Create an Audit Manager assessment, define the scope and controls, and then use AWS Config rules to automatically collect evidence. Example: A security policy requiring all EC2 instances to have disk encryption enabled.

Create an Audit Manager assessment, define the scope and controls, and then manually review AWS resources to collect evidence. Example: A security policy requiring all RDS instances to be in a specific VPC.

Create an Audit Manager assessment, define the scope and controls, and then use AWS CloudTrail to automatically collect evidence. Example: A security policy requiring all Lambda functions to have a specific set of IAM permissions.