Cloud Security Scanning

Panther Cloud Security Scanning uses policies to detect misconfigurations in AWS accounts


Panther's Cloud Security Scanning works by scanning AWS accounts, modeling the Resources within them, and using Policies to detect misconfigurations. Cloud Security Scanning is automatically enabled when you onboard a Cloud Account to your Panther Console.
This feature can be used to power your compliance and improve your cloud security posture. Common security misconfigurations detectable by Panther include:
  • S3 Buckets without encryption
  • Security Groups allowing inbound SSH traffic from
  • Access Keys being older than 90 days
  • IAM policies that are too permissive
When adding a new AWS account, Panther runs a baseline scan and models all of the resources in your account. Account scans are performed daily to ensure the most consistent state possible. This works by using an assumable IAM Role with ReadOnly permissions.
Cloud Security Scanning is not available during Panther's free 30-day trial. Request access to the feature via an assisted trial by using the Intercom Messenger in the bottom-right corner of the Panther Console.

How to use Cloud Security Scanning

Onboarding a cloud account in Panther will automatically enable Cloud Security Scanning. Panther will scan the resources daily for potential vulnerabilities. You can onboard a cloud account in the Panther Console, or using the Panther API.
Additionally, we recommend onboarding your CloudTrail or CloudWatch logs as a log source integration so you can configure detections and receive alerts for active incidents and breaches.
Panther's Cloud Security Scanning performs scans daily.
You can also enable real-time monitoring of cloud infrastructure configurations.

Onboarding the cloud account in Panther

  1. 1.
    Log in to your Panther Console.
  2. 2.
    In the left sidebar, click Configure > Cloud Accounts then click Connect an account.
  3. 3.
    Enter your account Name and AWS Account ID.
    • You may also expand the Advanced Options to indicate which AWS Regions, Resource Types, and Resources by Region you would like to exclude from cloud scanning. This can help prevent too many alerts from being generated by regions and resources known to be misconfigured.
      The image shows the Cloud Account configuration page in Panther. There are fields for Name and AWS Account ID. "Advanced Options" is expanded and includes dropdown menus for "Exclude AWS Regions," "Exclude Resource Types," and a field for "Exclude Resources by Regex."
  4. 4.
    Click Continue Setup.

Set up an IAM role

Panther needs an IAM role to have the ability to scan resources from your AWS account. You can choose from the following options to set this up:
The Setup an IAM Role page displays options for Using the AWS Console UI, CloudFormation or Terraform template, or "I want to set up everything on my own."

Creating an IAM Role using the AWS Console UI

  1. 1.
    On the "Setup an IAM Role" page, click Select next to Using the AWS Console UI.
  2. 2.
    Click Launch Console UI.
    • You will be redirected to the AWS console in a new browser tab, with the template URL pre-filled.
    • Check the acknowledgements in the "Capabilities" box, and click Create Stack.
  3. 3.
    Navigate back to your Panther Console.
  4. 4.
    Click Continue Setup to complete the Cloud Account setup process.

Creating an IAM Role using a CloudFormation or Terraform Template File

  1. 1.
    On the "Setup an IAM Role page", click Select next to CloudFormation or Terraform Template File.
  2. 2.
    Click the template option you want to use, which downloads the template to apply it through your own pipeline.
  3. 3.
    Upload the template file in AWS.
  4. 4.
    Once deployed, navigate back to the Panther Console, and click Continue Setup.
    The image shows the CloudFormation Template File option page in the Panther Console. On the screen there are links to download a CloudFormation or Terraform Template, then instructions to run commands in your CLI.

Creating an IAM role manually or with other automation

If you wish to create an IAM role via some other mechanism, ensure it has the naming standard and permissions documented in Panther’s provided templates.
  1. 1.
    On the "Set Up an IAM role" page, click the link that says I want to set everything up on my own.
  2. 2.
    Create the required IAM role. You may create the required IAM role manually or through your own automation.

Finish the cloud account setup process

The Setup Verification page verifies whether the IAM role has been successfully created.
  1. 1.
    Optionally, you can click Setup CloudTrail to enable Real Time Scanning.
    • If you have already configured a Log Source containing CloudTrail Logs or if you would like to configure this later, you may skip this step.
  2. 2.
    Click Finish Setup.
The screen displays a message that says 'Everything looks good!" and "Your configured stack was deployed successfully and your source's setup is now complete!" There is also a message indicating that you can also set up a CloudTrail log source. At the bottom, there is a blue "Finish Setup" button.

Onboarding a cloud account using the Panther API

To onboard a cloud account with the Panther API, use the CreateCloudAccount operation. Note that after using this operation, you will still need to set up an IAM role in your AWS account—follow the Creating an IAM role manually or with other automation instructions above.

Real-time monitoring

CloudTrail logs

To set up real-time monitoring via CloudTrail logs, follow the instructions to onboard CloudTrail logs.

CloudWatch events

To leverage CloudWatch events for resource scanning and monitoring, you must configure a template in AWS and then onboard your Cloud Account.

Configure CloudFormation to leverage CloudWatch events

Before getting started, review the panther-cloudwatch-events.yml file within panther-auxiliary. This YAML file contains the CloudFormation stack information necessary to configure Panther's real-time CloudWatch Event collection.
It works by creating CloudWatch Event rules which feed to Panther's SQS Queue proxied by a local SNS topic in each region. Latency between an event occurring in AWS and the event being detected by CloudWatch Event rules is typically 1 minute or less.
  1. 1.
    Download the panther-cloudwatch-events.yml file from panther-auxiliary.
  2. 2.
    Launch your AWS console and navigate to the CloudFormation project.
  3. 3.
    Click Create stack and choose the option "With new resources."
  4. 4.
    In the Template section, choose the option Upload a template file. Select your panther-cloudwatch-events.yml file.
  5. 5.
    Click Next.
  6. 6.
    In the Specify Details section, fill in the necessary fields, including the following:
    • Stack name: panther-real-time-events
    • QueueArn: arn:aws:sqs:<PantherRegion>:<PantherAccountID>:panther-aws-events-queue
  7. 7.
    Click Next.
  8. 8.
    On the Configure stack options page, click Next.
  9. 9.
    On the Review page, make sure you have configured your settings correctly. Click Next.
  10. 10.
    After configuring the template, follow the instructions to onboard your cloud account.

Cloud resource attributes

To learn more about the attributes that can be referenced in Cloud Security policies, see Cloud Resource Attributes.

Troubleshooting Cloud Security Scanning

Visit the Panther Knowledge Base to view articles about Cloud Security Scanning policies and articles about Cloud Accounts that answer frequently asked questions and help you resolve common errors and issues.