# Cloud Connected Setup Without CLI Tool (Legacy)

## Overview

{% hint style="danger" %}
Do not follow the instructions on this page—instead, follow the [Cloud Connected](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected) and [Setting Up a Cloud Connected Panther Instance instructions](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected/set-up). This page, and its subpages, exist only for historical reference.
{% endhint %}

Under the Cloud Connected deployment model, your organization owns the Snowflake account and AWS account in which your Panther instance is deployed, while Panther manages initial deployments and subsequent upgrades of the platform. Panther performs this work by assuming an IAM role named `PantherDeploymentRole` that you create using a CloudFormation template provided by Panther.

To deploy a Cloud Connected instance of Panther, first verify your organization meets the [Cloud Connected requirements](#cloud-connected-requirements), then follow the instructions in [How to configure your Cloud Connected account](#how-to-configure-your-cloud-connected-account). Cloud Connected instances can be deployed in [any of these supported AWS regions](https://docs.panther.com/system-configuration/panther-deployment-types/..#supported-aws-regions).

When a Cloud Connected instance is deployed, Panther monitors itself by automatically ingesting the audit logs produced by your AWS account. This allows you to monitor actions taken by the `PantherDeploymentRole`, as well as by any other IAM role.
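As an added illustration (not Panther's own code or detection API), the sketch below shows one way to review such audit logs for `PantherDeploymentRole` activity. It assumes the records follow the standard CloudTrail layout (`userIdentity`, `sessionContext.sessionIssuer`, `requestParameters.roleArn`); the helper names, account IDs and sample records are constructed for the example.

```python
from collections import Counter

ROLE_NAME = "PantherDeploymentRole"  # role name taken from this page

def _ev(time, source, name, identity, params=None, error=None):  # minimal CloudTrail-shaped record
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": identity, "requestParameters": params, "errorCode": error}

def _session(role, session):  # assumed-role userIdentity; the account ID is made up
    arn = f"arn:aws:sts::111122223333:assumed-role/{role}/{session}"
    return {"type": "AssumedRole", "arn": arn,
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": role}}}

SAMPLE_EVENTS = [  # constructed for illustration, not real log data
    _ev("2024-01-01T10:00:00Z", "sts.amazonaws.com", "AssumeRole",
        {"type": "AWSAccount", "accountId": "444455556666"},
        {"roleArn": f"arn:aws:iam::111122223333:role/{ROLE_NAME}"}),
    _ev("2024-01-01T10:00:05Z", "cloudformation.amazonaws.com", "UpdateStack",
        _session(ROLE_NAME, "deploy")),
    _ev("2024-01-01T10:00:09Z", "iam.amazonaws.com", "CreateUser",
        _session(ROLE_NAME, "deploy"), error="AccessDenied"),
    _ev("2024-01-01T10:01:00Z", "s3.amazonaws.com", "PutObject",
        _session(ROLE_NAME + "Backup", "job")),  # look-alike role name, must not match
]

def acted_as_role(event):
    """True when the caller is an assumed-role session issued by ROLE_NAME (exact match)."""
    identity = event.get("userIdentity") or {}
    issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
    return identity.get("type") == "AssumedRole" and issuer.get("userName") == ROLE_NAME

def assumes_role(event):
    """True for sts:AssumeRole calls whose target role is ROLE_NAME."""
    arn = (event.get("requestParameters") or {}).get("roleArn", "")
    is_call = (event.get("eventSource"), event.get("eventName")) == ("sts.amazonaws.com", "AssumeRole")
    return is_call and ":role/" in arn and arn.rsplit("/", 1)[-1] == ROLE_NAME

def summarize(events):
    """Report who assumed the role, what its sessions did, and which calls failed."""
    report = {"assumed_by": [], "actions": Counter(), "failed": []}
    for ev in events:
        if assumes_role(ev):
            caller = (ev.get("userIdentity") or {}).get("accountId")
            report["assumed_by"].append((ev["eventTime"], caller))
        if acted_as_role(ev):
            call = f'{ev["eventSource"].split(".")[0]}:{ev["eventName"]}'
            report["actions"][call] += 1
            if ev.get("errorCode"):
                report["failed"].append((ev["eventTime"], call, ev["errorCode"]))
    return report
```

Calling `summarize(SAMPLE_EVENTS)` returns the accounts that assumed the role, a count of each API call made by its sessions, and any of those calls that returned an error.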

Learn about Panther's other deployment models on [Panther Deployment Types](https://docs.panther.com/system-configuration/panther-deployment-types).

{% hint style="warning" %}
Aside from the modifications in AWS you are asked to make as part of the Cloud Connected [setup process](#configuring-your-cloud-connected-account), it is highly discouraged to make any additional changes to the AWS account your Panther infrastructure resides in, including creating additional resources (such as [Data Transport](https://docs.panther.com/data-onboarding/data-transports) sources) and/or updating any permissions. Such changes may interfere with Panther's automation software.
{% endhint %}

## Cloud Connected requirements

In order to deploy a Cloud Connected instance of Panther, you must meet the following criteria.

You must have:

* A custom domain registered.
  * If you need help registering a custom domain and would like to use AWS as your domain registrar, follow [this Amazon Route 53 documentation](https://aws.amazon.com/getting-started/hands-on/get-a-domain/).
* A [Snowflake organization](https://docs.snowflake.com/en/user-guide/organizations), in which you can create a new or empty Snowflake account
  * Certain Panther features require [Snowflake Enterprise](https://docs.snowflake.com/en/user-guide/intro-editions) or higher. [Learn more here](https://github.com/panther-labs/panther-docs/blob/main/docs/gitbook/system-configuration/panther-deployment-types/legacy-configurations/cloud-connected-setup-without-cli-tool-legacy/broken-reference/README.md).
* An [AWS organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html), in which you can create a new or empty AWS account (and deploy resources in the same region as the Snowflake account)

You must have the ability to:

* Manually create [ACM Certificates](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html) and DNS records for certain Panther endpoints
* Deploy [CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) templates
* Create exceptions to [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) [Service Control Policies (SCP)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html)
* Create and invoke a [Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) function
* Read and write in [Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html)

## How to configure your Cloud Connected account

To deploy a Cloud Connected instance of Panther, follow the instructions on the pages below:

1. [Configuring Snowflake for Cloud Connected](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/cloud-connected-setup-without-cli-tool-legacy/configuring-snowflake-for-cloud-connected-legacy)
2. [Configuring AWS for Cloud Connected](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/cloud-connected-setup-without-cli-tool-legacy/configuring-aws-for-cloud-connected-legacy)

These steps are summarized at a high level in the diagram below:

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-0183ef2a4ae65376a40dd48daed9d27aba4655de%2Fimage.png?alt=media" alt="A flow diagram is shown with sections for Snowflake, AWS, and Panther. Various actions are described in rectangular shapes, such as &#x22;Create Snowflake account and user&#x22; and &#x22;Create ACM certificates.&#x22;"><figcaption></figcaption></figure>

## Cloud Connected deployment monitoring

### Monitoring your Panther AWS costs

You can monitor your Panther-related spend in AWS by using the [AWS Cost Explorer](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-what-is.html).

1. If you have not already, [enable Cost Explorer](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-enable.html).
2. View the [Cost Explorer chart](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-chart.html) to explore usage and cost amounts.
   * Use the **Filter** and **Group by** fields to narrow your search to certain services, tag names, and/or usage types.
   * Learn more about Panther and customer-defined [AWS resource tags below](#using-aws-resource-tags).

### How Panther monitors your Cloud Connected deployment

In order to provide a SaaS-like experience, Panther monitors Cloud Connected deployments using the following tools:

* [Datadog](https://www.datadoghq.com/) for metrics and system logs
* [Sentry](https://sentry.io/) for alerting on errors
* [Pendo](https://www.pendo.io/) for user and product analytics

## Using AWS resource tags

### Panther-defined tags on AWS resources

Panther defines tags on your AWS resources, which may be useful in cost analysis. In order for them to be used, you must first [activate them](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/activating-tags.html).

Panther defines the following tags on your AWS resources:

* `panther:app`
* `panther:resource`
* `panther:subsystem`
* `panther:version`

### Custom tags on AWS resources

It's possible to add custom tags to your AWS resources, if you would like. Doing so may aid in your billing analysis.

To add custom tags, reach out to your Panther support team with the list of tag keys and values.

## Decommissioning a Cloud Connected Panther deployment

If you need to decommission a Panther deployment, you can simply terminate the AWS and Snowflake accounts. If you'd like to retain your Snowflake data, you can preserve that account while terminating the AWS account.
