Setting Up a Cloud Connected Panther Instance
Using the panther-cloud-connected-setup CLI tool
To provision a Panther instance, you will use the panther-cloud-connected-setup CLI tool, in addition to taking manual steps. Read about the tool below, then begin the setup process.
Part of setting up a Cloud Connected Panther instance is running the . The tool performs all its operations from your local machine or within your AWS or Snowflake accounts, and does not share any credentials or information with Panther.
Running this tool:
- Within your AWS account:
  - Deploys the PantherDeploymentRole IAM role
  - Deploys and executes the PantherReadinessCheck pre-deployment tool, which verifies that you are unlikely to encounter deployment issues
  - Registers for SSL certificates for the following subdomains, based on the root domain you provide:
    - <desired panther subdomain>.yourdomain.com
    - *.<desired panther subdomain>.yourdomain.com
  - Provisions Snowflake credentials in your AWS environment, using:
    - (Recommended) A Snowflake account and user named pantheraccountadmin that Panther creates on your behalf
    - (Not recommended) An already created (empty) Snowflake account and pantheraccountadmin user you provide, created according to the . This path may appeal to you if you're unable to allow the panther-cloud-connected-setup tool to use a Snowflake user with the . (This user's credentials are never shared with Panther.)
The panther-cloud-connected-setup tool stores state in the panther-cli-state.db file. If the tool does not successfully provision a Panther instance on first run, this file makes re-runs simpler, as it tracks the steps that have already been successfully completed.
This file stores sensitive information. After successfully provisioning a Panther instance, it's recommended to run ./panther-cloud-connected-setup --clean to purge the file, or delete the file from the disk.
- (To have the panther-cloud-connected-setup tool provision a Snowflake account and user for you, which is recommended) You have a Snowflake user that:
- (If you will provide an already created Snowflake account and user, which is not recommended) You have an empty Snowflake account and pantheraccountadmin user created according to the instructions below.
- An IAM user with at least the following permissions:
- You have a custom domain registered.
- Your Panther instance cannot be deployed in an AWS account with existing resources.
Reach out to Panther support to notify them you are deploying a Cloud Connected instance and ask for values for CloudFormationConfig.IdentityAccountId and CloudFormationConfig.OpsAccountId. You will use these values in Step 3.
Create a configuration file locally by copying one of the following templates:
Update the keys' values, following the guidance in the template and taking note of the below:
Run the tool with the following command:
Additional flags that may be useful:
- --verbose: Print verbose logging
- --snowflake-logging: Print verbose Snowflake logging
A successful run of the tool will output a file with account information. Provide this file to Panther support.
Stop here, and wait for Panther to notify you that you may continue.
In your AWS console, navigate to the EC2 service.
Locate the AWS-provided DNS name for your web load balancer:
Navigate to Route53 (or a different DNS service of your choice).
Create a new CNAME record that points your primary subdomain (<your_desired_Panther_subdomain>.<company_name>.com) to this DNS name for your web load balancer.
In EC2, locate the AWS-provided DNS name for the http-ingest-alb load balancer:
Navigate to Route53 (or a different DNS service of your choice).
Create a new CNAME record that points your logs subdomain (logs.<your_desired_Panther_subdomain>.<company_name>.com) to this DNS name for your http-ingest-alb load balancer.
In your AWS console, navigate to the API Gateway service.
Click APIs > Custom domain names.
Click the name of the API subdomain (api.<your_desired_Panther_subdomain>.<company_name>.com).
Navigate to Route53 (or a different DNS service of your choice).
Create a new CNAME record that points your API subdomain (api.<your_desired_Panther_subdomain>.<company_name>.com) to this API Gateway domain name value.
(Optional) Validate the three CNAME records you just created:
To validate that the primary endpoint is working:
In a web browser, navigate to your primary subdomain.
Log in to your Panther Console.
To validate that the HTTP ingest endpoint is working:
Execute the following check-connection command:
pipenv run panther_analysis_tool check-connection --api-host $YOUR_GRAPHQL_ENDPOINT --api-token $YOUR_TOKEN
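The three CNAME records above can also be checked from a workstation before you hand the instance to users. The script below is an added example and is not part of the panther-cloud-connected-setup tool or of Panther's documentation. It assumes the record layout described in the steps above (primary subdomain to the web load balancer, logs. subdomain to http-ingest-alb, api. subdomain to the API Gateway domain name), that dig is installed for live lookups, and that the certificate registered during setup covers both <subdomain>.yourdomain.com and *.<subdomain>.yourdomain.com. The load balancer and API Gateway target names in its main section are constructed sample values; replace them with the names you copied from the AWS console.

```python
"""Post-provisioning DNS and certificate-scope check for the three Panther hostnames.

Added example, not Panther's code. Assumptions:
  * CNAME layout from the guide:
      <sub>.<domain>       -> web load balancer DNS name
      logs.<sub>.<domain>  -> http-ingest-alb DNS name
      api.<sub>.<domain>   -> API Gateway custom domain name
  * the setup tool registered certificates for <sub>.<domain> and *.<sub>.<domain>
  * `dig` is available on PATH for live lookups (a fake lookup can be injected instead)
"""
import subprocess
from typing import Callable, Dict, List, Optional


def panther_hostnames(sub: str, domain: str) -> Dict[str, str]:
    """Map each role to the hostname this guide has you create a CNAME for."""
    base = f"{sub}.{domain}"
    return {"web": base, "ingest": f"logs.{base}", "api": f"api.{base}"}


def dig_cname(host: str) -> Optional[str]:
    """Resolve a CNAME with `dig +short CNAME` (assumes dig is installed).
    Returns the target without its trailing dot, or None if no CNAME exists."""
    out = subprocess.run(["dig", "+short", "CNAME", host],
                         capture_output=True, text=True, check=False).stdout
    targets = [line.strip().rstrip(".") for line in out.splitlines() if line.strip()]
    return targets[0] if targets else None


def check_cnames(expected: Dict[str, str],
                 lookup: Callable[[str], Optional[str]] = dig_cname) -> List[str]:
    """Compare each hostname's CNAME target with the value copied from the AWS console.
    Returns a list of problems; an empty list means all records are correct."""
    problems: List[str] = []
    for host, target in expected.items():
        actual = lookup(host)
        if actual is None:
            problems.append(f"{host}: no CNAME record found")
        elif actual.lower() != target.lower():
            problems.append(f"{host}: CNAME points at {actual}, expected {target}")
    return problems


def hostname_matches(pattern: str, host: str) -> bool:
    """Certificate name matching as in RFC 6125: a leading '*' covers exactly one
    DNS label, so '*.x.example.com' covers 'api.x.example.com' but neither
    'x.example.com' nor 'a.b.x.example.com'."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".x.example.com"
    if not host.endswith(suffix):
        return False
    prefix = host[:-len(suffix)]
    return bool(prefix) and "." not in prefix


def uncovered_hosts(hosts: List[str], cert_sans: List[str]) -> List[str]:
    """Hostnames for which none of the certificate's subject alternative names match."""
    return [h for h in hosts if not any(hostname_matches(san, h) for san in cert_sans)]


if __name__ == "__main__":
    names = panther_hostnames("panther", "example.com")
    # Constructed sample values standing in for the DNS names copied from EC2 / API Gateway.
    expected = {
        names["web"]: "web-123456789.us-east-1.elb.amazonaws.com",
        names["ingest"]: "http-ingest-alb-987654321.us-east-1.elb.amazonaws.com",
        names["api"]: "d-abc123def4.execute-api.us-east-1.amazonaws.com",
    }
    for problem in check_cnames(expected):
        print("DNS:", problem)
    sans = ["panther.example.com", "*.panther.example.com"]
    for host in uncovered_hosts(list(names.values()), sans):
        print("TLS: not covered by the registered certificate:", host)
```

Edit the expected targets, then run the file with python3. An empty problem list means each record resolves to the name you copied; uncovered_hosts confirms that the single-label scope of the *.<subdomain> wildcard covers the logs. and api. names but would not cover a deeper name such as a.b.<subdomain>.yourdomain.com, which is why the guide's three hostnames are all exactly one label below the primary subdomain.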
- Concurrently running builds for ARM/Large environment (or ARM BUILD_GENERAL1_LARGE): Set at 2 or more
- Concurrently running builds for Linux/Large environment (or Linux BUILD_GENERAL1_LARGE): Set at 2 or more
You have a .
- Has the attached.
- The . Before that happens, you may use a user with the ORGADMIN role instead of GLOBALORGADMIN.
- Uses RSA key-pair authentication. If you need to set up an RSA key-pair, follow the .
- Has matching values for NAME and LOGIN_NAME. To verify this, run the following command in a :
Certain Panther features require or higher. .
In your Snowflake organization, create a new, dedicated Snowflake account for Panther using the template below. <YOUR_REGION> should be one of the (and be the same AWS where your Panther instance will eventually be deployed).
This command as well as the first user of the account, who is assigned the ACCOUNTADMIN role. This user will not be provided to Panther. See full syntax guidelines for the CREATE ACCOUNT command .
For additional guidance, see .
You have an .
You are able to provide user credentials (i.e., an ), optionally with a , for either:
(Recommended) The AWS account (or a different IAM user with comparable permissions).
Ability to deploy templates
Ability to create certificates in
Ability to create and invoke
Ability to read/write to
If your AWS organization has and policies at the organization level, it is recommended that you have the ability to update them or create exceptions. These policies may interfere with the CLI tool's actions and prevent successful provisioning.
If you need help registering a custom domain and would like to use AWS as your domain registrar, follow .
In your AWS organization, , if needed. (It is also possible to use an existing empty one.)
If the panther-cloud-connected-setup tool should provision a Snowflake account and user for you:
If you will provide an already created, empty Snowflake account and pantheraccountadmin user:
When entering a value for PantherAccountConfig.Region, use one of the . This region is where your Panther instance will be deployed.
(If you are using ) When entering a value for SnowflakeConfig.NewAccountConfig.SnowflakeEdition, take note that certain Panther features require or higher. .
Learn more about the tool in its .
In the Endpoint Configuration section, copy the API Gateway domain name value.
To validate that the API endpoint is working, make a call using the :
Follow to request the following quota increases:
: Set at 20,000
:
Panther automatically submits a request for your to be increased to 2,000.
Panther on the AWS resources created for your Panther deployment. Follow to activate these tags.
In addition to the Panther-defined tags, you may wish to add on the AWS resources created for your Panther deployment. To do so, reach out to your Panther support team with the list of tag keys and values.