
Connecting Vanta & AWS Organization

Written by Shannon DeLange
Updated this week

As a part of the AWS cloud provider integration, Vanta supports the detection and linking of all your AWS accounts via your AWS Organization Management account.

  • When connecting via your AWS Organization, Vanta will scan all the AWS accounts associated with your AWS Organization and detect when AWS accounts are added or deleted in your organization - then automatically update your inventory in Vanta.

  • If you are migrating from connections to individual AWS accounts, complete the steps in Delete individual AWS accounts in Vanta first.

  • If this is your first time connecting Vanta with AWS, you can Prepare your AWS Environment.

Delete individual AWS accounts in Vanta

  • If you have already connected AWS with Vanta by adding individual AWS accounts, you must delete those accounts before you can connect via your AWS Organization.

  • If you've assigned owners or descriptions to resources within Vanta, this data is erased when you delete your credentials. If this prevents you from migrating to AWS Organizations, don't hesitate to contact support.

  • To delete AWS accounts, go to Integrations, Cloud Providers, and Amazon Web Services.

  • Select Manage followed by Edit and then Delete (trash icon) or Delete all accounts.


Prepare your AWS environment

To prepare your AWS environment to integrate with Vanta, you create two things in each AWS account: an IAM policy and an IAM role that uses it. Vanta generates the snippets for both during the connection flow.

In Vanta, go to Integrations > Cloud providers and add AWS. In the connection flow, choose to connect with "Organization."


Select Products

During the first connection step, you'll be prompted to select the AWS products you'd like to connect to Vanta. The products you select change the permissions in the policy generated in the Policy creation step. For example, adding the AWS CodeCommit product adds the CodeCommit permissions Vanta needs to the policy:

Policy creation

For each account, create a policy in AWS policy creator:

  • Navigate to the AWS policy creator and click the JSON tab. Note: AWS inline policies are not supported; create a customer managed policy.

  • Paste the policy: copy the snippet Vanta shows in this step and paste it into the AWS policy editor.

  • Review the policy and name the policy VantaAdditionalPermissions

  • Click Create policy

Role creation

For each account, create a role in AWS role creator:

After the policy is created in AWS, return to Vanta and click Next to proceed to the Role creation section:

  • You will be instructed to navigate back to AWS and go to the Roles page in IAM. In the left-hand menu, select Roles under 'Access management':

  • Click on the 'Create role' button on the top right:

  • Then select 'Custom trust policy' as the Trusted entity type:

  • A text editor will appear at the bottom of the page after the selection is made. Delete all of the existing text:

  • Go back into Vanta, copy the trust policy snippet shown below step 3, return to AWS and paste it into the editor. Then click Next at the bottom right of the page:

  • You will be taken to a page where you grant the role its permissions: the AWS managed SecurityAudit policy and the VantaAdditionalPermissions policy you created in an earlier step. Both are required for the integration to work properly; do not omit either.

    • You can search for these permissions in the search box and click the box next to them to grant the permission to the role.

    • Search for and select each policy one at a time. Click Next once both are checked:

  • You will be taken to a page where you must grant the role a name, and a description. Name the role vanta-auditor and enter your desired description, then click Create role on the bottom right of the page:

    • You will see a green success banner stating the role has been created.


Configure your Management account and connect to Vanta

For your AWS Management account, create an additional policy in the AWS policy creator:

  • Navigate to the AWS policy creator. Once there, click on the JSON tab. Note: AWS inline policies are not supported.

  • Paste the policy:
    Take the snippet in the step below and paste it into the AWS Policy editor:

  • Review the policy and name the policy VantaManagementAccountPermissions

  • Click Create policy

  • When prompted, enter the ARN of the “vanta-auditor” role you created in your Management account.

  • Select all regions in which you have infrastructure. Vanta scans your organization for resources only in the regions you choose.

  • Vanta will scan your AWS Organization for accounts and resources. It can take up to 2 hours to finish scanning.

  • You can see your AWS accounts in Inventory after completing the scan.

  • To configure the scope of your scanned resources for each AWS account, go to Integrations > Configure scope.
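The two procedures above (the per-account policy and role, and the extra management account policy) are manual, so it is worth checking each account afterwards before Vanta's scan runs. The following script is an added example written for this page, not Vanta's own tooling. It assumes the names used above (role vanta-auditor, customer managed policies VantaAdditionalPermissions and, in the management account only, VantaManagementAccountPermissions, attached to the same role), and that the custom trust policy Vanta generates grants sts:AssumeRole to a single AWS principal under an sts:ExternalId condition. The sample trust policy, principal and external ID in the code are constructed placeholders, not Vanta's values; the `FakeIam` class stands in for a boto3 IAM client so the check runs offline.

```python
"""Post-setup check that the vanta-auditor role in one account matches the
steps above. Added example, not Vanta's tooling. Assumes: role name
vanta-auditor, customer managed policies named VantaAdditionalPermissions and
(management account only) VantaManagementAccountPermissions, and a trust policy
that grants sts:AssumeRole to one AWS principal under an sts:ExternalId condition.
"""
import json
from urllib.parse import unquote

ROLE_NAME = "vanta-auditor"
SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"


def managed_policy_arn(account_id, name):
    """ARN of a customer managed policy created with the default path '/'."""
    return f"arn:aws:iam::{account_id}:policy/{name}"


def expected_policy_arns(account_id, management_account=False):
    """Policies the role must have attached: exactly these, nothing more."""
    arns = {SECURITY_AUDIT_ARN, managed_policy_arn(account_id, "VantaAdditionalPermissions")}
    if management_account:  # assumption: the extra policy goes on the same role
        arns.add(managed_policy_arn(account_id, "VantaManagementAccountPermissions"))
    return arns


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def check_trust_policy(doc):
    """Findings for the cross-account trust policy pasted into the custom trust policy editor."""
    findings = []
    allow = [s for s in _as_list(doc.get("Statement"))
             if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not allow:
        return ["no Allow statement for sts:AssumeRole"]
    for stmt in allow:
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            findings.append("trust policy allows any AWS principal to assume the role")
        # Third-party access should be pinned with an external ID (confused-deputy protection).
        if not any("sts:ExternalId" in keys for keys in stmt.get("Condition", {}).values()):
            findings.append("no sts:ExternalId condition on the AssumeRole statement")
    return findings


def verify_role(iam, account_id, management_account=False):
    """Return a list of problems with the role; an empty list means the setup matches.

    `iam` is any object with boto3's IAM client methods get_role and
    list_attached_role_policies (a real boto3.client("iam") works).
    """
    role = iam.get_role(RoleName=ROLE_NAME)["Role"]
    trust = role["AssumeRolePolicyDocument"]
    if isinstance(trust, str):  # raw API responses carry the document URL-encoded
        trust = json.loads(unquote(trust))
    findings = check_trust_policy(trust)
    attached, marker = set(), None
    while True:  # the listing is paginated; collect every page
        kwargs = {"RoleName": ROLE_NAME, **({"Marker": marker} if marker else {})}
        page = iam.list_attached_role_policies(**kwargs)
        attached |= {p["PolicyArn"] for p in page["AttachedPolicies"]}
        if not page.get("IsTruncated"):
            break
        marker = page["Marker"]
    expected = expected_policy_arns(account_id, management_account)
    findings += [f"missing required policy: {arn}" for arn in sorted(expected - attached)]
    findings += [f"unexpected policy attached: {arn}" for arn in sorted(attached - expected)]
    return findings


# Constructed sample trust policy; the principal and external ID are placeholders,
# not Vanta's real values. Use the snippet Vanta shows in the Role creation step.
SAMPLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}


class FakeIam:
    """Offline stand-in for the IAM client, returning constructed responses."""
    def __init__(self, trust_doc, attached_arns):
        self._trust, self._attached = trust_doc, list(attached_arns)

    def get_role(self, RoleName):
        return {"Role": {"RoleName": RoleName, "AssumeRolePolicyDocument": self._trust}}

    def list_attached_role_policies(self, RoleName, Marker=None):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in self._attached], "IsTruncated": False}


if __name__ == "__main__":
    acct = "123456789012"  # placeholder account id
    ok = FakeIam(SAMPLE_TRUST, expected_policy_arns(acct))
    print("complete setup:", verify_role(ok, acct) or "no findings")
    partial = FakeIam(SAMPLE_TRUST, [SECURITY_AUDIT_ARN])  # VantaAdditionalPermissions omitted
    print("missing policy:", verify_role(partial, acct))
    # Against a live account: verify_role(boto3.client("iam"), acct)
```

Run it against a live account by passing `boto3.client("iam")` with credentials for that account, and pass `management_account=True` for the Organization Management account. The check flags both directions: a missing policy breaks the integration, and an extra policy on the auditor role is more access than the integration needs.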
