Pre-Deployment Tools

Overview

Panther offers a set of tools for organizations deploying a Cloud Connected Panther instance:

  • Snowflake Credential Bootstrap tool: This tool stores your Snowflake credentials as a secret inside your AWS account before the first deployment of Panther infrastructure in AWS (including the initial configuration of Snowflake). This provides the following benefits:

    • The credentials never leave your AWS account, and no human handoff of the credentials is required.

    • The credentials are validated for accuracy early in the setup process.

  • Readiness Checker tool: This tool simulates the actions defined by the deployment role against the AWS account, in order to identify organization policies that may conflict with the Panther deployment and require further review.

    • A clean run of this tool is a strong indicator that you are unlikely to encounter IAM-related deployment issues, and can streamline the deployment process from Panther's end.

These are distributed as a collection of Lambda functions, defined as CloudFormation templates built with AWS SAM. The source for these utilities is in the panther-auxiliary GitHub repository.

Deploying the tool set

Prerequisites

Deploy the CloudFormation template in AWS

  1. Find the CloudFormation template at the S3 URL below, first replacing <region> with the region you intend to deploy Panther in: https://panther-public-cloudformation-templates.s3.us-west-2.amazonaws.com/panther-preflight-tools-<region>/latest/template.yml

  2. Deploy the template. See the CloudFormation documentation for instructions on how to create a CloudFormation stack from a template either using the CloudFormation console or using the AWS CLI.

    • Select the AWS region that the PantherDeploymentRole and the Snowflake account reside in.

    • For the stack name, we recommend using PantherPreflightToolsStack, for consistency with the contents.

Using the tools

Using the Snowflake Credential Bootstrap tool

To use the tool, you will run the lambda twice, with a step in between. The first lambda run seeds the secret into the AWS account—its output will direct you to a page in AWS where you can modify the secret to add credentials. The second lambda run verifies connectivity with the newly created secret against the Snowflake account, and yields the ARN of the new, validated secret.

  1. Using the AWS CLI, authenticate to the target account.

  2. In a web browser, authenticate to the target account in the AWS console.

  3. Invoke the lambda, supplying the login URL of your Snowflake account as a parameter:

    aws lambda invoke \
     --function-name "PantherSnowflakeCredentialBootstrap" \
     --log-type Tail \
     --payload '{"host": "https://myaccountid.snowflakecomputing.com"}' \
     --cli-binary-format raw-in-base64-out /dev/stderr > /dev/null

    • An AWS console URL is printed.

  4. In a web browser, navigate to the AWS console URL printed by the CLI. Here, you can modify the secret:

    1. Click Save.

  5. In the CLI, invoke the lambda again to validate your configuration:

    aws lambda invoke \
     --function-name "PantherSnowflakeCredentialBootstrap" \
     --log-type Tail \
     --payload '{"validate": true}' \
     --cli-binary-format raw-in-base64-out /dev/stderr > /dev/null

  6. The response to this call, if successful, includes the ARN of the newly created secret. Provide this value to your Panther support team.

Using the IAM Readiness Checker tool

Invoking the readiness check does not require a payload. It can be invoked either from the AWS CLI or from the AWS console.

Invoking on the command line with the AWS CLI:

  1. Run the following:

      aws lambda invoke --function-name "PantherReadinessCheck" \
      --cli-binary-format raw-in-base64-out output.json

  2. In this example, the result is written to output.json:

    [12:18] user@host $> aws lambda invoke --function-name "PantherReadinessCheck" --cli-binary-format raw-in-base64-out output.json
    [12:18] user@host $> cat output.json
    {"Message": "All evaluations were successful against the Deployment Role"}
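The following script is an added example, not Panther's own code, that wraps the three procedures above (deploying the tool stack, the two-step Snowflake credential bootstrap, and the readiness check) so they can be run with input checks in front of each AWS call. Everything that talks to AWS goes through $AWS_CLI so a stub can be substituted, and the helpers that parse responses never call AWS, so they can be exercised against the constructed sample responses embedded at the bottom. Two points are assumptions rather than facts from this page: that the stack needs CAPABILITY_IAM, and that the validate response carries the secret ARN as some JSON string value (its key name is not documented here, so the parser looks for any secretsmanager ARN).

```shell
#!/bin/sh
# Added example (not Panther's code). Wrapper around the deployment,
# Snowflake credential bootstrap and readiness-check steps on this page.

AWS_CLI="${AWS_CLI:-aws}"   # override with a stub for offline testing
TEMPLATE_BUCKET="https://panther-public-cloudformation-templates.s3.us-west-2.amazonaws.com"
SUCCESS_MSG="All evaluations were successful against the Deployment Role"

# --- pure helpers (no AWS calls) -------------------------------------------

# Reject the literal <region> placeholder and obvious typos: the value must
# look like <area>-<direction>-<n>, e.g. us-west-2.
region_ok() {
  case "$1" in
    [a-z][a-z]-[a-z]*-[0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# The template URL for a region, built from the S3 path given on this page.
template_url() {
  region_ok "$1" || return 1
  printf '%s/panther-preflight-tools-%s/latest/template.yml\n' "$TEMPLATE_BUCKET" "$1"
}

# Accept only an https Snowflake login URL with no path, query or userinfo,
# so a mistyped or look-alike host is rejected before it reaches the lambda.
snowflake_host_ok() {
  case "$1" in
    https://*/*|https://*\?*|https://*@*) return 1 ;;
    https://?*.snowflakecomputing.com) return 0 ;;
    *) return 1 ;;
  esac
}

bootstrap_payload() {
  snowflake_host_ok "$1" || return 1
  printf '{"host": "%s"}\n' "$1"
}

validate_payload() { printf '{"validate": true}\n'; }

# Extract a top-level string field from a single-line JSON response file.
json_string_field() {
  sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Pull the Secrets Manager ARN out of the validate response (key name is an
# assumption, so any secretsmanager ARN stored as a string value is accepted).
secret_arn_from_response() {
  arn=$(sed -n 's/.*"\(arn:aws:secretsmanager:[^"]*\)".*/\1/p' "$1" | head -n 1)
  if [ -n "$arn" ]; then printf '%s\n' "$arn"; return 0; fi
  echo "no secretsmanager ARN found in $1" >&2
  return 1
}

# Pass only on the exact success message shown on this page.
readiness_ok() {
  msg=$(json_string_field "$1" "Message")
  if [ "$msg" = "$SUCCESS_MSG" ]; then return 0; fi
  echo "readiness check did not pass cleanly: ${msg:-<no Message field>}" >&2
  return 1
}

# --- AWS-calling wrappers -----------------------------------------------------

deploy_tools_stack() {   # $1 = region; CAPABILITY_IAM is an assumption
  url=$(template_url "$1") || { echo "bad region: $1" >&2; return 1; }
  "$AWS_CLI" cloudformation create-stack --region "$1" \
    --stack-name PantherPreflightToolsStack --template-url "$url" \
    --capabilities CAPABILITY_IAM
}

invoke_bootstrap() {     # $1 = Snowflake login URL, $2 = response file
  payload=$(bootstrap_payload "$1") || { echo "refusing host: $1" >&2; return 1; }
  "$AWS_CLI" lambda invoke --function-name PantherSnowflakeCredentialBootstrap \
    --cli-binary-format raw-in-base64-out --payload "$payload" "$2" > /dev/null
  cat "$2"   # contains the console URL where the secret value is filled in
}

invoke_validate() {      # $1 = response file; prints the validated secret ARN
  "$AWS_CLI" lambda invoke --function-name PantherSnowflakeCredentialBootstrap \
    --cli-binary-format raw-in-base64-out --payload "$(validate_payload)" "$1" > /dev/null \
    && secret_arn_from_response "$1"
}

invoke_readiness() {     # $1 = response file
  "$AWS_CLI" lambda invoke --function-name PantherReadinessCheck \
    --cli-binary-format raw-in-base64-out "$1" > /dev/null && readiness_ok "$1"
}

# --- constructed sample responses so the parsers can be exercised offline ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' '{"arn": "arn:aws:secretsmanager:us-west-2:123456789012:secret:example-AbCdEf"}' \
  > "$SAMPLE_DIR/validate.json"
printf '%s\n' "{\"Message\": \"$SUCCESS_MSG\"}" > "$SAMPLE_DIR/ready.json"
printf '%s\n' '{"Message": "constructed sample: one evaluation failed"}' > "$SAMPLE_DIR/not-ready.json"

if [ "${1:-}" = "--demo" ]; then   # offline walk-through on the samples
  template_url us-west-2
  secret_arn_from_response "$SAMPLE_DIR/validate.json"
  readiness_ok "$SAMPLE_DIR/ready.json" && echo "ready"
fi
```

In a real run you would call deploy_tools_stack, invoke_bootstrap, invoke_validate and invoke_readiness in that order, filling in the secret value in the console between the bootstrap and validate steps as the procedure above describes; the input checks mean a bad region or a non-Snowflake host fails locally instead of producing a confusing lambda error, and readiness_ok fails on anything other than the documented success message so it can gate a deployment pipeline.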
