# Configuring AWS for Cloud Connected (Legacy)

## Overview

{% hint style="danger" %}
Do not follow the instructions on this page—instead, follow the [Cloud Connected](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected) and [Setting Up a Cloud Connected Panther Instance instructions](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected/set-up). This page exists only for historical reference.
{% endhint %}

A [Cloud Connected](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected) deployment of Panther means that your organization owns the Snowflake account and the AWS account in which Panther is deployed, and Panther performs deployment upgrades of the platform.

After your Panther deployment is complete, you can [monitor your Panther-related AWS costs](https://docs.panther.com/system-configuration/cloud-connected#monitoring-your-panther-aws-costs).

{% hint style="warning" %}
The instructions on this page are for setting up a *new* Cloud Connected deployment. If you would like to convert an existing [Panther-hosted (SaaS)](https://docs.panther.com/system-configuration/panther-deployment-types/..#saas) instance to a Cloud Connected deployment, do not follow these steps; instead, reach out to your Panther Support team to initiate the conversion.
{% endhint %}

## How to prepare for your initial Cloud Connected deployment

### Prerequisites

* Create a Snowflake account (within your Snowflake organization) to be used with your Panther deployment: see the instructions on [Configuring Snowflake for Cloud Connected](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/cloud-connected-setup-without-cli-tool-legacy/configuring-snowflake-for-cloud-connected-legacy).
  * If you already have a Snowflake instance, take note of the configuration recommendations on [Snowflake Configuration for Optimal Search Performance](https://docs.panther.com/search/backend/snowflake/configuration).

### Step 1: Create a new AWS account

* Create a new AWS account, if needed. (It is also possible to use an existing empty one.)

{% hint style="warning" %}
Your Panther instance cannot be deployed in an AWS account with existing resources.
{% endhint %}

### Step 2: Exchange information with Panther Support

Reach out to the Panther Support team, and:

* Provide the following values:
  * Your AWS account ID
  * Your Snowflake region
* Request values for the following three parameters for the `PantherDeploymentRole` template:
  * `DeploymentRoleName`
  * `IdentityAccountId`
  * `OpsAccountId`

If you are deploying more than one instance of Panther, the `PantherDeploymentRole` parameter values do not change.

Panther will use your AWS account ID and Snowflake region to make a request to AWS to enable [Amazon S3 Select](https://docs.aws.amazon.com/AmazonS3/latest/userguide/selecting-content-from-objects.html) for your account. In the meantime, you may proceed with this deployment process, but you will not be able to pass [Step 5](#step-5-run-the-readiness-checker-tool) (i.e., have a successful run of the readiness checker tool) until the request has been fulfilled.

### Step 3: Deploy the `PantherDeploymentRole`

* In the same region your Snowflake account is in, deploy the `panther-deployment-role` CloudFormation template [found at this link](https://panther-public-cloudformation-templates.s3.us-west-2.amazonaws.com/panther-deployment-role/latest/template.yml). Panther will assume this IAM role to perform upgrades.
  * Use the values for the three template parameters (`DeploymentRoleName`, `IdentityAccountId`, and `OpsAccountId`) provided by Panther in [Step 2](#step-2-exchange-information-with-panther-support).
  * It's recommended to name the stack `PantherDeploymentRoleStack`.
  * See the CloudFormation documentation for instructions on how to create a CloudFormation stack from a template either [using the CloudFormation console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-create-stack.html) or [using the AWS CLI](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-cli-creating-stack.html).

{% hint style="warning" %}
Reminder: The stack must be created in the same region your Snowflake account is in.
{% endhint %}
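The following is an added example, not Panther's own tooling, of performing this step with the AWS CLI. It derives the AWS region from the Snowflake region identifier, checks that the two account-ID parameters are well-formed, and only then builds and runs `aws cloudformation create-stack` against the template URL above. The template URL and stack name are the ones on this page; `DeploymentRoleName`, `IdentityAccountId` and `OpsAccountId` are the values Panther Support gives you (shown as environment-variable placeholders). Two assumptions: the Snowflake region identifier has the form `AWS_US_WEST_2` (what Snowflake's `CURRENT_REGION()` returns), and `CAPABILITY_NAMED_IAM` is required because the template creates a named IAM role.

```shell
#!/bin/sh
# Added example, not Panther's own tooling: deploy the panther-deployment-role
# stack from Step 3 with the AWS CLI after checking the inputs. The template
# URL and stack name are from the page; DeploymentRoleName, IdentityAccountId
# and OpsAccountId are the values Panther Support gives you (placeholders).
# Assumptions: the Snowflake region identifier has the form AWS_US_WEST_2, and
# CAPABILITY_NAMED_IAM is needed because the template creates a named IAM role.
set -eu

TEMPLATE_URL="https://panther-public-cloudformation-templates.s3.us-west-2.amazonaws.com/panther-deployment-role/latest/template.yml"
STACK_NAME="PantherDeploymentRoleStack"

# AWS_US_WEST_2 -> us-west-2, so the stack lands in the same region as Snowflake.
snowflake_region_to_aws() {
  printf '%s' "$1" | sed -e 's/^AWS_//' \
    -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ_/abcdefghijklmnopqrstuvwxyz-/'
}

# An AWS account ID is exactly 12 decimal digits.
is_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the create-stack command, or fail (printing nothing) on a bad input.
build_create_stack_cmd() {
  snowflake_region=$1 role_name=$2 identity_acct=$3 ops_acct=$4
  region=$(snowflake_region_to_aws "$snowflake_region")
  [ -n "$role_name" ] || { echo "DeploymentRoleName is empty" >&2; return 1; }
  is_account_id "$identity_acct" || { echo "IdentityAccountId must be 12 digits" >&2; return 1; }
  is_account_id "$ops_acct" || { echo "OpsAccountId must be 12 digits" >&2; return 1; }
  printf 'aws cloudformation create-stack --region %s --stack-name %s --template-url %s --capabilities CAPABILITY_NAMED_IAM --parameters ParameterKey=DeploymentRoleName,ParameterValue=%s ParameterKey=IdentityAccountId,ParameterValue=%s ParameterKey=OpsAccountId,ParameterValue=%s\n' \
    "$region" "$STACK_NAME" "$TEMPLATE_URL" "$role_name" "$identity_acct" "$ops_acct"
}

# Only when invoked as "./deploy-role.sh deploy": run the command and block
# until CloudFormation reports the stack created.
if [ "${1:-}" = "deploy" ]; then
  cmd=$(build_create_stack_cmd "$SNOWFLAKE_REGION" "$DEPLOYMENT_ROLE_NAME" \
    "$IDENTITY_ACCOUNT_ID" "$OPS_ACCOUNT_ID")
  echo "$cmd"
  eval "$cmd"
  aws cloudformation wait stack-create-complete \
    --region "$(snowflake_region_to_aws "$SNOWFLAKE_REGION")" --stack-name "$STACK_NAME"
fi
```

Export `SNOWFLAKE_REGION`, `DEPLOYMENT_ROLE_NAME`, `IDENTITY_ACCOUNT_ID` and `OPS_ACCOUNT_ID`, then run the script with `deploy`. Building the command in a function and validating before running means a mistyped account ID fails locally instead of producing a role that trusts the wrong account.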

### Step 4: Deploy the pre-deployment tools

* Follow the instructions in [Deploying the tool set](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/pre-deployment-tools-legacy#deploying-the-tool-set).

### Step 5: Run the readiness checker tool

* Follow the instructions in [Using the readiness checker tool](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/pre-deployment-tools-legacy#using-the-readiness-checker-tool).
  * Before proceeding, ensure you have a successful run.

### Step 6: Connect Snowflake credentials to the AWS account

* Follow the instructions in [Using the Snowflake credential bootstrap tool](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/pre-deployment-tools-legacy#using-the-snowflake-credential-bootstrap-tool).
  * You will need your Snowflake account URL, as well as the password for the `pantheraccountadmin` user you created.

{% hint style="info" %}
Save the Snowflake secret ARN the tool outputs, as you will need to provide it to Panther in [Step 8](#step-8-provide-values-to-panther).
{% endhint %}

### Step 7: Create ACM certificates

1. In the same region your Snowflake account is in, follow the AWS Certificate Manager (ACM) [Requesting a public certificate documentation](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) to request a single certificate for two subdomains of the domain [you have already registered](https://docs.panther.com/system-configuration/cloud-connected#cloud-connected-requirements):
   * `<your_desired_Panther_subdomain>.<domain_name>.com`
   * `*.<your_desired_Panther_subdomain>.<domain_name>.com`
2. (If your deployment region is not `us-east-1`) In `us-east-1`, follow the same [Requesting a public certificate documentation](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) to request a certificate for:
   * `*.<your_desired_Panther_subdomain>.<domain_name>.com`
3. Make note of the certificate ARNs ACM outputs, as you will need to provide them to Panther in the next step.
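As an added example, not Panther's own tooling, the same two certificate requests with the AWS CLI. The subdomain label, domain and deployment region are placeholders; the name lists match the bullets above (primary name plus wildcard in the deployment region, wildcard only in `us-east-1`, and the second request is skipped when the deployment region already is `us-east-1`). DNS validation is an assumption, chosen because ACM can then renew the certificates without manual steps. After each request the script prints the validation records ACM expects to find in DNS, since the certificate stays pending until they exist.

```shell
#!/bin/sh
# Added example, not Panther's own tooling: request the Step 7 ACM certificates
# with the AWS CLI. PANTHER_SUBDOMAIN, DOMAIN and REGION are placeholders.
# DNS validation is an assumption (it allows automatic renewal).
set -eu

primary_fqdn()  { printf '%s.%s' "$1" "$2"; }
wildcard_fqdn() { printf '*.%s.%s' "$1" "$2"; }

# Deployment-region certificate: primary name as subject, wildcard as a SAN.
# The wildcard is single-quoted so the shell does not glob-expand it.
build_primary_cert_cmd() {
  sub=$1 domain=$2 region=$3
  printf "aws acm request-certificate --region %s --validation-method DNS --domain-name %s --subject-alternative-names '%s'\n" \
    "$region" "$(primary_fqdn "$sub" "$domain")" "$(wildcard_fqdn "$sub" "$domain")"
}

# us-east-1 certificate for the wildcard only; prints nothing when the
# deployment region already is us-east-1, as the page only asks for it otherwise.
build_us_east_1_cert_cmd() {
  sub=$1 domain=$2 region=$3
  [ "$region" != "us-east-1" ] || return 0
  printf "aws acm request-certificate --region us-east-1 --validation-method DNS --domain-name '%s'\n" \
    "$(wildcard_fqdn "$sub" "$domain")"
}

# Run one request command, print the ARN to save for Step 8, then show the
# CNAME validation records to create in DNS (ACM may take a few seconds to
# populate them after the request).
request_and_show() {
  region=$1 cmd=$2
  [ -n "$cmd" ] || return 0
  echo "$cmd"
  arn=$(eval "$cmd" --query CertificateArn --output text)
  echo "Certificate ARN (save for Step 8): $arn"
  aws acm describe-certificate --region "$region" --certificate-arn "$arn" \
    --query 'Certificate.DomainValidationOptions[].ResourceRecord' --output table
}

# Only when invoked with "request".
if [ "${1:-}" = "request" ]; then
  request_and_show "$REGION" "$(build_primary_cert_cmd "$PANTHER_SUBDOMAIN" "$DOMAIN" "$REGION")"
  request_and_show us-east-1 "$(build_us_east_1_cert_cmd "$PANTHER_SUBDOMAIN" "$DOMAIN" "$REGION")"
fi
```

Create the printed validation CNAMEs in the same DNS zone you will use in Step 9; ACM issues each certificate once it can resolve them.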

### Step 8: Provide values to Panther

Provide the following information about your infrastructure to your Panther support team:

* Desired Panther account name
  * This will be visible in your Panther Console as **Company Name**.
* Snowflake secret ARN
  * You generated this in [Step 6](#step-6-connect-snowflake-credentials-to-the-aws-account), above.
* Panther subdomain
  * You used this in [Step 7](#step-7-create-acm-certificates), above.
* ARNs of all ACM certificates you requested in [Step 7](#step-7-create-acm-certificates), above.
* [AWS account ID](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html#ViewYourAWSId)
* Snowflake region
* [Snowflake edition](https://docs.snowflake.com/en/user-guide/intro-editions)
* For your initial Panther user:
  * First name
  * Last name
  * Email address

{% hint style="warning" %}
Please stop here, and wait for Panther to notify you that you can continue.
{% endhint %}

### Step 9: Create your CNAME records

1. In your AWS console, navigate to the EC2 service.
2. Locate the AWS-provided DNS name for your `web` load balancer:

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-b08195ffc41b09fc60dd817d7c5bebefd5fc5306%2Fweb%20alb.png?alt=media" alt=""><figcaption></figcaption></figure>

   1. Navigate to Route53 (or a different DNS service of your choice).
   2. Create a new CNAME record that points your primary subdomain (`<your_desired_Panther_subdomain>.<domain_name>.com`) to this DNS name for your `web` load balancer.
3. In EC2, locate the AWS-provided DNS name for the `http-ingest-alb` load balancer:

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-a4753d273f3f1542ebcd2ea1f50f5c455f8fbb09%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

   1. Navigate to Route53 (or a different DNS service of your choice).
   2. Create a new CNAME record that points your logs subdomain (`logs.<your_desired_Panther_subdomain>.<domain_name>.com`) to this DNS name for your `http-ingest-alb` load balancer.
4. In your AWS console, navigate to the API Gateway service.
5. Click **APIs** > **Custom domain names**.
6. Click the name of the API subdomain (`api.<your_desired_Panther_subdomain>.<domain_name>.com`).
7. In the **Endpoint Configuration** section, copy the **API Gateway domain name** value.\
   ![Under an "Endpoint configuration" header, a field titled "API Gateway domain name" is circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-d7536ffa4822228f8bc4ebbfcfc4aa62f94db2a2%2FScreenshot%202024-11-14%20at%202.07.13%E2%80%AFPM.png?alt=media)
   1. Navigate to Route53 (or a different DNS service of your choice).
   2. Create a new CNAME record that points your API subdomain (`api.<your_desired_Panther_subdomain>.<domain_name>.com`) to this **API Gateway domain name** value.
8. (Optional) Validate the three CNAME records you just created:
   * To validate that the primary endpoint is working:
     1. In a web browser, navigate to your primary subdomain.
     2. Log in to your Panther Console.
   * To validate that the HTTP ingest endpoint is working:
     * [Set up an HTTP Source in Panther by following these instructions](https://docs.panther.com/data-onboarding/data-transports/http#how-to-set-up-an-http-log-source-in-panther).
   * To validate that the API endpoint is working, make a call using the [Panther Analysis Tool (PAT)](https://docs.panther.com/panther-developer-workflows/detections-repo/pat):
     1. [Create an API token](https://docs.panther.com/panther-developer-workflows/api#how-to-create-a-panther-api-token).
     2. [Identify your GraphQL API endpoint](https://docs.panther.com/panther-developer-workflows/api/graphql#step-1-identify-your-panther-graphql-api-url).
     3. Execute the following `check-connection` command:\
        `pipenv run panther_analysis_tool check-connection --api-host $YOUR_GRAPHQL_ENDPOINT --api-token $YOUR_TOKEN`
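For organizations using Route 53, the following added example (not Panther's own tooling) creates the three CNAME records from this step in one change batch and then asks Route 53 directly what it answers for each name, so a typo is caught before you try to log in. The two load-balancer DNS names and the API Gateway domain name are the values copied from the console as described above; the hosted zone ID, subdomain and domain are placeholders. `UPSERT` and a 300-second TTL are choices made here, not values from the page.

```shell
#!/bin/sh
# Added example, not Panther's own tooling: create the Step 9 CNAME records in
# Route 53 as one change batch and confirm the answers. ZONE_ID,
# PANTHER_SUBDOMAIN, DOMAIN, WEB_ALB_DNS, INGEST_ALB_DNS and APIGW_DOMAIN are
# placeholders; UPSERT and TTL 300 are my choices.
set -eu

# One UPSERT change for a CNAME record.
cname_change() {
  name=$1 target=$2
  printf '{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":300,"ResourceRecords":[{"Value":"%s"}]}}' \
    "$name" "$target"
}

# The full change batch: primary -> web ALB, logs -> http-ingest ALB,
# api -> API Gateway domain name.
build_change_batch() {
  sub=$1 domain=$2 web_alb=$3 ingest_alb=$4 apigw=$5
  base="$sub.$domain"
  printf '{"Comment":"Panther Cloud Connected endpoints","Changes":[%s,%s,%s]}\n' \
    "$(cname_change "$base" "$web_alb")" \
    "$(cname_change "logs.$base" "$ingest_alb")" \
    "$(cname_change "api.$base" "$apigw")"
}

# Ask Route 53 itself what it answers for a name, bypassing resolver caches.
show_answer() {
  aws route53 test-dns-answer --hosted-zone-id "$1" --record-name "$2" \
    --record-type CNAME --query 'RecordData' --output text
}

# Only when invoked with "apply": submit the batch, wait until all Route 53
# name servers serve it, then print each answer.
if [ "${1:-}" = "apply" ]; then
  batch=$(mktemp)
  build_change_batch "$PANTHER_SUBDOMAIN" "$DOMAIN" "$WEB_ALB_DNS" "$INGEST_ALB_DNS" "$APIGW_DOMAIN" > "$batch"
  change_id=$(aws route53 change-resource-record-sets --hosted-zone-id "$ZONE_ID" \
    --change-batch "file://$batch" --query 'ChangeInfo.Id' --output text)
  aws route53 wait resource-record-sets-changed --id "$change_id"
  for name in "$PANTHER_SUBDOMAIN.$DOMAIN" "logs.$PANTHER_SUBDOMAIN.$DOMAIN" "api.$PANTHER_SUBDOMAIN.$DOMAIN"; do
    echo "$name -> $(show_answer "$ZONE_ID" "$name")"
  done
  rm -f "$batch"
fi
```

The printed answers should be exactly the three target names you copied from the EC2 and API Gateway consoles; if one differs, correct the record before moving on to the validations listed above.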

### Step 10: Request API Gateway and CodeBuild quota increases

* Follow [this AWS documentation](https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html) to request the following quota increases:
  * [API Gateway throttle quota](https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html#apigateway-account-level-limits-table): Set at 20,000
  * [CodeBuild](https://docs.aws.amazon.com/codebuild/latest/userguide/limits.html):
    * Concurrently running builds for ARM/Large environment (or `ARM BUILD_GENERAL1_LARGE`): Set at 2 or more
    * Concurrently running builds for Linux/Large environment (or `Linux BUILD_GENERAL1_LARGE`): Set at 2 or more

Panther automatically submits a request for your [Lambda concurrent executions quota](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-limits.html#compute-and-storage) to be increased to 2,000.

## After your initial Cloud Connected deployment

### Step 1 (recommended): Activate Panther-defined tags on AWS resources

* Panther [defines these tags](https://docs.panther.com/system-configuration/cloud-connected#panther-defined-tags-on-aws-resources) on the AWS resources created for your Panther deployment. Follow [this AWS documentation](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/activating-tags.html) to activate these tags.

### Step 2 (optional): Provide Panther your custom tags for AWS resources

* In addition to the Panther-defined tags, you may wish to add [your own custom tags](https://docs.panther.com/system-configuration/cloud-connected#custom-tags-on-aws-resources) on the AWS resources created for your Panther deployment. To do so, reach out to your Panther support team with the list of tag keys and values.
