Pre-Deployment Tools
Overview
Panther offers a set of tools for organizations deploying a Cloud Connected Panther instance:
Snowflake Credential Bootstrap tool: This tool aids in storing your Snowflake credentials inside your AWS account before the first deployment of Panther infrastructure in AWS (including the initial configuration of Snowflake). This allows for the following benefits:
Credentials never have to leave the AWS account, so there is no human handoff in which they could be exposed.
Credentials can be validated for accuracy early in the setup process.
Readiness Checker tool: This tool runs a simulation of the actions defined by the deployment role against the AWS account, in an attempt to identify organization policies that may conflict with the Panther deployment and require further review.
A clean run of this tool is a strong indicator that you are unlikely to encounter IAM-related deployment issues, and can streamline the deployment process from Panther's end.
These tools are distributed as a collection of Lambda functions defined in CloudFormation templates built using AWS SAM. The source for these utilities is in the panther-auxiliary GitHub repository.
Deploying the tool set
Prerequisites
In your AWS account, you must have permissions to:
Create a CloudFormation stack
Create and invoke a Lambda function
Read and write in Secrets Manager
You must follow the instructions in Configuring AWS for Cloud Connected before following the instructions on this page.
The Deployment Role CloudFormation stack must be deployed before running the Readiness Checker tool, as the tool uses the live version of the PantherDeploymentRole.
Deploy the CloudFormation template in AWS
Find the CloudFormation template at the S3 URL below, first replacing <region> with the region you intend to deploy Panther in: https://panther-public-cloudformation-templates.s3.us-west-2.amazonaws.com/panther-preflight-tools-<region>/latest/template.yml
Deploy the template. See the CloudFormation documentation for instructions on how to create a CloudFormation stack from a template either using the CloudFormation console or using the AWS CLI.
Select the AWS region that the PantherDeploymentRole and Snowflake account reside in. For the stack name, we recommend using PantherPreflightToolsStack, for consistency with the contents.
Using the tools
Using the Snowflake Credential Bootstrap tool
To use the tool, you will run the lambda twice, with a step in between. The first lambda run seeds the secret into the AWS account—its output will direct you to a page in AWS where you can modify the secret to add credentials. The second lambda run verifies connectivity with the newly created secret against the Snowflake account, and yields the ARN of the new, validated secret.
Using the AWS CLI, authenticate to the target account.
There are many ways to authenticate—find basic instructions on the AWS Authentication and access credentials documentation.
In a web browser, authenticate to the target account in the AWS console.
Invoke the lambda, supplying the login URL of your Snowflake account as a parameter:
An AWS console URL will be output.
In a web browser, navigate to the AWS console URL output in the CLI. Here, you can modify the secret:
Click Save.
In the CLI, invoke the lambda again to validate your configuration:
The response to this call, if successful, will include the ARN of the newly created secret. Provide this value to your Panther support team.
Using the IAM Readiness Checker tool
Invoking the readiness check does not require a payload. It can be invoked either in the AWS CLI or AWS console.
Invoking on the command line with the aws CLI, run the following:
In this example, the result is written to output.json:
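The two procedures above (the two-step Snowflake Credential Bootstrap run and the payload-less Readiness Checker run) can be wrapped in a small script around aws lambda invoke. The following is an added example written for this page; it is not Panther's code and is not taken from the panther-auxiliary repository. The Lambda function names, the payload key snowflake_url, and the response keys console_url and secret_arn are assumed placeholders: read the real names from the deployed PantherPreflightToolsStack and the tool's README before using it. The script also refuses to hand on a "validated secret" value unless it actually has the shape of a Secrets Manager ARN, so a failed second run is not mistaken for a success.

```shell
#!/usr/bin/env sh
# Added example wrapper for the Panther preflight Lambda invocations.
# Not Panther's code and not from panther-auxiliary.
# Assumed placeholders (not real identifiers): the function names below,
# the payload key "snowflake_url", the response keys "console_url" and
# "secret_arn". Take the real values from the deployed stack and tool README.

BOOTSTRAP_FUNCTION="${BOOTSTRAP_FUNCTION:-PLACEHOLDER-snowflake-bootstrap-function}"
READINESS_FUNCTION="${READINESS_FUNCTION:-PLACEHOLDER-readiness-checker-function}"
PAYLOAD_KEY="snowflake_url"     # assumed key name
CONSOLE_URL_KEY="console_url"   # assumed key name
SECRET_ARN_KEY="secret_arn"     # assumed key name

# Build the JSON payload that carries the Snowflake login URL.
bootstrap_payload() {
  printf '{"%s":"%s"}' "$PAYLOAD_KEY" "$1"
}

# Extract a top-level string field from a small, flat JSON object without jq.
# Deliberately narrow: it handles the single-object responses these tools
# return, not arbitrary JSON. $1 = key, $2 = JSON text.
json_field() {
  printf '%s' "$2" | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Accept only a Secrets Manager ARN. Anything else means the validation run
# did not succeed and must not be passed on to support as a validated secret.
is_secret_arn() {
  case "$1" in
    arn:aws:secretsmanager:*:*:secret:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Invoke a function and print its response body.
# $1 = function name, $2 = payload ("" for none), $3 = output file.
# --cli-binary-format raw-in-base64-out is required on AWS CLI v2 for raw JSON.
invoke() {
  if [ -n "$2" ]; then
    aws lambda invoke --function-name "$1" \
      --cli-binary-format raw-in-base64-out --payload "$2" "$3" >/dev/null
  else
    aws lambda invoke --function-name "$1" "$3" >/dev/null
  fi
  cat "$3"
}

# Step 1: seed the secret; print the console URL where credentials are entered.
bootstrap_seed() {
  resp=$(invoke "$BOOTSTRAP_FUNCTION" "$(bootstrap_payload "$1")" seed.json)
  json_field "$CONSOLE_URL_KEY" "$resp"
}

# Step 2 (after saving credentials in the console): validate connectivity and
# print the secret ARN, failing loudly if the response carries none.
bootstrap_verify() {
  resp=$(invoke "$BOOTSTRAP_FUNCTION" "$(bootstrap_payload "$1")" verify.json)
  arn=$(json_field "$SECRET_ARN_KEY" "$resp")
  if is_secret_arn "$arn"; then
    printf '%s\n' "$arn"
  else
    printf 'validation did not return a secret ARN; full response:\n%s\n' "$resp" >&2
    return 1
  fi
}

# Readiness check: no payload; the result lands in output.json as in the docs.
readiness_check() {
  invoke "$READINESS_FUNCTION" "" output.json
}

case "${1:-}" in
  seed)      bootstrap_seed "$2" ;;
  verify)    bootstrap_verify "$2" ;;
  readiness) readiness_check ;;
  "")        ;;  # no subcommand: only define the functions (e.g. when sourced)
  *)         printf 'usage: %s seed <snowflake-url> | verify <snowflake-url> | readiness\n' "$0" >&2
             exit 2 ;;
esac
```

Run it as `./preflight.sh seed https://<account>.snowflakecomputing.com`, enter the credentials at the console URL it prints, then `./preflight.sh verify https://<account>.snowflakecomputing.com`; the ARN it prints is the value to give to Panther support. `./preflight.sh readiness` leaves the Readiness Checker result in output.json. The assumption that the second bootstrap run takes the same payload as the first is part of the example, not something the page states.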