Cloud Connected
Panther Cloud Connected deployments
Overview
Under the Cloud Connected deployment model, your organization owns the Snowflake account and the AWS account in which your Panther instance is deployed, while Panther manages initial deployments and subsequent upgrades of the platform. Panther performs this work by assuming an IAM role named PantherDeploymentRole that you create using a CloudFormation template provided by Panther.
When a Cloud Connected instance is deployed, Panther monitors itself by automatically ingesting the audit logs produced by your AWS account. This allows you to monitor actions taken by the PantherDeploymentRole, as well as by any other IAM role.
Learn about Panther's other deployment models on Panther Deployment Types.
Aside from the modifications in AWS you are asked to make as part of the Cloud Connected setup process, it is highly discouraged to make any additional changes to the AWS account your Panther infrastructure resides in, including creating additional resources (such as Data Transport sources) and/or updating any permissions. Such changes may interfere with Panther's automation software.
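Because the account should only be changed by the PantherDeploymentRole, the ingested audit logs can be used to flag any other principal making a mutating API call. The following is an added example, not Panther's own code: it mirrors the rule/title shape of a Python detection (an assumption about style, not a documented API) and runs over constructed CloudTrail-format records using the standard CloudTrail field names.

```python
# Role Panther assumes for deployments and upgrades (named on this page).
EXPECTED_ROLE = "PantherDeploymentRole"


def principal_name(event: dict) -> str:
    """Return the IAM role or user behind a CloudTrail record."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        # For assumed roles the role name lives under sessionIssuer.
        return (ident.get("sessionContext", {})
                     .get("sessionIssuer", {})
                     .get("userName", "unknown-role"))
    return ident.get("userName") or ident.get("type", "unknown")


def rule(event: dict) -> bool:
    """Fire on mutating API calls made by anything other than the deployment role."""
    if event.get("readOnly", False):
        return False  # describe/list/get calls change nothing
    return principal_name(event) != EXPECTED_ROLE


def title(event: dict) -> str:
    """Human-readable alert title for a matching record."""
    return (f"Unexpected change in Panther account {event.get('recipientAccountId')}: "
            f"{principal_name(event)} called {event.get('eventSource')}:{event.get('eventName')}")


def unexpected_changes(records) -> list:
    """Return alert titles for every record that matches the rule."""
    return [title(e) for e in records if rule(e)]


# Constructed sample records (not real data), in CloudTrail's JSON shape.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T00:00:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "UpdateStack", "readOnly": False, "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"userName": "PantherDeploymentRole"}}}},
    {"eventTime": "2024-01-01T00:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "readOnly": False, "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"}},
    {"eventTime": "2024-01-01T00:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "readOnly": True, "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"}},
]

if __name__ == "__main__":
    for line in unexpected_changes(SAMPLE_RECORDS):
        print(line)
```

Only the IAM write by the constructed ops-admin user is reported; the deployment role's own stack update and the read-only S3 call are not.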
Configuring your Cloud Connected account
Follow the documentation to work with Panther on configuring your Cloud Connected account. This includes the following steps:
The instructions explained in depth on the pages linked above are represented at a high level in the diagram below:
Cloud Connected requirements
Cloud Connected deployments are subject to several stipulations, including:
A new or empty AWS account.
A new or empty Snowflake account.
Certain Panther features require Snowflake Enterprise or higher. Learn more here.
The manual creation of ACM Certificates and DNS records for certain Panther endpoints.
The deployment of CloudFormation templates.
The addition of exceptions to AWS Organization Service Control Policies (SCP) to allow Panther to deploy and operate as expected.
Cloud Connected deployment monitoring
Monitoring your Panther AWS costs
You can monitor your Panther-related spend in AWS by using the AWS Cost Explorer.
If you have not already, enable Cost Explorer.
View the Cost Explorer chart to explore usage and cost amounts.
Use the Filter and Group by fields to narrow your search to certain services, tag names, and/or usage types.
Learn more about Panther and customer-defined AWS resource tags below.
How Panther monitors your Cloud Connected deployment
In order to provide a SaaS-like experience, Panther monitors Cloud Connected deployments using the following tools:
Datadog for metrics and system logs
Sentry for alerting on errors
Pendo for user and product analytics
Using AWS resource tags
Panther-defined tags on AWS resources
Panther defines tags on your AWS resources, which may be useful in cost analysis. In order for them to be used, you must first activate them.
Panther defines the following tags on your AWS resources:
panther:app
panther:resource
panther:subsystem
panther:version
Custom tags on AWS resources
It's possible to add custom tags to your AWS resources, if you would like. Doing so may aid in your billing analysis.
To add custom tags, reach out to your Panther support team with the list of tag keys and values.
Decommissioning a Cloud Connected Panther deployment
If you need to decommission a Panther deployment, you can simply terminate the AWS and Snowflake accounts. If you'd like to retain your Snowflake data, you can preserve that account while terminating the AWS account.