Pre-Deployment Tools
Panther offers a set of tools for organizations deploying a Cloud Connected Panther instance:
Readiness checker tool: This tool runs a simulation of the actions defined by the deployment role against the AWS account to identify organizational policies that may collide with the Panther deployment and require further review. It also verifies that your AWS account has Amazon S3 Select enabled.
A successful run of this tool is a strong indicator that you are unlikely to encounter IAM or S3 Select-related deployment issues, and can streamline the deployment process from Panther's end.
Snowflake credential bootstrap tool: This tool stores your Snowflake credentials inside your AWS account before the first deployment of Panther infrastructure in AWS (including the initial configuration of Snowflake). This provides the following benefits:
Credentials never leave the AWS account, and no human handoff to Panther employees is needed.
Credentials can be validated for accuracy early in the setup process.
These tools are distributed as a collection of Lambda functions defined in CloudFormation templates built with AWS SAM. The source for these utilities is in the panther-auxiliary GitHub repository.
The PantherDeploymentRole CloudFormation stack must already be deployed. You should have completed this in Step 3 of the Configuring AWS for Cloud Connected process.
1. Construct the S3 URL where the CloudFormation template is stored by replacing <region> in the URL below with the region you intend to deploy Panther in:
https://panther-public-cloudformation-templates.s3.us-west-2.amazonaws.com/panther-preflight-tools-<region>/latest/template.yml
2. Deploy the template using the S3 URL you constructed. See the CloudFormation documentation for instructions on how to create a CloudFormation stack from a template, either using the CloudFormation console or using the AWS CLI.
3. Select the AWS region that the PantherDeploymentRole and Snowflake account reside in.
4. For the stack name, we recommend PantherPreflightToolsStack, for consistency with the contents.
There are no parameters to configure in this stack.
Invoking the readiness check does not require a payload. It can be invoked either from the AWS CLI or in the AWS console.
Invoking in the AWS console:
1. In an authenticated session of the AWS console, navigate to the test page of the PantherReadinessCheck Lambda utility:
https://console.aws.amazon.com/lambda/home#/functions/PantherReadinessCheck?tab=testing
2. In the Event Name field, provide a name.
3. In the Event JSON field, enter an empty payload.
4. In the upper-right corner, click Test.
5. When the test is complete, click the Details dropdown to see the results.
Do not proceed until you have a successful run. If you are having trouble running this tool successfully, reach out to the Panther Support team.
If your readiness checker run fails, it may be due to one of the reasons below.
If the output of the command is Some evaluations were not allowed! followed by a list of failing actions, update your organizational service control policy (SCP) to allow the PantherDeploymentRole to perform the listed actions so that the deployment can succeed. An AWS Control Tower Guardrails policy may also be blocking your deployment.
If the output from the command includes "s3_select_enabled": false, please reach out to the Panther Support team. Panther will work with AWS to enable Amazon S3 Select for your account.
To use the Snowflake credential bootstrap tool, you will run the PantherSnowflakeCredentialBootstrap Lambda twice, with a step in between. The first run seeds the secret into the AWS account; its output directs you to a page in AWS where you can edit the secret to add credentials. The second run verifies connectivity to the Snowflake account using the newly created secret, and yields the ARN of the new, validated secret.
1. In your AWS console, navigate to the Lambda service.
2. Ensure you are working in the same region your Snowflake account is deployed in.
3. Find your PantherSnowflakeCredentialBootstrap Lambda.
4. Click the Test tab.
5. Under Test event action, ensure Create new event is selected.
6. In the Event name field, provide a name.
7. In the Event JSON editor, replace its contents with a single key/value pair, where the key is host and the value is your Snowflake account URL.
8. In the upper-right corner, click Test.
9. When the test is complete (and has run successfully), click the Details dropdown to see the results.
10. Copy the outputted URL, and open it in a new browser tab.
11. Modify the secret:
    On the Secret value tile, click Retrieve secret value.
    Click Edit.
    Update the value of the password key with the password for your pantheraccountadmin Snowflake user.
    Click Save.
12. Return to the browser tab open to your PantherSnowflakeCredentialBootstrap Lambda.
13. Still in the Test tab, in the Event JSON editor, update the event to:
14. In the upper-right corner, click Test.
15. The response to this call, if successful, will include the ARN of the newly created secret.
16. Save the outputted ARN value in a secure location, as you will need to provide it to your Panther support team in a later step.
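The stack deployment and readiness check described above, driven from the AWS CLI instead of the console, as an added example that is not Panther's own tooling. The region variable, the capability flags on create-stack, and the assumption that the readiness response body contains the strings quoted in the troubleshooting notes are mine; the stack name, function name, template URL and failure strings come from this page.

```shell
#!/bin/sh
# Added example (not part of Panther's preflight tools): deploy the preflight stack,
# invoke PantherReadinessCheck with the empty payload, and classify the response.
# Assumptions: AWS CLI v2, the stack needs IAM capabilities, and the response file
# contains the failure strings exactly as the troubleshooting text quotes them.
set -eu

REGION="${AWS_REGION:-us-east-1}"   # assumption: region holding PantherDeploymentRole
STACK_NAME="PantherPreflightToolsStack"
TEMPLATE_URL="https://panther-public-cloudformation-templates.s3.us-west-2.amazonaws.com/panther-preflight-tools-${REGION}/latest/template.yml"

deploy_preflight_stack() {
  aws cloudformation create-stack --region "$REGION" --stack-name "$STACK_NAME" \
    --template-url "$TEMPLATE_URL" --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM
  aws cloudformation wait stack-create-complete --region "$REGION" --stack-name "$STACK_NAME"
}

# Invoke the readiness check with an empty payload; the response body lands in file $1.
run_readiness_check() {
  aws lambda invoke --region "$REGION" --function-name PantherReadinessCheck \
    --cli-binary-format raw-in-base64-out --payload '{}' "$1" >/dev/null
}

# Classify a readiness-check response file ($1). Prints a verdict and returns
# 0 on PASS, 1 when an SCP or Control Tower guardrail denies actions to the
# deployment role, 2 when S3 Select is not enabled for the account.
readiness_verdict() {
  if grep -q 'Some evaluations were not allowed!' "$1"; then
    echo "FAIL: SCP or Control Tower guardrail denies actions to PantherDeploymentRole"
    return 1
  fi
  if grep -q '"s3_select_enabled": *false' "$1"; then
    echo "FAIL: S3 Select is not enabled; contact Panther Support"
    return 2
  fi
  echo "PASS: deploy is unlikely to hit IAM or S3 Select issues"
}

# Only talk to AWS when explicitly asked, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--run" ]; then
  deploy_preflight_stack
  run_readiness_check readiness-response.json
  readiness_verdict readiness-response.json
fi
```

Run it as `sh preflight.sh --run` with credentials for the target account; a non-zero exit means the console troubleshooting steps above apply.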