Configuring AWS for Cloud Connected
Overview
A Cloud Connected deployment of Panther means that your organization owns the Snowflake account and the AWS account in which Panther is deployed, and Panther performs deployment upgrades of the platform.
After your Panther deployment is complete, you can monitor your Panther-related AWS costs.
The instructions on this page are for setting up a new Cloud Connected deployment. If you would like to convert an existing Panther-hosted (SaaS) instance to a Cloud Connected deployment, do not follow these steps; instead, reach out to your Panther Support team to initiate the conversion.
How to prepare for your initial Cloud Connected deployment
Prerequisites
Create a Snowflake account (within your Snowflake organization) to be used with your Panther deployment: see the instructions on Configuring Snowflake for Cloud Connected.
If you already have a Snowflake instance, take note of the configuration recommendations on Snowflake Configuration for Optimal Search Performance.
Step 1: Create a new AWS account
Create a new AWS account, if needed. (It is also possible to use an existing empty one.)
Your Panther instance cannot be deployed in an AWS account with existing resources.
Step 2: Exchange information with Panther Support
Reach out to the Panther Support team, and:
Provide the following values:
Your AWS account ID
Your Snowflake region
Request values for the following three parameters for the PantherDeploymentRole template:
DeploymentRoleName
IdentityAccountId
OpsAccountId
If you are deploying more than one instance of Panther, the PantherDeploymentRole parameter values do not change.
Panther will use your AWS account ID and Snowflake region to make a request to AWS to enable Amazon S3 Select for your account. In the meantime, you may proceed in this deployment process, but you will not be able to pass Step 5 (i.e., have a successful run of the readiness checker tool) until the request has been fulfilled.
Step 3: Deploy the PantherDeploymentRole
In the same region your Snowflake account is in, deploy the panther-deployment-role CloudFormation template found at this link. Panther will assume this IAM role to perform upgrades.
Use the values for the three template parameters (DeploymentRoleName, IdentityAccountId, and OpsAccountId) provided by Panther in Step 2.
It's recommended to name the stack PantherDeploymentRoleStack.
See the CloudFormation documentation for instructions on how to create a CloudFormation stack from a template either using the CloudFormation console or using the AWS CLI.
Reminder: The stack must be created in the same region your Snowflake account is in.
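As an added example (not from Panther's documentation or tooling), the Step 3 stack creation can be scripted with the AWS CLI so that the values received in Step 2 are checked before the call is made. The template URL is a placeholder, the role name and account IDs in the usage comment are constructed, and CAPABILITY_NAMED_IAM assumes the template creates a named IAM role.

```sh
#!/bin/sh
# Added example: pre-flight checks plus the AWS CLI call for Step 3.
# Placeholder: replace with the template link from the Panther documentation.
TEMPLATE_URL="${TEMPLATE_URL:-REPLACE_WITH_TEMPLATE_URL}"

# AWS account IDs are exactly 12 digits.
is_account_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# IAM role names: 1 to 64 characters from A-Z a-z 0-9 + = , . @ _ -
is_role_name() {
  case "$1" in
    ''|*[!A-Za-z0-9+=,.@_-]*) return 1 ;;
  esac
  [ "${#1}" -le 64 ]
}

# Usage: deploy_role_stack <snowflake_region> <DeploymentRoleName> \
#                          <IdentityAccountId> <OpsAccountId>
# Prints the command for review; set RUN=1 to execute it.
deploy_role_stack() {
  region=$1 role=$2 identity=$3 ops=$4
  [ -n "$region" ] || { echo "Snowflake region is required" >&2; return 2; }
  is_role_name "$role" || { echo "invalid DeploymentRoleName" >&2; return 2; }
  is_account_id "$identity" || { echo "IdentityAccountId must be 12 digits" >&2; return 2; }
  is_account_id "$ops" || { echo "OpsAccountId must be 12 digits" >&2; return 2; }

  # The stack goes in the Snowflake region. CAPABILITY_NAMED_IAM is an
  # assumption: it is needed when a template creates a named IAM role.
  set -- aws cloudformation create-stack \
    --region "$region" \
    --stack-name PantherDeploymentRoleStack \
    --template-url "$TEMPLATE_URL" \
    --capabilities CAPABILITY_NAMED_IAM \
    --parameters \
      "ParameterKey=DeploymentRoleName,ParameterValue=$role" \
      "ParameterKey=IdentityAccountId,ParameterValue=$identity" \
      "ParameterKey=OpsAccountId,ParameterValue=$ops"

  if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Constructed sample values:
# deploy_role_stack us-west-2 PantherDeploymentRole 111111111111 222222222222
```

Reviewing the printed command before setting RUN=1 gives a second person the chance to confirm that the two account IDs match what Panther Support sent, since those values determine who can assume the role.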
Step 4: Deploy the pre-deployment tools
Follow the instructions in Deploying the tool set.
Step 5: Run the readiness checker tool
Follow the instructions in Using the readiness checker tool.
Before proceeding, ensure you have a successful run.
Step 6: Connect Snowflake credentials to the AWS account
Follow the instructions in Using the Snowflake credential bootstrap tool.
You will need your Snowflake account URL (which you found in a previous step of this process), as well as the password for the pantheraccountadmin user you created.
Save the outputted Snowflake secret ARN, as you will need to provide it to Panther in Step 8.
Step 7: Create ACM certificates
In the same region your Snowflake account is in, follow the AWS Certificate Manager (ACM) Requesting a public certificate documentation to request a single certificate for two subdomains of the domain you have already registered:
<your_desired_Panther_subdomain>.<domain_name>.com
logs.<your_desired_Panther_subdomain>.<domain_name>.com
In us-east-1, follow the same Requesting a public certificate documentation to request a certificate for:
*.<your_desired_Panther_subdomain>.<domain_name>.com
Make note of your outputted certificate ARNs, as you will need to provide them to Panther in the next step.
Step 8: Provide values to Panther
Provide the following information about your infrastructure to your Panther support team:
Desired Panther account name
This will be visible in your Panther Console as Company Name.
Snowflake secret ARN
You generated this in Step 6, above.
Panther subdomain
You used this in Step 7, above.
ARN of ACM certificate for the "regular" and logs subdomains
You requested this in Step 7, above.
ARN of ACM certificate for the wildcard subdomain
You requested this in Step 7, above.
Snowflake region
For your initial Panther user:
First name
Last name
Email address
Please stop here, and wait for Panther to notify you that you can continue.
Step 9: Configure your DNS records
In your AWS console, navigate to the EC2 service.
Locate the AWS-provided DNS name for your web load balancer:
Point your primary subdomain (<your_desired_Panther_subdomain>.<company_name>.com) to this AWS-provided DNS name for your web load balancer.
Locate the AWS-provided DNS name for the http-ingest-alb load balancer:
Point your logs subdomain (logs.<your_desired_Panther_subdomain>.<company_name>.com) to this AWS-provided DNS name for the http-ingest-alb load balancer.
In your AWS console, navigate to the API Gateway service.
Click APIs > Custom domain names.
Point your API subdomain (api.<your_desired_Panther_subdomain>.<company_name>.com) to this API Gateway domain name value.
To validate that the API endpoint is working as expected, attempt Panther Analysis Tool (PAT) workflows using https://api.yourcustomdomain.xyz/public/graphql for --api-host.
Follow Install, Configure, and Authenticate with the Panther Analysis Tool to get set up with PAT.
For example:
pipenv run panther_analysis_tool check-connection --api-host https://api.yourcustomdomain.xyz/public/graphql --api-token $YOUR_TOKEN
Step 10: Request API Gateway, Lambda, and CodeBuild quota increases
Follow this AWS documentation to request the following quota increases:
API Gateway throttle quota: Set at 20,000
Lambda concurrent executions quota: Set at 2,000
Concurrently running builds for ARM/Large environment (or ARM BUILD_GENERAL1_LARGE): Set at 2 or more
Concurrently running builds for Linux/Large environment (or Linux BUILD_GENERAL1_LARGE): Set at 2 or more
After your initial Cloud Connected deployment
Step 1 (recommended): Activate Panther-defined tags on AWS resources
Panther defines certain tags on the AWS resources created for your Panther deployment. Follow this AWS documentation to activate these tags.
Step 2 (optional): Provide Panther your custom tags for AWS resources
In addition to the Panther-defined tags, you may wish to add your own custom tags on the AWS resources created for your Panther deployment. To do so, reach out to your Panther support team with the list of tag keys and values.