The steps below will enable secure access for Panther to pull security logs from S3 bucket(s).
From Log Analysis, click Sources > Add Source > Amazon S3
| Field | Required? | Description |
| --- | --- | --- |
| | | Friendly name of the S3 bucket |
| | | The 12-digit AWS Account ID where the S3 buckets are located |
| | | The S3 Bucket ID/name to onboard |
| | | The list of Log Types contained in the bucket |
| | | The path of the files to analyze, which should not start with the |
| | | If your data is encrypted using KMS-SSE, provide the ARN of the KMS key |
Click Next.
You can deploy the generated stack by either launching the CloudFormation Console or downloading the template and applying it through your own pipeline.
When you click the Launch console link, a new tab will open in your browser and direct you to the AWS Console for the account you are currently logged into.
Make sure you are signed into the AWS Account where you'd like to deploy the stack.
Make sure to check the acknowledgement in the Capabilities box at the bottom, then click the Create stack button. After a few seconds, the stack's Status should change to CREATE_COMPLETE. If there is an error creating the stack, then either an IAM role with the same name already exists, or you don't have enough permissions to create the role.
Head back to Panther and click on Next, then Save Source to complete the setup.
Congratulations! You have granted Panther the permissions to process your logs in S3.
Now that Panther has the ability to pull log data, you need to configure your S3 buckets to send notifications when new data arrives.
First, create an SNS Topic and SNS Subscription to notify Panther that new data is ready for processing:
Log into the AWS Console of the account that owns the S3 bucket. Select the AWS Region where your S3 buckets are located, navigate to the CloudFormation console, and click on Create Stack (with new resources).
Under the Specify template section, enter the following Amazon S3 URL:
https://panther-public-cloudformation-templates.s3-us-west-2.amazonaws.com/panther-log-processing-notifications/latest/template.yml
Specify the stack details below:
| Field | Description |
| --- | --- |
| | A name of your choice, e.g. |
| | The 12 digit AWS Account ID where Panther is deployed |
| | The region where Panther is deployed |
| | The name of the SNS topic receiving the notification, by default this is |
Click on Next, Next, and then Create Stack.
This stack has one output named SnsTopicArn.
With the SNS Topic created, the final step is to enable notifications from the S3 buckets.
Navigate to the AWS S3 Console, select the relevant bucket, and click the Properties tab.
From there, find the Events card under the Advanced settings section. Click + Add notification and use the following settings:
| Field | Value |
| --- | --- |
| | (optional) limits notifications to objects with keys that end in matching characters |
| | (optional) limits notifications to objects with keys that start with matching characters |
Click Save.
Using CloudFormation
This can also be accomplished using CloudFormation with the following examples:
```yaml
Resources:
  CloudTrailBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: <my-cloudtrail-bucket>
      NotificationConfiguration:
        TopicConfigurations:
          # Notify the Panther topic on every object-created event
          - Topic: arn:aws:sns:<PantherRegion>:<MasterAccountId>:panther-notifications-topic
            Event: s3:ObjectCreated:*
```
```json
{
  "Resources": {
    "CloudTrailBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "my-cloudtrail-bucket",
        "NotificationConfiguration": {
          "TopicConfigurations": [
            {
              "Topic": "SNS-TOPIC-ARN",
              "Event": "s3:ObjectCreated:*"
            }
          ]
        }
      }
    }
  }
}
```
Follow the steps below if you already have an S3 bucket configured to send All object create events to an SNS Topic.
Create a subscription between your SNS topic and Panther's log processing SQS queue.
Log into the AWS Console for the account where your S3 bucket exists
Navigate to the SNS Console and select the SNS Topic currently receiving events
Note the ARN of this SNS topic
Select the Edit button and scroll down to the Access Policy card
Add the statement shown below to the topic's Access Policy. Populate <PANTHER-MASTER-ACCOUNT-ID> with the 12-digit account ID where Panther is deployed. Populate SNS-TOPIC-ARN with the ARN you noted on step #3:
```yaml
Sid: CrossAccountSubscription
Effect: Allow
Principal:
  AWS: arn:aws:iam::<PANTHER-MASTER-ACCOUNT-ID>:root
Action: sns:Subscribe
Resource: <SNS-TOPIC-ARN>
```
```json
{
  "Sid": "CrossAccountSubscription",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<MasterAccountId>:root"
  },
  "Action": "sns:Subscribe",
  "Resource": "<SNS-TOPIC-ARN>"
}
```
Finally, create the subscription to the Panther Master account's SQS queue.
From the SNS Console, select the Create subscription button and enter:
Protocol: Amazon SQS
Endpoint: arn:aws:sqs:<PantherRegion>:<MasterAccountId>:panther-input-data-notifications-queue
Select the Create subscription button.
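The policy edit described above, as an added example that is not part of the original page or Panther's own code: it fills the page's CrossAccountSubscription statement into an existing topic policy without duplicating it, and audits the result for statements that would let any principal subscribe to the topic (and so receive the bucket notifications). The starting policy, account IDs and topic ARN are constructed sample values.

```python
import json

SID = "CrossAccountSubscription"

# Constructed sample (assumed, not from the page): a topic policy that already
# lets S3 publish but has no cross-account subscribe statement yet.
EXISTING_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowS3Publish", "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"}, "Action": "sns:Publish",
    "Resource": "arn:aws:sns:us-east-1:111111111111:my-topic"}]})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def subscribe_statement(master_account_id, topic_arn):
    """The page's statement with <PANTHER-MASTER-ACCOUNT-ID> and <SNS-TOPIC-ARN> filled in."""
    if not (master_account_id.isdigit() and len(master_account_id) == 12):
        raise ValueError("Panther master account ID must be 12 digits")
    return {"Sid": SID, "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{master_account_id}:root"},
            "Action": "sns:Subscribe", "Resource": topic_arn}


def add_subscribe_statement(policy_json, master_account_id, topic_arn):
    """Merge the statement into an existing topic policy, replacing any earlier copy by Sid."""
    policy = json.loads(policy_json)
    statements = [s for s in _as_list(policy.get("Statement", [])) if s.get("Sid") != SID]
    statements.append(subscribe_statement(master_account_id, topic_arn))
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)


def open_subscribe_sids(policy_json):
    """Sids of unconditional Allow statements that let any principal sns:Subscribe
    (directly or via a wildcard action): anyone could then receive the notifications."""
    found = []
    for s in _as_list(json.loads(policy_json).get("Statement", [])):
        if s.get("Effect") != "Allow" or s.get("Condition"):
            continue
        actions = [a.lower() for a in _as_list(s.get("Action", []))]
        principal = s.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in _as_list(aws) and any(a in ("*", "sns:*", "sns:subscribe") for a in actions):
            found.append(s.get("Sid", "<no Sid>"))
    return found
```

Run `open_subscribe_sids` on the merged policy before saving it in the SNS console; an empty list means only the named Panther account (and whatever the existing statements already allowed) can subscribe.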
These are just two basic configurations to integrate with Panther Log Processing.
There are other variations and advanced configurations available for more complex use cases and considerations. For example, instead of using S3 event notifications for CloudTrail data you may have CloudTrail directly notify SNS of the new data.
After log sources are configured, your data can be searched with the Data Analytics page!