There's a gap between a secure AWS environment and one that passes a CPS 234 review, and it's not about controls. It's about evidence. Two teams can have identical security postures; the one that can produce the right export on demand passes in a week, and the one that can't spends a month reconstructing it.
After enough of these, the auditor's questions are predictable. Here's what they actually ask, and the precise AWS artifact that answers it.
Practitioner guidance, not legal or audit advice. Your auditor's specific asks will vary — use this to be ready, not as a checklist of sufficiency.
"Show me this control held across the period"
The most important word in an audit is "across." Auditors don't care that S3 encryption is on today — they want it demonstrated for the whole review period.
- A console screenshot fails. It's a point in time and trivially staged.
- What works: the AWS Config compliance timeline for the relevant rule (e.g. s3-bucket-server-side-encryption-enabled), exported for the period. It shows the control's compliant/non-compliant state over time, with timestamps. One caveat: the timeline only reaches back as far as the Config recorder and the rule have both been running, so a rule enabled mid-period leaves a hole that reads as "no evidence", not as "compliant".
This single distinction — timeline, not screenshot — is what most engineering teams get wrong.
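As an added example (not part of the original post), a small Python check that answers the "across the period" question from a rule's compliance history rather than from its current state: it walks the timeline, reports every window inside the review period in which the control was not compliant, and treats any stretch before the first recorded evaluation as missing evidence. The sample timeline is constructed, and the field names (captureTime, complianceType) are an assumption about the shape of an exported AWS::Config::ResourceCompliance history; map them to whatever your own export uses.

```python
from datetime import datetime, timezone


def parse_ts(value):
    """Config timestamps are UTC; the constructed sample uses the trailing-Z form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample: one bucket's history against
# s3-bucket-server-side-encryption-enabled, in the shape of the
# AWS::Config::ResourceCompliance items Config records. The field names are
# an assumption; check them against your own export before reusing this.
SAMPLE_TIMELINE = [
    {"captureTime": "2024-06-20T09:00:00Z", "complianceType": "COMPLIANT"},
    {"captureTime": "2024-09-03T14:12:00Z", "complianceType": "NON_COMPLIANT"},
    {"captureTime": "2024-09-05T08:30:00Z", "complianceType": "COMPLIANT"},
    {"captureTime": "2024-11-15T10:00:00Z", "complianceType": "COMPLIANT"},
]


def compliance_gaps(timeline, period_start, period_end):
    """Every window inside [period_start, period_end) in which the control was
    not COMPLIANT. An empty list means the control held across the period.
    Time before the first recorded evaluation is reported as NO_EVIDENCE:
    an auditor treats missing history the same as a failing control."""
    points = sorted((parse_ts(p["captureTime"]), p["complianceType"]) for p in timeline)
    state, cursor, gaps = "NO_EVIDENCE", period_start, []

    def close_window(end):
        # Record [cursor, end) under the current state, merging it into the
        # previous window when that window has the same state and touches it.
        if state == "COMPLIANT" or end <= cursor:
            return
        if gaps and gaps[-1]["state"] == state and gaps[-1]["to"] == cursor:
            gaps[-1]["to"] = end
        else:
            gaps.append({"state": state, "from": cursor, "to": end})

    for t, s in points:
        if t <= period_start:
            state = s  # the evaluation in force when the period opens
            continue
        end = min(t, period_end)
        close_window(end)
        cursor, state = end, s
        if t >= period_end:
            break
    close_window(period_end)  # the tail of the period under the last state
    return gaps


def held_across_period(timeline, period_start, period_end):
    """True only if no non-compliant or unevidenced window falls in the period."""
    return not compliance_gaps(timeline, period_start, period_end)


if __name__ == "__main__":
    start, end = parse_ts("2024-07-01T00:00:00Z"), parse_ts("2025-01-01T00:00:00Z")
    for g in compliance_gaps(SAMPLE_TIMELINE, start, end):
        print(f"{g['state']:<14} {g['from'].isoformat()} -> {g['to'].isoformat()}")
    print("held across period:", held_across_period(SAMPLE_TIMELINE, start, end))
```

Run against the sample it reports one NON_COMPLIANT window of about a day and a half in September, which is exactly what a screenshot taken in December would hide; start the period before the first evaluation and a NO_EVIDENCE window appears as well, which is the "recorder turned on late" failure mode.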
"How do you know who did what?"
- The ask: an auditable record of privileged actions.
- The export: CloudTrail (organization trail, multi-region) with log file validation enabled — the validation digest is what proves the logs weren't altered. For investigations, a CloudTrail Lake query result is cleaner than raw logs.
"Prove your logs can't be tampered with"
- The export: the CloudTrail log file validation digest files, plus the bucket's Object Lock / versioning configuration. This is a specific, common ask, and cloud-trail-log-file-validation-enabled failing in your conformance pack is a direct red flag here. The digests only prove integrity if something actually checks them, so run aws cloudtrail validate-logs over the review period and keep its output next to the digests.
"Show me your access is least-privilege"
- The export: the IAM credential report (CSV of every user, key age, MFA status) and IAM Access Analyzer findings showing no unintended external access. The credential report is the fastest way to answer "do all human users have MFA and rotated keys."
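As an added example, not from the original post: the credential report is a CSV, so "do all human users have MFA and rotated keys" can be answered by a script rather than by eye, and the script's output is itself an artifact you can export. The code below is mine; the sample report is constructed (real column names, the cert_* columns dropped for brevity, fictitious account 111122223333), and the 90-day key-age limit is an assumption, so use the threshold your own policy states.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the layout of `aws iam get-credential-report`
# (the real report arrives base64-encoded; the cert_* columns are omitted
# here, which DictReader tolerates). Account and users are fictitious.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2021-01-10T08:00:00+00:00,not_supported,2024-09-20T07:12:00+00:00,not_supported,not_supported,true,true,2021-01-10T08:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-01T09:00:00+00:00,true,2024-09-30T11:05:00+00:00,2024-08-01T09:00:00+00:00,N/A,true,true,2024-09-01T09:00:00+00:00,2024-09-30T10:00:00+00:00,ap-southeast-2,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-03-01T09:00:00+00:00,true,2024-09-29T16:40:00+00:00,2023-11-01T09:00:00+00:00,N/A,false,true,2024-02-15T09:00:00+00:00,2024-09-29T16:00:00+00:00,ap-southeast-2,ec2,false,N/A,N/A,N/A,N/A
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,2023-06-01T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-09-20T09:00:00+00:00,2024-09-30T23:59:00+00:00,ap-southeast-2,ecr,true,2024-01-05T09:00:00+00:00,N/A,N/A,N/A
"""

# Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) live.
NOW = datetime(2024, 10, 1, 12, 0, tzinfo=timezone.utc)


def _ts(value):
    """Parse a report timestamp; the report's N/A-style placeholders become None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def credential_findings(report_csv, now, max_key_age_days=90):
    """Return one finding dict per failed check: MFA (console user without
    MFA), ROOT_KEY (any active root access key), KEY_AGE (active key older
    than the limit or with no rotation date) and KEY_UNUSED (active key that
    has never been used). An empty list is the 'clean' answer."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Human (console) users: root always has a password; for IAM users
        # password_enabled says whether console sign-in exists at all.
        if is_root or row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append({"user": user, "check": "MFA",
                                 "detail": "console sign-in enabled without MFA"})
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                # Root keys should not exist at all; age is beside the point.
                findings.append({"user": user, "check": "ROOT_KEY",
                                 "detail": f"active root access_key_{n}"})
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            age = (now - rotated).days if rotated else None
            if age is None or age > max_key_age_days:
                findings.append({"user": user, "check": "KEY_AGE",
                                 "detail": f"access_key_{n} is {age} days old "
                                           f"(limit {max_key_age_days})"})
            if _ts(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append({"user": user, "check": "KEY_UNUSED",
                                 "detail": f"access_key_{n} active but never used"})
    return findings


if __name__ == "__main__":
    for f in credential_findings(SAMPLE_REPORT, NOW):
        print(f"{f['user']:<16} {f['check']:<10} {f['detail']}")
```

Service users such as ci-deployer have no console password, so the MFA check deliberately skips them; what they get instead is the key-age and never-used checks, which is where long-forgotten CI credentials show up. Keep the report generation time with the output: IAM only regenerates the report every four hours, so the artifact is a snapshot and should be dated as one.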
"How do you find and fix misconfigurations?"
- The export: your Security Hub security score over time plus a Prowler assessment report, and, critically, remediation history showing findings getting closed. CPS 234 wants controls tested for effectiveness and the gaps that testing finds remediated; the evidence is the trend (open findings going down, the score going up, with closure timestamps), not a single clean scan.
"What happens when there's an incident?"
- The export: a documented notification runbook and the EventBridge → SNS delivery logs proving the 72-hour APRA notification path actually fires. An untested runbook is not evidence.
The pattern
| Auditor asks | The export that answers it |
|---|---|
| Did this control hold across the period? | Config compliance timeline |
| Who did what? | CloudTrail (validated) / CloudTrail Lake query |
| Are logs tamper-proof? | Log file validation digest + Object Lock config |
| Is access least-privilege? | IAM credential report + Access Analyzer |
| How do you find/fix misconfig? | Security Hub score trend + Prowler + remediation history |
| What's your incident path? | Runbook + EventBridge→SNS delivery logs |
Build the evidence layer before you need it
Every artifact above is something Audit Manager can collect continuously against a custom CPS 234 framework. The teams that pass quickly turned that on early; the teams that struggle are reconstructing six months of history the week before the review.
The full clause-to-evidence mapping is in the CPS 234 → AWS Controls cheatsheet. And if you want someone to assemble this evidence pack for your estate — board-ready, paragraph-mapped — that's the core deliverable of a CPS 234 on AWS readiness assessment.
Primary sources: Security Hub CloudTrail controls · Security Hub FSBP standard · APRA CPS 234