> For the complete documentation index, see [llms.txt](https://docs.panther.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.panther.com/cloud-scanning.md).

# Cloud Security Scanning

## Overview

Cloud Security Scanning in Panther works by capturing the configurations of your Amazon Web Services (AWS) resources and invoking associated [policies](/detections/policies.md) you've defined to detect misconfigurations. Cloud Security Scanning is automatically enabled when you onboard a Cloud Account in your Panther instance.

This feature can improve your cloud security posture and assist with compliance. Common security misconfigurations detectable by Panther include:

* S3 Buckets without encryption
* Security Groups allowing inbound SSH traffic from `0.0.0.0/0`
* Access Keys being older than 90 days
* IAM policies that are too permissive

When adding a new AWS account, Panther runs a baseline scan and models all of the resources in your account. Account scans are then performed daily. This works by using an assumable IAM Role with ReadOnly permissions.

## How to use Cloud Security Scanning

Cloud Security Scanning is automatically enabled in Panther when a cloud account is onboarded. With Cloud Security Scanning, Panther captures the state of cloud resources and invokes any associated [policies](/detections/policies.md) on a daily cadence to detect misconfigurations.

You can onboard a cloud account [in the Panther Console](#onboarding-a-cloud-account-in-the-panther-console), or [using the Panther API](#onboarding-a-cloud-account-using-the-panther-api).

Additionally, we recommend [onboarding your CloudTrail or CloudWatch logs as a log source integration](/data-onboarding/supported-logs/aws.md) so you can configure detections and receive alerts for active incidents and breaches.

{% hint style="info" %}
Panther's Cloud Security Scanning performs scans daily.

You can also enable [real-time monitoring](#real-time-monitoring) of cloud infrastructure configurations.
{% endhint %}

### Onboarding a cloud account in the Panther Console

1. Log in to your Panther Console.
2. In the left sidebar, click **Configure > Cloud Accounts** then click **Create New**.
   * The Cloud Accounts page displays your accounts in a DataGrid with columns for Name, Status, Account ID, Created, and Real Time Scanning status. A hidden-by-default Stack Name column can be enabled through the column-visibility toggle. You can use the toolbar to filter accounts by health status, real-time scanning status, or by a Created date range, and use the quick search to find specific accounts by name or account ID.
3. On the **Basic Information** step, enter your account **Name** and **AWS Account ID**.
   * You can also click **Show Advanced Options** to indicate which AWS Regions, Resource Types, and Resources (by regex) you would like to exclude from cloud scanning. This can help prevent too many alerts from being generated by regions and resources known to be misconfigured.\
     ![The image shows the "Connecting a new Cloud Account" Basic Information step in Panther. There are fields for Name and AWS Account ID. "Advanced Options" is expanded and includes dropdown menus for "Exclude AWS Regions" and "Exclude Resource Types," and a repeatable field for "Exclude Resources by Regex."](/files/ULGh8ZdsUjoZ4rwGygLl)
4. Click **Continue**.

### Set up an IAM role

Panther needs an IAM role to scan resources from your AWS account. On the **Setup an IAM Role** step, choose how you'd like to create the role using one of the following tabs:

* [Using the AWS UI](#creating-an-iam-role-using-the-aws-ui): Launch a CloudFormation stack using the AWS console.
* [CloudFormation Template](#creating-an-iam-role-using-a-cloudformation-template): Download Panther's CloudFormation template and deploy it through your own pipeline.
* [Terraform Template](#creating-an-iam-role-using-a-terraform-template): Download Panther's Terraform template and deploy it through your own pipeline.
* [Setup Manually](#creating-an-iam-role-manually-or-with-other-automation): Create the IAM role manually or with other automation.

Regardless of which option you choose, you will paste the resulting **Role ARN** into the **Enter role ARN** field at the bottom of the tab, then click **Continue**.

<figure><img src="/files/RUeTKJzpMdR98R6ypioe" alt="The Setup an IAM Role step displays tabs for Using the AWS UI, CloudFormation Template, Terraform Template, and Setup Manually, with an Enter role ARN field below the selected tab&#x27;s instructions."><figcaption></figcaption></figure>

#### Creating an IAM Role using the AWS UI

1. On the **Setup an IAM Role** step, select the **Using the AWS UI** tab.
2. Click **Launch Console UI**.
   * You will be redirected to the AWS console in a new browser tab, with the template URL pre-filled.
   * Check the acknowledgements in the "Capabilities" box, and click **Create stack**.
3. When the stack finishes deploying, copy the **Role ARN** from the stack's **Outputs** tab.
4. Navigate back to your Panther Console, paste the value into the **Enter role ARN** field, and click **Continue**.

