To analyze infrastructure, Panther uses Python Policies to represent the desired state of a resource.
Policies work by:

- Defining a single function
- With a single argument: the resource under analysis
- Returning True if the resource is compliant or False if the resource is not compliant
Python provides high flexibility in defining your logic. Built-in Python libraries can be loaded with import statements at the top of the policy, and the following third-party libraries are also available:

- The AWS SDK for Python
- JSON Schema for Python
- A library to parse AWS ARNs and IAM policies
- A library for easy HTTP requests
By default, policies are loaded and enabled from Panther's curated packs. You can also write your own policies for internal use cases.
Policies contain the logic that determines which resources are misconfigured or vulnerable, along with the following metadata and remediation settings:

- A description giving additional context on the policy
- A human-readable name for the policy
- A unique identifier for the policy, which generally follows a set naming convention
- A reference URL explaining the configuration in more detail, often the vendor's documentation
- The type(s) of resource the policy analyzes
- A runbook URL with detailed instructions on how to fix the issue
- A severity: the potential impact of the misconfiguration
- Resource ID patterns the policy should ignore
- One or more categorizations of the policy
The severity levels, listed from lowest to highest, are:

| Impact if exploited | Typical examples |
| --- | --- |
| No risk, simply informational | Name formatting, missing tags; general operational best practices. |
| Little to no risk | Non-sensitive information leakage, such as system time and OS versions. |
| Moderate risk | Expired credentials, missing protection against accidental data loss, encryption settings, best-practice settings for audit tools. |
| Very damaging | Large gaps in visibility, directly vulnerable infrastructure, misconfigurations directly related to data exposure. |
| Extreme damage | Public data or systems, leaked access keys. |
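A complete policy in the shape described above (a single function taking the resource and returning True or False), together with a local runner that applies the resource ID ignore patterns from the metadata list. This is an added example, not code from the Panther documentation or from Panther's curated packs. It assumes the entry point is `def policy(resource)` (function and argument names the page does not show) and that the resource arrives as a dict of the scanned resource's attributes; the S3-style attribute names and the sample resources are constructed for the example, and glob matching via `fnmatch` is this example's choice for the ignore patterns, not necessarily Panther's syntax.

```python
"""Added example: a Panther-style policy plus a local runner.

Not code from the Panther docs or packs. Assumptions (not shown on the
page): the entry point is `policy(resource)`, and `resource` is a dict of
the scanned resource's attributes. The S3-style attribute names, the sample
resources and the fnmatch-based ignore patterns are constructed here.
"""
import fnmatch
from typing import Any, Callable, Dict, Iterable, List, Tuple

Resource = Dict[str, Any]

# Suffix of the grantee URI that denotes the "everyone" group on S3 ACLs.
PUBLIC_GROUP_SUFFIX = "/global/AllUsers"


def policy(resource: Resource) -> bool:
    """Return True if the bucket is compliant, False otherwise.

    Compliant means: at least one server-side encryption rule is set and
    no ACL grant is addressed to the AllUsers group.
    """
    if not resource.get("EncryptionRules"):
        return False
    for grant in resource.get("Grants") or []:
        grantee = grant.get("Grantee") or {}
        if str(grantee.get("URI", "")).endswith(PUBLIC_GROUP_SUFFIX):
            return False
    return True


def is_suppressed(resource_id: str, patterns: Iterable[str]) -> bool:
    """True if the resource ID matches any ignore pattern (glob syntax)."""
    return any(fnmatch.fnmatchcase(resource_id, p) for p in patterns)


def evaluate(
    policy_fn: Callable[[Resource], bool],
    resources: Iterable[Resource],
    suppressions: Iterable[str] = (),
) -> List[Tuple[str, str]]:
    """Run one policy over many resources and return (resource_id, status).

    A suppressed resource is skipped. An exception raised inside the policy
    is reported as ERROR instead of being mistaken for a pass or a fail;
    that is the failure mode to watch for when a resource lacks an
    attribute the policy assumed would be present.
    """
    patterns = list(suppressions)
    results: List[Tuple[str, str]] = []
    for resource in resources:
        rid = str(resource.get("ResourceId", "<unknown>"))
        if is_suppressed(rid, patterns):
            results.append((rid, "SUPPRESSED"))
            continue
        try:
            results.append((rid, "PASS" if policy_fn(resource) else "FAIL"))
        except Exception as exc:  # report the policy bug, do not hide it
            results.append((rid, f"ERROR: {type(exc).__name__}: {exc}"))
    return results


# Constructed sample resources (not real scan output).
SAMPLE_RESOURCES: List[Resource] = [
    {"ResourceId": "arn:aws:s3:::prod-logs",
     "EncryptionRules": [{"SSEAlgorithm": "AES256"}],
     "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}}]},
    {"ResourceId": "arn:aws:s3:::public-assets",
     "EncryptionRules": [],
     "Grants": [{"Grantee": {"Type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]},
    {"ResourceId": "arn:aws:s3:::encrypted-but-public",
     "EncryptionRules": [{"SSEAlgorithm": "aws:kms"}],
     "Grants": [{"Grantee": {"Type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]},
    {"ResourceId": "arn:aws:s3:::test-scratch",
     "EncryptionRules": [{"SSEAlgorithm": "AES256"}],
     "Grants": []},
    # Malformed grant: the policy raises, and the runner must surface that.
    {"ResourceId": "arn:aws:s3:::odd-shape",
     "EncryptionRules": [{"SSEAlgorithm": "AES256"}],
     "Grants": ["not-a-dict"]},
]

# Constructed ignore pattern: skip every bucket whose name starts with test-.
SUPPRESSIONS = ["arn:aws:s3:::test-*"]


def run_example() -> List[Tuple[str, str]]:
    """Evaluate the sample policy over the constructed resources."""
    return evaluate(policy, SAMPLE_RESOURCES, SUPPRESSIONS)


if __name__ == "__main__":
    for rid, status in run_example():
        print(f"{status:10} {rid}")
```

The runner deliberately distinguishes an exception from a False return: a policy that crashes on an unexpected resource shape has not evaluated the resource at all, and treating the crash as either outcome would hide a gap in coverage.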
To view all Policies in the Panther UI, click the Policies button on the sidebar.
Policies can be filtered and sorted based on:
Initially, a Policy's status will be Insufficient data until a resource of a matching resource type has been analyzed. Once a resource fails the policy, an Alert is dispatched via the Output configured for the policy's severity, and the failure shows up in the Policy Dashboard.
To display an overview of all Failing Policies, click the Panther icon in the top left to open the Dashboard. The Dashboard lets you sort Policies by Severity (top right) for easier drill-down into failing Policies.