AWS closed Audit Manager. Here's what replacing it with Config yourself actually costs.
What changed
AWS Audit Manager was the native way to pull your AWS compliance posture into an auditor-ready report. In its own words, it is now winding down:
“Audit Manager is transitioning to maintenance mode and from April 30th 2026 customers will no longer be able to set up the service in new accounts… the service team will not build new features, nor add support for new frameworks or new versions of existing frameworks, nor add new region support.” — AWS Audit Manager availability change (AWS documentation)
If you adopted AWS after that date — or you're spinning up a new account or region — you cannot turn Audit Manager on. AWS's recommended path is Config Conformance Packs. The catch is that AWS itself is candid about what Config can't do.
The gap, in AWS's own words
- No SOC 2 or GDPR. “AWS Config does not currently offer Conformance Pack templates for all of the frameworks supported by Audit Manager, including SOC2 and GDPR.” (ISO 27001 has no equivalent either.)
- No audit report. “AWS Config does not provide an audit reporting feature that is directly equivalent to the Audit Manager export.”
- Thinner evidence. “AWS Config records only Configuration Items… it does not collect AWS CloudTrail logs, AWS Security Hub Controls or make API calls to target services.”
- And AWS sends you to a third party: for full compliance management it explicitly suggests “partner solutions, such as those from Vanta and Drata.”
So the honest options are: (1) build the missing rules and reporting on Config yourself, (2) buy a full GRC platform, or (3) use a focused AWS-evidence tool. Let's price option 1 — because it's the one that looks free.
“Can't I just build the Config rules myself?” — the real cost
1. The Config bill is the small number
AWS Config is usage-priced: $0.003 per configuration item recorded, plus $0.001 per conformance-pack rule evaluation for the first 100,000 evaluations per region per month (cheaper tiers above that). Both charges accrue per region, because the recorder and the packs have to be deployed in every region you want covered. For a single account with a few hundred resources across four enabled regions, running conformance packs for the frameworks that do have templates (PCI DSS, NIST 800-53, HIPAA) typically lands in the ~$150–$400/month range, and it scales linearly with every extra account, region and resource.
Illustrative estimate. Real cost depends on your resource count, change rate, regions and number of accounts. The point isn't that Config is expensive — it's that the dollar cost is the cheap part, and it still excludes SOC 2, GDPR and ISO 27001 entirely.
2. The engineering time is the big number
For the frameworks AWS doesn't template (SOC 2, GDPR, ISO 27001) there is no pack to deploy. You author the control-to-rule mapping yourself, as custom Config rules (Lambda-backed, or Guard-based custom policy rules for simpler checks), then build an evidence-export pipeline (Config advanced queries, Athena over the Config delivery bucket, or get-resource-config-history) because Config has no report to export. Realistically:
- Templated frameworks (PCI, NIST, HIPAA): hours to deploy the pack, then days to build evidence export.
- Untemplated (SOC 2, GDPR, ISO 27001): 2–6 weeks of senior AWS engineering to map controls, write & test custom rules, and package evidence — per framework — then ongoing maintenance as standards and your stack change.
- Still missing: a signed, tamper-evident report an auditor or customer can independently verify. You'd build that too.
At a loaded engineering cost, that first SOC 2 + ISO evidence pipeline is comfortably $10,000–$25,000 of one-time work plus maintenance — to land roughly where a focused tool starts.
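As an added example of the first of those steps (not code from this page, AWS, or CloudProof): a Lambda-backed custom Config rule in Python that checks S3 default encryption and wraps each verdict in an evidence record naming the control it supports. The rule name, the SOC 2 / ISO 27001 control IDs, the sample configuration item and the stand-in Config client are all constructed for illustration; the key names it reads from the configuration item are assumed to match what Config records for AWS::S3::Bucket.

```python
"""Lambda-backed custom AWS Config rule for S3 default encryption, plus an evidence
record mapping each result to framework controls. Added example, not AWS's or
CloudProof's code; control IDs in CONTROL_MAP are illustrative placeholders."""
import hashlib
import json

RULE_NAME = "s3-default-encryption-enabled"  # hypothetical rule name
DEFAULT_ALLOWED = {"aws:kms", "AES256"}
# Illustrative crosswalk: an evaluation is only evidence if it names the control it supports.
CONTROL_MAP = {RULE_NAME: {"SOC2": ["CC6.1"], "ISO27001:2022": ["A.8.24"]}}

def evaluate_bucket(ci, allowed=DEFAULT_ALLOWED):
    """Return (ComplianceType, annotation) for one S3 bucket configuration item (CI).
    Assumes Config records default encryption under supplementaryConfiguration.
    ServerSideEncryptionConfiguration.rules[].applyServerSideEncryptionByDefault."""
    if ci.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "rule only evaluates AWS::S3::Bucket"
    if ci.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "bucket deleted"
    sse = (ci.get("supplementaryConfiguration") or {}).get(
        "ServerSideEncryptionConfiguration") or {}
    algos = {(r.get("applyServerSideEncryptionByDefault") or {}).get("sseAlgorithm")
             for r in sse.get("rules", [])} - {None}
    if not algos:
        return "NON_COMPLIANT", "no default encryption rule configured"
    bad = sorted(algos - set(allowed))
    if bad:
        return "NON_COMPLIANT", "sseAlgorithm %s not in allowed set" % ",".join(bad)
    return "COMPLIANT", "default encryption %s" % ",".join(sorted(algos))

def evidence_record(evaluation, ci):
    """Self-describing evidence record. The SHA-256 ties the verdict to this exact
    CI snapshot; it is a hash, not a signature, so auditors cannot verify it alone."""
    digest = hashlib.sha256(
        json.dumps(ci, sort_keys=True, separators=(",", ":")).encode()).hexdigest()
    return {"rule": RULE_NAME, "controls": CONTROL_MAP[RULE_NAME],
            "account": ci.get("awsAccountId"), "region": ci.get("awsRegion"),
            "resource": "%s/%s" % (ci["resourceType"], ci["resourceId"]),
            "capturedAt": ci["configurationItemCaptureTime"],
            "result": evaluation["ComplianceType"],
            "annotation": evaluation["Annotation"],
            "configurationItemSha256": digest}

def lambda_handler(event, context=None, config_client=None):
    """Entry point Config invokes; config_client is injectable for offline runs."""
    invoking = json.loads(event["invokingEvent"])
    if invoking.get("messageType") != "ConfigurationItemChangeNotification":
        # Oversized CIs must be re-read with get_resource_config_history; not handled here.
        raise ValueError("unsupported messageType: %s" % invoking.get("messageType"))
    ci = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    allowed = {a.strip() for a in params.get("allowedAlgorithms", "").split(",")
               if a.strip()} or DEFAULT_ALLOWED
    compliance, note = evaluate_bucket(ci, allowed)
    evaluation = {"ComplianceResourceType": ci["resourceType"],
                  "ComplianceResourceId": ci["resourceId"],
                  "ComplianceType": compliance,
                  "Annotation": note[:256],  # PutEvaluations caps annotations at 256 chars
                  "OrderingTimestamp": ci["configurationItemCaptureTime"]}
    if config_client is None:
        import boto3  # only needed inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evidence_record(evaluation, ci)

class RecordingConfigClient:
    """Stand-in for boto3's Config client so the example runs offline."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}

def constructed_event(sse_rules, bucket):
    """Constructed sample invocation (not a captured AWS event)."""
    supp = {"ServerSideEncryptionConfiguration": {"rules": sse_rules}} if sse_rules else {}
    ci = {"resourceType": "AWS::S3::Bucket", "resourceId": bucket,
          "awsAccountId": "111122223333", "awsRegion": "eu-west-1",
          "configurationItemStatus": "OK",
          "configurationItemCaptureTime": "2026-05-01T09:15:00.000Z",
          "supplementaryConfiguration": supp}
    return {"invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                         "configurationItem": ci}),
            "ruleParameters": json.dumps({"allowedAlgorithms": "aws:kms"}),
            "resultToken": "constructed-token"}

def run_demo():
    """Evaluate one KMS-encrypted bucket and one with no default encryption."""
    client = RecordingConfigClient()
    kms = [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms",
            "kmsMasterKeyID": "arn:aws:kms:eu-west-1:111122223333:key/example"}}]
    ok = lambda_handler(constructed_event(kms, "finance-data"), config_client=client)
    bad = lambda_handler(constructed_event(None, "legacy-uploads"), config_client=client)
    return ok, bad, client.calls

if __name__ == "__main__":
    print(json.dumps(run_demo()[:2], indent=2))
```

Even this one rule shows where the time goes: the check itself is a dozen lines, and the rest is parsing the invocation, handling deleted and oversized items, bounding the annotation, and deciding what counts as evidence. Multiply that by the controls in a SOC 2 scope, then add the signing and reporting the record above still lacks.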
3. Side by side
| | Build it yourself on AWS Config | CloudProof |
|---|---|---|
| SOC 2 / GDPR / ISO 27001 | ✗ No conformance-pack template (AWS's own words) — author every rule | ✓ Mapped out of the box |
| Direct AWS cost | $0.003/config item + $0.001/rule eval — ~a few hundred $/mo for one multi-region account, growing per account/region/resource | Flat subscription |
| Time to first evidence | Days for templated frameworks; weeks to author custom rules + an export pipeline for SOC 2 / ISO | ~10 minutes |
| Auditor-ready signed report | ✗ Build it yourself (Athena / Config queries → CSV/JSON) | ✓ Signed & verifiable at /verify |
| All regions | Deploy & pay per region | ✓ Every enabled region, included |
| Upkeep as frameworks change | You own it | ✓ Managed |
What CloudProof does
CloudProof connects to your AWS account read-only (no write access, ever), runs 118 automated checks across 55 AWS services in every enabled region, and produces a signed, timestamped evidence report mapped to CIS, AWS FSBP, PCI DSS, NIST, SOC 2, HIPAA, ISO 27001 and more. Anyone — your auditor, your customer's security team — can confirm it's genuine and unedited at /verify.
It's EU-hosted, there's no sales call, and you can run a free scan and pay by card today. It covers the AWS infrastructure controls auditors actually check (access, encryption, logging) and lets you attest the policy/process controls — without the cost and onboarding of a full GRC suite you don't need yet.
It won't, by itself, make you “SOC 2 certified”: nothing can, because a SOC 2 report is an attestation issued by an independent CPA firm, and Audit Manager never did that either. What it gives you is the auditor-ready AWS evidence Config can't produce, in minutes instead of weeks.