Cloud Connected
Panther Cloud Connected deployments
Overview
Under the Cloud Connected deployment model, your organization owns the Snowflake account and the AWS account in which your Panther instance is deployed, while Panther manages initial deployments and subsequent upgrades of the platform. Panther performs this work by assuming an IAM role named PantherDeploymentRole that you create using a CloudFormation template provided by Panther.
To deploy a Cloud Connected instance of Panther, first verify your organization meets the Cloud Connected requirements, then follow the instructions in How to configure your Cloud Connected account.
When a Cloud Connected instance is deployed, Panther will self-monitor itself by automatically ingesting audit logs produced by your AWS account. This allows you to monitor actions taken by the PantherDeploymentRole, as well as any other IAM role.
Learn about Panther's other deployment models on Panther Deployment Types.
Aside from the modifications in AWS you are asked to make as part of the Cloud Connected setup process, is highly discouraged to make any additional changes to the AWS account your Panther infrastructure resides in, including creating additional resources (such as Data Transport sources) and/or updating any permissions. Such changes may interfere with Panther's automation software.
Cloud Connected requirements
In order to deploy a Cloud Connected instance of Panther, you must meet the following criteria.
You must have:
A custom domain registered.
If you need help registering a custom domain and would like to use AWS as your domain registrar, follow this Amazon Route 53 documentation.
A Snowflake organization, in which you can create a new or empty Snowflake account
Certain Panther features require Snowflake Enterprise or higher. Learn more here.
An AWS organization, in which you can create a new or empty AWS account (and deploy resources in the same region as the Snowflake account)
You must have the ability to:
Manually create ACM Certificates and DNS records for certain Panther endpoints
Deploy CloudFormation templates
Create exceptions to AWS Organizations Service Control Policies (SCP)
Create and invoke a Lambda function
Read and write in Secrets Manager
How to configure your Cloud Connected account
To deploy a Cloud Connected instance of Panther, follow the instructions on the below pages:
These steps are summarized on a high-level in the diagram below:
Cloud Connected deployment monitoring
Monitoring your Panther AWS costs
You can monitor your Panther-related spend in AWS by using the AWS Cost Explorer.
If you have not already, enable Cost Explorer.
View the Cost Explorer chart to explore usage and cost amounts.
Use the Filter and Group by fields to narrow your search to certain services, tag names, and/or usage types.
Learn more about Panther and customer-defined AWS resource tags below.
How Panther monitors your Cloud Connected deployment
In order to provide a SaaS-like experience, Panther monitors Cloud Connected deployments using the following tools:
Datadog for metrics and system logs
Sentry for alerting on errors
Pendo for user and product analytics
Using AWS resource tags
Panther-defined tags on AWS resources
Panther defines tags on your AWS resources, which may be useful in cost analysis. In order for them to be used, you must first activate them.
Panther defines the following tags on your AWS resources:
panther:apppanther:resourcepanther:subsystempanther:version
Custom tags on AWS resources
It's possible to add custom tags to your AWS resources, if you would like. Doing so may aid in your billing analysis.
To add custom tags, reach out to your Panther support team with the list of tag keys and values.
Decommissioning a Cloud Connected Panther deployment
If you need to decommission a Panther deployment, you can simply terminate the AWS and Snowflake accounts. If you'd like to retain you Snowflake data, you can preserve that account while terminating the AWS account.
Last updated
