Cloud Security Scanning
Panther Cloud Security Scanning uses policies to detect misconfigurations in AWS resources
Last updated
Was this helpful?
Panther Cloud Security Scanning uses policies to detect misconfigurations in AWS resources
Last updated
Was this helpful?
Cloud Security Scanning in Panther works by capturing the configurations of your Amazon Web Services (AWS) resources and invoking associated you've defined to detect misconfigurations. Cloud Security Scanning is automatically enabled when you onboard a Cloud Account in your Panther instance.
This feature can improve your cloud security posture and assist with compliance. Common security misconfigurations detectable by Panther include:
S3 Buckets without encryption
Security Groups allowing inbound SSH traffic from 0.0.0.0/0
Access Keys being older than 90 days
IAM policies that are too permissive
When adding a new AWS account, Panther runs a baseline scan and models all of the resources in your account. Account scans are then performed daily. This works by using an assumable IAM Role with ReadOnly permissions.
Cloud Security Scanning is automatically enabled in Panther when a cloud account is onboarded. With Cloud Security Scanning, Panther captures the state of cloud resources and invokes any associated on a daily cadence to detect misconfigurations.
You can onboard a cloud account , or .
Additionally, we recommend so you can configure detections and receive alerts for active incidents and breaches.
Log in to your Panther Console.
In the left sidebar, click Configure > Cloud Accounts then click Connect an account.
Enter your account Name and AWS Account ID.
Click Continue Setup.
Panther needs an IAM role to have the ability to scan resources from your AWS account. You can choose from the following options to set this up:
On the "Setup an IAM Role" page, click Select next to Using the AWS Console UI.
Click Launch Console UI.
You will be redirected to the AWS console in a new browser tab, with the template URL pre-filled.
Check the acknowledgements in the "Capabilities" box, and click Create Stack.
Navigate back to your Panther Console.
Click Continue Setup to complete the Cloud Account setup process.
On the "Setup an IAM Role page", click Select next to CloudFormation or Terraform Template File.
Click the template option you want to use, which downloads the template to apply it through your own pipeline.
Upload the template file in AWS.
On the "Set Up an IAM role" page, click the link that says I want to set everything up on my own.
Create the required IAM role. You may create the required IAM role manually or through your own automation.
The Setup Verification page verifies whether the IAM role has been successfully created.
Optionally, you can click Setup CloudTrail to enable Real Time Scanning.
If you have already configured a Log Source containing CloudTrail Logs or if you would like to configure this later, you may skip this step.
Click Finish Setup.
You can optionally enable real-time monitoring of your cloud resources, in addition to the daily scan performed by the Cloud Security Scanning service.
To set up real-time monitoring, either onboard AWS CloudTrail as a log source, or follow the CloudWatch events process below.
To leverage CloudWatch events for resource scanning and monitoring, you must configure a CloudFormation stack in AWS and then onboard your Cloud Account.
It works by creating CloudWatch Event rules which feed to Panther's SQS Queue proxied by a local SNS topic in each region. Latency between an event occurring in AWS and the event being detected by CloudWatch Event rules is typically 1 minute or less.
Launch your AWS console and navigate to the CloudFormation service.
Click Create stack and choose the option "With new resources."
In the Template section, choose the option Upload a template file. Select your panther-cloudwatch-events.yml file.
Click Next.
In the Specify Details section, fill in the necessary fields, including the following:
Stack name: panther-real-time-events
QueueArn: arn:aws:sqs:<PantherRegion>:<PantherAccountID>:panther-aws-events-queue
Click Next.
On the Configure stack options page, click Next.
On the Review page, make sure you have configured your settings correctly. Click Next.
You may also expand the Advanced Options to indicate which AWS Regions, Resource Types, and Resources by Region you would like to exclude from cloud scanning. This can help prevent too many alerts from being generated by regions and resources known to be misconfigured.
: Launch a CloudFormation stack using the AWS console.
: Use Panther's provided CloudFormation template or Terraform template to create an IAM role by downloading the template and deploying on your own.
: Create the IAM role manually or with other automation.
You can also find the Terraform template at .
Once deployed, navigate back to the Panther Console, and click Continue Setup.
If you wish to create an IAM role via some other mechanism, ensure it has the naming standard and permissions documented in .
To onboard a cloud account with the Panther API, use the . Note that after using this operation, you will still need to set up an IAM role in your AWS account—follow the instructions above.
Real-time monitoring means that whenever a change is made to a cloud resource (including configuration modifications, creations, and deletions), Panther invokes any associated with that resource. This means that if the change causes the resource to fail a policy, you will be alerted in near-real-time, instead of at the time of the next daily scan.
To set up real-time monitoring via CloudTrail logs, follow the instructions to .
Before getting started, review the panther-cloudwatch-events.yml CloudFormation template within . This YAML file contains the CloudFormation stack information necessary to configure Panther's real-time CloudWatch Event collection.
the panther-cloudwatch-events.yml template from panther-auxiliary.
After configuring the template, follow the .
To learn more about the attributes that can be referenced in Cloud Security policies, see .
Visit the Panther Knowledge Base to and that answer frequently asked questions and help you resolve common errors and issues.
