Quick Start
To get started with Panther, you'll need:
An AWS account (preferably dedicated to Panther)
An IAM user/role with permissions to create and manage the necessary resources
We've provided the following IAM roles for least privilege deployments:
​Terraform​
We recommend deploying Panther into its own dedicated AWS account.
The steps below use a preconfigured CloudFormation template to deploy Panther. To deploy from source, follow the instructions here.
First, navigate to the AWS CloudFormation console and create a new stack.
Use the following template URL to install the latest version in the us-east-1 region:
https://panther-community-us-east-1.s3.amazonaws.com/v1.5.1/panther.yml
The template URL is of the following form:
https://panther-<EDITION>-<REGION>.s3.amazonaws.com/<VERSION>/panther.yml
Where:
EDITION is
communityorenterpriseREGION is one of:
us-east-1,us-east-2, orus-west-2Be sure the template region matches the region in which you are deploying Panther
​Additional regions are available when deploying from source​
VERSION is the latest tagged release​
On the next page, choose a stack name (e.g. "panther") and configure the name and email for the first Panther user:
This is the initial admin user account. You can edit the user and invite additional users after Panther is deployed. You can also set the CompanyDisplayName here if you like. All other parameters can be ignored.
On the next page, you can skip all the advanced stack settings. Acknowledge the warnings and deploy the stack.
Alternatively, you can deploy Panther using a nested stack in your own CloudFormation pipeline, using a Terraform template, or by building and deploying from source.
AWSTemplateFormatVersion: 2010-09-09Description: My Panther deployment​Resources:Panther:Type: AWS::CloudFormation::StackProperties:TemplateURL: !Sub https://panther-community-${AWS::Region}.s3.amazonaws.com/v1.5.1/panther.ymlParameters:CompanyDisplayName: AwesomeCoFirstUserEmail: user@example.comFirstUserGivenName: AliceFirstUserFamilyName: Jones
When deploying this template, you will need to include all capabilities:
aws cloudformation deploy --template-file template.yml --stack-name panther --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND
resource "aws_cloudformation_stack" "panther" {name = "panther"template_url = "https://panther-community-<REGION>.s3.amazonaws.com/v1.5.1/panther.yml"capabilities = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"]parameters = {CompanyDisplayName = "AwesomeCo"FirstUserEmail = "user@example.com"FirstUserGivenName = "Alice"FirstUserFamilyName = "Jones"}}
Once the deployment has finished, you will get an invitation email from no-reply@verificationemail.com with your temporary login credentials. If you don't see it, be sure to check your spam folder.
By default, Panther generates a self-signed certificate, which will cause most browsers to present a warning page:
​
​
Your connection is encrypted, and it's generally safe to continue. However, the warning exists because self-signed certificates do not protect you from man-in-the-middle attacks; for this reason production deployments should provide their own CertificateArn parameter value.
Congratulations! You are now ready to use Panther. Follow the steps below to complete your setup:
Invite your team in
Settings>Users>Invite UserConfigure destinations to receive generated alerts
Onboard data for real-time log analysis​
Write custom rules based on internal business logic
Onboard AWS accounts for cloud security scans​
Write custom policies for supported AWS resources​
Enterprise Only: Query collected logs with data explorer​
To uninstall Panther, simply delete the main "panther" stack (substituting whatever stack name you chose during deployment). This will automatically remove everything except:
S3 buckets and their data
A few empty CloudWatch log groups
You can easily find and delete these manually, or you can run mage teardown (see development).
