# Cloud Connected

## Overview <a href="#overview" id="overview"></a>

Under the Cloud Connected deployment model, your organization owns the AWS and Snowflake or Databricks accounts in which your Panther instance is deployed, while Panther manages initial deployments and subsequent upgrades. To deploy a Cloud Connected instance of Panther, follow the instructions in [Setting Up a Cloud Connected Panther Instance](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected/set-up).

In the Cloud Connected model, Panther performs deployment and maintenance work by assuming an IAM role named `PantherDeploymentRole`. When a Cloud Connected instance is deployed, Panther will self-monitor by automatically ingesting audit logs produced by your AWS account. This allows you to monitor actions taken by the `PantherDeploymentRole`, as well as any other IAM role.
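The self-monitoring described above can be turned into a detection: the following Panther-style Python rule (an added example, not code from the Panther docs or the Panther project) flags IAM permission changes recorded in CloudTrail under an assumed `PantherDeploymentRole` session, so that every such action gets a reviewable alert. It assumes the standard CloudTrail record layout, Panther's `rule()`/`title()` rule convention, and constructed account IDs and sample events.

```python
"""Added example, not code from the Panther docs: a Panther-style rule that
surfaces IAM permission changes made under the PantherDeploymentRole in the
CloudTrail audit logs a Cloud Connected instance self-ingests (assumptions:
CloudTrail record layout, Panther rule()/title() convention, constructed data)."""
from typing import Optional

DEPLOYMENT_ROLE = "PantherDeploymentRole"  # role named on the page
# IAM API calls that change permissions; a review signal, not a block.
PERMISSION_EVENTS = {
    "AttachRolePolicy", "PutRolePolicy", "CreatePolicyVersion",
    "AttachUserPolicy", "PutUserPolicy", "UpdateAssumeRolePolicy",
}

def assumed_role_name(event: dict) -> Optional[str]:
    """Return the IAM role behind an assumed-role session, else None."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName")

def rule(event: dict) -> bool:
    """Panther rule entry point: True means the event should alert."""
    return (event.get("eventSource") == "iam.amazonaws.com"
            and event.get("eventName") in PERMISSION_EVENTS
            and assumed_role_name(event) == DEPLOYMENT_ROLE)

def title(event: dict) -> str:
    """Alert title Panther shows for a matching event."""
    return (f"{DEPLOYMENT_ROLE} called iam:{event.get('eventName')} "
            f"in account {event.get('recipientAccountId')}")

def _sample(role: str, action: str) -> dict:
    """Constructed CloudTrail record; account 111122223333 is a placeholder."""
    return {
        "eventSource": "iam.amazonaws.com", "eventName": action,
        "recipientAccountId": "111122223333",
        "userIdentity": {"type": "AssumedRole",
                         "sessionContext": {"sessionIssuer": {"userName": role}}},
    }

SAMPLE_EVENTS = [
    _sample(DEPLOYMENT_ROLE, "AttachRolePolicy"),  # alerts
    _sample("OtherAdminRole", "AttachRolePolicy"),  # different role: no alert
    _sample(DEPLOYMENT_ROLE, "ListRoles"),          # read-only call: no alert
]

if __name__ == "__main__":
    for evt in SAMPLE_EVENTS:
        print(rule(evt), title(evt))
```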

After your Panther deployment is complete, you can [monitor your Panther-related AWS costs](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected#monitoring-your-panther-aws-costs).

Learn about Panther's other deployment models on [Panther Deployment Types](https://docs.panther.com/system-configuration/panther-deployment-types).

Aside from the modifications in AWS you are asked to make as part of the [Cloud Connected setup process](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected/set-up), you are strongly discouraged from making any additional changes to the AWS account your Panther infrastructure resides in, including creating additional resources (such as [Data Transport](https://docs.panther.com/data-onboarding/data-transports) sources) and/or updating any permissions. Such changes may interfere with Panther's automation software.

## How to set up a Cloud Connected instance of Panther <a href="#how-to-set-up-a-cloud-connected-instance-of-panther" id="how-to-set-up-a-cloud-connected-instance-of-panther"></a>

* Follow the instructions in [Setting Up a Cloud Connected Panther Instance](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected/set-up).

## Cloud Connected deployment monitoring <a href="#cloud-connected-deployment-monitoring" id="cloud-connected-deployment-monitoring"></a>

### Monitoring your Panther AWS costs <a href="#monitoring-your-panther-aws-costs" id="monitoring-your-panther-aws-costs"></a>

You can monitor your Panther-related spend in AWS by using the [AWS Cost Explorer](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-what-is.html).

1. If you have not already, [enable Cost Explorer](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-enable.html).
2. View the [Cost Explorer chart](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-chart.html) to explore usage and cost amounts.
   * Use the **Filter** and **Group by** fields to narrow your search to certain services, tag names, and/or usage types.
   * Learn more about Panther and customer-defined [AWS resource tags below](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected#using-aws-resource-tags).

### How Panther monitors your Cloud Connected deployment <a href="#how-panther-monitors-your-cloud-connected-deployment" id="how-panther-monitors-your-cloud-connected-deployment"></a>

In order to provide a SaaS-like experience, Panther monitors Cloud Connected deployments using the following tools:

* [Datadog](https://www.datadoghq.com/) for metrics and system logs
* [Sentry](https://sentry.io/) for alerting on errors

#### (If using Snowflake) What Panther monitors in Snowflake in a Cloud Connected deployment

Panther monitors data loading errors into Snowflake, as well as any Snowflake objects Panther created and owns. This includes:

* The Panther service account users and roles
  * If during [setup](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected/set-up) you opt to provide Panther an already-created Snowflake account and admin user (instead of letting Panther create these for you, as is recommended), the account user will be monitored despite not being created explicitly by Panther.
* [Warehouses](https://docs.snowflake.com/en/user-guide/warehouses)
* [Storage integration](https://docs.snowflake.com/en/sql-reference/sql/create-storage-integration)
* [Snowpipes](https://docs.snowflake.com/en/user-guide/data-load-snowpipe-intro)

Panther does not monitor the data inside any Panther-created Snowflake tables.

## Using AWS resource tags <a href="#using-aws-resource-tags" id="using-aws-resource-tags"></a>

### Panther-defined tags on AWS resources <a href="#panther-defined-tags-on-aws-resources" id="panther-defined-tags-on-aws-resources"></a>

Panther defines tags on your AWS resources, which may be useful in cost analysis. In order for them to be used, you must first [activate them](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/activating-tags.html).

Panther defines the following tags on your AWS resources:

* `panther:app`
* `panther:resource`
* `panther:subsystem`
* `panther:version`
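The Cost Explorer steps and the Panther-defined tags above, as an added Python example that is not part of the Panther docs: it builds a `GetCostAndUsage` request grouped by the `panther:subsystem` tag and totals the response per subsystem, including the empty-value group Cost Explorer returns for spend that does not carry the tag. It assumes the tag has been activated as a cost allocation tag, boto3 and AWS credentials for the live call only, and constructed subsystem values and amounts.

```python
"""Added example, not code from the Panther docs: total AWS spend per
Panther-defined panther:subsystem tag via Cost Explorer GetCostAndUsage
(assumes the tag is activated as a cost allocation tag; sample data is made up)."""
from typing import Dict

SUBSYSTEM_TAG = "panther:subsystem"  # one of the tag keys listed on the page

def cost_query(start: str, end: str) -> dict:
    """GetCostAndUsage request grouped by the Panther subsystem tag.
    Resources without the tag come back as a group with an empty value."""
    return {
        "TimePeriod": {"Start": start, "End": end},  # YYYY-MM-DD, end exclusive
        "Granularity": "MONTHLY",
        "Metrics": ["UnblendedCost"],
        "GroupBy": [{"Type": "TAG", "Key": SUBSYSTEM_TAG}],
    }

def spend_by_subsystem(response: dict) -> Dict[str, float]:
    """Sum UnblendedCost per subsystem over every time period in the response.
    Cost Explorer formats TAG group keys as 'tagkey$tagvalue'."""
    totals: Dict[str, float] = {}
    for period in response.get("ResultsByTime", []):
        for group in period.get("Groups", []):
            _, _, value = group["Keys"][0].partition("$")
            label = value or "(untagged)"  # account spend outside Panther's tags
            amount = float(group["Metrics"]["UnblendedCost"]["Amount"])
            totals[label] = totals.get(label, 0.0) + amount
    return totals

def fetch_spend(start: str, end: str) -> Dict[str, float]:
    """Live query; boto3 and AWS credentials are only needed here."""
    import boto3
    ce = boto3.client("ce", region_name="us-east-1")  # Cost Explorer endpoint
    return spend_by_subsystem(ce.get_cost_and_usage(**cost_query(start, end)))

# Constructed response in the shape Cost Explorer returns (values made up).
SAMPLE_RESPONSE = {"ResultsByTime": [
    {"TimePeriod": {"Start": "2024-01-01", "End": "2024-02-01"}, "Groups": [
        {"Keys": [SUBSYSTEM_TAG + "$log-processing"],
         "Metrics": {"UnblendedCost": {"Amount": "120.50", "Unit": "USD"}}},
        {"Keys": [SUBSYSTEM_TAG + "$"],
         "Metrics": {"UnblendedCost": {"Amount": "3.25", "Unit": "USD"}}}]},
    {"TimePeriod": {"Start": "2024-02-01", "End": "2024-03-01"}, "Groups": [
        {"Keys": [SUBSYSTEM_TAG + "$log-processing"],
         "Metrics": {"UnblendedCost": {"Amount": "100.00", "Unit": "USD"}}}]},
]}

if __name__ == "__main__":
    print(spend_by_subsystem(SAMPLE_RESPONSE))
```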

### Custom tags on AWS resources <a href="#custom-tags-on-aws-resources" id="custom-tags-on-aws-resources"></a>

It's possible to add custom tags to your AWS resources, if you would like. Doing so may aid in your billing analysis.

To add custom tags, reach out to your Panther support team with the list of tag keys and values.

## Snowflake user operations <a href="#optional-creating-read-only-roles-for-panther-data-tables" id="optional-creating-read-only-roles-for-panther-data-tables"></a>

This section does not apply if you are using Databricks as your data store.

### (Optional) Creating read-only users for Panther data tables <a href="#optional-creating-read-only-roles-for-panther-data-tables" id="optional-creating-read-only-roles-for-panther-data-tables"></a>

Panther maintains the `pantheraccountadmin` user credentials in a secure location.

If needed, you can create and maintain several users with read-only access to the Panther data lake tables. To do so, run the following commands (using the `pantheraccountadmin` user or another `SECURITYADMIN`-enabled user on your Snowflake account):

```sql
USE ROLE SECURITYADMIN;

-- If needed, create a new user
CREATE USER IF NOT EXISTS my_readonly_user
    PASSWORD = '<INITIAL PASSWORD>'
    MUST_CHANGE_PASSWORD = TRUE;

-- Grant the PANTHER_READONLY_ROLE to the newly created user
GRANT ROLE PANTHER_READONLY_ROLE TO USER my_readonly_user;
```

It's recommended to [authenticate users created this way using an identity provider (IdP)](https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-configure-idp).

### **(Not recommended) Disabling and re-enabling the `pantheraccountadmin` user** <a href="#not-recommended-disabling-and-re-enabling-the-pantheraccountadmin-user" id="not-recommended-disabling-and-re-enabling-the-pantheraccountadmin-user"></a>

Disabling the `pantheraccountadmin` user may prevent Panther from being able to:

* Perform credential rotation
* Enable certain functionality, such as [Role-Based Access Control (RBAC)](https://docs.panther.com/system-configuration/rbac)
* Deploy new data lake features requiring `ACCOUNTADMIN`-level permissions

If you choose to disable the `pantheraccountadmin` user despite the implications above, you may do so using the following commands:

```sql
USE ROLE SECURITYADMIN;

ALTER USER pantheraccountadmin SET DISABLED = TRUE;
```

If a Panther upgrade requires privileged access, the user can then be temporarily re-enabled:

```sql
USE ROLE SECURITYADMIN;

ALTER USER pantheraccountadmin SET DISABLED = FALSE;
```

## Decommissioning a Cloud Connected Panther deployment <a href="#decommissioning-a-cloud-connected-panther-deployment" id="decommissioning-a-cloud-connected-panther-deployment"></a>

If you need to decommission a Panther deployment, you can simply terminate the AWS and Snowflake accounts. If you'd like to retain your Snowflake or Databricks data, you can preserve that account while terminating the AWS account.
