Cloud Accounts

Overview

Panther's Cloud Security works by scanning AWS accounts, modeling the Resources within them, and evaluating Policies against those resources to detect misconfigurations.
This feature can be used to power your compliance program and improve your cloud security posture. Common security misconfigurations detectable by Panther include:
  • S3 Buckets without encryption
  • Security Groups allowing inbound SSH traffic from 0.0.0.0/0
  • Access Keys being older than 90 days
  • IAM policies that are too permissive
When you add a new AWS account, Panther runs a baseline scan and models every resource in the account. The full scan is repeated daily so the modeled state stays consistent with what is actually deployed. Scanning uses an IAM role in your account that Panther assumes; the role carries read-only permissions only.
Resource updates can also be tracked in near real-time using CloudTrail or CloudWatch Events, as described in the sections below.
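The following is an added example, not Panther's own code, of what policies for the four misconfigurations listed above look like. A Panther policy is a Python function `policy(resource)` that returns True when the resource is compliant and False when it is not; here each check is given its own function name so they can sit in one file, and a small `evaluate` helper runs them over a list of modeled resources the way a scan would. The resource field names (EncryptionRules, IpPermissions, AccessKeys, PolicyDocument), the policy IDs, and the sample resources are assumptions made for illustration and follow the shape of the underlying AWS API responses rather than Panther's published resource schema.

```python
"""Added example (not Panther's own code): Panther-style policies over modeled resources.

A Panther policy is a function ``policy(resource)`` returning True when the resource is
compliant and False when it is misconfigured. Resource field names (EncryptionRules,
IpPermissions, AccessKeys, PolicyDocument) are assumed for illustration and follow the
shape of the underlying AWS API responses; the sample resources below are constructed.
"""
from datetime import datetime, timedelta, timezone

SSH_PORT = 22
MAX_KEY_AGE = timedelta(days=90)

def _as_list(value):
    # IAM policy documents allow a single string or a list for Statement/Action/Resource.
    return value if isinstance(value, list) else [value]

def s3_bucket_encrypted(resource: dict) -> bool:
    """AWS.S3.Bucket: compliant when a default server-side encryption rule is configured."""
    return any(
        rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        for rule in resource.get("EncryptionRules") or []
    )

def _covers_port(permission: dict, port: int) -> bool:
    # IpProtocol "-1" means every protocol on every port.
    if permission.get("IpProtocol") == "-1":
        return True
    low, high = permission.get("FromPort"), permission.get("ToPort")
    return low is not None and high is not None and low <= port <= high

def security_group_no_public_ssh(resource: dict) -> bool:
    """AWS.EC2.SecurityGroup: fail if any inbound rule opens port 22 to 0.0.0.0/0 or ::/0."""
    for permission in resource.get("IpPermissions") or []:
        if not _covers_port(permission, SSH_PORT):
            continue
        v4 = {r.get("CidrIp") for r in permission.get("IpRanges") or []}
        v6 = {r.get("CidrIpv6") for r in permission.get("Ipv6Ranges") or []}
        if "0.0.0.0/0" in v4 or "::/0" in v6:
            return False
    return True

def access_keys_rotated(resource: dict) -> bool:
    """AWS.IAM.User: every active access key must be younger than 90 days."""
    now = datetime.now(timezone.utc)
    for key in resource.get("AccessKeys") or []:
        if key.get("Status") != "Active":
            continue
        if now - datetime.fromisoformat(key["CreateDate"]) > MAX_KEY_AGE:
            return False
    return True

def iam_policy_not_admin(resource: dict) -> bool:
    """AWS.IAM.Policy: fail on any Allow statement granting '*' actions on '*' resources."""
    doc = resource.get("PolicyDocument") or {}
    for stmt in _as_list(doc.get("Statement") or []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
            return False
    return True

# Policy registry keyed by resource type; the policy IDs are illustrative.
POLICIES = {
    "AWS.S3.Bucket": [("S3.Bucket.EncryptionEnabled", s3_bucket_encrypted)],
    "AWS.EC2.SecurityGroup": [("EC2.SecurityGroup.NoPublicSSH", security_group_no_public_ssh)],
    "AWS.IAM.User": [("IAM.User.AccessKeyAge", access_keys_rotated)],
    "AWS.IAM.Policy": [("IAM.Policy.NotAdministrator", iam_policy_not_admin)],
}

def evaluate(resources: list) -> list:
    """Return (policy_id, resource_id) for every policy that a resource fails."""
    return [
        (policy_id, res["ResourceId"])
        for res in resources
        for policy_id, policy in POLICIES.get(res["ResourceType"], [])
        if not policy(res)
    ]

# Constructed sample resources (not real scan output), one failing case per policy.
KEY_CREATED_120_DAYS_AGO = (datetime.now(timezone.utc) - timedelta(days=120)).isoformat()
SAMPLE_RESOURCES = [
    {"ResourceType": "AWS.S3.Bucket", "ResourceId": "arn:aws:s3:::logs-plain",
     "EncryptionRules": None},
    {"ResourceType": "AWS.S3.Bucket", "ResourceId": "arn:aws:s3:::logs-kms",
     "EncryptionRules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    {"ResourceType": "AWS.EC2.SecurityGroup", "ResourceId": "sg-bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"ResourceType": "AWS.EC2.SecurityGroup", "ResourceId": "sg-internal",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"ResourceType": "AWS.IAM.User", "ResourceId": "user/ci-bot",
     "AccessKeys": [{"Status": "Active", "CreateDate": KEY_CREATED_120_DAYS_AGO}]},
    {"ResourceType": "AWS.IAM.Policy", "ResourceId": "policy/everything",
     "PolicyDocument": {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}},
]
```

Running `evaluate(SAMPLE_RESOURCES)` reports the unencrypted bucket, the bastion security group, the stale access key and the wildcard policy, and nothing for the compliant resources. Two details matter in practice: a security group rule with `IpProtocol` of `-1` or a port range that merely contains 22 still exposes SSH, so the check is on coverage rather than exact port equality, and inactive access keys are skipped because only active credentials carry risk.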

Adding Your Account(s)

The first step is to add a new AWS account source by navigating to Integrations > Cloud Accounts > Connect an account:
Enter your account Name and AWS Account ID. You may also indicate which AWS Regions, Resource Types, and Resources by Region you would like to exclude from cloud scanning. This can help prevent too many alerts from being generated by regions and resources known to be misconfigured.
Click Continue Setup, then launch the CloudFormation Console directly, download the generated template or create the role manually:
Clicking the Launch Console button will open CloudFormation in the AWS account you are currently logged into with pre-populated stack variables:
Make sure to check the acknowledgement in the Capabilities box.
Click the Create stack button. After about 15 seconds, the stack's Status should change to CREATE_COMPLETE. If there is an error creating the stack, then an IAM role with the same name may already exist in your account.
Back in the UI, click Continue, then Save Source to complete this setup:
On the Finish Setup screen, we ask you to set up a CloudTrail Log Source to enable Real Time Scanning. If you have already configured a Log Source containing CloudTrail Logs or if you would like to configure this later, you may skip.
By default, Panther will perform scans daily.
In the next section, we will talk about two options available to get events in near real-time.

Real-Time Monitoring via CloudTrail Log source

If you have already created a Log Source containing CloudTrail logs for the account(s) you want to monitor, you do not need to follow the steps below. CloudTrail delivers logs to S3 in batches of roughly 15 minutes; if you need faster notification of changes in your environment, see the Real-Time Monitoring via CloudWatch Events section.

Prerequisites

  • An S3 bucket configured to receive CloudTrail logs.

Connecting a New Log Source

Navigate to Integrations -> Log Sources -> New Log Source -> AWS -> S3 Bucket
Then, enter the Name, AWS Account ID, and Bucket Name. Optionally, enter a KMS Key, Stream Type, S3 Prefix filter, and S3 Prefix Ignore Filter. Lastly, choose the three log types outlined below (AWS.CloudTrail, AWS.CloudTrailDigest, AWS.CloudTrailInsight). Click Continue.
Next, you will be asked to Setup an IAM role. You will see options to:
  • Launch Console - brings you into an AWS Console you may already be signed into. The information filled out on the previous screens will be used in the stack.
  • Get Template - Download the template to review or run from your own workflow
  • Create the role yourself
Once the role has been created, grab the RoleArn and paste it into the field. Then, Continue Setup.
Before clicking Finish Setup, we recommend configuring an alarm that will trigger an alert if this log source does not receive any events within the interval you choose.

Real-Time Monitoring via CloudWatch Events

This method does not require a CloudTrail Log Source in Panther. CloudWatch Events deliver changes in your environment to Panther in as little as one minute.
Within panther-auxiliary, review the panther-cloudwatch-events.yml file. This YAML file contains the CloudFormation stack needed to configure Panther's real-time CloudWatch Events collection.
It works by creating CloudWatch Events rules that publish to a local SNS topic in each region, which in turn forwards the events to Panther's SQS queue. CloudWatch Events rules are regional, so the stack must be created in every region you want monitored.

CloudFormation

After downloading the panther-cloudwatch-events.yml file, open the AWS Console and navigate to CloudFormation. Then:
  • Create stack -> With new resources (standard)
  • Under Specify template, select Upload a template file
  • Choose file -> panther-cloudwatch-events.yml
  • Next

Specify stack details

  • Stack name: panther-real-time-events
  • MasterAccountId:
  • QueueArn: arn:aws:sqs:<PantherRegion>:<PantherAccountID>:panther-aws-events-queue
  • Next

Configure stack options

  • Next

Review panther-real-time-events

  • Next
This will take a few minutes to complete. Once it is done, you may onboard your Cloud Account!
When you get to the Finish Setup Screen, you may skip configuring a CloudTrail Log source.