Vanta users with an AWS integration must create an IAM role granting permissions to a Vanta AWS account. Vanta has different AWS accounts in NA and EU, and any customer migrating from NA to EU or vice-versa will need to update their IAM role with Vanta’s other account. If this is not done, Vanta cannot integrate with AWS post-migration, resulting in potentially incorrect data and test results.
Instructions

1. Open the AWS console and navigate to the vanta-auditor IAM role (https://console.aws.amazon.com/iamv2/home#/roles/details/vanta-auditor). This role should have been created when the Vanta integration was first set up.

2. Open the Trust relationships tab and click the Edit trust policy button. The trust policy should look something like:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": "arn:aws:iam::XXXXXXXXXXXX:root"
         },
         "Action": "sts:AssumeRole",
         "Condition": {
           "StringEquals": {
             "sts:ExternalId": "XXXXXXXXXXXXXXX"
           }
         }
       }
     ]
   }

3. Replace the Principal AWS value as in the following example. Only the Principal AWS value should be updated; the ExternalId must be left intact.

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": [
             "arn:aws:iam::956993596390:root",
             "arn:aws:iam::850507053895:root"
           ]
         },
         "Action": "sts:AssumeRole",
         "Condition": {
           "StringEquals": {
             "sts:ExternalId": "XXXXXXXXXXXXXXX"
           }
         }
       }
     ]
   }

4. Repeat steps 1, 2 and 3 for every AWS account you have integrated with Vanta.
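Editing the trust policy by hand in the console works for one account, but step 4 asks for the same change in every integrated account, and the failure mode that matters is accidentally dropping or altering the sts:ExternalId condition while touching the Principal. The following script is an added example, not Vanta's own tooling: it takes an exported trust policy, adds the two Vanta account IDs shown in the example above to the Principal of the statement that already trusts Vanta (leaving every other field and statement untouched), and then runs a check that a practitioner can use after migration to confirm both principals are present and the ExternalId condition survived. The sample policy and its ExternalId are constructed placeholders; the role name and CLI commands in the usage note are assumptions based on the standard AWS CLI.

```python
import copy
import json

# The two Vanta account IDs shown in the updated trust policy example on this page.
VANTA_ACCOUNT_IDS = ("956993596390", "850507053895")
VANTA_PRINCIPALS = tuple(f"arn:aws:iam::{acct}:root" for acct in VANTA_ACCOUNT_IDS)

# Constructed sample: a pre-migration trust policy as it would be exported by
#   aws iam get-role --role-name vanta-auditor --query Role.AssumeRolePolicyDocument
# The ExternalId below is a placeholder, not a real value.
PRE_MIGRATION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::956993596390:root"},
      "Action": "sts:AssumeRole",
      "Condition": {"StringEquals": {"sts:ExternalId": "PLACEHOLDER-EXTERNAL-ID"}}
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts a scalar or a list in Principal and Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_vanta_statement(stmt):
    """True for an Allow statement letting a Vanta root principal call sts:AssumeRole."""
    if stmt.get("Effect") != "Allow":
        return False
    if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
        return False
    principal = stmt.get("Principal")
    if not isinstance(principal, dict):  # e.g. "Principal": "*" is not a Vanta statement
        return False
    return any(p in VANTA_PRINCIPALS for p in _as_list(principal.get("AWS", [])))


def add_vanta_principals(policy):
    """Return a copy of the policy whose Vanta statement trusts both Vanta accounts.

    Only Principal.AWS is modified; the ExternalId condition, any other
    principals already listed, and every other statement are carried over as-is.
    """
    updated = copy.deepcopy(policy)
    vanta_stmts = [s for s in updated.get("Statement", []) if is_vanta_statement(s)]
    if not vanta_stmts:
        raise ValueError("no statement trusting a Vanta account found; is this the vanta-auditor role?")
    for stmt in vanta_stmts:
        existing = _as_list(stmt["Principal"]["AWS"])
        # Keep the current order and entries, append whichever Vanta principal is missing.
        stmt["Principal"]["AWS"] = existing + [p for p in VANTA_PRINCIPALS if p not in existing]
    return updated


def trust_policy_problems(policy):
    """Post-migration check: list of problems found, empty when the role is ready for Vanta."""
    problems = []
    vanta_stmts = [s for s in policy.get("Statement", []) if is_vanta_statement(s)]
    if not vanta_stmts:
        return ["no statement trusting a Vanta account"]
    for stmt in vanta_stmts:
        principals = _as_list(stmt["Principal"]["AWS"])
        for p in VANTA_PRINCIPALS:
            if p not in principals:
                problems.append(f"missing principal {p}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            # Without the ExternalId condition, any identity in the trusted account could assume the role.
            problems.append("sts:ExternalId condition missing or empty")
    return problems


if __name__ == "__main__":
    updated = add_vanta_principals(PRE_MIGRATION_POLICY)
    print(json.dumps(updated, indent=2))
    print("before:", trust_policy_problems(PRE_MIGRATION_POLICY))
    print("after: ", trust_policy_problems(updated))
```

To use it per account, export the current document with `aws iam get-role --role-name vanta-auditor --query Role.AssumeRolePolicyDocument` (using the profile for that account), feed it to `add_vanta_principals`, write the result to a file, and apply it with `aws iam update-assume-role-policy --role-name vanta-auditor --policy-document file://updated.json`; re-export afterwards and run `trust_policy_problems` on it before moving to the next account. The function deliberately refuses to run on a policy with no Vanta statement rather than inventing one, so pointing it at the wrong role fails loudly instead of silently widening trust.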