Vanta + AWS Integration: Complete Setup Guide
At Agency, the AWS integration is one of the first things we configure when onboarding clients onto Vanta — and for good reason.
At Agency, the AWS integration is one of the first things we configure when onboarding clients onto Vanta — and for good reason. For organizations running infrastructure on AWS, this integration provides automated evidence collection for approximately thirty to forty percent of SOC 2 security controls — including encryption at rest, network security group configuration, IAM policy evaluation, logging and monitoring status, backup configuration, and resource inventory. The integration works by creating a cross-account IAM role that grants Vanta read-only access to your AWS configuration, allowing continuous monitoring without the ability to modify your infrastructure. For organizations with multiple AWS accounts (common in environments with separate development, staging, and production accounts), each account requires its own IAM role and connection.
This guide provides step-by-step instructions for connecting AWS to Vanta across single and multi-account environments. It covers IAM role creation, CloudFormation stack deployment, required permissions, multi-account and multi-region configuration, resource discovery verification, troubleshooting common connection failures, and understanding which AWS services Vanta monitors for SOC 2 compliance.
Prerequisites
Before You Begin
| Requirement | Detail |
|---|---|
| AWS account access | Administrator or IAM management permissions in each AWS account you plan to connect |
| Vanta admin access | Admin role in Vanta to configure integrations |
| CloudFormation permissions | Ability to create CloudFormation stacks in your AWS account(s) |
| Account inventory | List of all AWS accounts that are in SOC 2 scope (production, staging, shared services, etc.) |
| Region inventory | List of all AWS regions where you have active resources |
Scoping Decision: Which AWS Accounts to Connect
| Account Type | Connect to Vanta? | Rationale |
|---|---|---|
| Production | Yes — required | Production accounts host customer data and in-scope services |
| Staging / Pre-production | Recommended | If staging mirrors production configuration, connecting it demonstrates consistent security practices |
| Development | Situational | Connect if developers access production data or if development environments are in your SOC 2 scope |
| Shared services (logging, networking) | Recommended | If these accounts host shared infrastructure that supports production services |
| Sandbox / experimentation | No | Typically out of SOC 2 scope unless they access production data |
Step-by-Step Setup: Single AWS Account
Step 1: Initiate the Connection in Vanta
Navigate to Vanta's integrations page and locate the AWS integration. Click to begin the connection process. Vanta provides two connection methods:
| Method | When to Use |
|---|---|
| CloudFormation (recommended) | Standard approach — Vanta provides a CloudFormation template that creates the IAM role automatically |
| Manual IAM role creation | When organizational policies restrict CloudFormation usage or when you need custom IAM configurations |
Step 2: Deploy the CloudFormation Stack
Vanta generates a CloudFormation template URL specific to your Vanta organization. The template creates:
| Resource | Purpose |
|---|---|
| IAM role | Cross-account role that Vanta assumes to read your AWS configuration |
| IAM policy | Read-only policy attached to the role specifying which AWS services Vanta can access |
| Trust relationship | Allows Vanta's AWS account to assume the role in your account |
| External ID | Unique identifier that prevents confused deputy attacks |
Deployment steps:
- Click the CloudFormation launch link provided by Vanta
- The AWS CloudFormation console opens with the template pre-loaded
- Review the stack parameters — the external ID and Vanta account ID are pre-populated
- Acknowledge that CloudFormation will create IAM resources (required checkbox)
- Click "Create Stack"
- Wait for the stack status to show CREATE_COMPLETE (typically one to three minutes)
Step 3: Verify the Connection in Vanta
After the CloudFormation stack completes:
- Return to Vanta's AWS integration page
- Vanta automatically detects the new IAM role and begins resource discovery
- Initial resource discovery takes five to fifteen minutes depending on account size
- Once complete, Vanta displays discovered resources and begins running automated tests
Step 4: Verify Resource Discovery
After the initial discovery, confirm that Vanta has found the expected resources:
| Resource Type | What to Verify |
|---|---|
| EC2 instances | All running and stopped instances appear |
| RDS databases | All database instances are listed |
| S3 buckets | All buckets appear with encryption and access policy status |
| IAM users and roles | All IAM entities are discovered |
| VPC and security groups | Network configuration is visible |
| CloudTrail | Logging status is detected |
| KMS keys | Encryption key configuration is visible |
| Lambda functions | Serverless functions are listed |
| ECS/EKS clusters | Container services are discovered (if used) |
If resources are missing, check the IAM role permissions and ensure the regions where resources are deployed are accessible to the integration.
