Configuring AWS for Cloud Connected
Overview
A Cloud Connected deployment of Panther means that your organization owns the Snowflake account and the AWS account in which Panther is deployed, and Panther performs deployment upgrades of the platform.
After your Panther deployment is complete, you can monitor your Panther-related AWS costs.
The instructions on this page are for setting up a new Cloud Connected deployment. If you would like to convert an existing Panther-hosted (SaaS) instance to a Cloud Connected deployment, do not follow these steps; instead, reach out to your Panther Support team to initiate the conversion.
How to prepare for your initial Cloud Connected deployment
Prerequisites
Create a Snowflake account (within your Snowflake organization) to be used with your Panther deployment: see the instructions on Configuring Snowflake for Cloud Connected.
If you already have a Snowflake instance, take note of the configuration recommendations on Snowflake Configuration for Optimal Search Performance.
Step 1: Create a new AWS account
Create a new AWS account, if needed. (It is also possible to use an existing empty one.)
Your Panther instance cannot be deployed in an AWS account with existing resources.
Step 2: Exchange information with Panther Support
Reach out to the Panther Support team, and:
Provide the following values:
Your AWS account ID
Your Snowflake region
Request values for the following three parameters of the PantherDeploymentRole template:
DeploymentRoleName
IdentityAccountId
OpsAccountId
If you are deploying more than one instance of Panther, the PantherDeploymentRole parameter values do not change between instances.
Panther will use your AWS account ID and Snowflake region to make a request to AWS to enable Amazon S3 Select for your account. In the meantime, you may proceed in this deployment process, but you will not be able to pass Step 5 (i.e., have a successful run of the readiness checker tool) until the request has been fulfilled.
Step 3: Deploy the PantherDeploymentRole
In the same region your Snowflake account is in, deploy the panther-deployment-role CloudFormation template found at this link. Panther will assume this IAM role to perform upgrades.
Use the values for the three template parameters (DeploymentRoleName, IdentityAccountId, and OpsAccountId) provided by Panther in Step 2.
It's recommended to name the stack PantherDeploymentRoleStack.
See the CloudFormation documentation for instructions on how to create a CloudFormation stack from a template, either using the CloudFormation console or using the AWS CLI.
Reminder: The stack must be created in the same region your Snowflake account is in.
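The AWS CLI path for Step 3, as an added example that is not Panther's own tooling: it validates the two account IDs, creates the stack with the three parameters, waits for completion, and then prints the principals in the role's trust policy so you can confirm that only the IdentityAccountId and OpsAccountId you were given can assume it. It assumes the template behind the page's link has been saved locally as panther-deployment-role.yml; the region, role name and account IDs in the usage line are placeholders.

```shell
#!/usr/bin/env sh
# Added example (not Panther's own tooling): create the PantherDeploymentRole
# stack with the AWS CLI and then inspect the role's trust policy.
# Assumptions: the template behind the page's link has been saved locally as
# ./panther-deployment-role.yml, and the three parameter values came from
# Panther Support in Step 2. Account IDs in the usage line are placeholders.
set -eu

STACK_NAME="PantherDeploymentRoleStack"
TEMPLATE_FILE="${TEMPLATE_FILE:-./panther-deployment-role.yml}"   # assumed local path

# AWS account IDs are exactly 12 decimal digits; reject typos before CloudFormation does.
is_account_id() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# The --parameters argument for create-stack, built from the three values Panther provided.
stack_parameters() {
    # $1 DeploymentRoleName, $2 IdentityAccountId, $3 OpsAccountId
    printf 'ParameterKey=DeploymentRoleName,ParameterValue=%s ParameterKey=IdentityAccountId,ParameterValue=%s ParameterKey=OpsAccountId,ParameterValue=%s' \
        "$1" "$2" "$3"
}

deploy_role() {
    region="$1"; role_name="$2"; identity_acct="$3"; ops_acct="$4"
    is_account_id "$identity_acct" || { echo "IdentityAccountId must be 12 digits" >&2; return 1; }
    is_account_id "$ops_acct"      || { echo "OpsAccountId must be 12 digits" >&2; return 1; }

    # The template creates an IAM role with a caller-chosen name, which CloudFormation
    # only allows once CAPABILITY_NAMED_IAM is acknowledged.
    # shellcheck disable=SC2046  # word-splitting of the parameter list is intended
    aws cloudformation create-stack --region "$region" --stack-name "$STACK_NAME" \
        --template-body "file://$TEMPLATE_FILE" --capabilities CAPABILITY_NAMED_IAM \
        --parameters $(stack_parameters "$role_name" "$identity_acct" "$ops_acct")
    aws cloudformation wait stack-create-complete --region "$region" --stack-name "$STACK_NAME"

    # Post-check: only the two Panther-owned accounts you were given should be able to assume the role.
    aws iam get-role --role-name "$role_name" \
        --query 'Role.AssumeRolePolicyDocument.Statement[].Principal' --output json
}

# Usage (the region must be the one your Snowflake account is in; IDs are placeholders):
#   PANTHER_DEPLOY=1 sh deploy_role.sh us-east-2 PantherDeploymentRole 111111111111 222222222222
if [ "${PANTHER_DEPLOY:-0}" = "1" ]; then
    deploy_role "$@"
fi
```

Because the role is cross-account and has a fixed name, review the template's trust policy before creating the stack and keep the printed principal list with your deployment records; if it ever shows an account other than the two Panther gave you, stop and contact Panther Support.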
Step 4: Deploy the pre-deployment tools
Follow the instructions in Deploying the tool set.
Step 5: Run the readiness checker tool
Follow the instructions in Using the readiness checker tool.
Before proceeding, ensure you have a successful run.
Step 6: Connect Snowflake credentials to the AWS account
Follow the instructions in Using the Snowflake credential bootstrap tool.
You will need your Snowflake account URL (which you found in a previous step of this process), as well as the password for the pantheraccountadmin user you created.
Save the outputted Snowflake secret ARN, as you will need to provide it to Panther in Step 8.
Step 7: Create ACM certificates
In the same region your Snowflake account is in, follow the AWS Certificate Manager (ACM) Requesting a public certificate documentation to request a single certificate covering two subdomains of the domain you have already registered:
<your_desired_Panther_subdomain>.<domain_name>.com
logs.<your_desired_Panther_subdomain>.<domain_name>.com
In us-east-1, follow the same Requesting a public certificate documentation to request a certificate for:
*.<your_desired_Panther_subdomain>.<domain_name>.com
Make note of your outputted certificate ARNs, as you will need to provide them to Panther in the next step.
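The same two requests made with the AWS CLI, as an added example rather than Panther's own code: the primary certificate (with the logs name as a Subject Alternative Name) goes to the deployment region, the wildcard certificate to us-east-1, both with DNS validation, and the script prints the validation CNAME records to publish and the two ARNs to hand to Panther in Step 8. The region, subdomain and domain in the usage line are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not Panther's own code: request the two ACM certificates from
# Step 7 with the AWS CLI and print the ARNs needed for Step 8.
# Assumptions: $1 is the region your Snowflake account is in, $2 the Panther
# subdomain, $3 the registered domain. Values in the usage line are placeholders.
set -eu

# Subject names the page asks for, derived from the chosen subdomain.
primary_name()  { printf '%s.%s' "$1" "$2"; }        # <sub>.<domain>
logs_name()     { printf 'logs.%s.%s' "$1" "$2"; }   # logs.<sub>.<domain>
wildcard_name() { printf '*.%s.%s' "$1" "$2"; }      # *.<sub>.<domain>

# Region each certificate must live in: the wildcard certificate goes to
# us-east-1 regardless of deployment region, the primary/logs one stays in-region.
cert_region() {
    # $1 = "primary" or "wildcard", $2 = deployment region
    case "$1" in
        wildcard) printf 'us-east-1' ;;
        *)        printf '%s' "$2" ;;
    esac
}

# Request a certificate with DNS validation (renews without e-mail approval)
# and print its ARN. Any extra arguments become Subject Alternative Names.
request_cert() {
    region="$1"; domain="$2"; shift 2
    if [ "$#" -gt 0 ]; then
        aws acm request-certificate --region "$region" --domain-name "$domain" \
            --subject-alternative-names "$@" --validation-method DNS \
            --query CertificateArn --output text
    else
        aws acm request-certificate --region "$region" --domain-name "$domain" \
            --validation-method DNS --query CertificateArn --output text
    fi
}

# Show the CNAME records ACM wants published to prove control of each name,
# then block until ACM has seen them and issued the certificate.
finish_validation() {
    region="$1"; arn="$2"
    aws acm describe-certificate --region "$region" --certificate-arn "$arn" \
        --query 'Certificate.DomainValidationOptions[].ResourceRecord' --output table
    aws acm wait certificate-validated --region "$region" --certificate-arn "$arn"
}

request_panther_certs() {
    region="$1"; sub="$2"; domain="$3"
    main_arn=$(request_cert "$(cert_region primary "$region")" \
        "$(primary_name "$sub" "$domain")" "$(logs_name "$sub" "$domain")")
    wild_arn=$(request_cert "$(cert_region wildcard "$region")" \
        "$(wildcard_name "$sub" "$domain")")
    finish_validation "$(cert_region primary "$region")" "$main_arn"
    finish_validation "$(cert_region wildcard "$region")" "$wild_arn"
    # Both ARNs are handed to Panther Support in Step 8.
    printf 'primary/logs certificate: %s\nwildcard certificate:     %s\n' "$main_arn" "$wild_arn"
}

# Usage with constructed placeholder values:
#   PANTHER_RUN=1 sh request_certs.sh us-east-2 panther example.com
if [ "${PANTHER_RUN:-0}" = "1" ]; then
    request_panther_certs "$@"
fi
```

The wait step only returns once the validation CNAMEs printed by describe-certificate exist in your DNS zone, so publish them (in Route53 or whichever DNS service you use) as soon as the table appears.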
Step 8: Provide values to Panther
Provide the following information about your infrastructure to your Panther support team:
Desired Panther account name (this will be visible in your Panther Console as Company Name)
Snowflake secret ARN (generated in Step 6, above)
Panther subdomain (used in Step 7, above)
ARN of the ACM certificate for the "regular" and logs subdomains (requested in Step 7, above)
ARN of the ACM certificate for the wildcard subdomain (requested in Step 7, above)
Snowflake region
For your initial Panther user: first name, last name, and email address
Please stop here, and wait for Panther to notify you that you can continue.
Step 9: Create your CNAME records
In your AWS console, navigate to the EC2 service and locate the AWS-provided DNS name for your web load balancer.
Navigate to Route53 (or a different DNS service of your choice), and create a new CNAME record that points your primary subdomain (<your_desired_Panther_subdomain>.<domain_name>.com) to the DNS name of your web load balancer.
In EC2, locate the AWS-provided DNS name for the http-ingest-alb load balancer.
Navigate to Route53 (or a different DNS service of your choice), and create a new CNAME record that points your logs subdomain (logs.<your_desired_Panther_subdomain>.<domain_name>.com) to the DNS name of your http-ingest-alb load balancer.
In your AWS console, navigate to the API Gateway service, click APIs > Custom domain names, and click the name of the API subdomain (api.<your_desired_Panther_subdomain>.<domain_name>.com) to find its API Gateway domain name.
Navigate to Route53 (or a different DNS service of your choice), and create a new CNAME record that points your API subdomain (api.<your_desired_Panther_subdomain>.<domain_name>.com) to this API Gateway domain name value.
(Optional) Validate the three CNAME records you just created:
To validate that the primary endpoint is working: in a web browser, navigate to your primary subdomain and log in to your Panther Console.
To validate that the HTTP ingest endpoint is working:
To validate that the API endpoint is working, make a call using the Panther Analysis Tool (PAT) by executing the following check-connection command:
pipenv run panther_analysis_tool check-connection --api-host $YOUR_GRAPHQL_ENDPOINT --api-token $YOUR_TOKEN
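The three records created from the CLI instead of the console, as an added example that is not Panther's own code. It looks up the load balancer DNS names and the API Gateway custom domain target with the AWS CLI, upserts the CNAMEs in Route53 from a generated change batch, and then checks that each name resolves to the intended target before you try the console. It assumes, beyond what the page states, that the load balancers are named web and http-ingest-alb in EC2, that the API custom domain is a REST API (apigateway) domain, that the Route53 hosted zone ID is passed in, and that dig and curl are installed; the region, zone and domain values in the usage line are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not Panther's own code: create the three CNAME records from
# Step 9 in Route 53 and check them afterwards.
# Assumptions (not stated on the page): the load balancers are named "web" and
# "http-ingest-alb", the API custom domain is a REST API (apigateway) domain,
# the hosted zone ID is passed in, and dig/curl are available.
set -eu

# Route 53 change batch that points one name at one target as a CNAME.
cname_change_batch() {
    # $1 record name, $2 target DNS name, $3 TTL in seconds
    printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":%s,"ResourceRecords":[{"Value":"%s"}]}}]}' \
        "$1" "$3" "$2"
}

# AWS-provided DNS name of a load balancer, looked up by name instead of copied from the console.
alb_dns_name() {
    aws elbv2 describe-load-balancers --region "$1" --names "$2" \
        --query 'LoadBalancers[0].DNSName' --output text
}

# Target for the API subdomain: the regional name for a regional custom domain,
# the CloudFront distribution name for an edge-optimized one (whichever is set).
api_gateway_target() {
    aws apigateway get-domain-name --region "$1" --domain-name "$2" \
        --query 'regionalDomainName || distributionDomainName' --output text
}

upsert_cname() {
    # $1 hosted zone id, $2 record name, $3 target
    aws route53 change-resource-record-sets --hosted-zone-id "$1" \
        --change-batch "$(cname_change_batch "$2" "$3" 300)"
}

# True when a name resolves to the expected CNAME target (dig strips nothing, so drop the trailing dot).
check_cname() {
    # $1 record name, $2 expected target
    actual=$(dig +short CNAME "$1" | sed 's/\.$//')
    [ "$actual" = "$2" ]
}

create_panther_cnames() {
    region="$1"; zone="$2"; sub="$3"; domain="$4"
    web_target=$(alb_dns_name "$region" web)
    logs_target=$(alb_dns_name "$region" http-ingest-alb)
    api_target=$(api_gateway_target "$region" "api.$sub.$domain")

    upsert_cname "$zone" "$sub.$domain"      "$web_target"
    upsert_cname "$zone" "logs.$sub.$domain" "$logs_target"
    upsert_cname "$zone" "api.$sub.$domain"  "$api_target"

    # Validation (run after DNS has propagated): with set -e, a wrong target aborts here.
    check_cname "$sub.$domain"      "$web_target"
    check_cname "logs.$sub.$domain" "$logs_target"
    check_cname "api.$sub.$domain"  "$api_target"
    curl -sS -o /dev/null -w 'console HTTP status: %{http_code}\n' "https://$sub.$domain/"
    # The API check from the page, run against the api subdomain:
    #   pipenv run panther_analysis_tool check-connection --api-host $YOUR_GRAPHQL_ENDPOINT --api-token $YOUR_TOKEN
}

# Usage with constructed placeholder values:
#   PANTHER_RUN=1 sh create_cnames.sh us-east-2 Z0123456789EXAMPLE panther example.com
if [ "${PANTHER_RUN:-0}" = "1" ]; then
    create_panther_cnames "$@"
fi
```

UPSERT is used rather than CREATE so the script can be re-run safely if a record already exists; the curl status check only confirms that the console answers over TLS on the primary name, so still complete the browser login the page describes.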
Step 10: Request API Gateway and CodeBuild quota increases
Follow this AWS documentation to request the following quota increases:
API Gateway throttle quota: set to 20,000
CodeBuild concurrently running builds for the ARM/Large environment (ARM BUILD_GENERAL1_LARGE): set to 2 or more
CodeBuild concurrently running builds for the Linux/Large environment (Linux BUILD_GENERAL1_LARGE): set to 2 or more
Panther automatically submits a request for your Lambda concurrent executions quota to be increased to 2,000.
After your initial Cloud Connected deployment
Step 1 (recommended): Activate Panther-defined tags on AWS resources
Panther defines these tags on the AWS resources created for your Panther deployment. Follow this AWS documentation to activate these tags.
Step 2 (optional): Provide Panther your custom tags for AWS resources
In addition to the Panther-defined tags, you may wish to add your own custom tags on the AWS resources created for your Panther deployment. To do so, reach out to your Panther support team with the list of tag keys and values.