AWS Audit Manager will no longer be open to new customers starting April 30, 2026. If you would like to use Audit Manager, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see AWS Audit Manager availability change.
AWS Audit Manager availability change
AWS Audit Manager is a service that enables you to view and report on the compliance posture of your AWS resources with control frameworks such as SOC2, PCI DSS, and HIPAA. Audit Manager is transitioning to maintenance mode and from April 30th 2026 customers will no longer be able to set up the service in new accounts. Existing customers who have set up Audit Manager for a single account within a region can continue to use the service for that account within that region, including creating new Assessments; but they will not be able to set up Audit Manager for additional regions or new accounts. Customers who have set up Audit Manager within the management account of an organization will be able to add accounts from that organization to assessments; but they will not be able to extend usage to additional regions or set up Audit Manager for new organizations.
While in maintenance mode, the service team will continue to support the service. This includes code fixes and maintaining the data source mappings for the currently supported frameworks. However, the service team will not build new features, nor add support for new frameworks or new versions of existing frameworks, nor add new region support.
Customers seeking compliance management solutions are encouraged to explore the Conformance Packs in AWS Config. Conformance Packs provide a means to deploy and monitor detective controls, in form of Config Rules, across multiple accounts and regions. They offer pre-built templates for common frameworks (like HIPAA, NIST, PCI-DSS) and allow custom rule creation. Conformance Packs can be managed at the level of a single account or across all member accounts in an organization in AWS Organizations.
Having deployed a Conformance Pack, you can view the compliance status of your resources within the associated dashboard. Alternatively, you can use the Config Resource Compliance Dashboard to view an inventory of your AWS resources, along with their compliance status, across multiple AWS accounts and Regions.
Limitations of Conformance Packs for Audit Manager customers
AWS Config does not currently offer Conformance Pack templates for all of the frameworks supported by Audit Manager, including SOC2 and GDPR. The table below provides a mapping, highlighting where gaps exist today. For updates on available Conformance Pack templates reference the product documentation.
AWS Config does not provide an audit reporting feature that is directly equivalent to the Audit Manager export. However, customers can export evidence to support Compliance Statuses from AWS Config using one or more of the mechanisms described in the section below.
From the Conformance Pack dashboards, customers can view the compliance status for each of the associated Config Rules. Customers can drill down on a rule and view the status of each individual resource and the evidence, in the form of the Configuration Item for that resource.
AWS Config records only Configuration Items (CIs) as evidence of compliance. Unlike Audit Manager it does not collect AWS CloudTrail logs, AWS Security Hub Controls or make API calls to target services. The evidence collected by AWS Config is less exhaustive, but easier to navigate. All of the evidence collected by AWS Config is mapped to a compliance status for an AWS resource, via a Config Rule. Consequently, unlike Audit Manager, AWS Config does not present 'inconclusive' evidence.