#### Creating an IAM Role using a CloudFormation Template

1. On the **Setup an IAM Role** step, select the **CloudFormation Template** tab.
2. Click **Download Template** to download Panther's CloudFormation template.
3. Deploy the template through your own pipeline—for example, by running the `aws cloudformation deploy` command shown under **Run Command** in your CLI.
4. When the stack finishes deploying, copy the **Role ARN** from the stack's **Outputs** tab, paste it into the **Enter role ARN** field, and click **Continue**.\
   ![The image shows the CloudFormation Template tab on the Setup an IAM Role step in the Panther Console. There is a Download Template button, instructions to run a CLI command in a code block, and an Enter role ARN field.](/files/PK1KOuruYBZxOcIsmkfb)

#### Creating an IAM Role using a Terraform Template

1. On the **Setup an IAM Role** step, select the **Terraform Template** tab.
2. Click **Download Template** to download Panther's Terraform template.
   * You can also find the Terraform template at [this GitHub link](https://github.com/panther-labs/panther-auxiliary/tree/9365346d8698e730bd623086e24ca6f2a34c4b5c/terraform/panther_cloudsec_iam).
3. Deploy the template through your own pipeline—run `terraform init` to initialize the directory, then apply the template as shown under **Run Command** in your CLI.
4. Once deployed, copy the **Role ARN** from the outputs of your Terraform deployment, paste it into the **Enter role ARN** field, and click **Continue**.

#### Creating an IAM role manually or with other automation

If you wish to create an IAM role via some other mechanism, ensure it has the naming standard and permissions documented in [Panther’s provided templates](https://github.com/panther-labs/panther-auxiliary/blob/main/cloudformation/panther-cloudsec-iam.yml).

1. On the **Setup an IAM Role** step, select the **Setup Manually** tab.
2. Create the required IAM role manually or through your own automation.
3. Paste the role's ARN into the **Enter role ARN** field, and click **Continue**.

### Finish the cloud account setup process

On the **Verification** step, Panther automatically verifies whether the IAM role has been successfully created. When the check succeeds, you'll see an "Everything looks good!" message confirming your cloud account is set up.

Click **Go to Cloud Accounts** to return to the Cloud Accounts list.

{% hint style="info" %}
To receive alerts in near-real time instead of waiting for the daily scan, set up [real-time monitoring](#real-time-monitoring) after onboarding your account.
{% endhint %}

<figure><img src="/files/tTM0P1EVVWbX1N4kdLWW" alt="The Verification step displays a message that says &#x22;Everything looks good!&#x22; confirming the cloud account setup is complete. At the bottom, there is a blue &#x22;Go to Cloud Accounts&#x22; button."><figcaption></figcaption></figure>

### Onboarding a cloud account using the Panther API

To onboard a cloud account with the Panther API, use the [`CreateCloudAccount` operation](/panther-developer-workflows/api/graphql/cloud-account.md#creating-a-cloud-account). Note that after using this operation, you will still need to set up an IAM role in your AWS account—follow the [Creating an IAM role manually or with other automation](#creating-an-iam-role-manually-or-with-other-automation) instructions above.

## Real-time monitoring

You can optionally enable real-time monitoring of your cloud resources, in addition to the daily scan performed by the Cloud Security Scanning service.

Real-time monitoring means that whenever a change is made to a cloud resource (including configuration modifications, creations, and deletions), Panther invokes any [policies](/detections/policies.md) associated with that resource. This means that if the change causes the resource to fail a policy, you will be alerted in near-real-time, instead of at the time of the next daily scan.

To set up real-time monitoring, either onboard AWS CloudTrail as a log source, or follow the CloudWatch events process below.

### CloudTrail logs

To set up real-time monitoring via CloudTrail logs, follow the instructions to [onboard CloudTrail logs](/data-onboarding/supported-logs/aws.md).

### CloudWatch events

To leverage CloudWatch events for resource scanning and monitoring, you must configure a CloudFormation stack in AWS and then onboard your Cloud Account.

