You can connect one or many AWS (Amazon Web Services) accounts to Vanta.
Add an Account to Vanta
- Navigate to your Integrations page -> Available
- Search for Amazon Web Services
- Click Connect
- You will be prompted to choose a connection type:
- Choose Account -> Console
- Click Next
- After you are done with the initial account connection, you can add additional AWS accounts by:
- Navigate to the Integrations page
- Under Amazon Web Services
- Click Manage -> Edit -> Add new account
- Repeat the connection workflow
Policy creation:
- Navigate to the AWS policy creator and click on the JSON tab:
- Paste the following policy from Vanta into the editor:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "datapipeline:EvaluateExpression",
        "datapipeline:QueryObjects",
        "rds:DownloadDBLogFilePortion"
      ],
      "Resource": "*"
    }
  ]
}
```
- Optional: If your organization uses AWS CodeCommit, include `codecommit:GetApprovalRuleTemplate` in an Allow statement's Action list, like below:
```json
{
  "Effect": "Allow",
  "Action": [
    "codecommit:GetApprovalRuleTemplate"
  ],
  "Resource": "*"
}
```
- Optional: If your organization uses AWS IAM Identity Center, include the following permissions in an Allow statement's Action list, like below:
```json
{
  "Effect": "Allow",
  "Action": [
    "identitystore:Describe*",
    "identitystore:Get*",
    "identitystore:IsMemberInGroups",
    "identitystore:List*"
  ],
  "Resource": "*"
}
```
- Then, click Next: Tag
- There is no need to add any tags to the policy, you can click Next: Review:
- On the following page, name the policy: "VantaAdditionalPermissions" and click Save. The completed policy should look similar to below (CodeCommit and Identity Store permissions may differ):
Important Note: "VantaAdditionalPermissions" must be created as a Customer Managed policy type to be detected successfully. If the policy was created as an 'Inline policy', see the AWS documentation on converting the policy type: Converting an inline policy to a managed policy
Role creation:
After the policy is created in AWS, return to Vanta and click Next to proceed to the Role creation step 4:
- Navigate to the AWS role creator and make sure Another AWS Account is selected
- Paste the Account ID value from Vanta into the account ID field in AWS
- Select "Require External ID" and enter the value from that field in Vanta
- Confirm that Require MFA is not selected
- Click Next: Permissions
- Search for SecurityAudit and check the box. Do the same for the VantaAdditionalPermissions policy that we just created.
- Click Next: Tags
- Click Next: Review and name the role "vanta-auditor"
- Click Create Role:
Role ARN:
- After the Role is created in AWS, you will return to Vanta and click Next
- Navigate to the vanta-auditor role in AWS that we just created:
- Copy the Role ARN from AWS, and paste it into Vanta:
Selecting Regions:
- In the Region selection step, you will be able to add additional regions outside of the default by clicking on Select regions box
- You can click the "X" to remove any regions that you do not wish to be connected. If removed, Vanta will not pull in any resources within that region on the account.
- Clicking Next will complete the linking process.
If it's successful, you will receive the message "All your resources have finished loading." - NOTE: if your AWS environment has a large number of resources, it might take Vanta a few minutes to fetch all the resources.
You can click Done to exit the Configure Scope step without affecting the connection process
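The following is an added example, not Vanta's own code, that assembles the two IAM documents this guide has you create (the VantaAdditionalPermissions policy with its optional blocks, and the vanta-auditor trust policy) and checks the trust policy against the checklist from the role step: External ID required, MFA not required. The Vanta account ID and external ID passed in are placeholders; use the values shown in Vanta.

```python
"""Build and sanity-check the IAM documents from the Vanta AWS connection guide."""
import json

DENIED_ACTIONS = [
    "datapipeline:EvaluateExpression",
    "datapipeline:QueryObjects",
    "rds:DownloadDBLogFilePortion",
]
CODECOMMIT_ACTIONS = ["codecommit:GetApprovalRuleTemplate"]
IDENTITY_STORE_ACTIONS = [
    "identitystore:Describe*", "identitystore:Get*",
    "identitystore:IsMemberInGroups", "identitystore:List*",
]


def build_additional_permissions(codecommit=False, identity_center=False):
    """Assemble the VantaAdditionalPermissions policy: mandatory Deny plus optional Allows."""
    statements = [{"Effect": "Deny", "Action": DENIED_ACTIONS, "Resource": "*"}]
    if codecommit:
        statements.append({"Effect": "Allow", "Action": CODECOMMIT_ACTIONS, "Resource": "*"})
    if identity_center:
        statements.append({"Effect": "Allow", "Action": IDENTITY_STORE_ACTIONS, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def build_trust_policy(vanta_account_id, external_id):
    """Trust policy the console generates for 'Another AWS account' + 'Require External ID'.
    Both arguments are placeholders here; take the real values from the Vanta role step."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{vanta_account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def trust_policy_problems(doc):
    """Return the role-step checklist items that an existing trust policy violates."""
    problems = []
    for st in doc.get("Statement", []):
        cond = st.get("Condition", {})
        if "sts:ExternalId" not in cond.get("StringEquals", {}):
            problems.append("missing Require External ID condition")
        # The console's 'Require MFA' box adds a Bool condition on this key.
        if any("aws:MultiFactorAuthPresent" in v for v in cond.values()):
            problems.append("Require MFA is selected; Vanta cannot satisfy it")
    return problems


def to_json(doc):
    """Pretty-print a policy for pasting into the console JSON tab or a CLI file."""
    return json.dumps(doc, indent=2)
```

Pass `to_json(build_additional_permissions(...))` to the policy editor's JSON tab, and run `trust_policy_problems` over a trust policy fetched from an existing role to confirm the External ID and MFA settings match the guide.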
(Optional): Adding Permissions to S3 Bucket Policies
- If you're not using S3 Bucket policies, you will not need to modify any policy for Vanta to read in S3 Buckets. If your account is using S3 buckets, you may be using S3 Bucket Policies. If so, you'll need to also modify these permissions to let Vanta fetch your buckets, since S3 bucket policies override the default permissions.
- To do this, grant further permissions to `vanta-auditor` on the bucket policy itself by following instructions under "Granting cross-account bucket access to a specific IAM role" in AWS's guide. The permissions should be those from the `SecurityAudit` policy. Here is an example of what you would add to the bucket policy:
```json
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111111111111:role/Vanta-Auditor"
  },
  "Action": [
    "s3:GetAccelerateConfiguration",
    "s3:GetAccessPoint",
    "s3:GetAccessPointPolicy",
    "s3:GetAccessPointPolicyStatus",
    "s3:GetAccountPublicAccessBlock",
    "s3:GetAnalyticsConfiguration",
    "s3:GetBucket*",
    "s3:GetEncryptionConfiguration",
    "s3:GetInventoryConfiguration",
    "s3:GetLifecycleConfiguration",
    "s3:GetMetricsConfiguration",
    "s3:GetObjectAcl",
    "s3:GetObjectVersionAcl",
    "s3:GetReplicationConfiguration",
    "s3:ListAccessPoints",
    "s3:ListAllMyBuckets"
  ],
  "Resource": "arn:aws:s3:::MyExampleBucket/*"
}
```