PantherDeploymentRole template that creates an IAM role with relatively least-privilege access configured for deploying Panther. Note that this role has the ability to create arbitrary IAM entities, so privilege escalation is trivial. Panther needs this permission to create the least-privilege roles used by the Panther application itself, but the PantherDeploymentRole should be treated as a sensitive administrator role.
s3:SetBucketEncryption, and SCPs relating to the KMS service.
PantherAuditRole) has been removed from the account before deploying Panther, as namespace conflicts may cause deployments to fail.
PantherDeploymentRole to deploy Panther, be sure to name the root stack something with a panther- prefix. The name of the root stack will be prepended to any resources created by the stack, and the PantherDeploymentRole limits its access in part by restricting its permissions to only affect resources that start with the name
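To make the naming requirement concrete, here is an added example (not Panther's code, and not the real PantherDeploymentRole policy) that models a prefix-scoped Allow statement and evaluates whether a given root stack name would be deployable under it. The statement, ARNs, account id and stack id are constructed for illustration. The IAM wildcard semantics it encodes are real (a `*` spans `:` and `/`, action names are case-insensitive, ARNs are case-sensitive), but the evaluator is deliberately simplified: it ignores Deny, NotAction and Condition.

```python
"""Why the root stack name must carry the panther prefix.

Added example, not Panther's own code or policy. SCOPED_STATEMENT is an
illustrative stand-in for how a deployment role can be limited to resources
whose name starts with "panther"; the real PantherDeploymentRole template is
the source of truth for the actual actions and resource patterns.
"""
import re
from typing import Dict, List, Union

Statement = Dict[str, Union[str, List[str]]]

# Hypothetical prefix-scoped statement (constructed for illustration).
SCOPED_STATEMENT: Statement = {
    "Effect": "Allow",
    "Action": [
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "lambda:CreateFunction",
    ],
    "Resource": [
        "arn:aws:cloudformation:*:*:stack/panther*",
        "arn:aws:lambda:*:*:function:panther*",
    ],
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def iam_glob_to_regex(pattern: str, ignore_case: bool) -> "re.Pattern":
    """Translate an IAM wildcard pattern into an anchored regex.

    In IAM, '*' matches any run of characters, including ':' and '/', and
    '?' matches exactly one character. Action names are compared
    case-insensitively, ARNs are not, so the caller chooses the flag.
    """
    pieces = []
    for ch in pattern:
        if ch == "*":
            pieces.append(".*")
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile("^" + "".join(pieces) + "$", flags)


def statement_allows(statement: Statement, action: str, resource_arn: str) -> bool:
    """Simplified evaluator: one Allow statement, Action and Resource only
    (no Deny, NotAction/NotResource, or Condition handling)."""
    if statement.get("Effect") != "Allow":
        return False
    action_ok = any(
        iam_glob_to_regex(p, True).match(action) for p in _as_list(statement["Action"])
    )
    resource_ok = any(
        iam_glob_to_regex(p, False).match(resource_arn)
        for p in _as_list(statement["Resource"])
    )
    return action_ok and resource_ok


def stack_arn(region: str, account: str, stack_name: str,
              stack_id: str = "00000000-0000-0000-0000-000000000000") -> str:
    """ARN CloudFormation assigns to a stack; the stack id here is a placeholder."""
    return f"arn:aws:cloudformation:{region}:{account}:stack/{stack_name}/{stack_id}"


def can_deploy_root_stack(stack_name: str) -> bool:
    """Would the scoped statement let CreateStack run for a root stack of this name?"""
    arn = stack_arn("us-east-1", "123456789012", stack_name)  # constructed values
    return statement_allows(SCOPED_STATEMENT, "cloudformation:CreateStack", arn)


if __name__ == "__main__":
    for name in ("panther-prod", "panther", "my-panther", "Panther-prod"):
        print(f"{name:14s} deployable: {can_deploy_root_stack(name)}")
```

The point of the evaluation is that a misnamed root stack fails closed: the scoped role simply cannot create it, rather than the deployment silently falling outside the resource boundary the role was written for. A name that merely contains the prefix (my-panther) or differs in case (Panther-prod) is rejected just like an unrelated name.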
FirstUserEmail(required): a Panther admin invite will be sent to this email address. Updates to this value are ignored after the first successful deploy.
OnboardSelf: whether you want Panther to onboard its own AWS account for monitoring.
SentryEnvironment: by default, application errors are sent to Sentry for us to triage. We strongly recommend keeping this enabled with the default value (prod), but if that's not an option for you, you can disable the Sentry integration by setting this to a blank string.
SupportRoleIdentityAccountId: by default, a read-only SupportRole is deployed with Panther which our on-call engineers can assume to triage application errors. This role does not have access to your data and we'd encourage you to keep it enabled so we can deliver a better support experience. However, if you prefer, this role can be disabled by setting the SupportRoleIdentityAccountId to a blank string.
OpsRoleIdentityAccountId: a non-empty value will deploy an OperationsRole with service-level admin permissions for migrations, data recoveries, and other operational emergencies. We recommend keeping this role disabled until necessary (it's off by default).
DataLakeForwarderMemory: Memory to use for Cloud Security DataLake Forwarder lambdas. The default setting is 256, with a maximum value of 2048 and a minimum value of 256.
MaxLookupTableCompressedSizeMB: The maximum size (in MB) of the Gzip-compressed data backing a Lookup Table. The default setting is 200, with a maximum value of 400.
CloudSecurityScanSegments: Segments to use in table scans. The default setting is 5, with a minimum value of 5.
ReplayAPIReservedConcurrency: Reserved concurrency for the panther-replay-log-pusher Lambda function. The default setting is 40, with a minimum value of 0.
EnablePantherAuditLogIngestion: Enable ingestion of this Panther instance's own Audit Logs into this same instance of Panther. The default setting is false, with allowed values of
PantherAuditLogsExpirationDays: The expiration in days for Panther Audit Logs - applies to an S3 lifecycle policy. The default setting is 1825, with a minimum value of 30.
SnapshotScanWindowMinutes: If non-zero, the window (in minutes) within which duplicate scan requests are deduplicated. The default setting is 0, with a minimum value of 0.
SnowflakeRBACSecretARN: ARN pointing at the AWS secret with configuration and credentials for the PANTHER_RBAC Snowflake user. The allowed pattern is
MessageForwarderReservedConcurrency: Reserved concurrency for panther-message-forwarder Lambda function (has no effect if EnableLambdaReservedConcurrency=false). The default setting is 50, with a minimum value of 0.
EnableReplays: Enables or disables the ability to run replays. The default value is true, with allowed values of
PythonRuntime: The Python runtime for AWS Lambda functions. The default value is python3.7, with allowed values of
ReplayProcessorReservedConcurrency: Reserved concurrency for panther-replay-results-processor Lambda function. The default value is 40, with a minimum value of 0.
SnapshotPollerLambdaMemorySize: Snapshot Poller (Cloud Security) Lambda memory size in MB. The default value is 1024, with a minimum value of 1024 and a maximum value of 10240.
panther-pulumi CodeBuild project (in v1.22+). For example:
aws codebuild start-build --project-name panther-pulumi
1.10.X and want to upgrade to version 1.13.X, we recommend first upgrading to the highest patch version of 1.12.X, and then finally 1.13.X. This ensures there are no migration issues.
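As an added example (not Panther's own tooling), the following script plans that stepwise path mechanically: it visits every minor series between the current and target versions at its highest published patch, refuses to skip a series that is missing from the release list, and checks that the deployment role is on the target's MAJOR.MINOR series, which the next paragraph requires when the PantherDeploymentRole is used. The release list is constructed for illustration and is not Panther's release history; the rule that the role must match on MAJOR.MINOR is an assumption drawn from the text.

```python
"""Plan a sequential Panther upgrade, one minor series at a time.

Added example; this is not Panther's own tooling. AVAILABLE is a constructed
release list, not real release history, and the MAJOR.MINOR matching rule in
deployment_role_matches() is an assumption drawn from the upgrade notes.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]
Series = Tuple[int, int]

# Constructed release list (illustration only).
AVAILABLE = ["1.10.3", "1.11.0", "1.11.2", "1.12.0", "1.12.1", "1.12.4",
             "1.13.0", "1.13.2", "1.14.0"]


def parse_version(text: str) -> Version:
    """Parse 'v1.13.2' or '1.13.2' into (1, 13, 2)."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


def latest_patch_per_series(available: List[str]) -> Dict[Series, Version]:
    """Map each (major, minor) series to its highest published patch."""
    latest: Dict[Series, Version] = {}
    for v in sorted(parse_version(s) for s in available):
        latest[v[:2]] = v  # ascending sort, so the last write wins
    return latest


def upgrade_path(current: str, target: str, available: List[str]) -> List[str]:
    """Return the versions to deploy, in order, to go from current to target.

    Every minor series strictly between the two is visited at its highest
    patch, then the target itself. A series missing from the release list
    is reported as an error rather than silently skipped.
    """
    cur, tgt = parse_version(current), parse_version(target)
    if tgt <= cur:
        raise ValueError(f"target {target} is not newer than current {current}")
    latest = latest_patch_per_series(available)
    if tgt[:2] not in latest:
        raise ValueError(f"no release found in the {tgt[0]}.{tgt[1]}.X series")
    intermediate = [latest[s] for s in sorted(latest) if cur[:2] < s < tgt[:2]]
    steps = intermediate + [tgt]
    # Gap check: within one major, each hop may advance the minor by at most one.
    prev = cur
    for nxt in steps:
        if prev[0] == nxt[0] and nxt[1] not in (prev[1], prev[1] + 1):
            raise ValueError(
                f"no release found between {format_version(prev)} "
                f"and {format_version(nxt)}"
            )
        prev = nxt
    return [format_version(v) for v in steps]


def deployment_role_matches(role_version: str, target: str) -> bool:
    """True when the deployment role is on the target's MAJOR.MINOR series
    (assumed interpretation of 'on version 1.14.X')."""
    return parse_version(role_version)[:2] == parse_version(target)[:2]


if __name__ == "__main__":
    for step in upgrade_path("1.10.3", "1.13.2", AVAILABLE):
        print("deploy", step)
    print("role ready:", deployment_role_matches("1.13.0", "1.13.2"))
```

Running the script with the constructed list prints the hops 1.11.2, 1.12.4 and 1.13.2 for an instance on 1.10.3. Feeding it a list with no 1.12.X release makes it stop with an error instead of jumping from 1.11.X straight to 1.13.X, which is the situation the sequential-upgrade advice is meant to avoid.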
PantherDeploymentRole to deploy Panther, make sure you update the PantherDeploymentRole to the correct version for the version of Panther you are deploying. If you are on version 1.13.X and wish to upgrade to version 1.14.X, make sure the PantherDeploymentRole is also on version 1.14.X before upgrading. Here is the
Replace template URL, and insert the TemplateURL for the desired version of Panther you wish to deploy. The template URL should be in this format:
PantherDeploymentRole, some upgrades may require modifications to the CloudFormation parameters.
PipLibraries parameter to remove the following libraries, as they are now included by default (you may keep any third-party libraries):