AWS Config

Connecting AWS Configuration logs to your Panther Console

Overview

Panther supports ingesting Amazon Web Services (AWS) Config configuration snapshot logs via AWS S3. Panther does not support AWS Config History logs.

How to onboard AWS Config logs to Panther

After AWS Config is configured to generate configuration snapshot logs via the AWS CLI, the logs are sent to an S3 bucket.

To pull these logs into Panther, set up an S3 bucket log source in the Panther Console.

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “AWS Config,” then click its tile.

    • On the next screen, the Transport Mechanism dropdown in the upper right corner will be populated with the AWS S3 Bucket option.

  4. Click Start Setup.

  5. Follow Panther’s documentation for configuring S3 for data transport.

    • While configuring the S3 bucket source in Panther, configure the following exclusion filters:

      • *_Config_*ConfigHistory*.json.gz. This will ensure that Panther ignores S3 objects containing unsupported Config History logs.

      • */OversizedChangeNotification/*.json.gz. This will ensure that Panther ignores S3 objects containing unsupported change SNS notifications.
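The following added example (not Panther's code) dry-runs the two exclusion filters against object keys before you rely on them, and flags any filter set that would also drop supported snapshot objects. It assumes the filter's * also matches "/", as Python's fnmatch does; the sample keys are constructed and only modeled on AWS Config's S3 delivery layout.

```python
from fnmatch import fnmatchcase

# The two exclusion filters listed in the setup steps above.
EXCLUSION_FILTERS = [
    "*_Config_*ConfigHistory*.json.gz",
    "*/OversizedChangeNotification/*.json.gz",
]

# Constructed sample keys modeled on AWS Config's S3 delivery layout.
PREFIX = "AWSLogs/123456789012/Config/us-east-1/2024/1/15"
ACCT = "123456789012_Config_us-east-1"
SAMPLE_KEYS = [
    f"{PREFIX}/ConfigSnapshot/{ACCT}_ConfigSnapshot_20240115T120000Z_example.json.gz",
    f"{PREFIX}/ConfigHistory/{ACCT}_ConfigHistory_AWS::EC2::Instance_"
    "20240115T060000Z_20240115T120000Z_1.json.gz",
    f"{PREFIX}/OversizedChangeNotification/AWS::EC2::Instance/i-0example/"
    f"{ACCT}_ChangeNotification_AWS::EC2::Instance_i-0example_20240115T120000Z.json.gz",
]


def matching_filter(key, filters=EXCLUSION_FILTERS):
    """Return the first exclusion filter that matches key, or None."""
    # Assumption: '*' also matches '/', as it does in fnmatch.
    return next((p for p in filters if fnmatchcase(key, p)), None)


def partition(keys, filters=EXCLUSION_FILTERS):
    """Split keys into (ingested list, {excluded key: filter that hit})."""
    ingested, excluded = [], {}
    for key in keys:
        hit = matching_filter(key, filters)
        if hit is None:
            ingested.append(key)
        else:
            excluded[key] = hit
    return ingested, excluded


def dropped_snapshots(keys, filters=EXCLUSION_FILTERS):
    """Snapshot objects a filter set would exclude; should always be empty."""
    _, excluded = partition(keys, filters)
    return [k for k in excluded if "/ConfigSnapshot/" in k]


if __name__ == "__main__":
    ingested, excluded = partition(SAMPLE_KEYS)
    for key in ingested:
        print("INGEST ", key)
    for key, pattern in excluded.items():
        print("EXCLUDE", key, "<-", pattern)
    # An over-broad filter would silently drop the supported snapshots too.
    print("dropped:", dropped_snapshots(SAMPLE_KEYS, ["*_Config_*.json.gz"]))
```

Replace SAMPLE_KEYS with a listing of your own bucket's keys to confirm that every ConfigSnapshot object is still ingested.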

Panther-built detections

See Panther's prewritten AWS rules in the panther-analysis GitHub repository.

Supported AWS Config logs

AWS.Config

Record and evaluate snapshots of your AWS resources' configurations. For more information, see AWS's documentation on how Config works.

The event time (p_event_time) is the time the snapshot was created.
