Connecting Vanta & AWS Organization

As a part of the AWS cloud provider integration, Vanta supports detection and linking of all your AWS accounts via your AWS Organization Management account.

  • When connecting via your AWS Organization, Vanta will scan all the AWS accounts associated with your AWS Organization, detect when AWS accounts are added to or deleted from your Organization, and then automatically update your inventory in Vanta.
  • If you are migrating from connecting via individual AWS accounts, please complete "Delete individual AWS accounts in Vanta" first.
  • If this is the first time you are connecting Vanta with AWS, you can proceed to "Prepare your AWS environment".
  • Note: We currently don't support connecting an AWS Organization together with individual AWS accounts (it's either one or the other), and we also don't support connecting multiple AWS Organizations.

Delete individual AWS accounts in Vanta

  • If you have already connected AWS with Vanta by adding individual AWS accounts, you will have to delete those accounts before you can start connecting via your AWS Organization.
  • If you've assigned owners or descriptions to resources within Vanta, this data will be erased when you delete your credentials. If this is preventing you from migrating to AWS Organizations, please reach out to support.
  • To delete AWS accounts go to Integrations > Cloud Providers > Amazon Web Services > Manage > Edit > Delete (trash icon) or Delete all accounts.

Prepare your AWS environment

To prepare your AWS environment to integrate with Vanta you need to do the following two things:

  • In Vanta, go to Integrations > Cloud providers and add AWS. In the connection flow, choose to connect with "Organization".
  • Configure each AWS account in your AWS Organization so Vanta can scan them (policy and role creation, described in the next sections).

Configure each AWS account in your AWS Organization so Vanta can scan them

Policy creation

For each account, create a policy in the AWS policy creator:

  • Navigate to the AWS policy creator. Once there, click on the JSON tab. Note: AWS inline policies are not supported.
  • Paste the policy: take the snippet below and paste it into the editor.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "codecommit:GetApprovalRuleTemplate"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": [
            "datapipeline:EvaluateExpression",
            "datapipeline:QueryObjects",
            "rds:DownloadDBLogFilePortion"
          ],
          "Resource": "*"
        }
      ]
    }

  • Optional: If your organization uses AWS CodeCommit, include codecommit:GetApprovalRuleTemplate in the Action allow list above.
  • Review the policy and name the policy VantaAdditionalPermissions.
  • Click Create policy.

Role creation

For each account, create a role in the AWS role creator:

  • Navigate to the AWS role creator. Click "AWS Account" for "Trusted entity type" and select "Another AWS Account" for "An AWS account".
  • Paste the following value into the Account ID field:
    956993596390
  • Select Require external ID and paste the external ID into the field (get this value in the AWS connection flow in Vanta).
  • Confirm that Require MFA is not selected.
  • Click Next on the bottom right.
  • Select policies: search for SecurityAudit and select the checkbox for this policy. Do the same for the VantaAdditionalPermissions policy that we just created.
  • Click Next on the bottom right.
  • Name the role vanta-auditor.
    • Note: Vanta expects the roles you create for accounts in your AWS Organization to be named vanta-auditor. Other role names may prevent Vanta from being able to scan the account.
  • Click Create role.
  • Follow the steps in the connection flow to create a policy and role in your Management account.
    • Because Vanta scans for resources in your Management Account, you'll need to add resource scanning permissions and the SecurityAudit policy to Vanta's role in your management account.
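As an added check that is not part of this article or of Vanta's product, the Python below validates a vanta-auditor role's trust policy against what the steps above establish: the role name, Vanta's account 956993596390 as the only trusted principal, a present and matching sts:ExternalId condition, and no MFA condition. The external ID value and the trust-policy document are constructed placeholders; the real external ID comes from Vanta's connection flow.

```python
import json

# Values from the article. The external ID is a constructed placeholder;
# the real one is shown in Vanta's AWS connection flow.
VANTA_ACCOUNT_ID = "956993596390"
EXPECTED_ROLE_NAME = "vanta-auditor"
EXPECTED_EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"  # constructed placeholder

# Constructed trust policy: what the console produces for the steps above
# ("Another AWS account" + "Require external ID", Require MFA left unchecked).
GOOD_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::956993596390:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}""")

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def check_vanta_role(role_name, trust_policy):
    """Return findings (empty list = OK) for a role Vanta is meant to assume."""
    findings = []
    if role_name != EXPECTED_ROLE_NAME:
        findings.append(f"role named {role_name!r}, expected {EXPECTED_ROLE_NAME!r}")
    assume_stmts = [s for s in trust_policy.get("Statement", [])
                    if s.get("Effect") == "Allow"
                    and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not assume_stmts:
        findings.append("no Allow sts:AssumeRole statement; Vanta cannot assume the role")
    for stmt in assume_stmts:
        principal = stmt.get("Principal")
        trusted = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for p in trusted:
            # The console's "Another AWS account" option yields arn:aws:iam::<id>:root
            if p not in (VANTA_ACCOUNT_ID, f"arn:aws:iam::{VANTA_ACCOUNT_ID}:root"):
                findings.append(f"unexpected trusted principal {p}")
        cond = stmt.get("Condition", {})
        ext_ids = _as_list(cond.get("StringEquals", {}).get("sts:ExternalId"))
        if not ext_ids:
            findings.append("missing sts:ExternalId condition (confused-deputy protection)")
        elif ext_ids != [EXPECTED_EXTERNAL_ID]:
            findings.append("sts:ExternalId does not match the value shown in Vanta")
        if any("aws:MultiFactorAuthPresent" in v for v in cond.values()):
            findings.append("MFA condition present; Require MFA must be unchecked")
    return findings
```

Feed it each member account's actual trust policy (for example from `aws iam get-role`) to confirm every vanta-auditor role matches before starting the Organization scan.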


Configure your Management account and connect to Vanta

For your AWS Management Account, create a policy in the AWS policy creator:

  • Navigate to the AWS policy creator. Once there, click on the JSON tab. Note: AWS inline policies are not supported.
  • Paste the policy: take the snippet below and paste it into the editor.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "codecommit:GetApprovalRuleTemplate"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": [
            "datapipeline:EvaluateExpression",
            "datapipeline:QueryObjects",
            "rds:DownloadDBLogFilePortion"
          ],
          "Resource": "*"
        }
      ]
    }

  • Review the policy and name the policy VantaManagementAccountPermissions.
  • Click Create policy.

Enter the ARN of the "vanta-auditor" role you created in your Management account when prompted.

  • Select all regions where you have infrastructure. Vanta will scan your Organization for resources in all of the regions you select.
  • Vanta will scan your AWS Organization for accounts and resources. It can take up to 2 hours to finish scanning.
  • When the scan has completed, you will be able to see your AWS accounts in Inventory.
  • To configure the scope of your scanned resources for each AWS account, go to Integrations > Configure scope.