Mapping AWS Audit Manager Frameworks to AWS Config Conformance Packs
| AWS Audit Manager Framework | AWS Config Conformance Pack Template |
|---|---|
| ACSC Essential Eight | Operational Best Practices for ACSC Essential 8 |
| ACSC ISM 02 March 2023 | Operational Best Practices for ACSC ISM - Part 1; Operational Best Practices for ACSC ISM - Part 2 |
| Audit Manager Sample Framework | -- No equivalent -- |
| AWS Control Tower Guardrails | AWS Control Tower Detective Guardrails Conformance Pack |
| AWS Generative AI Best Practices Framework v2 | Operational Best Practices for AI and ML |
| AWS License Manager | -- No equivalent -- |
| AWS Foundational Security Best Practices | Operational Best Practices for AWS Well-Architected Framework Security Pillar, plus Security Best Practice packs for multiple individual services |
| AWS Operational Best Practices | -- No equivalent -- |
| AWS Well-Architected Framework WAF v10 | Operational Best Practices for AWS Well-Architected Framework Reliability Pillar; Operational Best Practices for AWS Well-Architected Framework Security Pillar |
| CCCS Medium Cloud Control | Operational-Best-Practices-for-CCCS-Medium |
| CIS AWS Benchmark v1.2.0 | -- No equivalent -- |
| CIS AWS Benchmark v1.3.0 | -- No equivalent -- |
| CIS AWS Benchmark v1.4.0 | Operational-Best-Practices-for-CIS-AWS-v1.4-Level1; Operational-Best-Practices-for-CIS-AWS-v1.4-Level2 |
| CIS Controls v7.1, IG1 | -- No equivalent -- |
| CIS Critical Security Controls version 8.0, IG1 | Operational-Best-Practices-for-CIS-Critical-Security-Controls-v8-IG1 |
| FedRAMP Security Baseline Controls r4 | Operational-Best-Practices-for-FedRAMP(Low); Operational-Best-Practices-for-FedRAMP(Moderate); Operational-Best-Practices-for-FedRAMP(High Part 1); Operational-Best-Practices-for-FedRAMP(High Part 2) |
| GDPR 2016 | -- No equivalent -- |
| Gramm-Leach-Bliley Act | Operational-Best-Practices-for-Gramm-Leach-Bliley-Act |
| Title 21 CFR Part 11 | Operational-Best-Practices-for-FDA-21CFR-Part-11 |
| EU GMP Annex 11, v1 | Operational-Best-Practices-for-GxP-EU-Annex-11 |
| HIPAA Security Rule: Feb 2003 | Operational-Best-Practices-for-HIPAA-Security |
| HIPAA Omnibus Final Rule | Operational-Best-Practices-for-HIPAA-Security |
| ISO/IEC 27001:2013 Annex A | -- No equivalent -- |
| NIST SP 800-53 Rev 5 | Operational-Best-Practices-for-NIST-800-53-rev-5 |
| NIST Cybersecurity Framework v1.1 | Operational-Best-Practices-for-NIST-CSF |
| NIST SP 800-171 Rev 2 | Operational-Best-Practices-for-NIST-800-171 |
| PCI DSS V3.2.1 | Operational Best Practices for PCI DSS 3.2.1 |
| PCI DSS V4.0 | Operational-Best-Practices-for-PCI-DSS-v4.0 |
| SSAE-18 SOC 2 | -- No equivalent -- |
Exporting evidence from AWS Config
- AWS Config Advanced Query (Recommended for exporting individual resource Configuration Items as evidence)
-
You can use SQL queries in the AWS Config console to select specific resources and export their current configuration in CSV or JSON format.
-
How: Go to AWS Config > Advanced queries.
-
Query Example:
SELECT resourceId, resourceType, configuration, tags, compliance WHERE resourceType = 'AWS::EC2::Instance' AND resourceId = 'i-xxxxxxxxx' -
Export: Click "Run" and then "Export results" to CSV.
-
Best for: Curated reports on a subset of resources.
-
- GetResourceConfigHistory API (Recommended for full history)
-
If auditors need to see the compliance state of a resource over a specific time period (not just current state), use the CLI/API.
-
How: Use the
get-resource-config-historycommand in the AWS CLI. -
Command Example:
aws configservice get-resource-config-history \ --resource-typeAWS::EC2::Instance\ --resource-idi-xxxxxxxxx\ --regionus-east-1 -
Output: Returns a detailed JSON object of configuration changes, including compliance status at the time of each change.
-
- Amazon Athena and Amazon Quick (Recommended for filtered queries across multiple resources)
-
Customers can use Amazon Athena to build and run SQL-based queries against resource configuration data recorded by AWS Config. Customers can also import the data into Amazon Quick to create analyses and dashboards. For more information, see Visualizing AWS Config data using Amazon Athena and Amazon Quick
.
