Connecting Vanta & AWS account


You can connect one or many AWS (Amazon Web Services) accounts to Vanta. Each account gets its own read-only IAM role that Vanta assumes from its own AWS account; the steps below create that role and the policies it needs.

 

Add an Account to Vanta


 

  • You will be prompted to choose a connection type:
  • Choose Account -> Console
  • Click Next


  • Once you are done with the initial account connection, you can add additional AWS accounts as follows:
    • Navigate to the Integrations page
    • Under Amazon Web Services, click Manage -> Edit -> Add new account
    • Repeat the connection workflow below for the new account

 

Policy creation:

  1. Navigate to the AWS policy creator and click on the JSON tab:
  2. Paste the following policy from Vanta into the editor:
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "ecr:DescribeImageScanFindings",
             "ecr:DescribeImages",
             "ecr:ListTagsForResource",
             "ecr:BatchGetRepositoryScanningConfiguration",
             "inspector2:BatchGet*",
             "inspector2:Get*",
             "inspector2:Describe*",
             "inspector2:List*",
             "dynamodb:ListTagsOfResource",
             "sqs:ListQueueTags"
           ],
           "Resource": "*"
         },
         {
           "Effect": "Deny",
           "Action": [
             "datapipeline:EvaluateExpression",
             "datapipeline:QueryObjects",
             "rds:DownloadDBLogFilePortion"
           ],
           "Resource": "*"
         }
       ]
     }
  3. Optional: if your organization uses AWS CodeCommit, add codecommit:GetApprovalRuleTemplate to the Action list of the Allow statement above.
  4. Click Next: Tags. There is no need to modify anything on the tags page.
  5. Click Next: Review.
  6. Name the policy "VantaAdditionalPermissions". Entering the name is the only required information on this page.
  7. Click "Create Policy".

  • The Allow statement supplements the managed SecurityAudit policy with additional read-only calls (ECR image and scan metadata, Inspector findings, DynamoDB and SQS tags). The Deny statement blocks three actions that return content rather than configuration metadata; an explicit Deny takes precedence over any Allow in IAM, so these stay blocked even if another policy attached to the role grants them.

 

 

Role creation:

  • After the policy is created in AWS, return to Vanta and click Next to proceed to the Role creation instruction page:

 

  1. Navigate to the AWS role creator and make sure "Another AWS account" is selected.
  2. Paste the Account ID value from Vanta into the Account ID field in AWS.
  3. Select "Require external ID" and enter the value from that field in Vanta. The external ID is what prevents a confused-deputy attack: STS only lets Vanta's account assume your role when the AssumeRole call carries the matching sts:ExternalId, so another party who knows your role ARN cannot have Vanta assume it on their behalf.
  4. Confirm that "Require MFA" is not selected. An MFA condition on the trust policy would block the automated AssumeRole call.
  5. Click Next: Permissions.
  6. Search for SecurityAudit and check the box next to the SecurityAudit policy. Do the same for the VantaAdditionalPermissions policy you just created.
  7. Click Next: Tags.
  8. Click Next: Review and name the role "vanta-auditor".
  9. Click "Create Role".

 

 

Role ARN:

  1. After the Role is created in AWS, return to Vanta and click Next.
  2. Navigate to the vanta-auditor role on AWS that you just created.
  3. Copy the entire Role ARN from AWS (it has the form arn:aws:iam::<your account ID>:role/vanta-auditor) and paste it into Vanta.
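The policy, role and Role ARN steps above can also be done from the AWS CLI, which makes it easy to see the trust policy the console writes when you pick "Another AWS account" with "Require external ID" and no MFA. This is an added example, not code from Vanta or from this article. It assumes the AWS CLI is authenticated to the account being connected, that the JSON from the Policy creation section was saved to a file (VantaAdditionalPermissions.json is an assumed name), and that the Vanta account ID and external ID are the values shown in the Vanta wizard; the numbers in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article). Placeholder inputs:
# the Vanta account ID and external ID come from the Vanta wizard.

# Trust policy equivalent to the console choices "Another AWS account" +
# "Require external ID", with no MFA condition: only the Vanta account may
# call sts:AssumeRole, and only when it presents the matching external ID.
vanta_trust_policy() {
  vanta_account_id="$1"
  external_id="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${vanta_account_id}:root" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "${external_id}" } }
    }
  ]
}
EOF
}

# Refuse to create anything in IAM from empty or malformed inputs:
# a 12-digit account ID and a non-empty external ID are required.
check_connection_inputs() {
  case "$1" in
    ''|*[!0-9]*) echo "account id must be 12 digits" >&2; return 1 ;;
  esac
  [ "${#1}" -eq 12 ] || { echo "account id must be 12 digits" >&2; return 1; }
  [ -n "$2" ] || { echo "external id must not be empty" >&2; return 1; }
  return 0
}

# Creates VantaAdditionalPermissions from the saved policy file, creates the
# vanta-auditor role with the trust policy above, attaches SecurityAudit and
# the custom policy, and prints the Role ARN to paste back into Vanta.
create_vanta_auditor_role() {
  vanta_account_id="$1"
  external_id="$2"
  policy_file="$3"
  check_connection_inputs "$vanta_account_id" "$external_id" || return 1
  account="$(aws sts get-caller-identity --query Account --output text)"
  trust_file="$(mktemp)"
  vanta_trust_policy "$vanta_account_id" "$external_id" > "$trust_file"
  aws iam create-policy --policy-name VantaAdditionalPermissions \
      --policy-document "file://${policy_file}" > /dev/null
  aws iam create-role --role-name vanta-auditor \
      --assume-role-policy-document "file://${trust_file}" > /dev/null
  rm -f "$trust_file"
  aws iam attach-role-policy --role-name vanta-auditor \
      --policy-arn arn:aws:iam::aws:policy/SecurityAudit
  aws iam attach-role-policy --role-name vanta-auditor \
      --policy-arn "arn:aws:iam::${account}:policy/VantaAdditionalPermissions"
  aws iam get-role --role-name vanta-auditor --query Role.Arn --output text
}

# Usage (runs against a real account; requires credentials):
#   create_vanta_auditor_role 123456789012 "external-id-from-vanta" VantaAdditionalPermissions.json
```

The last line printed is the Role ARN for the Role ARN step. Because the trust policy pins both the principal (Vanta's account) and the external ID, the role cannot be assumed by anyone else, and a third party who learns the ARN cannot point their own Vanta workspace at it.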

 

 

Selecting Regions:

  • After getting to the Region selection, you will be able to add regions outside of the preset ones by clicking on the Select region box.


  • You can select the "X" to remove any regions that you don't wish to be monitored. If a region is removed, Vanta will not monitor any resources within that region in the account.
  • Clicking Next will complete the linking process. If it's successful, you will receive the message "All your resources have finished loading."
  • NOTE: if your AWS account has a large number of resources, it might take Vanta a few minutes to fetch all of them. You can click Done to exit the integration flow without affecting the process.



  • If you're not using S3 bucket policies, you will not need to modify any policy for Vanta to read your S3 buckets: the SecurityAudit policy attached to vanta-auditor already allows the read-only S3 calls. A bucket policy does not replace the role's IAM permissions on its own; only an explicit Deny in the bucket policy overrides them. If your bucket policies deny access to every principal except an allow-list (a common hardening pattern), that Deny wins over the IAM allow and Vanta cannot fetch those buckets.

  • To fix this, grant `vanta-auditor` access on the bucket policy itself by following the instructions under "Granting cross-account bucket access to a specific IAM role" in AWS's guide, and make sure the role is excluded from any Deny statement in that policy. The actions should be the S3 read actions from the `SecurityAudit` policy. Account-level actions such as s3:ListAllMyBuckets, s3:GetAccountPublicAccessBlock, s3:ListAccessPoints and the s3:GetAccessPoint* actions cannot be granted in a bucket policy (they do not apply to a bucket resource) and are covered by the role's IAM policy instead. Here is an example of what you would add to the bucket policy; bucket-level actions need the bucket ARN and the object ACL actions need the bucket ARN with /*. Use the exact role name you created (vanta-auditor):

 

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111111111111:role/vanta-auditor"
  },
  "Action": [
    "s3:GetAccelerateConfiguration",
    "s3:GetAnalyticsConfiguration",
    "s3:GetBucket*",
    "s3:GetEncryptionConfiguration",
    "s3:GetInventoryConfiguration",
    "s3:GetLifecycleConfiguration",
    "s3:GetMetricsConfiguration",
    "s3:GetObjectAcl",
    "s3:GetObjectVersionAcl",
    "s3:GetReplicationConfiguration"
  ],
  "Resource": [
    "arn:aws:s3:::MyExampleBucket",
    "arn:aws:s3:::MyExampleBucket/*"
  ]
}
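Editing bucket policies by hand is error-prone when a bucket already has statements, so here is an added example (not code from Vanta or from this article) that builds the statement above for a given account and bucket and merges it into the bucket's current policy without dropping the existing statements. It assumes the AWS CLI is authenticated to the account that owns the bucket, that jq is installed for the merge step, and that the account ID and bucket name are placeholders; the Sid "AllowVantaAuditorRead" is an assumed name used so re-running is idempotent.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes the AWS CLI and jq
# are installed; the account ID and bucket name are placeholders.

# Statement granting vanta-auditor the S3 read actions from SecurityAudit
# that a bucket policy can actually scope: bucket-level actions target the
# bucket ARN, object ACL reads target bucket/*. Account-level actions
# (s3:ListAllMyBuckets, s3:GetAccountPublicAccessBlock, access point
# actions) are deliberately left out; they come from the role's IAM policy.
vanta_bucket_statement() {
  account_id="$1"
  bucket="$2"
  cat <<EOF
{
  "Sid": "AllowVantaAuditorRead",
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::${account_id}:role/vanta-auditor" },
  "Action": [
    "s3:GetAccelerateConfiguration",
    "s3:GetAnalyticsConfiguration",
    "s3:GetBucket*",
    "s3:GetEncryptionConfiguration",
    "s3:GetInventoryConfiguration",
    "s3:GetLifecycleConfiguration",
    "s3:GetMetricsConfiguration",
    "s3:GetReplicationConfiguration",
    "s3:GetObjectAcl",
    "s3:GetObjectVersionAcl"
  ],
  "Resource": [
    "arn:aws:s3:::${bucket}",
    "arn:aws:s3:::${bucket}/*"
  ]
}
EOF
}

# Fetch the current policy (start from an empty one if the bucket has none),
# drop any earlier statement with our Sid, append the new statement, and
# write the result back. A Statement that is a single object rather than an
# array is normalised to an array first. Existing Deny statements are kept
# untouched: if one denies all principals but an allow-list, the role still
# has to be excluded from it by hand.
grant_vanta_bucket_access() {
  account_id="$1"
  bucket="$2"
  statement="$(vanta_bucket_statement "$account_id" "$bucket")"
  if ! current="$(aws s3api get-bucket-policy --bucket "$bucket" \
                    --query Policy --output text 2>/dev/null)"; then
    current='{"Version":"2012-10-17","Statement":[]}'
  fi
  merged_file="$(mktemp)"
  printf '%s' "$current" | jq --argjson s "$statement" \
    '.Statement = ([.Statement // []] | flatten
                   | map(select(.Sid != $s.Sid)) + [$s])' > "$merged_file"
  aws s3api put-bucket-policy --bucket "$bucket" --policy "file://${merged_file}"
  rm -f "$merged_file"
}

# Usage (runs against a real account; requires credentials):
#   grant_vanta_bucket_access 111111111111 MyExampleBucket
```

Because the merge matches on the Sid, running the function twice leaves exactly one Vanta statement in the policy. It never edits Deny statements, so after running it, re-read the policy and confirm no Deny still covers arn:aws:iam::<account>:role/vanta-auditor.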
