S3 Source
Onboarding AWS S3 as a Data Transport log source in the Panther Console
Panther supports configuring your Amazon S3 bucket as a Data Transport to pull security logs from S3 buckets.
First you will configure the S3 source in your Panther Console, then you will configure your S3 bucket to send notifications when it receives new data.
Data can be sent compressed (or uncompressed). Learn more about compression specifications in Ingesting compressed data in Panther.
See the diagram below to understand how data flows from your application(s) into Panther using S3 (in SaaS):

The instructions below outline how to set up an S3 integration manually, in the Panther Console. It's also possible to manage your S3 log source using the Panther API, or using Terraform.
To set up an S3 log source in Panther, follow the steps below. You can also view the data ingestion video overview for a quick walkthrough of S3 source setup.
- If an Amazon S3 bucket does not already exist, create one by following Amazon's Creating a bucket documentation.

1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
2. In the upper right corner, click Create New.
3. Click the Custom Log Formats tile.
4. In the AWS S3 Bucket tile on the slide-out panel, click Start.
5. On the "Configure your source" page, enter values for the following fields:
   - Name: Enter a descriptive name for the S3 source.
   - AWS Account ID: Enter the 12-digit AWS Account ID where the S3 buckets are located.
   - Bucket Name: Enter the ID or name of the S3 bucket to onboard.
   - KMS Key ARN (optional): If your data is encrypted using SSE-KMS, provide the ARN of the KMS key.
6. If you would like to attach schemas for this source and/or configure inclusive or exclusive bucket prefixes, click Configure Prefixes & Schemas (Optional). You can also perform these actions after the source is set up.
   1. In the S3 Prefixes & Schemas popup modal, create combinations of S3 prefixes, schemas, and exclusion filters, according to the structure of your data storage in S3.
      - To attach one or more schemas to all data in the bucket, leave the S3 Prefix field blank. This will create a wildcard (*) prefix.
   2. Click Apply Changes.
7. Click Setup.
If you add a KMS key to your S3 bucket after creating the S3 log source in Panther, you must recreate the log source in Panther with the KMS key. Editing the original source to add the KMS key will not work.
Panther needs an AWS IAM role with permissions to read objects from your S3 bucket. You can choose from the following options:

- Using the AWS Console UI
- CloudFormation or Terraform File
- I want to set everything up on my own
Launch a CloudFormation stack using the AWS console:
1. On the Create IAM Role page, locate the tile labeled Using the AWS Console UI. At the bottom of the tile, click Continue.
2. Click Launch Console UI.
   - You will be redirected to the AWS console in a new browser tab, with the template URL pre-filled.
   - The CloudFormation stack will create an AWS IAM role with the minimum required permissions to read objects from your S3 bucket.
   - Click the "Outputs" tab of the CloudFormation stack in AWS, and note the Role ARN.
3. Navigate back to the Panther Console.
4. Enter the Role ARN.
5. Click Setup.
Use Panther's provided CloudFormation or Terraform templates to create an IAM role by choosing Select to the right of this option.
1. On the Create IAM Role page, locate the tile labeled CloudFormation or Terraform File. At the bottom of the tile, click Continue.
2. On the "CloudFormation or Terraform Template File" page, choose which type of template you would like to download:
   - If using CloudFormation:
     1. Click CloudFormation Template.
     2. Click Download Template to download the template to apply it through your own pipeline.
     3. Upload the template file in AWS:
        1. Open your AWS console and navigate to the CloudFormation service.
        2. Click Create stack.
        3. Click Upload a template file and select the CloudFormation template you downloaded.
   - If using Terraform:
     1. Click Terraform Template.
     2. Click Download Template to download the template to apply it through your own pipeline.
3. Enter the Role ARN.
4. Click Setup.
Create the IAM role manually, then fill in the role ARN in Panther. When you set up the IAM role manually, you must also follow the instructions below to configure your S3 buckets to send notifications when new data arrives.
1. On the Create IAM Role page, click the link that says I want to set everything up on my own.
2. Create the required IAM role. You may create the required IAM role manually or through your own automation.
   - The IAM policy, which will be attached to the role, must include the statements defined below:

     ```json
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Action": "s3:GetBucketLocation",
           "Resource": "arn:aws:s3:::<bucket-name>",
           "Effect": "Allow"
         },
         {
           "Action": "s3:GetObject",
           "Resource": "arn:aws:s3:::<bucket-name>/<input-file-path>",
           "Effect": "Allow"
         }
       ]
     }
     ```

   - If your S3 bucket is configured with server-side encryption using AWS KMS, you must include an additional statement granting the Panther API access to the corresponding KMS key. In this case, the policy will look something like this:

     ```json
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Action": "s3:GetBucketLocation",
           "Resource": "arn:aws:s3:::<bucket-name>",
           "Effect": "Allow"
         },
         {
           "Action": "s3:GetObject",
           "Resource": "arn:aws:s3:::<bucket-name>/<input-file-path>",
           "Effect": "Allow"
         },
         {
           "Action": ["kms:Decrypt", "kms:DescribeKey"],
           "Resource": "arn:aws:kms:<region>:<your-account-id>:key/<kms-key-id>",
           "Effect": "Allow"
         }
       ]
     }
     ```

   - In addition to the above, if you want to view the contents of your S3 bucket in the Panther Console (such as to utilize the inferring custom schemas from historical data feature), you will need to add the `s3:ListBucket` action:

     ```json
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
           "Resource": "arn:aws:s3:::<bucket-name>",
           "Effect": "Allow"
         },
         {
           "Action": "s3:GetObject",
           "Resource": "arn:aws:s3:::<bucket-name>/<input-file-path>",
           "Effect": "Allow"
         }
       ]
     }
     ```

3. Add a trust policy to your role with the following `AssumeRolePolicyDocument` statement so that Panther can assume this role:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": ["arn:<aws-partition>:iam::<panther-master-account-id>:root"]
         },
         "Action": "sts:AssumeRole",
         "Condition": {
           "Bool": {"aws:SecureTransport": true}
         }
       }
     ]
   }
   ```

   - Populate `<AWS-PARTITION>` with the partition of the account running the Panther backend (e.g., `aws`). Note that we do not deploy to `aws-cn` or `aws-us-gov`.
   - Populate `<PANTHER-MASTER-ACCOUNT-ID>` with the 12-digit account ID where Panther is deployed. To get your AWS Account ID: Click the gear icon in the upper right side of the Panther Console to access Settings, then the AWS account ID is displayed at the bottom of the page.
4. In the Panther Console, enter the Role ARN.
5. Click Setup.
If you choose the option I want to set everything up on my own to create an IAM role, you must also configure the S3 buckets to send notifications when new data arrives.
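When the role is built manually or by your own automation, it is worth checking the two policy documents before handing the Role ARN to Panther. The following is an added example, not Panther's code: a hypothetical `audit_role` helper that compares a permissions policy and a trust policy against the statements shown above, using constructed sample documents with a placeholder bucket name and account ID.

```python
ALLOWED_ACTIONS = {"s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket",
                   "kms:Decrypt", "kms:DescribeKey"}  # actions the page's policies grant

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_role(permissions, trust, bucket, panther_account_id, partition="aws"):
    """Return findings; an empty list means both documents match the page."""
    findings = []
    bucket_arn = f"arn:{partition}:s3:::{bucket}"
    for stmt in _as_list(permissions["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"unexpected action: {action}")
            for res in _as_list(stmt["Resource"]):
                in_bucket = res == bucket_arn or res.startswith(bucket_arn + "/")
                if action.startswith("s3:") and not in_bucket:
                    findings.append(f"{action} reaches outside the bucket: {res}")
                if action.startswith("kms:") and (":key/" not in res or "*" in res):
                    findings.append(f"{action} is not pinned to one key: {res}")
    expected = f"arn:{partition}:iam::{panther_account_id}:root"
    for stmt in _as_list(trust["Statement"]):
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if _as_list(aws) != [expected]:
            findings.append(f"trust principal is not only {expected}")
        if _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append("trust statement allows more than sts:AssumeRole")
        secure = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(secure).lower() != "true":
            findings.append("aws:SecureTransport condition missing")
    return findings

# Constructed samples (placeholder bucket and account ID), shaped like the page's policies.
GOOD_PERMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-logs"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs/app/*"}]}
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::111111111111:root"]},
     "Action": "sts:AssumeRole", "Condition": {"Bool": {"aws:SecureTransport": True}}}]}
BROAD_PERMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}]}
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(audit_role(GOOD_PERMS, GOOD_TRUST, "example-logs", "111111111111"))
    print(audit_role(BROAD_PERMS, OPEN_TRUST, "example-logs", "111111111111"))
```

The bucket check compares against the exact bucket ARN or the ARN followed by `/`, so a policy written for a similarly named bucket is reported rather than accepted.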
You will be directed to a success screen:

- If any permission errors are detected, they will be displayed and you will be asked to try configuring the IAM role again.
- The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
- If you have not done so already, attach one or more schemas to the source.
  1. Click Attach or Infer Schemas.
  2. Either attach a Panther-managed schema, or follow these instructions to infer a custom schema from historical S3 data.
Once the S3 bucket has been successfully onboarded to Panther and data is flowing, Panther will back up all raw logs for up to 90 days. After that, the logs will be deleted.
The raw logs are used for various reasons, for example, to back up dropped logs that may not have been successfully normalized and classified in Panther's data processing pipeline.
When you set up the IAM role manually, you must also follow the instructions below to configure your S3 buckets to send notifications when new data arrives.
Note: If you have already configured the bucket to send `All object create events` to an SNS topic, proceed to the next section, "Modify an existing SNS topic," and subscribe it to Panther's input data queue.

Only one SNS topic is required per AWS account, so multiple buckets within one AWS account all use the same SNS topic for Panther. If you've already created an SNS topic for a different S3 bucket in the same AWS account, you can skip this step of creating an SNS topic.
First you need to create an SNS Topic and SNS Subscription to notify Panther that new data is ready for processing.
1. Log into the AWS Console of the account that owns the S3 bucket.
2. Select the AWS Region where your S3 bucket is located and navigate to the CloudFormation console.
3. Navigate to the Stacks section. Select Create Stack (with new resources).
4. Under the "Specify template" section, enter the following Amazon S3 URL: https://panther-public-cloudformation-templates.s3-us-west-2.amazonaws.com/panther-log-processing-notifications/latest/template.yml
5. Specify the following stack details:
   - Stack name: A name of your choice, e.g. `panther-log-processing-notifications-<bucket-label>`
   - MasterAccountId: The 12-digit AWS Account ID where Panther is deployed
   - PantherRegion: The region where Panther is deployed
   - SnsTopicName: The name of the SNS topic receiving the notification; by default this is `panther-notifications-topic`
6. Click Next, Next, and then Create Stack to complete the process.

Note: This stack has one output named `SnsTopicArn`.
If you opted to create a new SNS topic in the previous step, skip this step and proceed to the section below, "Configure Event Notifications on the bucket."
Follow the steps below if you wish to use an existing topic for sending bucket notifications. Note that the SNS topic must be in the same region as your S3 bucket.
We recommend enabling KMS encryption for the SNS topic:
1. Log in to the AWS console and navigate to KMS.
2. Select the KMS key you want to use for encryption.
3. Edit the policy to ensure it has the appropriate permissions to be used with the SNS topic and S3 bucket notifications.
   - Example policy:

     ```json
     {
       "Sid": "Allow access for Key User (SNS Service Principal)",
       "Effect": "Allow",
       "Principal": {"Service": "sns.amazonaws.com"},
       "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
       "Resource": "<SNS-TOPIC-ARN>"
     },
     {
       "Sid": "Allow access for Key User (S3 Service Principal)",
       "Effect": "Allow",
       "Principal": {"Service": "s3.amazonaws.com"},
       "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
       "Resource": "arn:aws:s3:::<bucket-name>"
     }
     ```

4. Click the Encryption tab under the SNS topic.
5. Click Enable, and specify the KMS key you want to use for encryption.
Create a subscription between your SNS topic and Panther's log processing SQS queue.
1. Log into the AWS Console for the account where your S3 bucket exists.
2.
3. Note the ARN of this SNS topic.
4. Click Edit and scroll down to the "Access Policy" card.
5. Add the following statement to the topic's `Access Policy`:

   ```json
   {
     "Sid": "CrossAccountSubscription",
     "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::<PANTHER-MASTER-ACCOUNT-ID>:root"},
     "Action": "sns:Subscribe",
     "Resource": "<SNS-TOPIC-ARN>"
   }
   ```

   - Populate `<PANTHER-MASTER-ACCOUNT-ID>` with the 12-digit account ID where Panther is deployed. This AWS account ID can be found in your Panther Console at the bottom of the page after navigating to Settings by clicking the gear icon.
   - Populate `<SNS-TOPIC-ARN>` with the ARN you noted previously in this documentation.
Create the subscription to the Panther Master account's SQS queue.
From the SNS Console, click Create subscription:
1. Fill out the form:
   - Protocol: `Amazon SQS`
   - Endpoint: `arn:aws:sqs:<PantherRegion>:<MasterAccountId>:panther-input-data-notifications-queue`
2. Do not check the box for the `Enable raw message delivery` setting; `raw message delivery` must be disabled.
3. Click Create subscription.
Note: If your subscription is in a "Pending" state and does not get confirmed immediately, you must finish setting up this log source in your Panther Console. Panther confirms the SNS subscription only if a Panther log source exists for the AWS account of the SNS topic.
With the SNS Topic created, the final step is to enable notifications from the S3 buckets.
1.
2. Locate the Event Notifications card.
3. Click + Create event notification and use the following settings:
   - In the "General Configuration" section:
     - Name: `PantherEventNotifications`
     - Suffix: (optional) limits notifications to objects with keys that end in matching characters
     - Prefix: (optional) limits notifications to objects with keys that start with matching characters
   - In the "Event Types" card, check the box next to `All object create events`.
   - In the "Destination" card:
     - Under "Destination," select SNS Topic.
     - For `SNS Topic`, select `panther-notifications-topic` from the drop-down menu.
4. Click Save.
Panther will now start processing new files arriving to your bucket.
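If no data arrives after these steps, the notification path is the first thing to check. The following is an added example, not Panther's code: a hypothetical `audit_notifications` helper that checks the subscription and bucket settings described above. It assumes its inputs are shaped like the `Attributes` map from `aws sns get-subscription-attributes` and the output of `aws s3api get-bucket-notification-configuration`; the sample values are constructed placeholders.

```python
QUEUE = "panther-input-data-notifications-queue"  # queue name from the page

def audit_notifications(bucket_region, notification_cfg, sub_attrs,
                        panther_region, panther_account_id):
    """Return findings for the S3 -> SNS -> Panther SQS wiring; [] means it matches."""
    findings = []
    queue_arn = f"arn:aws:sqs:{panther_region}:{panther_account_id}:{QUEUE}"
    topic_arn = sub_attrs.get("TopicArn", "")
    if sub_attrs.get("Protocol") != "sqs":
        findings.append("subscription protocol is not Amazon SQS")
    if sub_attrs.get("Endpoint") != queue_arn:
        findings.append(f"subscription endpoint is not {queue_arn}")
    if sub_attrs.get("RawMessageDelivery", "false").lower() != "false":
        findings.append("raw message delivery is enabled; it must be disabled")
    if sub_attrs.get("PendingConfirmation", "false").lower() == "true":
        findings.append("subscription pending; finish the Panther log source setup")
    # arn:aws:sns:<region>:<account-id>:<topic-name> -> region is the fourth field
    fields = topic_arn.split(":")
    if len(fields) < 6 or fields[3] != bucket_region:
        findings.append("SNS topic is not in the same region as the bucket")
    targets = [t for t in notification_cfg.get("TopicConfigurations", [])
               if t.get("TopicArn") == topic_arn]
    if not targets:
        findings.append("bucket does not notify the subscribed topic")
    elif not any("s3:ObjectCreated:*" in t.get("Events", []) for t in targets):
        findings.append("topic does not receive all object create events")
    return findings

# Constructed samples; account IDs and regions are placeholders.
TOPIC = "arn:aws:sns:us-east-1:222222222222:panther-notifications-topic"
GOOD_SUB = {"Protocol": "sqs", "TopicArn": TOPIC, "RawMessageDelivery": "false",
            "PendingConfirmation": "false",
            "Endpoint": f"arn:aws:sqs:us-west-2:111111111111:{QUEUE}"}
GOOD_CFG = {"TopicConfigurations": [{"Id": "PantherEventNotifications",
                                     "TopicArn": TOPIC, "Events": ["s3:ObjectCreated:*"]}]}
BAD_SUB = dict(GOOD_SUB, RawMessageDelivery="true", PendingConfirmation="true")
BAD_CFG = {"TopicConfigurations": [{"Id": "PantherEventNotifications",
                                    "TopicArn": TOPIC, "Events": ["s3:ObjectCreated:Put"]}]}

if __name__ == "__main__":
    print(audit_notifications("us-east-1", GOOD_CFG, GOOD_SUB, "us-west-2", "111111111111"))
    print(audit_notifications("eu-west-1", BAD_CFG, BAD_SUB, "us-west-2", "111111111111"))
```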