Configuring AWS for Cloud Connected

Overview

A Cloud Connected deployment of Panther means that your organization owns the Snowflake account and the AWS account in which Panther is deployed, and Panther performs deployment upgrades of the platform.

After your Panther deployment is complete, you can monitor your Panther-related AWS costs.

The instructions on this page are for setting up a new Cloud Connected deployment. If you would like to convert an existing Panther-hosted (SaaS) instance to a Cloud Connected deployment, do not follow these steps; instead, reach out to your Panther Support team to initiate the conversion.

How to prepare for your initial Cloud Connected deployment

Prerequisites

Create a Snowflake instance to be used with your Panther deployment: see the instructions on Configuring Snowflake for Cloud Connected.
If you already have a Snowflake instance, take note of the configuration recommendations on Snowflake Configuration for Optimal Search Performance.

Step 1: Configure your AWS account for the Panther deployment

To set up a Cloud Connected deployment of Panther, follow the below steps:

Create a new AWS account, if needed. (It is also possible to use an existing empty one.)
- Your Panther instance cannot be deployed in an AWS account with existing resources.
Create a custom Panther domain by following the Configuring a Custom Domain instructions, skipping the Configure Panther section.
You will select an AWS region for your Panther deployment during this step. Choose the same AWS region your Snowflake account is in. This region cannot later be changed.
- Save the outputted CertificateArn and CustomDomain, as you will need them in the next step.
Provide the following information to your Panther support team:
- The CertificateArn and CustomDomain you generated in the previous step
- The AWS region in which you created your custom domain in the previous step
- Your AWS account ID
- The Email, Firstname, and Lastname for the initial Panther user
- Your Snowflake version
Deploy the "Deployment Role" CloudFormation template, using the values for the three template parameters (DeploymentRoleName, IdentityAccountId, and OpsAccountId) provided by Panther.
- The stack must be created in the region you intend to deploy Panther.
- This template is stored in S3. The following URL can be used directly when creating the stack:
  https://panther-public-cloudformation-templates.s3.us-west-2.amazonaws.com/panther-deployment-role/latest/template.yml
- If you have not already been provided values for the template parameters, please contact your Panther support team before continuing. We recommend naming the stack PantherDeploymentRoleStack for consistency with its contents.
- This template provisions an IAM role,PantherDeploymentRole, that Panther will assume to perform upgrades.
- See the CloudFormation documentation for instructions on how to create a CloudFormation stack from a template either using the CloudFormation console or using the AWS CLI.

Step 2: Deploy the pre-deployment tools

Follow Panther's instructions to deploy the Pre-Deployment tools.
- You will use these tools in Steps 3 and 4, below.

Step 3: Connect Snowflake credentials to the AWS account

Follow the Using the Snowflake Credential Bootstrap tool instructions on Pre-Deployment Tools to connect your Snowflake credentials.
- This process ensures the credentials will not leave the AWS environment or be read by a Panther employee.
- You will need your Snowflake Account URL and ADMIN_PASSWORD.

Step 4: Run the Readiness Checker tool in the AWS account

Follow Panther's instructions for running the Readiness Checker tool.
Inform your Panther support team of the results.
- Panther will proceed with the deployment.

Step 5: Configure DNS records for your Panther deployment

Complete these steps after Panther has confirmed that your deployment is ready.

In AWS Certificate Manager (ACM), create two separate, public wildcard certificates for *.yourcustomdomain.xyz that can be used for the following Panther endpoints:
If your Panther deployment is in us-east-1, you can create a single wildcard certificate that covers both of these endpoints, if you'd like.
- api
  - The wildcard certificate for this endpoint must be created in us-east-1 as Edge-optimized. Custom domains cannot use certificates created in other regions.
- logs
  - The wildcard certificate for this endpoint must be created in the same region as the Panther deployment.
For additional information, please see the AWS documentation.
In Route53, create a CNAME record with the value for the api and logs wildcard ACM certificates created in the previous step to validate each of the certificates.
Locate the AWS-provided DNS name for the http-ingest-alb:
Using the DNS name mentioned in the previous step, create a CNAME record in Route53 using the following format: logs.yourcustomdomain.xyz.
To validate that the logs endpoint is working as expected, run an nslookup against logs.yourcustomdomain.xyz or dig +short logs.yourcustomdomain.xyz.
- Also ensure that the http-ingest-alb is using the logs wildcard ACM certificate created in Step 1.
Provide the new api wildcard ACM certificate ARN to Panther so that the api endpoint can be configured.
- We do not recommend doing this manually.
Once Panther has updated the deployment with the new ACM certificate, create an CNAME record in Route53 that points to the Cloudfront distribution created automatically in the previous steps. The Cloudfront DNS entry will be provided by Panther.
To validate that the API endpoint is working as expected, attempt Panther Analysis Tool (PAT) workflows using https://api.yourcustomdomain.xyz/public/graphql for --api-host.
- Follow Install, Configure, and Authenticate with the Panther Analysis Tool to get set up with PAT.
- For example: pipenv run panther_analysis_tool validate --api-host https://api.yourcustomdomain.xyz/public/graphql --api-token $YOUR_TOKEN
Configure a CNAME record and point it to the web ELB to log in to your newly created Panther Console.

Step 6: Request API Gateway and Lambda quota increases

Follow this AWS documentation to request the following quota increases:
- API Gateway throttle quota: Set at 20,000
- Lambda concurrent executions quota: Set at 2,000

After your initial Cloud Connected deployment

Step 1 (recommended): Activate Panther-defined tags on AWS resources

Panther defines certain tags on the AWS resources created for your Panther deployment. Follow this AWS documentation to activate these tags.

Step 2 (optional): Provide Panther your custom tags for AWS resources

In addition to the Panther-defined tags, you may wish to add your own custom tags on the AWS resources created for your Panther deployment. To do so, reach out to your Panther support team with the list of tag keys and values.

PreviousConfiguring Snowflake for Cloud Connected NextPre-Deployment Tools

Last updated 4 months ago