Multi-Account Setup
AWS Organizations Integration
For organizations using AWS Organizations with multiple accounts, Vanta supports connecting multiple accounts through individual CloudFormation deployments in each account:
| Approach | How It Works | Best For |
|---|---|---|
| Individual account connections | Deploy the CloudFormation stack separately in each AWS account | Organizations with fewer than five in-scope accounts |
| StackSets (for AWS Organizations) | Deploy the CloudFormation template across multiple accounts simultaneously using AWS CloudFormation StackSets | Organizations with five or more accounts needing efficient deployment |
StackSets Deployment Process
For multi-account environments using AWS Organizations:
- Create a CloudFormation StackSet in your management account using the Vanta-provided template
- Target the organizational units (OUs) or specific accounts where the stack should be deployed
- StackSets automatically deploys the IAM role to each target account
- Each account's IAM role appears in Vanta as a separate connection
- Verify resource discovery for each account
Multi-Account Best Practices
| Practice | Rationale |
|---|---|
| Connect all production accounts | Production accounts are always in SOC 2 scope |
| Use consistent naming for IAM roles | Name the role consistently (e.g., VantaIntegrationRole) across all accounts for manageability |
| Document which accounts are connected and why | Maintain a mapping of AWS accounts to SOC 2 scope justification |
| Set up alerts for stack drift | Monitor for changes to the IAM role permissions that could break the integration |
| Review account connections quarterly | Ensure new accounts are connected and decommissioned accounts are removed |
Required Permissions
IAM Policy Overview
Vanta's IAM role uses a read-only policy that grants access to describe, list, and get operations across AWS services — no write, create, delete, or modify permissions are included.
Key Permission Categories
| Permission Category | AWS Services | Purpose |
|---|---|---|
| Compute | EC2, ECS, EKS, Lambda | Discover compute resources; verify security group configuration |
| Storage | S3, EBS, EFS | Verify encryption at rest; check bucket policies and access controls |
| Database | RDS, DynamoDB, Redshift, ElastiCache | Verify database encryption; check backup configuration |
| Identity | IAM, STS | Evaluate IAM policies, MFA status, access key rotation, password policy |
| Networking | VPC, Security Groups, NACLs | Evaluate network security configuration; identify overly permissive rules |
| Logging | CloudTrail, CloudWatch, Config | Verify logging is enabled; check log retention; confirm monitoring configuration |
| Encryption | KMS | Verify encryption key management; check key rotation policies |
| Governance | Organizations, Config Rules, GuardDuty | Evaluate organizational security posture and threat detection |
Security Considerations
| Concern | How It Is Addressed |
|---|---|
| Vanta cannot modify your infrastructure | The IAM policy contains only read permissions (Describe*, List*, Get*); no write or modify actions |
| Cross-account access is secured | The trust relationship uses an external ID specific to your Vanta organization, preventing confused deputy attacks |
| Permissions can be audited | You can review the IAM policy attached to the Vanta role at any time in your AWS IAM console |
| Access can be revoked immediately | Deleting the CloudFormation stack or removing the IAM role immediately terminates Vanta's access |
What Vanta Monitors for SOC 2
Automated Tests by AWS Service
| AWS Service | SOC 2 Controls Tested | Example Tests |
|---|---|---|
| IAM | Access management (CC6) | MFA enabled for all IAM users; access keys rotated within ninety days; no root account access keys; password policy meets requirements |
| S3 | Data protection (CC6) | Server-side encryption enabled; public access blocked; bucket policies restrict access appropriately |
| EC2 | Infrastructure security (CC6, CC7) | Security groups do not allow unrestricted inbound access (0.0.0.0/0) on sensitive ports; EBS volumes encrypted |
| RDS | Data protection, availability (CC6, A1) | Encryption at rest enabled; automated backups configured; Multi-AZ deployment (for availability criterion) |