#### Configure CloudFormation to leverage CloudWatch events

Before getting started, review the `panther-cloudwatch-events.yml` CloudFormation template within [panther-auxiliary](https://github.com/panther-labs/panther-auxiliary/blob/main/cloudformation/panther-cloudwatch-events.yml). This YAML file contains the CloudFormation stack information necessary to configure Panther's real-time CloudWatch Event collection.

It works by creating CloudWatch Event rules which feed to Panther's SQS Queue proxied by a local SNS topic in each region. Latency between an event occurring in AWS and the event being detected by CloudWatch Event rules is typically 1 minute or less.

1. [Download](https://github.com/panther-labs/panther-auxiliary/blob/main/cloudformation/panther-cloudwatch-events.yml) the `panther-cloudwatch-events.yml` template from panther-auxiliary.
2. Launch your AWS console and navigate to the CloudFormation service.
3. Click **Create stack** and choose the option "With new resources."
4. In the **Template** section, choose the option *Upload a template file*. Select your `panther-cloudwatch-events.yml` file.
5. Click **Next**.
6. In the **Specify Details** section, fill in the necessary fields, including the following:
   * **Stack name**: `panther-real-time-events`
   * **QueueArn**: `arn:aws:sqs:<PantherRegion>:<PantherAccountID>:panther-aws-events-queue`
7. Click **Next**.
8. On the **Configure stack options** page, click **Next**.
9. On the **Review** page, make sure you have configured your settings correctly. Click **Next**.
10. After configuring the template, follow the [instructions to onboard your cloud account](#onboarding-a-cloud-account-in-the-panther-console).

## Cloud resource attributes

To learn more about the attributes that can be referenced in Cloud Security policies, see [Cloud Resource Attributes](/cloud-scanning/cloud-resource-attributes.md).

## Managing Cloud Accounts

### Cloud Accounts DataGrid

The Cloud Accounts page displays all your connected AWS accounts in an interactive DataGrid that provides:

* **Columns**: Name (clickable to edit), Status, Account ID, Created, and Real Time Scanning status. Stack Name is available as a hidden-by-default column through the column-visibility toggle in the toolbar.
* **Filtering**: Click the filter (funnel) icon to open a filter panel where you can filter by health status, real-time scanning status, or a Created date range. Active filters appear as chips above the grid with a Clear All control that preserves the quick-search text.
* **Search**: Quick text search across account names and AWS Account IDs.
* **Sorting**: Click column headers to sort accounts.
* **Actions**: Use the kebab menu (⋮) on each row to edit or delete accounts. The actions menu only appears for users with the *Cloud Account Modify* permission.

![The Cloud Accounts page in Panther displays a DataGrid with three accounts. Columns visible are Name, Status, Account ID, Created, and Real Time Scanning. A filter funnel icon and a "Filter by text" search field sit above the grid, and a "Create New" button is in the top right.](/files/xMAI2yHOhU52OFngNHcd)

The filter panel exposes Health and Real-time Scanning checkboxes plus a Created date range selector:

![The Cloud Accounts page with the filter panel open on the left of the DataGrid. The panel shows a Health section with Healthy and Unhealthy checkboxes, a Real-time Scanning section with Enabled and Not Enabled checkboxes, and a Created date dropdown.](/files/ySYN7oE38g6ZfpEKtfFb)

### Account Health Notifications

When a cloud account becomes unhealthy (e.g., due to IAM role issues), the Status column on the list will switch to **Unhealthy**, and an **Account has turned Unhealthy** notification will appear on the account's edit page, above the configuration form. The notification lists every failing health metric (audit role and/or real-time monitoring) with its summary message, and each entry has a **View Error Message** link that reveals the raw error details.

![The Cloud Account edit page for an unhealthy account. A red-bordered "Account has turned Unhealthy" banner appears above the configuration form, listing a failing audit role check with the message "We were unable to assume arn:aws:iam::123456789012:role/MyApplicationServerRole" and a "View Error Message" link. The configuration form below shows Name and AWS Account ID fields.](/files/XEyQC29YxjaZsLjpEOJL)

## Troubleshooting Cloud Security Scanning

Visit the Panther Knowledge Base to [view articles about Cloud Security Scanning policies](https://help.panther.com/Detections/Policies) and [articles about Cloud Accounts](https://help.panther.com/Data_Sources/Cloud_Accounts) that answer frequently asked questions and help you resolve common errors and issues.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.panther.com/cloud-scanning.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
