AWS Config

Connecting AWS Configuration logs to your Panther Console

Overview

Panther supports ingesting Amazon Web Services (AWS) Config configuration snapshot logs via AWS S3. Panther does not support AWS Config History logs.

How to onboard AWS Config logs to Panther

Once AWS Config is configured to generate configuration snapshot logs (for example, by triggering them via the AWS CLI), the snapshots are delivered to an S3 bucket.

AWS Config sends configuration history files to your S3 bucket every six hours, but these files are not supported for ingestion. Instead, you'll need to manually trigger a configuration snapshot (which is supported in Panther) to be sent to your S3 bucket. You can do this using either the deliver-config-snapshot command via the AWS CLI or the DeliverConfigSnapshot action in the AWS Config API. To generate snapshot files on a regular cadence, consider using EventBridge Scheduler, AWS Systems Manager Automation, or an external cron job.

For more details, refer to the AWS Config documentation.

To then pull these logs into Panther, you will need to set up an S3 bucket in the Panther Console.

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “AWS Config,” then click its tile.

    • On the next screen, the Transport Mechanism dropdown in the upper right corner will be populated with the AWS S3 Bucket option.

  4. Click Start Setup.

  5. Follow Panther’s documentation for configuring S3 for data transport.

    • While configuring the S3 bucket source in Panther, configure the following exclusion filters:

      • *_Config_*ConfigHistory*.json.gz. This will ensure that Panther ignores S3 objects containing unsupported Config History logs.

      • */OversizedChangeNotification/*.json.gz. This will ensure that Panther ignores S3 objects containing unsupported change SNS notifications.
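As an added illustration (not Panther's or AWS's own code), the script below shows how the two exclusion filters from the steps above sort S3 object keys into "ingest" and "skip", using the same glob semantics, and wraps the on-demand snapshot trigger. The sample keys are constructed to follow the AWSLogs/<account>/Config/<region>/... layout AWS Config writes; the account id 111122223333 is a placeholder, and `deliver_snapshot` is an assumed helper name around the real `aws configservice deliver-config-snapshot` command.

```shell
#!/bin/sh
# Added example: classify AWS Config S3 keys the way the Panther exclusion
# filters would, and request an on-demand snapshot (the supported log type).

# classify_key KEY -> prints "ingest" or "skip:<reason>"
classify_key() {
  case "$1" in
    # Exclusion filter 1: Config History files (not supported by Panther)
    *_Config_*ConfigHistory*.json.gz)        echo "skip:config-history" ;;
    # Exclusion filter 2: oversized change SNS notifications (not supported)
    */OversizedChangeNotification/*.json.gz) echo "skip:oversized-notification" ;;
    # Configuration snapshots are what Panther ingests
    *ConfigSnapshot*.json.gz)                echo "ingest" ;;
    *)                                       echo "skip:unrecognized" ;;
  esac
}

# Ask AWS Config to write a snapshot to the delivery channel's S3 bucket.
# Real CLI call that needs credentials; not invoked by the demo below.
deliver_snapshot() {
  aws configservice deliver-config-snapshot --delivery-channel-name "${1:-default}"
}

# Constructed sample keys (placeholder account 111122223333).
demo() {
  for key in \
    "AWSLogs/111122223333/Config/us-east-1/2024/5/1/ConfigSnapshot/111122223333_Config_us-east-1_ConfigSnapshot_20240501T120000Z.json.gz" \
    "AWSLogs/111122223333/Config/us-east-1/2024/5/1/ConfigHistory/111122223333_Config_us-east-1_ConfigHistory_AWS::EC2::Instance_20240501T060000Z.json.gz" \
    "AWSLogs/111122223333/Config/us-east-1/2024/5/1/OversizedChangeNotification/AWS::S3::Bucket/example/111122223333_Config_us-east-1_ChangeNotification_20240501T060000Z.json.gz"
  do
    printf '%-28s %s\n' "$(classify_key "$key")" "$key"
  done
}

demo
```

Running the script prints one line per key; only the ConfigSnapshot object is marked "ingest".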

Panther-managed detections

See Panther-managed rules for AWS in the panther-analysis GitHub repository.

Supported AWS Config logs

AWS.Config

Record and evaluate snapshots of your AWS resources' configurations. For more information, see AWS's documentation on how Config works.

The event time (p_event_time) is the time the snapshot was created.