| CloudTrail | Monitoring (CC7) | CloudTrail enabled in all regions; log file validation enabled; logs delivered to designated S3 bucket |
| CloudWatch | Monitoring (CC7) | Alarms configured for critical events; log groups with appropriate retention |
| KMS | Encryption management (CC6) | Key rotation enabled; key policies restrict access appropriately |
| VPC | Network security (CC6) | Default security groups restrict all inbound traffic; VPC flow logs enabled |
| Config | Configuration monitoring (CC7) | AWS Config enabled; Config rules evaluating compliance |
| GuardDuty | Threat detection (CC7) | GuardDuty enabled; findings are being monitored and addressed |
Tests That Require Manual Evidence
Not all SOC 2 controls can be verified through the AWS integration. Controls requiring manual evidence include:
| Control Area | Why It Requires Manual Evidence |
|---|---|
| Access reviews | Vanta monitors IAM configuration but periodic access review completion must be documented separately |
| Change management | Code review and deployment approval processes are verified through the code repository integration, not AWS |
| Incident response | Incident response plan and tabletop exercise documentation are uploaded manually |
| Risk assessment | Risk assessment documentation is managed within Vanta's risk module, not derived from AWS |
| Employee training | Security awareness training is tracked through HR or training platform integrations |
| Vendor management | Vendor risk assessments are managed within Vanta's vendor module |
Troubleshooting Common Issues
Connection Failures
| Issue | Likely Cause | Resolution |
|---|---|---|
| CloudFormation stack fails to create | Insufficient permissions to create IAM resources | Ensure you have IAM:CreateRole, IAM:PutRolePolicy, and CloudFormation permissions |
| Vanta shows "Connection Failed" | IAM role trust relationship is incorrectly configured | Verify the external ID matches the value provided by Vanta; confirm the trusted account ID matches Vanta's AWS account |
| Partial resource discovery | IAM policy missing permissions for specific services | Review the Vanta-provided IAM policy; ensure all required permissions are included |
| Resources in specific regions not appearing | Integration limited to certain regions | Vanta monitors all enabled regions by default; verify the resource's region is not opted out |
| Connection drops after initial success | IAM role or policy was modified | Check for changes to the IAM role trust relationship or policy; redeploy the CloudFormation stack if needed |
Test Failures
| Issue | Likely Cause | Resolution |
|---|---|---|
| "MFA not enabled" for IAM users | Service accounts or legacy users without MFA | Enable MFA for all human IAM users; for service accounts, document the exception or use IAM roles instead of users |
| "S3 bucket not encrypted" | Legacy buckets created before encryption defaults | Enable default encryption on all S3 buckets; use SSE-S3 or SSE-KMS |
| "Security group allows unrestricted access" | Security group with 0.0.0.0/0 inbound rules on sensitive ports | Restrict security group rules to specific IP ranges or security groups; remove 0.0.0.0/0 rules on ports other than 80/443 if public-facing |
| "CloudTrail not enabled" | CloudTrail not configured or limited to specific regions | Enable CloudTrail in all regions with a multi-region trail; enable log file validation |
| "Root account access keys exist" | Access keys created for the root account | Delete root account access keys; use IAM users or roles for programmatic access |
Performance and Timing
| Question | Answer |
|---|---|
| How often does Vanta scan AWS? | Vanta performs continuous monitoring with scans approximately every twenty-four hours for most resources |
| How long after remediation do tests pass? | Typically within twenty-four hours after the next scan cycle; some configuration changes are detected within one to four hours |
| Does Vanta impact AWS performance? | No — Vanta uses read-only API calls that do not affect instance performance or availability |
| What is the API call volume? | Moderate — primarily Describe and List calls; stays well within AWS API rate limits for standard accounts |
Post-Setup Optimization
