AWS Audit Manager Is Closed to New Customers: What This Means for Compliance on AWS
In April 2026, AWS Audit Manager entered maintenance mode and is closed to all new accounts.
AWS Audit Manager Alternatives & Next Steps for Customers
Key Takeaways:
- Several industry frameworks previously supported by AWS have been cut, including GDPR, SOC 2, ISO 27001, and more.
- Existing Audit Manager customers can continue operating but the service will no longer be supported or updated.
- Security Hub and AWS Config Conformance Packs can replace some functionality, but only for select frameworks, and they do not produce audit-ready evidence like Audit Manager did.
- AWS documentation recommends third-party tools to fill the compliance gap, specifically pointing to Vanta or Drata, which are geared for GRC teams with established compliance programs.
- Seeking an alternative compliance solution? Kalos provides continuous posture monitoring along with prioritized remediation recommendations to improve compliance scores.
AWS Audit Manager Reaches End of Support
On April 30, 2026, AWS Audit Manager entered maintenance mode and is no longer available to new customers. For teams currently building a compliance program on AWS, particularly those working toward SOC 2, HIPAA, or GDPR, the closure leaves a gap in AWS's tooling that has no native replacement.
The gap is especially relevant for smaller engineering teams. AWS's recommendation to "use a third-party GRC platform" assumes budget and operational capacity that most SMBs and growth-stage startups don't have. The leading SOC 2 compliance software platforms AWS explicitly recommends, Vanta and Drata, start at $7,500–$12,000 per year at their entry tiers and commonly run $25,000–$55,000 per year for a growing company before the audit cost is factored in.
This article explains what Audit Manager was, why AWS stepped back from this category, and what the compliance landscape looks like today for teams evaluating an AWS Audit Manager alternative, particularly those that need SOC 2, ISO 27001, or GDPR coverage.
If you're an existing Audit Manager customer, there's also info on what maintenance mode means for your program over time.
What AWS Audit Manager Was Designed to Do
Audit Manager launched in 2020, positioned as a bridge between AWS's security posture tooling and the evidence requirements of formal audits. It addressed something that Security Hub and AWS Config, despite being powerful tools, were never built to handle: organizing proof of compliance into a format that auditors use.
In practice, Audit Manager pulled from four data sources simultaneously: AWS API calls, Security Hub compliance findings, CloudTrail event logs, and Config Rules. That evidence was then mapped to specific control requirements within a given framework. If a SOC 2 audit required evidence that encryption was enforced on S3 buckets during the audit period, Audit Manager collected configuration snapshots, timestamped them, and tied them to the relevant control. Teams could assign control sets to subject-matter experts, add review comments, and export formal assessment reports in PDF.
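To make the evidence-mapping step concrete, here is an added example (not AWS's or Audit Manager's code, and not from the original article) that groups AWS Config evaluation results by control for an audit period and flags controls with no in-period evidence. The rule-to-control mapping, control IDs, resource names and sample records are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime

# Hypothetical rule-to-control mapping; control IDs are illustrative only.
CONTROL_MAP = {
    "s3-bucket-server-side-encryption-enabled": "SOC2-CC6.1",
    "encrypted-volumes": "SOC2-CC6.7",
}

def _result(rule, rtype, rid, status, recorded):
    """Build one record shaped like an AWS Config EvaluationResult."""
    qualifier = {"ConfigRuleName": rule, "ResourceType": rtype, "ResourceId": rid}
    return {"EvaluationResultIdentifier": {"EvaluationResultQualifier": qualifier},
            "ComplianceType": status, "ResultRecordedTime": recorded}

# Constructed sample data, not output from a real account.
SAMPLE_RESULTS = [
    _result("s3-bucket-server-side-encryption-enabled", "AWS::S3::Bucket",
            "example-logs", "COMPLIANT", "2026-02-03T10:15:00+00:00"),
    _result("s3-bucket-server-side-encryption-enabled", "AWS::S3::Bucket",
            "example-uploads", "NON_COMPLIANT", "2026-03-11T08:00:00+00:00"),
    _result("encrypted-volumes", "AWS::EC2::Volume",
            "vol-0example", "COMPLIANT", "2025-11-20T09:00:00+00:00"),
]

def build_evidence(results, period_start, period_end):
    """Group in-period evaluations by control and derive a per-control status."""
    start = datetime.fromisoformat(period_start)
    end = datetime.fromisoformat(period_end)
    report = {c: {"status": "NO_EVIDENCE", "items": []} for c in CONTROL_MAP.values()}
    for res in results:
        q = res["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        control = CONTROL_MAP.get(q["ConfigRuleName"])
        recorded = datetime.fromisoformat(res["ResultRecordedTime"])
        if control is None or not (start <= recorded <= end):
            continue  # unmapped rule, or evidence outside the audit period
        # Digest of the canonical record lets a reviewer detect later edits.
        digest = hashlib.sha256(json.dumps(res, sort_keys=True).encode()).hexdigest()
        entry = report[control]
        entry["items"].append({"resource": q["ResourceId"], "sha256": digest,
                               "recorded": res["ResultRecordedTime"],
                               "compliance": res["ComplianceType"]})
        if res["ComplianceType"] == "NON_COMPLIANT":
            entry["status"] = "FAIL"  # any in-period failure fails the control
        elif res["ComplianceType"] == "COMPLIANT" and entry["status"] != "FAIL":
            entry["status"] = "PASS"
    return report
```

A control that stays at NO_EVIDENCE is the case that matters for period-based audits: the rule may be passing today, but nothing was recorded inside the audit window.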
The important distinction for understanding Audit Manager's value: Security Hub generates operational alerts that tell engineers what to fix. Audit Manager collected and organized proof that issues were addressed, in a form structured for auditors, not engineers. The two tools were solving different problems. Security Hub alone cannot substitute for what Audit Manager provided.
Audit Manager also covered a meaningfully broader set of frameworks than Security Hub. Security Hub CSPM covers four standards: AWS Foundational Security Best Practices, CIS, PCI DSS, and NIST 800-53. Audit Manager covered 30 prebuilt frameworks, including SOC 2, HIPAA, GDPR, ISO/IEC 27001, FedRAMP, CIS, and NIST 800-171. That coverage is now unavailable to any new account.
Why AWS Stepped Back from the Compliance Evidence Category
AWS's decision to end support and close Audit Manager to new customers fits a pattern that has been visible since 2024. Starting that year, AWS began a systematic culling of services with low adoption or limited strategic alignment: CodeCommit and App Mesh were closed to new customers in 2024, and in October 2025 AWS moved more than 20 additional services to maintenance mode or sunset status across categories including developer tooling, IoT, and modernization services.
Too Niche
Independent AWS observers characterized the broader pattern as AWS clearing out services that were launched to solve specific problems but never achieved meaningful adoption. One widely-cited takeaway from the October 2025 announcement: "Don't build something integral to your product on a fringe service."
Too Complex
Audit Manager fits that characterization reasonably well. It was a specialized tool serving a specific workflow of formal audit evidence preparation. It required significant setup, ongoing management, and reliance on AWS Config running underneath it. The teams most likely to invest in configuring it properly were also the teams most likely to already have a GRC platform handling compliance workflows. For smaller teams without dedicated compliance staff, the operational complexity was a barrier.
Crossover with AWS's Own Compliance
There is also a structural reason why compliance evidence for frameworks like SOC 2 and GDPR sits awkwardly for AWS as a service provider. The AWS Shared Responsibility Model explains that AWS secures the infrastructure, and customers are responsible for how they configure services, manage access, and handle data.
AWS's own compliance, covering its infrastructure and operations, is documented and accessible through AWS Artifact. But evidence that your workloads meet a given framework's requirements is inherently customer-specific. Building and maintaining a tool to collect and package that evidence, across dozens of frameworks that evolve over time with control mappings that must track every new AWS service, is a significant ongoing commitment for a service that competes directly with a well-funded third-party ecosystem, which AWS benefits from by hosting on its Marketplace. Both Vanta and Drata, the tools AWS explicitly named in its documentation as alternatives to Audit Manager, are sold through the AWS Marketplace.
Whether the decision came down primarily to adoption numbers, strategic focus on AI and core infrastructure, or the inherent awkwardness of AWS certifying customer compliance, the outcome is the same: a new team starting their compliance program on AWS today has no native path to SOC 2, ISO 27001, or GDPR coverage.
AWS Artifact: A Different Service That Often Gets Conflated with Audit Manager
Because both services have "compliance" in their descriptions and both surface in searches about AWS and SOC 2, Artifact and Audit Manager were frequently confused.
AWS Artifact is a repository of AWS's own compliance certifications, including SOC 2 reports for AWS infrastructure, ISO 27001, PCI DSS attestations, and similar documents. It answers the question of whether AWS is compliant. It's free, self-service, and unaffected by the Audit Manager news. Every AWS customer can access these reports from the Artifact console and share them with auditors to document the compliance posture of the platform they're running on.
Audit Manager addressed a different question: whether your workloads running on AWS are compliant. An AWS SOC 2 report from Artifact tells an auditor that Amazon's data centers and internal operations meet the relevant Trust Services Criteria. It says nothing about whether your application properly restricts access, logs activity, encrypts customer data, or handles incidents according to your own controls. That evidence is what Audit Manager helped collect.
Both are relevant to a comprehensive compliance program. AWS Artifact remains fully available and should still be referenced in any audit that includes AWS infrastructure. The gap left by Audit Manager's maintenance mode is entirely on the customer-side evidence collection.
What the AWS-Native Compliance Landscape Looks Like Today
For a team starting a compliance program on AWS, the available native tools cover different parts of the problem:
AWS Security Hub CSPM runs continuous automated checks against AWS resources using four standards: AWS Foundational Security Best Practices, CIS, PCI DSS, and NIST 800-53. It generates findings when configurations deviate from a standard and supports automated remediation through EventBridge.
Security Hub CSPM now bundled in "Security Hub Essentials" - A 2025 restructuring announced at re:Invent bundled CSPM with Amazon Inspector vulnerability scanning and partial GuardDuty coverage into "AWS Security Hub Essentials" at $3.75 per resource unit per month. Security Hub is well-suited for continuous posture monitoring, though it's most commonly deployed by larger security teams and enterprises. Smaller engineering teams often don't adopt it due to cost.
Note: Security Hub does not cover SOC 2, HIPAA, GDPR, ISO 27001, or FedRAMP, and it does not produce audit evidence.
AWS Config Conformance Packs deploy collections of Config rules across accounts and regions using prebuilt templates. AWS recommends these as an alternative to Audit Manager for configuration-based compliance monitoring. Teams can build custom mappings, but Conformance Packs provide rule deployment and monitoring, not evidence packaging, delegation workflows, or assessment reports.
Note: There are no AWS Conformance Pack templates for SOC 2, ISO 27001, or GDPR.
AWS Config itself remains available and is a dependency for both of the above options. Config's configuration item charges are often the largest cost component in any compliance monitoring stack built on native AWS tooling.
For SOC 2, HIPAA, GDPR, or ISO 27001 coverage, AWS documentation acknowledges the gap and points to third-party tools.
What Existing Audit Manager Customers Should Do Next
Existing customers can continue using Audit Manager in accounts and regions where it was already configured. Near-term: assessments continue to run, evidence collection continues, and existing framework mappings remain in place.
The longer-term concern is framework drift due to lack of support or updates. Audit Manager's compliance mappings reflect the state at the time the service was frozen, even as you add new AWS services to your environment. That gap is manageable short-term, but will become progressively harder to ignore.
You'll continue to be charged if you stay on Audit Manager. The charge of $1.25 per 1,000 resource assessments is modest, but you also incur costs from AWS Config, which Audit Manager depends on for evidence collection.
The bottom line is you'll need to find another tool (spreadsheet or software) to replace Audit Manager's evidence collection. AWS recommends Vanta or Drata, but if you're price sensitive, consider evaluating Strike Graph, Sprinto, or Scytale, which are designed for engineering-led teams rather than dedicated GRC staff.
Whichever evidence workflow you use, the underlying compliance posture data has to come from somewhere. Kalos runs continuous checks against your AWS environment across SOC 2, HIPAA, GDPR, ISO 27001, FedRAMP, and additional frameworks, with per-control pass/fail status and step-by-step remediation guidance.
I'm Building a New Compliance Program - Which Tool Is Best?
The right approach depends on which framework you're pursuing and whether you need to prove a point-in-time posture or ongoing compliance over a sustained period. For point-in-time attestations, such as SOC 2 Type I, ISO 27001 initial certification, or a one-time HIPAA risk assessment, a well-structured spreadsheet is a legitimate starting point. Free templates are widely available, and this walkthrough covers building a compliance audit tracker in a spreadsheet.
If you need ongoing compliance, as with SOC 2 Type II, ISO 27001 surveillance audits, FedRAMP continuous monitoring, and GDPR, the documentation must demonstrate that controls operated correctly across a period of months, not at a single point in time. This is what compliance software is designed to handle; see the vendor suggestions above.
Ultimately, the compliance evidence layer, which is the part Audit Manager covered, now requires a separate tool. There is no longer an AWS native solution for evidence collection.
Why Kalos for Your Compliance Program?
Continuously monitor your AWS environment against SOC 2, HIPAA, GDPR, ISO 27001, FedRAMP, PCI, NIST, and CIS standards with Kalos, designed to be affordable for SMBs. Beyond compliance, Kalos includes cost optimization, waste reduction, and automation features that make ongoing infrastructure management sustainable for lean teams.
If you're evaluating compliance software after Audit Manager's closure and want to understand what coverage looks like for your specific AWS environment, use the form below to get in touch with us or check your compliance posture in a free trial.
FAQs
Yes, with limitations. Existing customers can continue running assessments in the accounts and regions where Audit Manager was already configured before April 30, 2026. They cannot extend it to new accounts, new regions, or new AWS Organizations. The service remains functional but will not receive new features, framework updates, or support for new AWS services going forward.
No, not for new accounts since Audit Manager closed to new customers in mid-2026.
AWS Security Hub doesn't cover SOC 2. Config Conformance Packs have no first-party SOC 2 templates. AWS Artifact provides AWS's own SOC 2 certifications, which every customer should reference in an audit, but it documents AWS's compliance, not yours. For customer-side SOC 2 evidence, AWS's documentation points to third-party tools, such as Kalos.
At a minimum: continuous compliance checks across your AWS resources and timestamped evidence collection. The broader the framework coverage (SOC 2, HIPAA, GDPR, ISO 27001, etc.), the less you need to add separate tooling/fees as your compliance program matures. For SMBs without a GRC team, managed onboarding and clear remediation guidance matter as much as the feature set.

Sources
- AWS. "Audit Manager Availability Change." AWS Documentation. https://docs.aws.amazon.com/audit-manager/latest/userguide/audit-manager-availability-change.html
- AWS. "What Is AWS Audit Manager." AWS Documentation. https://docs.aws.amazon.com/audit-manager/latest/userguide/what-is.html
- AWS. "AWS Products Lifecycle." https://aws.amazon.com/products/lifecycle/
- AWS. "AWS Config Conformance Packs." AWS Documentation. https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
- Wiggers, Steef-Jan. "AWS Culls Portfolio: Over 20 Services Shift to Maintenance or Sunset." InfoQ, October 29, 2025. https://www.infoq.com/news/2025/10/aws-service-portfolio-cull/
- Southwick, Kevin. "AWS Audit Manager vs Security Hub 2026: Key Differences." AWSight Blog, April 16, 2026. https://awsight.com/blog.html?p=audit-manager-vs-security-hub
- Moncada, Oscar. "The Pros and Cons of AWS Audit Manager." Substack, January 1, 2026. https://oscarmoncada.substack.com/p/the-pros-and-cons-of-aws-audit-manager
- "Vanta Pricing 2026: Real Costs, Plans & How to Negotiate." SecureLeap. https://www.secureleap.tech/blog/vanta-review-pricing-top-alternatives-for-compliance-automation
- "Drata Pricing 2026: 4 Plans from $15,000–$100,000/year." CostBench. https://costbench.com/software/compliance-management/drata/
- "SOC 2 Software Pricing Comparison (2026): 12 Platforms." SOC 2 Auditors. https://soc2auditors.org/insights/soc-2-software-pricing-comparison/