Configuring AWS for Cloud Connected

Overview

A Cloud Connected deployment of Panther means that your organization owns the Snowflake account and the AWS account in which Panther is deployed, and Panther performs deployment upgrades of the platform.

After your Panther deployment is complete, you can monitor your Panther-related AWS costs.

The instructions on this page are for setting up a new Cloud Connected deployment. If you would like to convert an existing Panther-hosted (SaaS) instance to a Cloud Connected deployment, do not follow these steps; instead, reach out to your Panther Support team to initiate the conversion.

How to prepare for your initial Cloud Connected deployment

Prerequisites

Create a Snowflake account (within your Snowflake organization) to be used with your Panther deployment: see the instructions on Configuring Snowflake for Cloud Connected.
- If you already have a Snowflake instance, take note of the configuration recommendations on Snowflake Configuration for Optimal Search Performance.

Step 1: Create a new AWS account

Create a new AWS account, if needed. (It is also possible to use an existing empty one.)

Your Panther instance cannot be deployed in an AWS account with existing resources.

Step 2: Exchange information with Panther Support

Reach out to the Panther Support team, and:

Provide the following values:
- Your AWS account ID
- Your Snowflake region
Request values for the following three parameters for the PantherDeploymentRole template:
- DeploymentRoleName
- IdentityAccountId
- OpsAccountId

If you are deploying more than one instance of Panther, the PantherDeploymentRole parameter values do not change.

Panther will use your AWS account ID and Snowflake region to make a request to AWS to enable Amazon S3 Select for your account. In the meantime, you may proceed in this deployment process, but you will not be able to pass Step 5 (i.e., have a successful run of the readiness checker tool) until the request has been fulfilled.

Step 3: Deploy the `PantherDeploymentRole`

In the same region your Snowflake account is in, deploy the panther-deployment-role CloudFormation template found at this link. Panther will assume this IAM role to perform upgrades.
- Use the values for the three template parameters (DeploymentRoleName, IdentityAccountId, and OpsAccountId) provided by Panther in Step 2.
- It's recommended to name the stack PantherDeploymentRoleStack.
- See the CloudFormation documentation for instructions on how to create a CloudFormation stack from a template either using the CloudFormation console or using the AWS CLI.

Reminder: The stack must be created in the same region your Snowflake account is in.

Step 4: Deploy the pre-deployment tools

Follow the instructions in Deploying the tool set.

Step 5: Run the readiness checker tool

Follow the instructions in Using the readiness checker tool.
- Before proceeding, ensure you have a successful run.

Step 6: Connect Snowflake credentials to the AWS account

Follow the instructions in Using the Snowflake credential bootstrap tool.
- You will need your Snowflake account URL (which you found in a previous step of this process), as well as the password for the pantheraccountadmin user you created.

Save the outputted Snowflake secret ARN, as you will need to provide it to Panther in Step 8.

Step 7: Create ACM certificates

In the same region your Snowflake account is in, follow the AWS Certificate Manager (ACM) Requesting a public certificate documentation to request a single certificate for two subdomains of the domain you have already registered:
- <your_desired_Panther_subdomain>.<domain_name>.com
- *.<your_desired_Panther_subdomain>.<domain_name>.com
(If your deployment region is not us-east-1) In us-east-1, follow the same Requesting a public certificate documentation to request a certificate for:
- *.<your_desired_Panther_subdomain>.<domain_name>.com
Make note of your outputted certificate ARNs, as you will need to provide them to Panther in the next step.

Step 8: Provide values to Panther

Provide the following information about your infrastructure to your Panther support team:

Desired Panther account name
- This will be visible in your Panther Console as Company Name.
Snowflake secret ARN
- You generated this in Step 6, above.
Panther subdomain
- You used this in Step 7, above.
ARNs of all ACM certificates you requested in Step 7, above.
AWS account ID
Snowflake region
Snowflake edition
For your initial Panther user:
- First name
- Last name
- Email address

Please stop here, and wait for Panther to notify you that you can continue.

