Which resources does Vanta fetch from GCP?
- Artifact Registry repositories
- BigQuery datasets
- Bigtable instances
- Cloud SQL instances
- Cloud Tasks queues
- Compute instances
- Container repositories
- Datastore projects
- Firestore projects
- Log buckets
- Log sinks
- Monitoring policies
- Networks
- Role grants
- Roles
- Spanner instances
- Storage buckets
- Subnets
- Subscriptions
- Topics
Which APIs need to be enabled on the Vanta-scanner project for the Integration?
The following APIs are required for the Integration:
- bigquery.googleapis.com
- cloudresourcemanager.googleapis.com
- containeranalysis.googleapis.com
- firestore.googleapis.com
- iam.googleapis.com
- logging.googleapis.com
- monitoring.googleapis.com
- pubsub.googleapis.com
- serviceusage.googleapis.com
- sqladmin.googleapis.com
- storage-api.googleapis.com
Which permissions need to be granted for the integration?
- resourcemanager.projects.get
- resourcemanager.projects.list
- resourcemanager.folders.list
- iam.roles.list
- resourcemanager.organizations.getIamPolicy
- resourcemanager.folders.getIamPolicy
- bigquery.datasets.get
- compute.instances.get
- compute.instances.getEffectiveFirewalls
- compute.subnetworks.get
- pubsub.topics.get
- storage.buckets.get
- appengine.applications.get
- cloudasset.assets.searchAllResources
Is it possible to connect Vanta without enabling all the APIs listed above?
- No, but these APIs only need to be enabled on the vanta-scanner project created by the script, and billing will not be enabled on the vanta-scanner project.
What permissions are required to run the script in GCP?
- Minimum permissions to run the script are documented here.
Does Vanta integrate with Google Firebase?
- Vanta runs a limited set of tests against Firebase, based on the overall configuration of the underlying GCP project (e.g., user access, and whether MFA is enabled).
What does the GCP linking flow script do?
- Create a Vanta-scanner project under your organization.
- Enable the required APIs on the created Vanta-scanner project.
- Create a custom role, VantaOrganizationScanner, for listing IAM policies inherited by a GCP project.
- Create a new service account, vanta-scanner-service-account, in the vanta-scanner project.
- Download a key for vanta-scanner-service-account as vanta-scanner-key.json.
- Grant vanta-scanner-service-account the VantaOrganizationScanner role in the organization that houses your projects.
If you are linking individual projects, the script will additionally:
- Create a custom role, VantaProjectScanner, for listing resources in a GCP project.
- For each specified project:
  - Grant vanta-scanner-service-account the VantaProjectScanner role.
  - Grant vanta-scanner-service-account the roles/iam.securityReviewer standard role.
If you are linking an organization, the script will additionally:
- Grant vanta-scanner-service-account the roles/iam.securityReviewer standard role for the organization.
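The steps above, put together as an added example that reproduces them with gcloud; this is not Vanta's own linking script. Assumed, because the page does not specify them: the scanner project ID vanta-scanner-{organizationId} (borrowed from the Terraform flow described later on this page), which of the permissions listed above go into which custom role, and the GA stage of the custom roles. Nothing runs until VANTA_LINK_APPLY=1 is set, so the file can be read or sourced safely.

```shell
#!/bin/sh
# Added example, not Vanta's script: reconstructs the linking flow with gcloud.
# Usage: VANTA_LINK_APPLY=1 ORG_ID=<numeric org id> [PROJECT_IDS="p1 p2"] sh link.sh
# With PROJECT_IDS set it performs the project linking flow, otherwise the
# organization linking flow.
set -eu

SA_NAME="vanta-scanner-service-account"
KEY_FILE="vanta-scanner-key.json"

# Assumption: the scanner project is named after the organization, as in the
# Terraform flow (vanta-scanner-{organizationId}).
scanner_project_id() { printf 'vanta-scanner-%s\n' "$1"; }

# Service account e-mail derived from the project ID (fixed GCP format).
scanner_sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$SA_NAME" "$1"; }

# APIs listed in the FAQ above.
REQUIRED_APIS="bigquery.googleapis.com cloudresourcemanager.googleapis.com \
containeranalysis.googleapis.com firestore.googleapis.com iam.googleapis.com \
logging.googleapis.com monitoring.googleapis.com pubsub.googleapis.com \
serviceusage.googleapis.com sqladmin.googleapis.com storage-api.googleapis.com"

# Permissions listed in the FAQ. Assumption: the org-level role gets the
# IAM/resource-manager permissions, the project-level role the resource reads;
# the page does not say how Vanta splits them between the two roles.
ORG_ROLE_PERMS="resourcemanager.projects.get,resourcemanager.projects.list,\
resourcemanager.folders.list,iam.roles.list,\
resourcemanager.organizations.getIamPolicy,resourcemanager.folders.getIamPolicy"
PROJECT_ROLE_PERMS="bigquery.datasets.get,compute.instances.get,\
compute.instances.getEffectiveFirewalls,compute.subnetworks.get,\
pubsub.topics.get,storage.buckets.get,appengine.applications.get,\
cloudasset.assets.searchAllResources"

create_scanner_project() {   # $1 = org id
  project=$(scanner_project_id "$1")
  gcloud projects create "$project" --organization="$1" --name="Vanta scanner"
  # shellcheck disable=SC2086   # word splitting of the API list is intended
  gcloud services enable $REQUIRED_APIS --project="$project"
  gcloud iam service-accounts create "$SA_NAME" --project="$project" \
    --display-name="Vanta scanner"
  # Long-lived key: this JSON file carries the scanner's read access, so treat
  # it as a secret, upload it once, then delete the local copy.
  gcloud iam service-accounts keys create "$KEY_FILE" \
    --iam-account="$(scanner_sa_email "$project")"
}

grant_org_scanner() {        # $1 = org id
  gcloud iam roles create VantaOrganizationScanner --organization="$1" \
    --title="Vanta Organization Scanner" --stage=GA --permissions="$ORG_ROLE_PERMS"
  gcloud organizations add-iam-policy-binding "$1" \
    --member="serviceAccount:$(scanner_sa_email "$(scanner_project_id "$1")")" \
    --role="organizations/$1/roles/VantaOrganizationScanner"
}

grant_project_scanner() {    # $1 = org id, remaining args = project ids to link
  org=$1; shift
  sa="serviceAccount:$(scanner_sa_email "$(scanner_project_id "$org")")"
  gcloud iam roles create VantaProjectScanner --organization="$org" \
    --title="Vanta Project Scanner" --stage=GA --permissions="$PROJECT_ROLE_PERMS"
  for p in "$@"; do
    gcloud projects add-iam-policy-binding "$p" --member="$sa" \
      --role="organizations/$org/roles/VantaProjectScanner"
    gcloud projects add-iam-policy-binding "$p" --member="$sa" \
      --role="roles/iam.securityReviewer"
  done
}

grant_org_security_reviewer() {  # $1 = org id
  gcloud organizations add-iam-policy-binding "$1" \
    --member="serviceAccount:$(scanner_sa_email "$(scanner_project_id "$1")")" \
    --role="roles/iam.securityReviewer"
}

if [ "${VANTA_LINK_APPLY:-0}" = "1" ]; then
  create_scanner_project "$ORG_ID"
  grant_org_scanner "$ORG_ID"
  if [ -n "${PROJECT_IDS:-}" ]; then
    # shellcheck disable=SC2086
    grant_project_scanner "$ORG_ID" $PROJECT_IDS   # project linking flow
  else
    grant_org_security_reviewer "$ORG_ID"          # organization linking flow
  fi
fi
```

The custom roles are created at the organization level in both flows so that a single role ID can be bound on any project under the organization; the roles/iam.securityReviewer binding is the only predefined role the service account receives.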
How does Vanta determine vulnerability priority from GCP?
- Vanta uses the effective severity of the vulnerability determined by GCP.
- GCP determines the effective severity based on the CVSS score and other factors about the asset the vulnerability is on.
- Vanta's vulnerability priority should be the same as the vulnerability priority in the GCP dashboard.
Notes for Terraform flow
- Customers download our Terraform script, make any necessary changes, and place it in their codebase alongside the rest of their infrastructure code.
- If customers disconnect GCP in Vanta, they should also clean up the created resources with terraform destroy.
- As with the console flow, projects outside of an organization are not supported.
How is Terraform script different from the Shell script from the Console flow?
- The Terraform script uses vanta-scanner-{organizationId} as the project ID for the project Vanta creates on the customer's behalf to pull in resources.
- When you click "Shut down," the project is soft-deleted, and it can take up to 30 days for Google to shut it down completely. During that soft-delete period, the project ID of the soft-deleted project is not available for reuse, so if you reconnect GCP using Terraform within those 30 days you will need to choose a different, unique project ID. Once the project is fully shut down, the original project ID can be reused.
- Terraform does not make it easy to create or update resources conditionally, unlike the shell script used by the console flow. The shell script creates or updates a single custom role, VantaOrganizationScanner, with the permissions appropriate to whichever flow is running (console project linking or console organization linking). The Terraform flow instead uses two fixed role IDs: VantaOrganizationScanner for the Terraform project linking flow and VantaExtensiveOrganizationScanner for the Terraform organization linking flow.
Please note:
- If the project ID already exists for any reason, the Terraform script will fail. The following scenarios may require you to change the project ID in the Terraform script before you can run plan and apply:
  - You connected GCP on Vanta previously and already have a project with the above ID.
  - You connected GCP using Terraform, disconnected, but did not clean up the resources.
  - You cleaned up the resources but reconnected quickly, so the project is still soft-deleted (for up to 30 days) and its ID is not yet available for reuse.
- Vanta does not currently officially support connecting projects that belong to multiple organizations.
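A preflight check for the project ID collision cases above, added here as an example; it is not part of Vanta's Terraform script. It validates the project ID against GCP's naming rules and asks gcloud for the project's lifecycleState, which reads DELETE_REQUESTED during the soft-delete window and ACTIVE for a project that still exists. The function names and the default project ID vanta-scanner-{organizationId} are the example's own assumptions. Note that the describe call also fails when the caller lacks permission on an existing project, so "free" only means the ID is not visible to you.

```shell
#!/bin/sh
# Added example (not Vanta's Terraform script): run before `terraform apply`
# to catch an already-existing or soft-deleted scanner project ID.
# Usage: sh preflight.sh <org id> [project id]
set -eu
export LC_ALL=C   # keep [a-z] meaning ASCII lowercase in the pattern below

# GCP project ID rules: 6-30 characters, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
valid_project_id() {
  case "$1" in
    *[!a-z0-9-]*|[!a-z]*|*-) return 1 ;;
  esac
  n=${#1}
  [ "$n" -ge 6 ] && [ "$n" -le 30 ]
}

# Maps the lifecycleState reported by `gcloud projects describe` to a verdict.
# An empty state means the describe call failed, i.e. no project with that ID
# is visible to the caller.
classify_lifecycle_state() {
  case "$1" in
    "")               echo free ;;
    ACTIVE)           echo in-use ;;
    DELETE_REQUESTED) echo soft-deleted ;;
    *)                echo unknown ;;
  esac
}

# Queries GCP; prints the lifecycle state, or nothing if the lookup fails.
lookup_lifecycle_state() {
  gcloud projects describe "$1" --format='value(lifecycleState)' 2>/dev/null || true
}

if [ -n "${1:-}" ]; then
  project_id=${2:-vanta-scanner-$1}   # default matches the Terraform flow naming
  valid_project_id "$project_id" || { echo "invalid project ID: $project_id" >&2; exit 2; }
  case "$(classify_lifecycle_state "$(lookup_lifecycle_state "$project_id")")" in
    free)         echo "$project_id is free; terraform apply can create it" ;;
    in-use)       echo "$project_id already exists; change project_id or clean up first" ;;
    soft-deleted) echo "$project_id is shutting down; wait up to 30 days or pick another ID" ;;
    *)            echo "$project_id is in an unexpected state; inspect it before applying" ;;
  esac
fi
```

Run the check with the same credentials Terraform will use, since a project you cannot describe looks identical to one that does not exist.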