Recommended Configuration After Connection
| Action | Purpose |
|---|---|
| Review and resolve all failing tests | Address test failures before the audit observation period begins |
| Tag resources appropriately | Use consistent tagging (e.g., Environment: production) to help organize Vanta's resource view |
| Connect monitoring integrations | Connect CloudWatch, PagerDuty, or Datadog to Vanta for monitoring evidence |
| Set up notification channels | Configure Slack or email notifications for new test failures |
| Document excluded resources | If specific resources are intentionally out of scope, document the justification in Vanta |
Key Takeaways
- The Vanta-AWS integration provides automated evidence collection for approximately thirty to forty percent of SOC 2 security controls — we consider it the single most impactful integration in most Vanta deployments
- The integration uses a read-only IAM role — Vanta cannot modify your AWS infrastructure
- We recommend deploying using the CloudFormation template for consistent, auditable IAM role creation
- Connect all production AWS accounts; evaluate staging and shared services accounts based on SOC 2 scope
- For multi-account environments, we advise using CloudFormation StackSets to deploy the IAM role across multiple accounts efficiently
- Initial resource discovery takes five to fifteen minutes; continuous monitoring scans run approximately every twenty-four hours
- Key controls tested include IAM MFA enforcement, S3 encryption, security group configuration, CloudTrail logging, and RDS backup/encryption
- Not all SOC 2 controls are covered by the AWS integration — access reviews, incident response, risk assessment, and training require separate evidence
- We always tell clients to verify resource discovery after setup to ensure all in-scope resources are detected
- Address all failing tests before the audit observation period begins to avoid carrying exceptions into your report
Frequently Asked Questions
Can I connect multiple AWS accounts to Vanta?
What we tell clients is: absolutely, and for most organizations with separate production, staging, and shared services accounts, you should. Vanta supports connecting multiple AWS accounts, each requiring its own IAM role. For organizations with fewer than five accounts, connect each individually through the Vanta integrations page. For organizations with five or more accounts using AWS Organizations, use CloudFormation StackSets to deploy the IAM role across all target accounts simultaneously. Each connected account appears as a separate connection in Vanta with its own resource inventory and test results.
Does the Vanta integration affect AWS performance?
Based on what we see across our client deployments: no. The integration uses read-only API calls (Describe, List, Get operations) that do not impact instance performance, network throughput, or application availability. The API call volume stays within normal AWS rate limits. Vanta does not install agents on EC2 instances or interact with running workloads — it reads configuration metadata through the AWS API.
What happens if I modify the IAM role permissions?
The advice we give here is to avoid modifying the Vanta-provided IAM policy unless absolutely necessary. Modifying the IAM role policy may cause Vanta to lose access to certain AWS services, resulting in test failures or missing resource discovery. If you need to restrict permissions beyond the default Vanta policy, review which tests will be affected before making changes. If the trust relationship is modified incorrectly, the entire connection may fail. If you accidentally break the connection, delete and redeploy the CloudFormation stack to restore the default configuration.
Do I need to connect AWS GovCloud accounts differently?
In our experience, AWS GovCloud accounts may require separate configuration due to GovCloud's isolated partition. Check Vanta's current documentation for GovCloud-specific instructions, as the setup process and supported services may differ from standard AWS commercial regions. The IAM role creation process is similar but uses GovCloud-specific endpoints and account IDs.
Agency Team
Agency Insights
Expert guidance on cybersecurity compliance from Agency's advisory team.
LinkedIn
