When integrating AWS, Vanta requires the permissions specified in the SecurityAudit policy attached to the VantaAuditor role, as well as some additional permissions that are granted in the VantaAdditionalPermissions policy.
The SecurityAudit policy is created by AWS, while the permissions in VantaAdditionalPermissions depend on which products administrators have enabled on your AWS integration. This article details how the permissions relate to the enabled products, and how to update them.
Prerequisites
The user connecting in Vanta must be an editor or an admin in Vanta
The user must also have admin access to AWS, or permissions to create, modify, and edit roles and policies in IAM
What products are available for the AWS Integration?
When linking AWS, on the second step administrators are prompted to select the products used within their organization:
The available products on this menu are:
1. AWS Web Services (On by Default, Cannot be Disabled)
2. AWS CodeCommit
3. AWS IAM Identity Center
4. Amazon Inspector/Basic Scanning
Depending on the products enabled, the permissions granted in the VantaAdditionalPermissions policy can vary. These features may also incur additional cost within AWS if they are not already in use. You can hover over the tooltip (i) to see more details about how each feature works in Vanta:
How do the products affect the VantaAdditionalPermissions Policy?
If you are only using Amazon Web Services, you are prompted to add a limited set of permissions that lacks visibility into CodeCommit and AWS IAM Identity Center:
Resources such as alarms, EC2, RDS, and IAM accounts are still fetched, but Inspector scans, code repositories, and AWS IAM Identity Center users are not.
When you enable another product such as CodeCommit, the policy expands to include the permissions needed to fetch that product's resources alongside those of the other enabled products:
Enabling all four products results in the largest permission set:
And disabling one or more products results in a smaller set of permissions needed for the policy.
I want to enable a product after I originally connected the integration, how can I go about doing this?
When you enable a product after the connection has been established, you first need to update the VantaAdditionalPermissions policy in AWS to add the Allow actions for that product.
The snippet below is the minimum set of permissions required for the integration. It is sufficient for the Amazon Web Services and Amazon Inspector/Basic Scanning products:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "datapipeline:EvaluateExpression",
        "datapipeline:QueryObjects",
        "rds:DownloadDBLogFilePortion"
      ],
      "Resource": "*"
    }
  ]
}
If you only had Amazon Web Services enabled, and you now wish to enable the Inspector product, no changes need to be made to your VantaAdditionalPermissions policy.
If the AWS CodeCommit product is enabled, the following Allow statement needs to be added to the VantaAdditionalPermissions policy (alongside the existing statements, not replacing them):
{
  "Effect": "Allow",
  "Action": [
    "codecommit:GetApprovalRuleTemplate",
    "codecommit:ListPullRequests",
    "codecommit:GetCommentsForPullRequest",
    "codecommit:GetPullRequest",
    "codecommit:GetPullRequestApprovalStates"
  ],
  "Resource": "*"
}
If the AWS IAM Identity Center product is enabled, the following Allow statement needs to be added to the VantaAdditionalPermissions policy (alongside the existing statements, not replacing them):
{
  "Effect": "Allow",
  "Action": [
    "identitystore:Describe*",
    "identitystore:Get*",
    "identitystore:IsMemberInGroups",
    "identitystore:List*"
  ],
  "Resource": "*"
}
Once the policy has been updated, you can go to the integration page in Vanta, click Manage, then Edit:
Next click the pencil icon to edit the connection:
And then toggle on the desired product:
Then click Next and Done. If the VantaAdditionalPermissions policy was correctly updated, the new product should begin to work.
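As an added example (not Vanta's own tooling), the Python below assembles the VantaAdditionalPermissions document from the statements quoted above for a given set of enabled products, and checks an existing policy document for the two mistakes this flow invites: losing the Deny statement by replacing the policy instead of extending it, and missing Allow actions for a newly enabled product. The product labels and function names are this example's own; the statements are the ones in the article.

```python
# Deny statement the article gives as the minimum policy; Amazon Web Services
# and Amazon Inspector/Basic Scanning need nothing beyond it.
BASE_DENY = {
    "Effect": "Deny",
    "Action": [
        "datapipeline:EvaluateExpression",
        "datapipeline:QueryObjects",
        "rds:DownloadDBLogFilePortion",
    ],
    "Resource": "*",
}

# Extra Allow actions per optional product, as quoted in the article.
# Product labels are this example's own keys, not Vanta identifiers.
PRODUCT_ALLOWS = {
    "AWS CodeCommit": [
        "codecommit:GetApprovalRuleTemplate",
        "codecommit:ListPullRequests",
        "codecommit:GetCommentsForPullRequest",
        "codecommit:GetPullRequest",
        "codecommit:GetPullRequestApprovalStates",
    ],
    "AWS IAM Identity Center": [
        "identitystore:Describe*",
        "identitystore:Get*",
        "identitystore:IsMemberInGroups",
        "identitystore:List*",
    ],
}


def build_policy(products):
    """Return the full policy document for the given set of enabled products."""
    statements = [BASE_DENY]
    for product in sorted(PRODUCT_ALLOWS):
        if product in products:
            statements.append({"Effect": "Allow", "Action": PRODUCT_ALLOWS[product], "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def check_policy(policy, products):
    """Compare a parsed policy document (e.g. the one currently attached in IAM)
    against the enabled products. Returns (deny_intact, missing_allow_actions)."""
    allowed, deny_intact = set(), False
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Deny" and set(BASE_DENY["Action"]) <= set(actions):
            deny_intact = True
        elif stmt.get("Effect") == "Allow":
            allowed.update(actions)
    missing = sorted(a for p in products for a in PRODUCT_ALLOWS.get(p, []) if a not in allowed)
    return deny_intact, missing
```

Feed `check_policy` the JSON of the policy version currently attached to the VantaAuditor role; a `False` first value means the base Deny was dropped, and a non-empty list names the actions still to add.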
Keep in Mind
If you are having issues updating the policy, you can always go to the integrations page, click Manage --> Edit --> Add new account on AWS, and then go through the flow as if you were adding a new account. The key is to enable the products you want turned on and copy the policy that is generated. From there you can close the connection flow and update your VantaAdditionalPermissions policy in AWS: