Pre-Deployment Tools (Legacy)

Overview

Do not follow the instructions on this page—instead, follow the Cloud Connected and Setting Up a Cloud Connected Panther Instance instructions. This page exists only for historical reference.

Panther offers a set of tools for organizations deploying a Cloud Connected Panther instance:

Readiness checker tool: This tool runs a simulation of the actions defined by the deployment role against the AWS account to identify organizational policies that may collide with the Panther deployment and require further review. It also verifies that your AWS account has Amazon S3 Select enabled.
- A successful run of this tool is a strong indicator that you are unlikely to encounter IAM or S3 Select-related deployment issues, and can streamline the deployment process from Panther's end.
Snowflake credential bootstrap tool: This tool aids in storing your Snowflake credentials inside your AWS account before the first deployment of Panther infrastructure in AWS (including the initial configuration of Snowflake). This allows for the following benefits:
- You can avoid an escape of credentials from the AWS account, including any human handoff with Panther employees.
- Credentials can be validated early on in the setup process for accuracy.

These are distributed as a collection of lambda functions defined as CloudFormation templates built using AWS SAM. The source for these utilities is in this panther-auxiliary GitHub repository.

Deploying the tool set

Prerequisites

The PantherDeploymentRole CloudFormation stack must be already deployed.
- You should have completed this in Step 3 of the Configuring AWS for Cloud Connected process.

Deploying the pre-deployment tools CloudFormation template

Construct the S3 URL where the CloudFormation template is stored by replacing <region> in the URL below with the region you intend to deploy Panther in: https://panther-public-cloudformation-templates.s3.us-west-2.amazonaws.com/panther-preflight-tools-<region>/latest/template.yml
Deploy the template using the S3 URL you constructed. See the CloudFormation documentation for instructions on how to create a CloudFormation stack from a template either using the CloudFormation console or using the AWS CLI.
- Select the AWS region that thePantherDeploymentRoleand Snowflake account reside in.
- For the stack name, we recommend using PantherPreflightToolsStack, for consistency with the contents.
- There are no parameters to configure in this stack.

Using the readiness checker tool

Invoking the readiness check does not require a payload. It can be invoked either in the AWS CLI or AWS console.

Invoking in the AWS console:

In an authenticated session of the AWS console, navigate to the test page of the PantherReadinessCheck lambda utility: https://console.aws.amazon.com/lambda/home#/functions/PantherReadinessCheck?tab=testing
In the Event Name field, provide a name.
In the Event JSON field, enter an empty payload.
In the upper-right corner, click Test.
When the test is complete, click the Details dropdown to see the results.
- Do not proceed until you have a successful run. If you are having trouble successfully running this tool, reach out to the Panther Support team.

Invoking on the command line with the aws CLI:

Run the following:

  aws lambda invoke --function-name "PantherReadinessCheck"\
  --cli-binary-format raw-in-base64-out output.json

In this example, the result will end up in the output.json:

[12:18] user@host $> aws lambda invoke --function-name "PantherReadinessCheck" --cli-binary-format raw-in-base64-out output.json
[12:18] user@host $> cat output.json
{"Message": "All evaluations were successful against the Deployment Role"}

Do not proceed until you have a successful run. If you are having trouble successfully running this tool, reach out to the Panther Support team.

Reasons for readiness checker failure

If your readiness checker run fails, it may be due to one of the reasons below.

Service control policy

If the output of the command is Some evaluations were not allowed! with a list of failing actions, update your organizational service control policy (SCP) to allow thePantherDeploymentRole to perform the necessary actions to ensure successful deployment.

Control Tower Guardrails

You may have an AWS Control Tower Guardrails policy blocking your deployment.

Amazon S3 Select is not enabled

If the output from the command includes "s3_select_enabled": false, please reach out to the Panther Support team. Panther will work with AWS to enable Amazon S3 Select for your account.

Using the Snowflake credential bootstrap tool

To use the tool, you will run the PantherSnowflakeCredentialBootstrap lambda twice, with a step in between. The first lambda run seeds the secret into the AWS account—its output will direct you to a page in AWS where you can modify the secret to add credentials. The second lambda run verifies connectivity with the newly created secret against the Snowflake account, and yields the ARN of the new, validated secret.

In your AWS console, navigate to the Lambda service.
- Ensure you are working in the same region your Snowflake account is deployed in.
Find your PantherSnowflakeCredentialBootstrap lambda.
Click the Test tab.
In Test event action ensure Create new event is selected.
In the Event name field, provide a name.
In the Event JSON editor, replace its contents with a single key/value pair, where the key is host and the value is your Snowflake account URL:
```
{
    "host": "<org-name>-<account-name>.snowflakecomputing.com"
}
```
In the upper-right corner, click Test.
When the test is complete (and has run successfully), click the Details dropdown to see the results.
Copy the outputted URL, and open it in a new browser tab.
Modify the secret:
1. On the Secret value tile, click Retrieve secret value.
2. Click Edit.
3. Update the value of the password key with the password for your pantheraccountadmin Snowflake user.
4. Click Save.
Return to the browser tab open to your PantherSnowflakeCredentialBootstrap lambda.
Still in the Test tab, in the Event JSON editor, update the event to:
```
{
    "validate": "true"
}
```
In the upper-right corner, click Test.
- The response to this call, if successful, will include the ARN of the newly created secret.
Save the outputted ARN value in a secure location, as you will need to provide it to your Panther support team in a later step.

PreviousConfiguring AWS for Cloud Connected (Legacy)NextSnowflake Connected (Legacy)

Last updated 17 hours ago

Was this helpful?