Step 9: Create your CNAME records

In your AWS console, navigate to the EC2 service.
Locate the AWS-provided DNS name for your web load balancer:
1. Navigate to Route53 (or a different DNS service of your choice).
2. Create a new CNAME record that points your primary subdomain (<your_desired_Panther_subdomain>.<company_name>.com) to this DNS name for your web load balancer.
In EC2, locate the AWS-provided DNS name for the http-ingest-alb load balancer:
1. Navigate to Route53 (or a different DNS service of your choice).
2. Create a new CNAME record that points your logs subdomain (logs.<your_desired_Panther_subdomain>.<company_name>.com) to this DNS name for your http-ingest-alb load balancer.
In your AWS console, navigate to the API Gateway service.
Click APIs > Custom domain names.
Click the name of the API subdomain (api.<your_desired_Panther_subdomain>.<company_name>.com).
1. Navigate to Route53 (or a different DNS service of your choice).
2. Create a new CNAME record that points your API subdomain (api.<your_desired_Panther_subdomain>.<company_name>.com) to this API Gateway domain name value.
(Optional) Validate the three CNAME records you just created:
- To validate that the primary endpoint is working:
  1. In a web browser, navigate to your primary subdomain.
  2. Log in to your Panther Console.
- To validate that the HTTP ingest endpoint is working:
  - Set up an HTTP Source in Panther by following these instructions.
- To validate that the API endpoint is working, make a call using the Panther Analysis Tool (PAT):
  1. Create an API token.
  2. Identify your GraphQL API endpoint.
  3. Execute the following check-connection command: pipenv run panther_analysis_tool check-connection --api-host $YOUR_GRAPHQL_ENDPOINT --api-token $YOUR_TOKEN

Step 10: Request API Gateway and CodeBuild quota increases

Follow this AWS documentation to request the following quota increases:
- API Gateway throttle quota: Set at 20,000
- CodeBuild:
  - Concurrently running builds for ARM/Large environment (or ARM BUILD_GENERAL1_LARGE): Set at 2 or more
  - Concurrently running builds for Linux/Large environment (or Linux BUILD_GENERAL1_LARGE): Set at 2 or more

Panther automatically submits a request for your Lambda concurrent executions quota to be increased to 2,000.

After your initial Cloud Connected deployment

Step 1 (recommended): Activate Panther-defined tags on AWS resources

Panther defines these tags on the AWS resources created for your Panther deployment. Follow this AWS documentation to activate these tags.

Step 2 (optional): Provide Panther your custom tags for AWS resources

In addition to the Panther-defined tags, you may wish to add your own custom tags on the AWS resources created for your Panther deployment. To do so, reach out to your Panther support team with the list of tag keys and values.

PreviousConfiguring Snowflake for Cloud Connected NextPre-Deployment Tools

Last updated 1 month ago

Was this helpful?

Configuring AWS for Cloud Connected

Overview

After your Panther deployment is complete, you can monitor your Panther-related AWS costs.

How to prepare for your initial Cloud Connected deployment

Prerequisites

Create a Snowflake account (within your Snowflake organization) to be used with your Panther deployment: see the instructions on Configuring Snowflake for Cloud Connected.
- If you already have a Snowflake instance, take note of the configuration recommendations on Snowflake Configuration for Optimal Search Performance.

Step 1: Create a new AWS account

Create a new AWS account, if needed. (It is also possible to use an existing empty one.)

Your Panther instance cannot be deployed in an AWS account with existing resources.

Step 2: Exchange information with Panther Support

Reach out to the Panther Support team, and:

Provide the following values:
- Your AWS account ID
- Your Snowflake region
Request values for the following three parameters for the PantherDeploymentRole template:
- DeploymentRoleName
- IdentityAccountId
- OpsAccountId

If you are deploying more than one instance of Panther, the PantherDeploymentRole parameter values do not change.

Step 3: Deploy the `PantherDeploymentRole`

In the same region your Snowflake account is in, deploy the panther-deployment-role CloudFormation template found at this link. Panther will assume this IAM role to perform upgrades.
- Use the values for the three template parameters (DeploymentRoleName, IdentityAccountId, and OpsAccountId) provided by Panther in Step 2.
- It's recommended to name the stack PantherDeploymentRoleStack.
- See the CloudFormation documentation for instructions on how to create a CloudFormation stack from a template either using the CloudFormation console or using the AWS CLI.

Reminder: The stack must be created in the same region your Snowflake account is in.

Step 4: Deploy the pre-deployment tools

Follow the instructions in Deploying the tool set.

Step 5: Run the readiness checker tool

Follow the instructions in Using the readiness checker tool.
- Before proceeding, ensure you have a successful run.

Step 6: Connect Snowflake credentials to the AWS account

Follow the instructions in Using the Snowflake credential bootstrap tool.
- You will need your Snowflake account URL (which you found in a previous step of this process), as well as the password for the pantheraccountadmin user you created.

Save the outputted Snowflake secret ARN, as you will need to provide it to Panther in Step 8.

Step 7: Create ACM certificates

In the same region your Snowflake account is in, follow the AWS Certificate Manager (ACM) Requesting a public certificate documentation to request a single certificate for two subdomains of the domain you have already registered:
- <your_desired_Panther_subdomain>.<domain_name>.com
- *.<your_desired_Panther_subdomain>.<domain_name>.com
(If your deployment region is not us-east-1) In us-east-1, follow the same Requesting a public certificate documentation to request a certificate for:
- *.<your_desired_Panther_subdomain>.<domain_name>.com
Make note of your outputted certificate ARNs, as you will need to provide them to Panther in the next step.

