AWS Audit Manager will no longer be open to new customers starting April 30, 2026. If you would like to use Audit Manager, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS Audit Manager availability change](https://docs.aws.amazon.com/audit-manager/latest/userguide/audit-manager-availability-change.html). 

# Filter and grouping options for evidence finder
<a name="evidence-finder-filters-and-groups"></a>



On this page, you can see a list of the filter and grouping options that are available for you to use in evidence finder.

## Filter reference
<a name="filters"></a>

You can use the following filters to find evidence that matches specific criteria, such as an assessment, control, or AWS service.

**Topics**
+ [Required filters](#required-filters)
+ [Additional filters (optional)](#additional-filters)
+ [Combining filters](#combining-filters)

### Required filters
<a name="required-filters"></a>

Use these filters to get started with a high-level overview of the evidence in an assessment.


| Filter name | Description | Notes | 
| --- | --- | --- | 
|  **Assessment**  |  Returns evidence for a specific assessment.  |  You can filter by one assessment only.  | 
|  **Date range**  |  Returns evidence for a specific time period.  |  Either, you can use a *Relative range* to define a range that’s relative to today’s date (for example, **Last 30 days**).  Or, you can use an *Absolute range* to specify a specific date range (for example, **June 27th – July 4th**).  | 
| Resource compliance | Returns resources with a specific compliance check evaluation.  |  Audit Manager collects [compliance check evidence](https://docs.aws.amazon.com/audit-manager/latest/userguide/concepts.html#evidence) for controls that use AWS Config and Security Hub CSPM as a data source type. Multiple resources might be assessed during evidence collection. As a result, a single piece of compliance check evidence can include one or more resources. You can use this filter to explore compliance status at the resource level. You can choose one or more of the following options:  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/evidence-finder-filters-and-groups.html)  | 

### Additional filters (optional)
<a name="additional-filters"></a>

Use these filters to narrow the scope of your search query. For example, use **Service** to see all evidence that's related to Amazon S3. Use **Resource type** to focus just on S3 buckets. Or, use **Resource ARN** to target a specific S3 bucket.

You can create additional filters using one or more of the following criteria.


| Criteria name | Description | When to use this criteria | 
| --- | --- | --- | 
| Account ID |  Drill down by AWS account.  | Use this criteria to find evidence that's related to a specific AWS account. | 
| Control |  Drill down by control name.  |  Use this criteria to find evidence that's related to a specific control.  | 
| Control domain |  Drill down by control domain.  |  Use this criteria to focus on a specific subject area as you prepare for an audit. You can filter by control domain if you're querying an assessment that was created from a standard framework.  Examples of control domains include network security, identity and access management, and data protection. Some control domains might be marked as **Outdated** following Audit Manager's transition to a new set of control domains provided by AWS Control Catalog. For more information, see [I see that a control domain is marked as “outdated”. What does this mean?](evidence-finder-issues.md#outdated-control-domains).  | 
| Data source type |  Drill down by the type of data source.  |  Use this criteria to focus on a specific data source.  Set the value to `Manual` to find evidence that you uploaded manually. Otherwise, you can filter automated evidence based on where it came from (for example, `AWS Config`, `CloudTrail`, `Security Hub CSPM`, or `AWS API calls`).  | 
| Event name |  Drill down by event name.  |  Use this criteria to focus on a specific event that the evidence is related to. An event is a record of an activity in an AWS account.  For example, you can search for the name of an API call, such as the IAM `AttachRolePolicy` operation that's used to configure permissions. Or, search for a CloudTrail keyword, such as the `ConsoleLogin` event that's logged by CloudTrail when a user signs in to your account.  | 
| Resource ARN |  Drill down by Amazon Resource Name (ARN).  |  Use this criteria to find evidence that's related to a specific AWS resource.  | 
| Resource type |  Drill down by resource type.  | Use this criteria to focus on the type of resource that's being assessed, such as an Amazon EC2 instance or an S3 bucket. | 
| Service |  Drill down by AWS service name.  | Use this criteria to find evidence that's related to a specific AWS service, such as Amazon EC2, Amazon S3, or AWS Config. | 
| Service category |  Drill down by AWS service category.  | Use this criteria to focus on a specific category of AWS service. Examples include security, identity and compliance, database, and storage. | 

### Combining filters
<a name="combining-filters"></a>



#### Criteria behavior
<a name="criteria-behavior"></a>

When you specify more than one criteria, Audit Manager applies the `AND` operator to your selections. This means that all of the criteria are grouped into a single query, and the results must match all of the combined criteria. 

**Example**  
In the following filter setup, evidence finder returns non-compliant resources from the last 7 days for the assessment that’s called **MySOC2Assessment**. Additionally, the results relate to both an IAM policy and the specified control.

![\[A selection of applied filters, with the AND operator highlighted.\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/evidence-finder-filter_description-console.png)


#### Criteria value behavior
<a name="criteria-value-behavior"></a>

When you specify more than one criteria value, the values are linked with an `OR` operator. Evidence finder returns results that match any of these criteria values. 

**Example**  
In the following filter setup, evidence finder returns search results that come from either AWS CloudTrail, AWS Config, or AWS Security Hub CSPM.

![\[An example filter setup that shows multiple values defined for a single criteria.\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/evidence-finder-filter_description-multiple_values-console.png)


## Grouping reference
<a name="groups"></a>

You can group your search results for quicker navigation. Grouping shows you the breadth of your search results, and how they're distributed across a specific dimension.

You can use any of the following group by values.


| Group by | Description  | 
| --- | --- | 
| Account ID | Group results by AWS account. | 
| Control | Group results by control name. | 
| Data source type | Group results by the type of data source where the evidence came from. | 
| Event name | Group results by an event name. | 
| Resource ARN | Group results by Amazon Resource Name (ARN). | 
| Resource type | Group results by resource type. | 
| Service | Group results by AWS service name. | 
| Service category | Group results by AWS service category. |