Comparing compliance solutions
| Feature | AWS Audit Manager | AWS Config – Conformance Packs |
|---|---|---|
| Managed Controls | Provides 35 managed frameworks, including regulatory and industry frameworks, such as SOC2, PCI DSS, and HIPAA, and AWS best practice frameworks. | Provides over 100 pre-defined Conformance Pack templates - including regulatory and industry packs, such as PCI DSS, and HIPAA, and AWS Operational Best practice packs. |
| Customization | Create custom Controls and custom Frameworks. | Create custom Rules and self-defined templates. |
| Set up | Create Assessments based on a framework. | Deploy a Conformance Pack. |
| Evidence collection | Collects evidence from four data sources: (1) Service API calls, (2) AWS Security Hub controls, (3) AWS CloudTrail events, (4) Config Rules. Customers must first deploy Rules using AWS Config or AWS Control Tower. | Records evidence as Configuration Items supporting Config Rule evaluations. |
| Compliance dashboards | Assessment dashboards provide daily snapshot and view of controls with non-compliant evidence. | Conformance Pack dashboards provide overall compliance score, compliance timeline, and view by Rule. Drill down to view compliance posture by resource and supporting evidence, in the form of Configuration Items. |
| Remediation of non-compliant resources | Not supported. | Customers can define and initiate remediation plans. |
| Evidence formats | Config Rule evaluation results; Results of individual API calls, e.g. iam.getPolicy; AWS Security Hub findings. | Config Rule evaluation results; Configuration Items. |
| Audit Reporting | Evidence can be selected for inclusion in an Audit Report, which can be exported in PDF format. Also, supports CSV format exports from the evidence finder tool. | Individual Configuration Items can be exported through the Config Advance Query tool. Customers can create CLI scripts to export evidence via the service APIs. |
Disabling AWS Audit Manager
Disabling Audit Manager ceases the collection of new evidence, but it does not delete your existing evidence, unless you explicitly select this option. Evidence will be retained for two years from the date of its collection. As an existing customer, you can re-enable the service to gain access to evidence and restart evidence collection.
Customers can disable Audit Manager for the account, through either the settings tab in the console or the CLI.
Customers who have deployed Audit Manager for an Organization should disable the service from the Organization’s Management Account. By default, the delegated administrator account does not have the necessary permissions to disable Audit Manager for the Organization.
Additional resources
-
AWS Config – Conformance Packs documentation
-
AWS Audit Manager – Evidence Finder documentation
FAQ
- Is the AWS Audit Manager service being shutdown?
-
No. The Audit Manager Service is being moved to maintenance mode. Existing customers can continue to use the service as normal.
- Why is AWS moving Audit Manager to maintenance mode?
-
We can deliver a better and more integrated customer experience by investing in AWS Config for Compliance Management.
- Can I use AWS Config for Compliance Management today?
-
Yes. Conformance Packs in AWS Config can be used as a tool for managing AWS resource compliance with frameworks such as PCI DSS, FedRAMP, and HIPAA. Conformance Packs allow customers to collectively deploy detective controls for different frameworks and provide a dashboard that shows resource level compliance.
- What are the benefits of migrating to use AWS Config for Compliance Management?
-
For customers seeking a solution for monitoring the compliance of AWS resources with frameworks such as PCI DSS, Conformance Packs within AWS Config provides a more complete and actionable solution. Customers can (1) deploy detective controls for an individual account or an entire organization, (2) access a dashboard that displays a compliance score, (3) drill down and view the compliance status of individual resources, (4) access a timeline for a resource showing how the compliance posture changed over time, (4) pull evidence, in the form of Configuration Items, that supports the compliance status of a resource for a control.
- Are Conformance Packs in AWS Config a direct replacement for frameworks in Audit Manager?
-
No. Conformance Packs are a powerful tool that customers can use to manage the compliance posture of their AWS resources. However, Conformance Packs are not equivalent to Audit Manager Frameworks. The Conformance Pack templates provided for frameworks such as PCI DSS contain only the technical Core Controls that can be evaluated as Config Rules. A Conformance Pack template does not contain the full set of audit controls that an organization must meet to pass a PCI DSS Audit; there is no Config Rule that verifies that the organization has documented its Security Policies and Operational procedures. While Compliance Pack dashboards provide a clear signal of the compliance posture of your AWS resources evaluated by Config Rules, AWS Config does not offer a general compliance management solution to capture, organize, and share evidence for the full set of controls required by framework such as PCI DSS. Customers seeking a solution to this problem are encouraged instead to consider partner solutions, such as those from Vanta and Drata, which can be used in conjunction with AWS Config to provide an end-to-end compliance automation solution.
