Cloud Connected
Panther Cloud Connected deployments
Under the Cloud Connected deployment model, your organization owns the Snowflake account and AWS account in which your Panther instance is deployed, while Panther manages initial deployments and subsequent upgrades of the platform. Panther performs this work by assuming an IAM role named PantherDeploymentRole that you create using a CloudFormation template provided by Panther.
To deploy a Cloud Connected instance of Panther, first verify your organization meets the , then follow the instructions in . Cloud Connected instances can be deployed in .
When a Cloud Connected instance is deployed, Panther monitors itself by automatically ingesting audit logs produced by your AWS account. This allows you to monitor actions taken by the PantherDeploymentRole, as well as any other IAM role.
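The review this enables, as an added example that is not Panther's own code or one of its detections: it assumes the ingested audit logs are CloudTrail records and summarizes who assumed PantherDeploymentRole, what the role did, and which of its calls failed. The account IDs, session name and sample records are constructed placeholders.

```python
from collections import Counter

ROLE_NAME = "PantherDeploymentRole"  # role name as stated on this page

def _session(role):
    # Constructed assumed-role userIdentity; the account ID is a placeholder.
    return {"type": "AssumedRole",
            "arn": f"arn:aws:sts::222222222222:assumed-role/{role}/constructed-session",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": role}}}

# Constructed CloudTrail-style records, not real log data.
SAMPLE_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSAccount", "accountId": "111111111111"},
     "requestParameters": {"roleArn": f"arn:aws:iam::222222222222:role/{ROLE_NAME}"}},
    {"eventSource": "cloudformation.amazonaws.com", "eventName": "UpdateStack",
     "userIdentity": _session(ROLE_NAME)},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "errorCode": "AccessDenied",
     "userIdentity": _session(ROLE_NAME)},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": _session("OtherRole")},
]

def role_of(event):
    """Return the role name behind an assumed-role session, else None."""
    ident = event.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("userName") if ident.get("type") == "AssumedRole" else None

def assumes_role(event, role_name=ROLE_NAME):
    """True for an sts:AssumeRole call whose target is role_name."""
    arn = (event.get("requestParameters") or {}).get("roleArn", "")
    return (event.get("eventSource") == "sts.amazonaws.com"
            and event.get("eventName") == "AssumeRole"
            and ":role/" in arn and arn.rsplit("/", 1)[-1] == role_name)

def summarize(events, role_name=ROLE_NAME):
    """Count who assumed the role, what the role did, and which calls failed."""
    assumed_by, actions, errors = Counter(), Counter(), Counter()
    for e in events:
        key = (e.get("eventSource"), e.get("eventName"))
        if assumes_role(e, role_name):
            assumed_by[(e.get("userIdentity") or {}).get("accountId", "unknown")] += 1
        elif role_of(e) == role_name:
            actions[key] += 1
            if e.get("errorCode"):
                errors[key + (e["errorCode"],)] += 1
    return assumed_by, actions, errors
```

An account ID in the first counter that you do not recognize, or a growing error count for the role, is the kind of result worth following up with your Panther support team.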
Learn about Panther's other deployment models on .
Aside from the modifications in AWS you are asked to make as part of the Cloud Connected , it is highly discouraged to make any additional changes to the AWS account your Panther infrastructure resides in, including creating additional resources (such as sources) and/or updating any permissions. Such changes may interfere with Panther's automation software.
In order to deploy a Cloud Connected instance of Panther, you must meet the following criteria.
You must have:
A custom domain registered.
If you need help registering a custom domain and would like to use AWS as your domain registrar, follow .
A , in which you can create a new or empty Snowflake account
Certain Panther features require or higher. .
An , in which you can create a new or empty AWS account (and deploy resources in the same region as the Snowflake account)
You must have the ability to:
To deploy a Cloud Connected instance of Panther, follow the instructions on the below pages:
These steps are summarized at a high level in the diagram below:
Use the Filter and Group by fields to narrow your search to certain services, tag names, and/or usage types.
In order to provide a SaaS-like experience, Panther monitors Cloud Connected deployments using the following tools:
Panther defines the following tags on your AWS resources:
panther:app
panther:resource
panther:subsystem
panther:version
It's possible to add custom tags to your AWS resources, if you would like. Doing so may aid in your billing analysis.
To add custom tags, reach out to your Panther support team with the list of tag keys and values.
If you need to decommission a Panther deployment, you can simply terminate the AWS and Snowflake accounts. If you'd like to retain your Snowflake data, you can preserve that account while terminating the AWS account.
Manually create and DNS records for certain Panther endpoints
Deploy templates
Create exceptions to
Create and invoke a function
Read and write in
You can monitor your Panther-related spend in AWS by using the .
If you have not already, .
View the to explore usage and cost amounts.
Learn more about Panther and customer-defined .
for metrics and system logs
for alerting on errors
for user and product analytics
Panther defines tags on your AWS resources, which may be useful in cost analysis. In order for them to be used, you must first .