Cloud Connected Setup Without CLI Tool (Legacy)

Overview

Under the Cloud Connected deployment model, your organization owns the Snowflake account and AWS account in which your Panther instance is deployed, while Panther manages initial deployments and subsequent upgrades of the platform. Panther performs this work by assuming an IAM role named PantherDeploymentRole that you create using a CloudFormation template provided by Panther.

To deploy a Cloud Connected instance of Panther, first verify your organization meets the Cloud Connected requirements, then follow the instructions in How to configure your Cloud Connected account. Cloud Connected instances can be deployed in any of these supported AWS regions.

When a Cloud Connected instance is deployed, Panther will self-monitor itself by automatically ingesting audit logs produced by your AWS account. This allows you to monitor actions taken by the PantherDeploymentRole, as well as any other IAM role.

Learn about Panther's other deployment models on Panther Deployment Types.

Cloud Connected requirements

In order to deploy a Cloud Connected instance of Panther, you must meet the following criteria.

You must have:

• A custom domain registered.

  • If you need help registering a custom domain and would like to use AWS as your domain registrar, follow this Amazon Route 53 documentation.

• A Snowflake organization, in which you can create a new or empty Snowflake account

  • Certain Panther features require Snowflake Enterprise or higher. Learn more here.

• An AWS organization, in which you can create a new or empty AWS account (and deploy resources in the same region as the Snowflake account)

You must have the ability to:

• Manually create ACM Certificates and DNS records for certain Panther endpoints

• Deploy CloudFormation templates

• Create exceptions to AWS Organizations Service Control Policies (SCP)

• Create and invoke a Lambda function

• Read and write in Secrets Manager

How to configure your Cloud Connected account

To deploy a Cloud Connected instance of Panther, follow the instructions on the below pages:

1. Configuring Snowflake for Cloud Connected

2. Configuring AWS for Cloud Connected

These steps are summarized on a high-level in the diagram below:

Cloud Connected deployment monitoring

Monitoring your Panther AWS costs

You can monitor your Panther-related spend in AWS by using the AWS Cost Explorer.

1. If you have not already, enable Cost Explorer.

2. View the Cost Explorer chart to explore usage and cost amounts.

   • Use the Filter and Group by fields to narrow your search to certain services, tag names, and/or usage types.

   • Learn more about Panther and customer-defined AWS resource tags below.

How Panther monitors your Cloud Connected deployment

In order to provide a SaaS-like experience, Panther monitors Cloud Connected deployments using the following tools:

• Datadog for metrics and system logs

• Sentry for alerting on errors

• Pendo for user and product analytics

Using AWS resource tags

Panther-defined tags on AWS resources

Panther defines tags on your AWS resources, which may be useful in cost analysis. In order for them to be used, you must first activate them.

Panther defines the following tags on your AWS resources:

• panther:app

• panther:resource

• panther:subsystem

• panther:version

Custom tags on AWS resources

It's possible to add custom tags to your AWS resources, if you would like. Doing so may aid in your billing analysis.

To add custom tags, reach out to your Panther support team with the list of tag keys and values.

Decommissioning a Cloud Connected Panther deployment

If you need to decommission a Panther deployment, you can simply terminate the AWS and Snowflake accounts. If you'd like to retain you Snowflake data, you can preserve that account while terminating the AWS account.