Vanta supports reading tags (called labels in GCP) from our various cloud provider integrations to populate different attributes of cloud resources, such as owner, description, user data, and scope. While these attributes can be set manually on the Inventory page or Integrations page for scoping, these fields are not persistent and will disappear once the integration is disconnected. For this reason, we recommend using tags, as they are continuous and more scalable.
Vanta offers two bulk tagging options:
Vanta tags
- View available Vanta tags by navigating to Inventory in the left-hand column under Assets, and select the Edit bulk tag button in the top right corner
- Select your cloud provider from the left-hand menu and go to the Vanta tags tab
- You should then see a list of available Vanta tags with examples of how to use each, including what the expected value is for the specific tag:
We will provide the exact tag details below for your reference:
VantaOwner
- For AWS and Azure, this is the email address of the instance's owner, and it should be set to the email address of a user in Vanta. An owner will not be assigned if there is no user in Vanta with the email specified.
- For Digital Ocean and GCP, this is everything before the @ sign in the email address, with "." replaced with "_dot_". Example: john.doe@vanta.com in vanta-owner for GCP would be vanta-owner = john_dot_doe.
VantaNonProd
- The presence of this tag on a resource marks it as non-production. Setting the value to true also keeps the resource marked as non-production.
- Vanta will mark the resource as out of scope once the tag is applied. Only apply this tag for non-production resources.
VantaDescription
- This tag allows administrators to set a description, for instance, or add any other descriptive information.
VantaContainsUserData
- This tag allows administrators to define whether a resource contains user data (True/0) or does not contain user data (False/1).
VantaContainsEPHI
- This tag allows administrators to define whether a resource contains electronic Protected Health Information (ePHI). Set it to (True/0) if the resource contains ePHI, or to (False/1) if it does not.
- This tag is only available for customers who are using HIPAA standards.
VantaUserDataStored
- This tag allows administrators to describe the type of user data the instance contains.
VantaNoAlert
- Administrators can add this tag to mark a resource as out of scope for their audit. If this tag is added, the administrator will need to set a reason for why it's not relevant to their audit.
See an example in AWS:
Because the EC2 instance above is tagged with "VantaOwner: jake@vanta.com", Vanta will assign whichever user in Vanta has that email as the item owner on the Inventory page.
Currently, Vanta does not support Vanta tags or custom tags for Heroku resources, and does not support custom tags for Digital Ocean.
Adding Custom Tags
- From the Inventory page, select Edit Bulk Tag in the upper right corner
- Select your cloud provider from the left-hand menu and go to Custom Tags
- In the table, enter the names and values of your custom tags in the input fields to map them to existing Vanta tags
- In the below example, the custom tag owner maps to the Vanta tag VantaOwner, and the custom tag env with the value of true maps to the Vanta tag VantaNonProd
- Once complete, click Save Changes
In the example above, instead of a tag consisting of "VantaOwner:john.doe@vanta.com", you would set the tag to "owner:john.doe@vanta.com".
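A pre-flight check for the VantaOwner rules and the custom tag mapping described above, as an added example that is not Vanta's own code: it flags resources whose owner tag would not resolve to a Vanta user. The resource records, provider ids and user list are constructed, exact-match lookup and "an explicit Vanta tag wins over a mapped custom tag" are assumptions, and only AWS and GCP are covered because those are the key names shown on this page.

```python
import re

# Constructed sample data; provider ids and field names are this example's own.
OWNER_KEY = {"aws": "VantaOwner", "gcp": "vanta-owner"}   # key names shown on this page
# Custom mapping from the page's example: owner -> VantaOwner, env=true -> VantaNonProd
CUSTOM = {"aws": {"owner": ("VantaOwner", None), "env": ("VantaNonProd", "true")}}
# ASCII subset of GCP label value rules: lowercase letters, digits, "_", "-", max 63
GCP_VALUE = re.compile(r"[a-z0-9_-]{1,63}")

def owner_tag_value(provider, email):
    """Owner value for a provider: full email on AWS, encoded local part on GCP."""
    if provider == "aws":
        return email
    value = email.split("@", 1)[0].replace(".", "_dot_")
    if not GCP_VALUE.fullmatch(value):
        raise ValueError(f"{value!r} cannot be stored as a GCP label value")
    return value

def effective_tags(provider, tags):
    """Resolve custom tags to Vanta tags (assumption: explicit Vanta tags win)."""
    resolved = dict(tags)
    for key, (vanta_tag, required) in CUSTOM.get(provider, {}).items():
        if key in tags and required in (None, tags[key]):
            resolved.setdefault(vanta_tag, tags[key])
    return resolved

def unowned(resources, vanta_users):
    """Ids of resources whose owner tag is missing or matches no Vanta user."""
    flagged = []
    for res in resources:
        provider = res["provider"]
        valid = set()
        for email in vanta_users:
            try:
                valid.add(owner_tag_value(provider, email))
            except ValueError:
                pass  # this user cannot be expressed as a GCP label value
        owner = effective_tags(provider, res["tags"]).get(OWNER_KEY[provider])
        if owner not in valid:
            flagged.append(res["id"])
    return flagged

USERS = ["john.doe@vanta.com", "jake@vanta.com"]
RESOURCES = [
    {"id": "i-001", "provider": "aws", "tags": {"VantaOwner": "jake@vanta.com"}},
    {"id": "i-002", "provider": "aws", "tags": {"owner": "john.doe@vanta.com"}},
    {"id": "i-003", "provider": "aws", "tags": {"VantaOwner": "left@vanta.com"}},
    {"id": "vm-004", "provider": "gcp", "tags": {"vanta-owner": "john_dot_doe"}},
    {"id": "vm-005", "provider": "gcp", "tags": {"vanta-owner": "john_doe"}},
    {"id": "vm-006", "provider": "gcp", "tags": {"env": "true"}},
]
print(unowned(RESOURCES, USERS))
```

Resources it flags are the ones that would show no owner on the Inventory page, either because the tag is absent, the email belongs to no Vanta user, or the GCP value was not encoded with _dot_.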