Panther can scan any number of AWS accounts. Each cloud resource is associated with the related account's label (Prod, Dev, Test, etc.).
The first step is to add a new AWS account source by navigating to Cloud Security > Sources > Add Account:
Enter your account Name and AWS Account ID.
If you want to enable real-time scans or automatic remediation, make sure to tick the boxes here!
Click Next, then download the generated template or click directly into the CloudFormation Console:
Clicking the Launch Stack button will open CloudFormation in the AWS account you are currently logged into, with pre-populated stack variables:
Make sure to check the acknowledgement in the Capabilities box.
Click the Create stack button. After about 15 seconds, the stack's Status should change to CREATE_COMPLETE. If there is an error creating the stack, an IAM role with the same name may already exist in your account.
Back in the UI, click Next, then Save Source to complete this setup:
The next section will detail how to monitor changes to AWS resources in real-time.
To configure real-time events to Panther from multiple regions and accounts, we can use AWS CloudFormation StackSets.
The following diagram illustrates this with an example model:
In this case, the account running Panther will act as the Administrator account to manage stack creation and updates. All other accounts to onboard will act as Target accounts to send CloudWatch logs to Panther.
The Administrator account may also be the Target account. To run and scan a single AWS account, this will always be the case, and both IAM roles are required.
First, create the CloudFormation StackSet Admin role in the main Panther account to manage the deployment of real-time events in your target accounts.
From the CloudFormation Console, create a new stack, select Template is ready, and enter the following Amazon S3 URL:
https://s3-us-west-2.amazonaws.com/panther-public-cloudformation-templates/panther-stackset-iam-admin-role/latest/template.yml
Click the acknowledgements and create the stack.
This IAM role allows the CloudFormation StackSet to assume roles in target accounts and orchestrate the configuration of real-time events:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/PantherCloudFormationStackSetExecutionRole-<PantherRegion>",
      "Effect": "Allow"
    }
  ]
}
```
This IAM Role is only assumable by the Panther Deployment account.
In order for target accounts to be onboarded, you must have checked the "Real-Time AWS Resource Scan" box during the account setup.
Log in to the Administrator account's AWS Console, and open the CloudFormation StackSets page:
Click the Create StackSet button on the top right, select Template is ready, and enter the following Amazon S3 URL:
https://s3-us-west-2.amazonaws.com/panther-public-cloudformation-templates/panther-cloudwatch-events/latest/template.yml
Click Next.
Name the StackSet panther-real-time-events.
Enter the 12-digit AWS Account ID where Panther is deployed in the MasterAccountId field.
In the QueueArn field, paste the following (substituting the region and AWS account ID of the account running Panther):
arn:aws:sqs:<PantherRegion>:<PantherAccountID>:panther-aws-events-queue
Click Next.
Under the Permissions tab, add the IAM admin role name:
PantherCloudFormationStackSetAdminRole-<MASTER_ACCOUNT_REGION>
And the IAM execution role name:
PantherCloudFormationStackSetExecutionRole-<MASTER_ACCOUNT_REGION>
Click Next.
Add the AWS Account IDs of the Target Accounts in the Account numbers field, separated by commas.
Select Add all regions or a list of desired regions, set Maximum concurrent accounts to 5, and click Next.
Click Submit at the bottom of the page to create the StackSet.
To check on the status of the StackSet, check the Operations tab:
Awesome! You should now have real-time CloudWatch events sending to Panther.
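Checking the Operations tab tells you whether the last StackSet operation succeeded, but a target account or region with no stack instance (or a drifted one) simply sends no events and is easy to miss. The script below is an added example, not Panther's own code: it compares the stack instances of the panther-real-time-events StackSet against the accounts and regions you expect, using the record shape returned by CloudFormation's ListStackInstances API. The sample summaries, account IDs and regions are constructed for illustration.

```python
"""Audit which target account/region pairs actually have the Panther
real-time-events stack deployed. Added example, not Panther's own code."""
from itertools import product

STACKSET_NAME = "panther-real-time-events"  # StackSet name from the steps above


def coverage_report(summaries, expected_accounts, expected_regions):
    """Return {'missing': [...], 'unhealthy': [...]} for (account, region) pairs.

    'missing'   -> no stack instance exists, so no CloudWatch events are forwarded.
    'unhealthy' -> an instance exists but its Status is not CURRENT (OUTDATED,
                   INOPERABLE), so the forwarding rule may be absent or stale.
    """
    seen = {(s["Account"], s["Region"]): s for s in summaries}
    missing, unhealthy = [], []
    for account, region in product(expected_accounts, expected_regions):
        inst = seen.get((account, region))
        if inst is None:
            missing.append((account, region))
        elif inst.get("Status") != "CURRENT":
            unhealthy.append((account, region, inst.get("Status"),
                              inst.get("StatusReason", "")))
    return {"missing": sorted(missing), "unhealthy": sorted(unhealthy)}


def fetch_summaries(stackset_name=STACKSET_NAME):
    """Fetch live stack-instance summaries with boto3 (needs Administrator-account
    credentials). Imported lazily so the constructed sample below runs offline."""
    import boto3
    paginator = boto3.client("cloudformation").get_paginator("list_stack_instances")
    out = []
    for page in paginator.paginate(StackSetName=stackset_name):
        out.extend(page["Summaries"])
    return out


# Constructed sample: two target accounts, two regions; one pair is missing
# entirely and one instance has drifted from the StackSet template.
SAMPLE_SUMMARIES = [
    {"Account": "111111111111", "Region": "us-east-1", "Status": "CURRENT"},
    {"Account": "111111111111", "Region": "us-west-2", "Status": "CURRENT"},
    {"Account": "222222222222", "Region": "us-east-1", "Status": "OUTDATED",
     "StatusReason": "Stack drifted from StackSet template"},
]
EXPECTED_ACCOUNTS = ["111111111111", "222222222222"]
EXPECTED_REGIONS = ["us-east-1", "us-west-2"]

if __name__ == "__main__":
    report = coverage_report(SAMPLE_SUMMARIES, EXPECTED_ACCOUNTS, EXPECTED_REGIONS)
    for acct, region in report["missing"]:
        print(f"MISSING   {acct} {region}: no stack instance, no events forwarded")
    for acct, region, status, reason in report["unhealthy"]:
        print(f"UNHEALTHY {acct} {region}: {status} {reason}")
```

Replace SAMPLE_SUMMARIES with fetch_summaries() to run it against a real Administrator account.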
To add more accounts to the StackSet above, use the following steps:
Make sure you have at least one AWS Account Source configured with DeployCloudWatchEventSetup set to true.
Sign in to the Administrator account's AWS Console.
On the CloudFormation StackSets page, select the panther-real-time-events StackSet.
Select the Actions button on the top right and select Add new stacks to StackSet.
Add the new AWS account IDs into the Account numbers field, specify regions, and click through to the Submit button.