You can connect one, or many AWS (Amazon Web Services) accounts to Vanta.

 

Add an Account to Vanta

  • Navigate to your integrations page, click + Add under Cloud Providers, and select Amazon Web Services

connect_aws_3.jpg

 

  • After clicking Connect Amazon Web Services, you will be prompted with the following message:

connect_aws_2.jpg

  • If you are adding an additional AWS account, you can instead select the (...) menu, then click edit. This will give you the option to add an additional account by selecting Add new account.


connect_aws_4.jpg

connect_aws_5.jpg

 

 

Vanta Linking Page 1, Policy Creation:

  • Clicking Get Started will bring you to the following page for instructions on setup:

connect_aws_6.jpg


To set up the policy in AWS

connect_aws_7.jpg

  • Paste the policy from Vanta into the editor:

    connect_aws_8.jpg

  • Click Review Policy and name the policy VantaAdditionalPermissions

  • Then click Next: Tags in the screenshot above, which will bring you to this page.


connect_aws_9.jpg

  • There is no need to modify anything on this page; select "Next: Review".
  • On the following page, name the policy "VantaAdditionalPermissions".
  • Entering the name is the only required information on this page:

connect_aws_10.jpg

  • Click "Create Policy"

 

Vanta Linking Page 2, Role Creation:

  • After the policy is created in AWS, return to Vanta and click "Next" in the bottom right of the page to reach the second linking page of instructions for AWS:

connect_aws_11.jpg

  • To create the role in the AWS role creator:

  1. Navigate to the AWS role creator and make sure Another AWS Account is selected
  2. Paste the Account ID value from Vanta into the account ID field in AWS
  3. Select "Require External ID" and enter the value from that field in Vanta
  4. Confirm that Require MFA is not selected
  5. Click Next: Permissions

Here's a screenshot of what these steps look like in AWS:

connect_aws_12.jpg

 

Next,

  • Search for SecurityAudit and check the box next to the SecurityAudit Policy. Do the same for the VantaAdditionalPermissions policy that we just created.
  • Click Next: Tags

Adding SecurityAudit permissions:

connect_aws_13.jpg

 

Adding VantaAdditionalPermissions and selecting Next:Tags:

connect_aws_14.jpg

  • Click Next: Review and name the role vanta-auditor

There is no need to make any changes on this page:

connect_aws_15.jpg

Next,

  • Click "Create Role":

connect_aws_16.jpg
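Steps 1 to 4 of the role creator map onto the role's trust policy: "Another AWS account" becomes the principal, "Require external ID" becomes an sts:ExternalId condition, and leaving "Require MFA" unchecked means no aws:MultiFactorAuthPresent condition. The following added example (not Vanta's or AWS's own code) builds that trust policy and lints an existing one against those three requirements, so you can confirm the role was created as the guide describes. The account ID and external ID in it are constructed placeholders; use the values shown on the Vanta linking page.

```python
"""Build and check the trust policy of the vanta-auditor role."""
import json

VANTA_ACCOUNT_ID = "123456789012"    # placeholder: the Account ID shown in Vanta
EXTERNAL_ID = "example-external-id"  # placeholder: the External ID shown in Vanta


def build_trust_policy(vanta_account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to the console steps: principal is the Vanta
    account, the external ID is required, and no MFA condition is set."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{vanta_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value) -> list:
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_trust_policy(policy: dict, vanta_account_id: str) -> list[str]:
    """Return the problems found; an empty list means the policy matches the guide."""
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    assume = [
        s for s in statements
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))
    ]
    if not assume:
        return ["no Allow statement for sts:AssumeRole"]
    for s in assume:
        principal = s.get("Principal", {})
        principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if "*" in principals:
            problems.append("principal is '*': any AWS account could assume the role")
        elif not any(f":{vanta_account_id}:" in p for p in principals):
            problems.append("principal is not the Vanta account shown on the linking page")
        cond = s.get("Condition", {})
        if not cond.get("StringEquals", {}).get("sts:ExternalId"):
            # Without the external ID, a third party that learns the role ARN
            # could ask Vanta to act against this account (confused deputy).
            problems.append("missing sts:ExternalId condition (Require External ID was not set)")
        if any("aws:MultiFactorAuthPresent" in block for block in cond.values()):
            problems.append("aws:MultiFactorAuthPresent condition present: Require MFA must be unchecked")
    return problems


if __name__ == "__main__":
    policy = build_trust_policy(VANTA_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("problems:", check_trust_policy(policy, VANTA_ACCOUNT_ID))
```

To lint the role as it exists in AWS, feed check_trust_policy the AssumeRolePolicyDocument returned by the IAM console or CLI for vanta-auditor; any message it returns points at the console step that was skipped.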

Vanta Linking Page 3, Copying the Role ARN:

  • After the Role is created in AWS, you will return to Vanta and click "Next" in the bottom right of the page to get to the third linking page for AWS:

connect_aws_17.jpg

 

To obtain the Role ARN from AWS

  • Navigate to the vanta-auditor role that you just created:

connect_aws_18.jpg

  • Copy the entire Role ARN from AWS, and paste it into Vanta:

    connect_aws_19.jpg

 

Vanta Linking Page 4, Selecting Regions:

  • After selecting "Choose Regions" in the screenshot above, you will be brought to the following page where you can select which regions from the specified account that you would like to monitor:

connect_aws_20.jpg

  • By default, Vanta will select all regions that you are currently using, but you can select the "X" to remove any regions that you don't wish to be monitored. If removed, Vanta will not monitor any resources within that region in the account.

  • Clicking "Finish" will complete the linking process. If it's successful, you will receive the message "AWS connection created":

connect_aws_21.jpg


  • If you are not using S3 bucket policies, no policy changes are needed for Vanta to read your S3 buckets. If any of your buckets have bucket policies, you will also need to modify those policies so that Vanta can fetch the buckets, since a bucket policy overrides the default permissions.

  • To do this, grant further permissions to `vanta-auditor` in the bucket policy itself by following the instructions under "Granting cross-account bucket access to a specific IAM role" in AWS's guide. The permissions should be those from the `SecurityAudit` policy. Here is an example of the statement you would add to the bucket policy (111111111111 is a placeholder for your account ID; the bucket-level actions match the bucket ARN and the object-level actions match the objects under it):

{
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111111111111:role/vanta-auditor"
    },
    "Action": [
        "s3:GetAccelerateConfiguration",
        "s3:GetAccessPoint",
        "s3:GetAccessPointPolicy",
        "s3:GetAccessPointPolicyStatus",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetAnalyticsConfiguration",
        "s3:GetBucket*",
        "s3:GetEncryptionConfiguration",
        "s3:GetInventoryConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetMetricsConfiguration",
        "s3:GetObjectAcl",
        "s3:GetObjectVersionAcl",
        "s3:GetReplicationConfiguration",
        "s3:ListAccessPoints",
        "s3:ListAllMyBuckets"
    ],
    "Resource": [
        "arn:aws:s3:::MyExampleBucket",
        "arn:aws:s3:::MyExampleBucket/*"
    ]
}

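Most buckets that have a bucket policy already use it for something (for example, denying non-TLS access), so the practical task is to add the Vanta statement without disturbing what is there. The added example below (not Vanta's or AWS's own code) does that: it parses the existing policy, which also catches malformed JSON such as a trailing comma, drops any earlier copy of the Vanta statement by Sid, and appends a statement for the vanta-auditor role with bucket-level and object-level resources. The account ID, bucket name and existing policy are constructed placeholders. The example restricts itself to actions that apply to a bucket or its objects; the account-level actions in the guide's list (s3:ListAllMyBuckets, s3:GetAccountPublicAccessBlock, s3:GetAccessPoint*, s3:ListAccessPoints) are not bucket resources and are already granted to the role by SecurityAudit.

```python
"""Add a read-only statement for the vanta-auditor role to an S3 bucket policy."""
import json

# Bucket-scoped read actions taken from the guide's example statement.
BUCKET_ACTIONS = [
    "s3:GetAccelerateConfiguration",
    "s3:GetAnalyticsConfiguration",
    "s3:GetBucket*",
    "s3:GetEncryptionConfiguration",
    "s3:GetInventoryConfiguration",
    "s3:GetLifecycleConfiguration",
    "s3:GetMetricsConfiguration",
    "s3:GetReplicationConfiguration",
]
# Object-scoped read actions; these only match resources under bucket/*.
OBJECT_ACTIONS = ["s3:GetObjectAcl", "s3:GetObjectVersionAcl"]
SID = "VantaAuditorReadOnly"  # constructed Sid used to make re-runs idempotent


def vanta_statement(account_id: str, bucket: str, role_name: str = "vanta-auditor") -> dict:
    """Statement granting the auditor role read access to one bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Sid": SID,
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{role_name}"},
        "Action": BUCKET_ACTIONS + OBJECT_ACTIONS,
        # bucket-level actions match the bucket ARN, object-level ones match bucket/*
        "Resource": [bucket_arn, f"{bucket_arn}/*"],
    }


def load_bucket_policy(text: str) -> dict:
    """Parse a bucket policy; a trailing comma or other malformed JSON raises here."""
    return json.loads(text)


def add_vanta_statement(policy: dict, account_id: str, bucket: str) -> dict:
    """Return a copy of the policy with the Vanta statement added (replacing an
    earlier statement with the same Sid) and every other statement untouched."""
    merged = json.loads(json.dumps(policy))  # deep copy, never mutate the input
    statements = merged.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    statements = [s for s in statements if s.get("Sid") != SID]
    statements.append(vanta_statement(account_id, bucket))
    merged["Statement"] = statements
    merged.setdefault("Version", "2012-10-17")
    return merged


# Constructed sample: a bucket whose existing policy denies non-TLS access.
EXISTING_POLICY = load_bucket_policy(json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::MyExampleBucket", "arn:aws:s3:::MyExampleBucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}))

if __name__ == "__main__":
    updated = add_vanta_statement(EXISTING_POLICY, "111111111111", "MyExampleBucket")
    print(json.dumps(updated, indent=2))
```

Paste the printed document into the bucket's policy editor, or write it to a file and apply it with the S3 put-bucket-policy CLI command. Because the existing Deny statement is kept, the auditor role is still subject to it, which is the intended behaviour of a bucket policy review.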

Adding Permissions for AWS CodeCommit

  • If you're not using AWS CodeCommit, this section does not apply. If your account is using AWS CodeCommit, you'll need to modify the role permissions to allow Vanta to fetch your CodeCommit repositories' metadata.
  • To do this, grant an additional permission to `vanta-auditor` in the `VantaAdditionalPermissions` policy: `codecommit:GetApprovalRuleTemplate`.
  • The policy should then look something like this:
{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "ecr:BatchGetRepositoryScanningConfiguration",
            "ecr:DescribeImageScanFindings",
            "ecr:DescribeImages",
            "dynamodb:ListTagsOfResource",
            "ecr:ListTagsForResource",
            "inspector2:BatchGet*",
            "inspector2:Get*",
            "inspector2:Describe*",
            "inspector2:List*",
            "sqs:ListQueueTags",
            "codecommit:GetApprovalRuleTemplate"
        ],
        "Resource": "*"
    },
    {
        "Effect": "Deny",
        "Action": [
            "datapipeline:EvaluateExpression",
            "datapipeline:QueryObjects",
            "rds:DownloadDBLogFilePortion"
        ],
        "Resource": "*"
    }
]
}