Connecting Vanta & AWS account

  • Updated
Vanta allows the integration of either a single or multiple AWS accounts. If you're wanting to connect an AWS Organization please refer to Connecting Vanta & AWS Organization 

Prerequisites

  • The user in Vanta connecting must be an editor or an admin in Vanta
  • The user must also have admin access to AWS, or permissions to create Roles and Policies in IAM

Connect an AWS Account (Initial)

  • Navigate to Vanta Integrations page and select the Available tab
  • Search for Amazon Web Services
  • Click the purple Connect button

  • You will be taken to a page prompting you to choose the type of account you wish to connect for the integration. There are two account types, Account and Organization:



  • Select Account , for the Organization connection flow, please navigate to Connecting Vanta & AWS Organization
     
     


  • You will then be prompted to select your preferred method.  The option you choose will depend on how you manage instances and resources active on your AWS account. There are three options available:

    1.  Console - we'll continue with Console in this article,  please select Console under the preferred method and then next: 



    2. CloudFormation - See,  Connecting AWS with CloudFormation
    3. Terraform

Account Type

  • You will be taken to a menu where you must select your account type. Select Yes, if the AWS Account you are connecting is an AWS GovCloud Account, or No if it is not; then click Next

Selecting Products 

  • You will be taken to a menu where you can select the products used within your organization. You can click the toggle button to enable the desired product on the integration:



    The available products on this menu are:

    1.   AWS Web Services (On by Default, Cannot be Disabled) 
    2.  AWS CodeCommit
    3.  AWS IAM Identity Center
    4.  Amazon Inspector/Basic Scanning

    • The products you enable here determine what permissions need to be granted in the policy that is created in later steps.
    • If you enable a product after connecting the integration you will need to update your VantaAdditionalPermisisons policy. - See (Modifying the VantaAdditionalPermission Policy for Individual AWS Accounts
    • These features also may incur additional costs within AWS if they are not already in use. You can hover over the tooltip (i) to see more details about how this feature works in Vanta:



  •  After enabling the desired products, click the next button to move on to policy creation.  

Policy Creation

  • You will be presented with a page displaying JSON of the permissions you need to grant Vanta in order for the integration to work. The permissions displayed depend on the products enabled in the previous menu. You will need to add these permissions to a customer-managed policy in AWS. 




  • Sign into AWS, and once on the home page, use the search bar to search for IAM, and click 'policies' in the Top Features sub-menu:



  • Next click create policy, and then click JSON button on the Policy editor table. From there delete the existing text in the editor:



  • Navigate back to Vanta and click the copy button:



    Then, head back over to the policy editor in AWS, and paste the copied JSON into the editor. Ensure there are no extra spaces or additional characters, then click next:



  • After you  click the Next button

  • You will be taken to a page where you must enter policy details such as name and description. Name the policy VantaAdditionalPermissions and enter your desired description, then click Create policy:

Please Note: "VantaAdditionalPermissions" must be created as a Customer Managed policy type to be detected successfully. If the policy was created as an 'Inline policy' please see AWS documents on how to convert the type here: Converting an inline policy to a managed policy

Role creation

After the policy is created in AWS, return to Vanta and click Next to proceed to the Role creation section:

 

  • You will be instructed to navigate back to AWS and head to roles page in IAM. This can be found by going to the left hand menu, and selecting roles under 'Access Management':


  • Click on the 'Create role' button on the top right:




  • Then select 'Custom trust policy' as the Trusted entity type :



  • A text editor will appear on the bottom of the page after the selection is made , delete all of the existing text:

  • Then head back into Vanta and copy the snippet below step 3 and head back into AWS and paste it into the editor. From there click Next on the bottom right of the page:



  • You will be taken to a page where you will grant the role specific permissions, those being the SecurityAudit permission set and the VantaAdditionalPermisisons you created in an earlier step. Both these permissions are required for the integration to work properly, do not omit either. 
    • You can search for these permissions in the search box and click the box next to them to grant the permission to the role.


    • The searching and selecting process needs to be done one by one. You can click next when you have checked off both:



  • You will be taken to a page where you must grant the role a name, and a description. Name the role vanta-auditor and enter your desired description, then click  Create role on the bottom right of the page:


    • You will see a green success banner stating the role has been created.




    • Click the View Role button 



    • Copy the ARN of the role you just created:


Role ARN:

  • Head back to Vanta and click Next twice to head to the 'Role ARN' section:




  • Next, paste the ARN you copied from AWS into the text box under step 2 and click next:

Selecting Regions:

  • In the Region selection step, you will be able to add additional regions outside of the default by clicking on Select regions box

Screenshot 2024-07-11 at 12.40.16 PM.png

  • You can click the "X" to remove any regions that you do not wish to be connected. If removed, Vanta will not pull in any resources within that region on the account.
  • Clicking Next will complete the linking process.
    If it's successful, you will receive the message "All your resources have finished loading."

Please note: if your AWS environment has a large number of resources, it might take Vanta a few minutes to fetch all the resources.
You can click Done to exit the Configure Scope step without affecting the connection process

Screenshot_2023-01-05_at_2.27.02_PM.png

  • After you are done with the initial account connection, you can add additional AWS accounts by:
    • Navigate to the Integrations page
    • Under Amazon Web Services
    • Click ManageEdit, then Add new account to repeat the connection workflow 

add-new-account-aws.png

(Optional): Adding Permissions to S3 Bucket Policies

  • If you're not using S3 Bucket policies, you will not need to modify any policy for Vanta to read in S3 Buckets. If your account is using S3 buckets, you may be using S3 Bucket Policies. If so, you'll need to also modify these permissions to let Vanta fetch your buckets, since S3 bucket policies override the default permissions. 
  • To do this, grant further permissions to `vanta-auditor` on the bucket policy itself by following instructions under "Granting cross-account bucket access to a specific IAM role" in AWS's guide. The permissions should be those from the `SecurityAudit` policy. Here is an example of what you would add to the bucket policy:

{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:role/Vanta-Auditor"
},
"Action": [
"s3:GetAccelerateConfiguration",
"s3:GetAccessPoint",
"s3:GetAccessPointPolicy",
"s3:GetAccessPointPolicyStatus",
"s3:GetAccountPublicAccessBlock",
"s3:GetAnalyticsConfiguration",
"s3:GetBucket*",
"s3:GetEncryptionConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetObjectAcl",
"s3:GetObjectVersionAcl",
"s3:GetReplicationConfiguration",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::MyExampleBucket/*"
},