Step 8: Provide values to Panther

Provide the following information about your infrastructure to your Panther support team:

Desired Panther account name
- This will be visible in your Panther Console as Company Name.
Snowflake secret ARN
- You generated this in Step 6, above.
Panther subdomain
- You used this in Step 7, above.
ARNs of all ACM certificates you requested in Step 7, above.
AWS account ID
Snowflake region
Snowflake edition
For your initial Panther user:
- First name
- Last name
- Email address

Please stop here, and wait for Panther to notify you that you can continue.

Step 9: Create your CNAME records

In your AWS console, navigate to the EC2 service.
Locate the AWS-provided DNS name for your web load balancer:
1. Navigate to Route53 (or a different DNS service of your choice).
2. Create a new CNAME record that points your primary subdomain (<your_desired_Panther_subdomain>.<company_name>.com) to this DNS name for your web load balancer.
In EC2, locate the AWS-provided DNS name for the http-ingest-alb load balancer:
1. Navigate to Route53 (or a different DNS service of your choice).
2. Create a new CNAME record that points your logs subdomain (logs.<your_desired_Panther_subdomain>.<company_name>.com) to this DNS name for your http-ingest-alb load balancer.
In your AWS console, navigate to the API Gateway service.
Click APIs > Custom domain names.
Click the name of the API subdomain (api.<your_desired_Panther_subdomain>.<company_name>.com).
In the Endpoint Configuration section, copy the API Gateway domain name value.
1. Navigate to Route53 (or a different DNS service of your choice).
2. Create a new CNAME record that points your API subdomain (api.<your_desired_Panther_subdomain>.<company_name>.com) to this API Gateway domain name value.
(Optional) Validate the three CNAME records you just created:
- To validate that the primary endpoint is working:
  1. In a web browser, navigate to your primary subdomain.
  2. Log in to your Panther Console.
- To validate that the HTTP ingest endpoint is working:
  - Set up an HTTP Source in Panther by following these instructions.
- To validate that the API endpoint is working, make a call using the Panther Analysis Tool (PAT):
  1. Create an API token.
  2. Identify your GraphQL API endpoint.
  3. Execute the following check-connection command: pipenv run panther_analysis_tool check-connection --api-host $YOUR_GRAPHQL_ENDPOINT --api-token $YOUR_TOKEN

Step 10: Request API Gateway and CodeBuild quota increases

Follow this AWS documentation to request the following quota increases:
- API Gateway throttle quota: Set at 20,000
- CodeBuild:
  - Concurrently running builds for ARM/Large environment (or ARM BUILD_GENERAL1_LARGE): Set at 2 or more
  - Concurrently running builds for Linux/Large environment (or Linux BUILD_GENERAL1_LARGE): Set at 2 or more

Panther automatically submits a request for your Lambda concurrent executions quota to be increased to 2,000.

After your initial Cloud Connected deployment

Step 1 (recommended): Activate Panther-defined tags on AWS resources

Panther defines these tags on the AWS resources created for your Panther deployment. Follow this AWS documentation to activate these tags.

Step 2 (optional): Provide Panther your custom tags for AWS resources

In addition to the Panther-defined tags, you may wish to add your own custom tags on the AWS resources created for your Panther deployment. To do so, reach out to your Panther support team with the list of tag keys and values.

PreviousConfiguring Snowflake for Cloud Connected NextPre-Deployment Tools

Last updated 1 month ago

Was this helpful?

How to prepare for your initial Cloud Connected deployment

Prerequisites

Step 1: Create a new AWS account

Step 2: Exchange information with Panther Support

Step 3: Deploy the PantherDeploymentRole

Step 4: Deploy the pre-deployment tools

Step 5: Run the readiness checker tool

Step 6: Connect Snowflake credentials to the AWS account

Step 7: Create ACM certificates

Step 8: Provide values to Panther

Step 9: Create your CNAME records

Step 10: Request API Gateway and CodeBuild quota increases

After your initial Cloud Connected deployment

Step 1 (recommended): Activate Panther-defined tags on AWS resources

Step 2 (optional): Provide Panther your custom tags for AWS resources

How to prepare for your initial Cloud Connected deployment

Prerequisites

Step 1: Create a new AWS account

Step 2: Exchange information with Panther Support

Step 3: Deploy the PantherDeploymentRole

Step 4: Deploy the pre-deployment tools

Step 5: Run the readiness checker tool

Step 6: Connect Snowflake credentials to the AWS account

Step 7: Create ACM certificates

Step 8: Provide values to Panther

Step 9: Create your CNAME records

Step 10: Request API Gateway and CodeBuild quota increases

After your initial Cloud Connected deployment

Step 1 (recommended): Activate Panther-defined tags on AWS resources

Step 2 (optional): Provide Panther your custom tags for AWS resources

Step 3: Deploy the `PantherDeploymentRole`

Step 3: Deploy the `PantherDeploymentRole`