Vanta integration questions and enhancements #27152

Closed
allenhouchins opened this issue Mar 14, 2025 · 7 comments
allenhouchins (Member) commented Mar 14, 2025

I'm working with @Sampfluger88 on our compliance requirements and have been poking around at the Vanta integration. I saw this issue was previously opened and closed: #19312

Given the updates of the previous ticket, this might be best addressed by @eashaw

A couple of questions:

  • Why does the API-only account need to be set up as an admin? If Vanta is just pulling in information, we should limit this to least privileges (ex: Observer). Or is Vanta writing data back to Fleet?
  • It seems like the API account has to be a global admin. I tried setting this up scoped to just the Workstations and Workstations (canary) groups and it will not connect, stating "The API key provided has insufficient permissions. Please configure the API-only user associated with this token to have the Admin role." Is it true that this account needs Global admin? If so, why? Being able to scope this account to specific teams would address the issue around devices in Compliance exclusions or the Servers team showing up in Vanta.
@allenhouchins allenhouchins added the #g-digital-experience https://fleetdm.com/handbook/digital-experience label Mar 14, 2025
@allenhouchins allenhouchins changed the title from "Vanta integration questions and enhancemenets" to "Vanta integration questions and enhancements" Mar 14, 2025
eashaw (Contributor) commented Mar 17, 2025

@allenhouchins The integration requires an admin API token because it sends information about user accounts on the Fleet instance to Vanta (IIRC, only admin roles can send requests to the /api/v1/fleet/users endpoint).

For #19312, we updated the integration to exclude hosts from a specific team if it was running for our Fleet instance. If we need to set up the Vanta integration for dogfood again, we will need to update the integration to make sure those hosts are excluded when the integration runs (it currently uses the database ID of the old integration).

Can you let me know when you are reconnecting the integration so I can make that change?

allenhouchins (Member, Author) commented

> The integration requires an admin API token because it sends information about user accounts on the Fleet instance to Vanta (IIRC, only admin roles can send requests to the /api/v1/fleet/users endpoint).

@eashaw Ah, ok! That makes sense. This integration is managing more than just devices. It's also pulling in Fleet administrator information.

The new integration has just been enabled. Please make sure only hosts from Workstations team_id=275 and Workstations (canary) team_id=274 are in scope. Thanks!

eashaw (Contributor) commented Mar 17, 2025

@allenhouchins I just merged a PR to update the integration. The next run of the script will only send information about hosts on those two teams from Dogfood.
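
As an added illustration of the team scoping discussed in this thread (not code from the Fleet integration or from any participant), here is a fail-closed allowlist filter over host records. The `team_id` and `hostname` field names and the sample hosts are constructed assumptions; 274 and 275 are the team IDs given above.

```python
from collections import Counter

# Team IDs named in the thread: Workstations (canary) = 274, Workstations = 275.
IN_SCOPE_TEAM_IDS = frozenset({274, 275})


def scope_hosts(hosts, allowed_team_ids=IN_SCOPE_TEAM_IDS):
    """Split host records into (in_scope, excluded) using a team allowlist.

    Fails closed: a host whose team_id is missing, null, or not an integer
    is excluded rather than forwarded to the compliance tool.
    """
    in_scope, excluded = [], []
    for host in hosts:
        team_id = host.get("team_id")
        # type() check rejects strings such as "275" and booleans.
        if type(team_id) is int and team_id in allowed_team_ids:
            in_scope.append(host)
        else:
            excluded.append(host)
    return in_scope, excluded


def exclusion_summary(excluded):
    """Count excluded hosts per team_id so each sync run can be audited."""
    return Counter(host.get("team_id") for host in excluded)


# Constructed sample data; team IDs 12 and 31 are made-up stand-ins for
# other teams (for example Servers or Compliance exclusions).
SAMPLE_HOSTS = [
    {"hostname": "ws-01", "team_id": 275},
    {"hostname": "ws-canary-01", "team_id": 274},
    {"hostname": "srv-01", "team_id": 12},
    {"hostname": "vm-01", "team_id": 31},
    {"hostname": "unassigned-01", "team_id": None},
    {"hostname": "odd-01", "team_id": "275"},
]

if __name__ == "__main__":
    kept, dropped = scope_hosts(SAMPLE_HOSTS)
    print("sent:", [h["hostname"] for h in kept])
    print("excluded by team_id:", dict(exclusion_summary(dropped)))
```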

allenhouchins (Member, Author) commented

@eashaw Thank you! If we have old device records still in Vanta for VMs and things part of the older Compliance exclusions team, should I manually delete those or does the sync clean that up?

@Sampfluger88 Sampfluger88 self-assigned this Mar 17, 2025
eashaw (Contributor) commented Mar 17, 2025

> should I manually delete those or does the sync clean that up?

@allenhouchins It has been a while since I've been in the Vanta dashboard, but I think you will need to remove those manually.

allenhouchins (Member, Author) commented

@eashaw Sounds good! Thanks! I'll close this out.

fleet-release (Contributor) commented

Integration smooth as stream,
Data flows, yet safe it seems.
Fleet and Vanta dream.
