+ [I want to allow people outside of my AWS account to access my Audit Manager resources](#want-to-allow-access-to-resources)
+ [I see an Access Denied error, despite having the required Audit Manager permissions](#access-denied-due-to-scp)
+ [Additional resources](#permissions-see-also)

## I followed the Audit Manager setup procedure, but I don't have enough IAM privileges


The user, role, or group that you use to access Audit Manager must have the required permissions. Moreover, your identity-based policy shouldn't be too restrictive. Otherwise, the console won't function as intended. This guide provides an example policy that you can use to [Allow the minimum permissions required to enable Audit Manager](security_iam_id-based-policy-examples.md#security_iam_id-based-policy-examples-console). Depending on your use case, you might need broader, less restrictive permissions. For example, we recommend that audit owners have [administrator access](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html). This is so that they can modify Audit Manager settings and manage resources such as assessments, frameworks, controls, and assessment reports. Other users, such as delegates, might only need [management access](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_id-based-policy-examples.html#management-access) or [read-only](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_id-based-policy-examples.html#read-only) access.

Make sure that you add the appropriate permissions for your user, role, or group. For audit owners, the recommended policy is [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html). For delegates, you can use [the management access example policy](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_id-based-policy-examples.html#management-access) that's provided on the [IAM policy examples](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_id-based-policy-examples.html) page. You can use these example policies as a starting point, and make changes as necessary to fit your requirements.

We recommend that you take time to customize your permissions to meet your specific requirements. If you need help with IAM permissions, contact your administrator or [AWS Support](https://aws.amazon.com/contact-us/).

## I specified someone as an audit owner, but they still don’t have full access to the assessment. Why is this?


Specifying someone as an audit owner alone doesn't provide them with full access to an assessment. Audit owners must also have the necessary IAM permissions to access and manage Audit Manager resources. In other words, in addition to [specifying a user as an audit owner](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-assessments.html#choose-audit-owners), you must also attach the [necessary IAM policies](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-personas) to that user. The idea behind this is that, by requiring both, Audit Manager ensures that you have full control over all of the specifics of each assessment.

**Note**  
For audit owners, we recommend that you use the [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) policy. For more information, see [Recommended policies for user personas in AWS Audit Manager](security_iam_service-with-iam.md#security_iam_service-with-iam-id-based-policies-personas).

## I can't perform an action in Audit Manager


If you don't have the necessary permissions to use the AWS Audit Manager console or Audit Manager API operations, you will likely encounter an `AccessDeniedException` error. 

To resolve this issue, you must contact your administrator for assistance. Your administrator is the person that provided you with your sign-in credentials. 

## I want to allow people outside of my AWS account to access my Audit Manager resources


You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.

To learn more, consult the following:
+ To learn whether Audit Manager supports these features, see [How AWS Audit Manager works with IAM](security_iam_service-with-iam.md).
+ To learn how to provide access to your resources across AWS accounts that you own, see [Providing access to an IAM user in another AWS account that you own](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*.
+ To learn how to provide access to your resources to third-party AWS accounts, see [Providing access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*.
+ To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*.
+ To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

## I see an Access Denied error, despite having the required Audit Manager permissions


If your account is a part of an organization, it’s possible that the `Access Denied` error is caused by a [service control policy (SCP)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html). SCPs are policies that are used to manage permissions for an organization. When an SCP is in place, it can deny specific permissions to all member accounts, including the delegated administrator account that you use in Audit Manager.

For example, if your organization has an SCP in place that denies permissions for AWS Control Catalog APIs, you can't view the resources that are provided by Control Catalog. This is true even if you otherwise have the required permissions for Audit Manager, such as the [AWSAuditManagerAdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSAuditManagerAdministratorAccess.html) policy. The SCP overrides the managed policy permissions by explicitly denying access to the Control Catalog APIs.

Here’s an example of such an SCP. With this SCP in place, your delegated administrator account is denied access to the common controls, control objectives, and control domains that are needed to use the common controls feature in Audit Manager. 

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "controlcatalog:ListCommonControls",
                "controlcatalog:ListObjectives",
                "controlcatalog:ListDomains"
            ],
            "Resource": "*"
        }
    ]
}
```

To resolve this issue, we recommend that you take the following steps:

1. Confirm if an SCP is attached to your organization. For instructions, see [Getting information about your organization's policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_info-operations.html) in the *AWS Organizations User Guide*. 

1. Identify if the SCP is causing the `Access Denied` error.

1. Update the SCP to ensure that your delegated administrator account has the necessary access for Audit Manager. For instructions, see [Updating an SCP](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_create.html#update_policy) in the *AWS Organizations User Guide*.
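Two of the policy checks on this page (the CSV export bucket policy that must allow `s3:PutObject` for the CloudTrail service principal, and an SCP that must not deny the Control Catalog actions) can be run offline against a downloaded policy document. The following script is an added example, not code from the Audit Manager documentation; the bucket name, object key and account ID are constructed, and it deliberately ignores `Condition`, `NotAction` and `NotResource`, so a passing result is necessary but not sufficient. It goes slightly beyond the page by resolving action wildcards such as `controlcatalog:List*`, which the literal SCP on the page does not use but which would block access just the same.

```python
import fnmatch

# Control Catalog actions listed in the SCP example on this page.
CONTROL_CATALOG_ACTIONS = (
    "controlcatalog:ListCommonControls",
    "controlcatalog:ListObjectives",
    "controlcatalog:ListDomains",
)


def _as_list(value):
    """Action, Resource and Principal.Service may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and accept * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, arn):
    """ARNs are case-sensitive; * and ? wildcards are allowed in the pattern."""
    return fnmatch.fnmatchcase(arn, pattern)


def _service_principals(stmt):
    """Service principals a resource policy statement applies to ('*' = anyone)."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("Service"))
    return []


def statement_covers(stmt, effect, action, resource=None, service=None):
    """True if stmt has the given Effect and its Action (plus Resource and
    service Principal, when supplied) match. Conditions are not evaluated."""
    if stmt.get("Effect") != effect:
        return False
    if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
        return False
    if resource is not None and not any(
        _resource_matches(p, resource) for p in _as_list(stmt.get("Resource"))
    ):
        return False
    if service is not None and not any(
        p in ("*", service) for p in _service_principals(stmt)
    ):
        return False
    return True


def bucket_policy_allows_cloudtrail_put(policy, object_arn):
    """Export prerequisite from this page: an Allow for s3:PutObject that
    covers the object ARN and names CloudTrail as the service principal."""
    return any(
        statement_covers(s, "Allow", "s3:PutObject", resource=object_arn,
                         service="cloudtrail.amazonaws.com")
        for s in _as_list(policy.get("Statement"))
    )


def scp_denied_actions(scp, actions=CONTROL_CATALOG_ACTIONS):
    """Subset of `actions` that the SCP explicitly denies; wildcard patterns
    such as controlcatalog:* or controlcatalog:List* are resolved."""
    statements = _as_list(scp.get("Statement"))
    return sorted(a for a in actions
                  if any(statement_covers(s, "Deny", a) for s in statements))


# ---- Constructed sample documents (not taken from any real account) --------
# The SCP shown on this page.
PAGE_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Resource": "*",
     "Action": ["controlcatalog:ListCommonControls",
                "controlcatalog:ListObjectives",
                "controlcatalog:ListDomains"]}]}
# Same effect via a wildcard, which a plain string search for the action names misses.
WILDCARD_SCP = {"Version": "2012-10-17", "Statement": {
    "Effect": "Deny", "Action": "controlcatalog:List*", "Resource": "*"}}
# Constructed bucket and key; Audit Manager's real export key layout is not assumed.
EXPORT_OBJECT_ARN = "arn:aws:s3:::example-audit-exports/evidence-finder/results.csv"
GOOD_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-audit-exports/*"}]}
# Grants PutObject to an account principal only, so the CloudTrail check fails.
BAD_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-audit-exports/*"}]}

if __name__ == "__main__":
    print("page SCP denies:     ", scp_denied_actions(PAGE_SCP))
    print("wildcard SCP denies: ", scp_denied_actions(WILDCARD_SCP))
    print("good bucket policy ok:",
          bucket_policy_allows_cloudtrail_put(GOOD_BUCKET_POLICY, EXPORT_OBJECT_ARN))
    print("bad bucket policy ok: ",
          bucket_policy_allows_cloudtrail_put(BAD_BUCKET_POLICY, EXPORT_OBJECT_ARN))
```

To run it against a real SCP, fetch the document with `aws organizations describe-policy` and `json.loads` the `Content` field before passing it to `scp_denied_actions`.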

## Additional resources


The following pages contain troubleshooting guidance for other issues that can be caused by missing permissions:
+ [I can’t see any controls or control sets in my assessment](control-issues.md#cannot-view-controls)
+ [The custom rule option is unavailable when I’m configuring a control data source](control-issues.md#custom-rule-option-unavailable)
+ [I get an *access denied* error when I try to generate a report](assessment-report-issues.md#assessment-report-access-denied-error)
+ [I get an *access denied* error when I try to generate an assessment report using my delegated administrator account](delegated-admin-issues.md#delegated-admin-access-denied-error)
+ [I can't enable evidence finder](evidence-finder-issues.md#cannot-enable-evidence-finder)
+ [I can't disable evidence finder](evidence-finder-issues.md#cannot-disable-evidence-finder)
+ [My search query fails](evidence-finder-issues.md#cannot-start-query)
+ [I specified an Amazon SNS topic in Audit Manager, but I'm not receiving any notifications](notification-issues.md#missing-notifications)