- Are there Conformance Packs for all frameworks supported by Audit Manager?
-
No, there are currently a number of frameworks in Audit Manager for which there is no corresponding Conformance Pack in AWS Config. The table above provides a mapping from Audit Manager frameworks to Config Conformance Packs. The most notable gaps are SOC2 and GDPR. Please monitor AWS Config 'What's New' announcements for updates on new Conformance Pack releases. In addition to the pre-defined Conformance Pack templates provided by AWS, customers can define their own Conformance Pack templates that group together with Config Rules and allow customers to define remediation actions for non-compliant resources.
- Can customers export evidence for auditors using AWS Config?
-
AWS Config provides some tooling for exporting evidence of resource compliance. See Availability Change Page for guidance on using this tooling.
- As an existing customer can I continue to use Audit Manager as normal?
-
Yes. As an existing customer you can continue to use Audit Manager as normal, including creating and maintaining Assessments, reviewing evidence, and generating Audit Reports. Customers who have deployed Audit Manager across their organization can extend Assessments to include new Accounts from the Organization.
- As an existing customer with a single account deployment, can I deploy Audit Manager for my Organization?
-
No. As of April 30, 2026, customers with single account deployments will not be able to deploy Audit Manager across an Organization.
- How do I check whether Audit Manager is set up within an account?
-
For single account deployments, customers can log into the account and navigate within the console to the Audit Manager service to see whether Audit Manager is set up within that account. For Organizations, customers should do this from within the Management Account.
- How do I disable Audit Manager?
-
Customers can disable Audit Manager for the account, through either the settings tab in the console or the CLI. Customers who have deployed Audit Manager for an Organization should disable the service from the Organization's management Account; by default the delegated Administrator account for Audit Manager does not have the necessary permissions. Disabling Audit Manager ceases the collection of new evidence, but it does not delete your existing evidence, unless you explicitly select this option. Evidence will be retained for two years from the date of its collection. As an existing customer, you can re-enable the service to gain access to evidence and restart evidence collection.
- How can I continue to access evidence once I've disabled Audit Manager?
-
The easiest way to continue to access the evidence collected by Audit Manager is to first enable Evidence Finder, prior to disabling the service. When you enable Evidence Finder Audit Manager exports evidence to a CloudTrail data lake, which you will be able to continue to access after you have disabled Audit Manager.
- How can I use AWS Control Tower for compliance management?
-
AWS Control Tower provides a catalog of preventative, proactive, and detective controls (implemented as Config Rules) that are keyed by framework. It allows you to deploy all controls relevant to these frameworks to one or more OUs within your organization. With the new controls-only experience, it is no longer a pre-requisite that the organization was created as a Landing Zone. The benefits of AWS Control Tower are that it provides you with an OU-level view of non-compliant resources. AWS Control Tower does not use Conformance Packs to deploy Config Rules and therefore you will not see the Conformance Pack unless you also deploy the Conformance Pack. Nor does it support remediation workflows.
- How can I use AWS Security Hub CSPM for compliance management?
-
For those frameworks that are mapped to a security standard, AWS Security Hub CSPM provides an alternative to AWS Config for Compliance Management and remediation within a single account. Enabling the standard from within the Security Hub CSPM console deploys a set of service-linked rules for the associated framework. Customers can view a compliance dashboard that shows the overall compliance score and the status for each control, with the option to drill down to the level of the individual resources. Security Hub CSPM allows customers to download the finding for the rule in a json format and adds a severity rating for the control that helps customers prioritize remediation plans. With central configuration you can configure Security Hub CSPM across multiple Regions, accounts, and organizational units (OUs). However, Security Hub CSPM provides security standards for only a limited number of frameworks, including NIST 800-53 and PCI-DSS.
