Compliance Frameworks
BETA// Beta Mapping Disclaimer
Framework mappings are currently in beta. These references are generated based on technical specifications and common industry alignments. Mappings may be incomplete or inaccurate; always consult with a qualified auditor for official compliance validation.
Overview
Maintain comprehensive documentation of the Landing Zone configuration, policies, and procedures in a centralized repository (e.g., Confluence, Git) and automate evidence collection via AWS Audit Manager.
Detailed documentation is critical for compliance audits, operational continuity, and disaster recovery. It must cover the OU structure, SCP/RCP catalog, network architecture, and security baselines. Integrating this with AWS Audit Manager allows for automated mapping of these configurations to compliance frameworks, reducing manual audit effort.
Without a central 'Source of Truth' and automated evidence collection, proving compliance is resource-intensive and error-prone. Documentation ensures institutional knowledge is preserved and audits are streamlined.
Remediation Strategy
Establish a centralized documentation hub (Confluence/Wiki or Git) and configure AWS Audit Manager for automated evidence collection.
Create a dedicated Confluence space or Git repository for Landing Zone documentation.
Document the OU hierarchy, account baseline standards, and network design.
Catalog all Service Control Policies (SCPs) and Resource Control Policies (RCPs).
Enable AWS Audit Manager and create an assessment targeting the Landing Zone accounts to automate evidence collection.
aws auditmanager create-assessment \
--name "LandingZone-Compliance" \
--framework-id "custom-framework-id" \
--scope "awsAccounts=[{id=123456789012}]" \
--roles "roleType=PROCESS_OWNER,roleArn=<role-arn>" \
--assessment-reports-destination "destinationType=S3,destination=s3://audit-manager-reports-bucket"Enforcement Logic
Check for the existence of an active AWS Audit Manager assessment and verify that the documentation repository has been updated within the last quarter.
aws auditmanager list-assessments --status ACTIVEAWS Audit Manager is transitioning to maintenance mode. From April 30th 2026, customers will no longer be able to set up the service in new accounts. Existing customers can continue to use the service in previously enabled accounts and regions, including creating new Assessments and adding organizational accounts to existing management account setups. However, no new regions, organizations, or major features/frameworks will be supported. Documentation in Confluence/Git remains the primary non-service-dependent source of truth.