Configuring AWS for Cloud Connected
Overview
A Cloud Connected deployment of Panther means that your organization owns the Snowflake account and the AWS account in which Panther is deployed, and Panther performs deployment upgrades of the platform.
After your Panther deployment is complete, you can .
The instructions on this page are for setting up a new Cloud Connected deployment. If you would like to convert an existing instance to a Cloud Connected deployment, do not follow these steps; instead, reach out to your Panther Support team to initiate the conversion.
Create a Snowflake account (within your Snowflake organization) to be used with your Panther deployment: see the instructions on .
If you already have a Snowflake instance, take note of the configuration recommendations on .
Create a new AWS account, if needed. (It is also possible to use an existing empty one.)
Your Panther instance cannot be deployed in an AWS account with existing resources.
Reach out to the Panther Support team, and:
Provide the following values:
Your AWS account ID
Your Snowflake region
Request values for the following three parameters for the PantherDeploymentRole template:
DeploymentRoleName
IdentityAccountId
OpsAccountId
If you are deploying more than one instance of Panther, the PantherDeploymentRole parameter values do not change.
PantherDeploymentRole
It's recommended to name the stack PantherDeploymentRoleStack.
Reminder: The stack must be created in the same region your Snowflake account is in.
Before proceeding, ensure you have a successful run.
<your_desired_Panther_subdomain>.<domain_name>.com
*.<your_desired_Panther_subdomain>.<domain_name>.com
*.<your_desired_Panther_subdomain>.<domain_name>.com
Make note of your outputted certificate ARNs, as you will need to provide them to Panther in the next step.
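The certificate names above can be checked against the three hostnames that the CNAME records on this page serve (primary, logs. and api.). The following is an added example, not part of the Panther documentation: it applies standard wildcard matching (RFC 6125, where * stands for exactly one leftmost label) and shows that a wildcard name alone does not cover the bare subdomain. The hostname panther.example.com is a constructed placeholder.

```python
"""Check that requested certificate names cover the Panther endpoints."""


def endpoint_hostnames(panther_fqdn: str) -> list[str]:
    """Primary, logs and API hostnames that the CNAME records will serve."""
    base = panther_fqdn.lower().rstrip(".")
    return [base, f"logs.{base}", f"api.{base}"]


def name_covers(cert_name: str, hostname: str) -> bool:
    """RFC 6125 matching: '*' is honoured only as the whole leftmost
    label and stands for exactly one label, never zero or several."""
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(host):
        return False
    if pattern[0] == "*":
        return pattern[1:] == host[1:]
    return pattern == host


def uncovered(cert_names: list[str], panther_fqdn: str) -> list[str]:
    """Endpoint hostnames that no name on the certificate matches."""
    return [
        host
        for host in endpoint_hostnames(panther_fqdn)
        if not any(name_covers(name, host) for name in cert_names)
    ]


if __name__ == "__main__":
    fqdn = "panther.example.com"  # constructed placeholder, not a real deployment
    candidates = {
        "subdomain + wildcard": [fqdn, f"*.{fqdn}"],
        "wildcard only": [f"*.{fqdn}"],
        "parent wildcard": ["*.example.com"],
    }
    for label, names in candidates.items():
        missing = uncovered(names, fqdn)
        print(f"{label}: {'all endpoints covered' if not missing else missing}")
```
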
Provide the following information about your infrastructure to your Panther support team:
Desired Panther account name
This will be visible in your Panther Console as Company Name.
Snowflake secret ARN
Panther subdomain
Snowflake region
For your initial Panther user:
First name
Last name
Email address
Please stop here, and wait for Panther to notify you that you can continue.
In your AWS console, navigate to the EC2 service.
Locate the AWS-provided DNS name for your web load balancer:
Navigate to Route53 (or a different DNS service of your choice).
Create a new CNAME record that points your primary subdomain (<your_desired_Panther_subdomain>.<company_name>.com) to this DNS name for your web load balancer.
In EC2, locate the AWS-provided DNS name for the http-ingest-alb load balancer:
Navigate to Route53 (or a different DNS service of your choice).
Create a new CNAME record that points your logs subdomain (logs.<your_desired_Panther_subdomain>.<company_name>.com) to this DNS name for your http-ingest-alb load balancer.
In your AWS console, navigate to the API Gateway service.
Click APIs > Custom domain names.
Click the name of the API subdomain (api.<your_desired_Panther_subdomain>.<company_name>.com).
Navigate to Route53 (or a different DNS service of your choice).
Create a new CNAME record that points your API subdomain (api.<your_desired_Panther_subdomain>.<company_name>.com) to this API Gateway domain name value.
(Optional) Validate the three CNAME records you just created:
To validate that the primary endpoint is working:
In a web browser, navigate to your primary subdomain.
Log in to your Panther Console.
To validate that the HTTP ingest endpoint is working:
Execute the following check-connection command:
pipenv run panther_analysis_tool check-connection --api-host $YOUR_GRAPHQL_ENDPOINT --api-token $YOUR_TOKEN
Concurrently running builds for ARM/Large environment (or ARM BUILD_GENERAL1_LARGE): Set at 2 or more
Concurrently running builds for Linux/Large environment (or Linux BUILD_GENERAL1_LARGE): Set at 2 or more
Panther will use your AWS account ID and Snowflake region to make a request to AWS to enable for your account. In the meantime, you may proceed in this deployment process, but you will not be able to pass (i.e., have a successful run of the readiness checker tool) until the request has been fulfilled.
In the same region your Snowflake account is in, deploy the panther-deployment-role CloudFormation template. Panther will assume this IAM role to perform upgrades.
Use the values for the three template parameters (DeploymentRoleName, IdentityAccountId, and OpsAccountId) provided by Panther in .
See the CloudFormation documentation for instructions on how to create a CloudFormation stack from a template either or.
Follow the instructions in .
Follow the instructions in .
Follow the instructions in .
You will need your Snowflake account URL (which you found ), as well as the password for the pantheraccountadmin user you created.
Save the outputted Snowflake secret ARN, as you will need to provide it to Panther in .
In the same region your Snowflake account is in, follow the AWS Certificate Manager (ACM) to request a single certificate for two subdomains of the domain :
(If your deployment region is not us-east-1) In us-east-1, follow the same to request a certificate for:
You generated this in , above.
You used this in , above.
ARNs of all ACM certificates you requested in , above.
In the Endpoint Configuration section, copy the API Gateway domain name value.
To validate that the API endpoint is working, make a call using the :
Follow to request the following quota increases:
: Set at 20,000
:
Panther automatically submits a request for your to be increased to 2,000.
Panther on the AWS resources created for your Panther deployment. Follow to activate these tags.
In addition to the Panther-defined tags, you may wish to add on the AWS resources created for your Panther deployment. To do so, reach out to your Panther support team with the list of tag keys and values.