To get started with Panther, you'll need:
An AWS account (preferably dedicated to Panther) in a supported region
An IAM user/role with permissions to create and manage the necessary resources
We've provided the following IAM roles for least privilege deployments:
Terraform
The steps below use a preconfigured CloudFormation template to deploy Panther. To deploy from source, follow the instructions here.
Panther can be deployed to any of the following regions:
ap-northeast-1 (Tokyo)
ap-northeast-2 (Seoul)
ap-south-1 (Mumbai)
ap-southeast-1 (Singapore)
ap-southeast-2 (Sydney)
ca-central-1 (Canada)
eu-north-1 (Stockholm)
eu-west-1 (Ireland)
eu-west-2 (London)
eu-west-3 (Paris)
sa-east-1 (São Paulo)
us-east-1 (N. Virginia)
us-east-2 (Ohio)
us-west-1 (N. California)
us-west-2 (Oregon)
First, navigate to the AWS CloudFormation console and create a new stack. Enter the template URL customized for your AWS region and Panther edition and version:
https://panther-<EDITION>-<REGION>.s3.amazonaws.com/<VERSION>/panther.yml
Where:
EDITION is community or enterprise
REGION is any of the supported regions
Be sure the template region matches the region in which you are deploying Panther
VERSION is the latest tagged release
For example, to deploy the latest community version in us-east-1, use the following template:
https://panther-community-us-east-1.s3.amazonaws.com/v1.14.2/panther.yml
On the next page, choose a stack name (e.g. "panther") and configure the name and email for the first Panther user:
This is the initial admin user account. You can edit the user and invite additional users after Panther is deployed. You can also set the CompanyDisplayName here if you like. All other parameters can be ignored.
On the next page, you can skip all the advanced stack settings. Acknowledge the warnings and deploy the stack.
Alternatively, you can deploy Panther using a nested stack in your own CloudFormation pipeline, using a Terraform template, or by building and deploying from source.
AWSTemplateFormatVersion: 2010-09-09
Description: My Panther deployment

Resources:
  Panther:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub https://panther-community-${AWS::Region}.s3.amazonaws.com/v1.14.3/panther.yml
      Parameters:
        CompanyDisplayName: AwesomeCo
        FirstUserEmail: user@example.com
        FirstUserGivenName: Alice
        FirstUserFamilyName: Jones
When deploying this template, you will need to include all capabilities:
aws cloudformation deploy --template-file template.yml --stack-name panther --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND
resource "aws_cloudformation_stack" "panther" {
  name         = "panther"
  template_url = "https://panther-community-<REGION>.s3.amazonaws.com/v1.14.3/panther.yml"

  capabilities = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"]

  parameters = {
    CompanyDisplayName  = "AwesomeCo"
    FirstUserEmail      = "user@example.com"
    FirstUserGivenName  = "Alice"
    FirstUserFamilyName = "Jones"
  }
}
Once the deployment has finished, you will get an invitation email from no-reply@verificationemail.com with your temporary login credentials. If you don't see it, be sure to check your spam folder.
By default, Panther generates a self-signed certificate, which will cause most browsers to present a warning page:
Your connection is encrypted, and it's generally safe to continue. However, the warning exists because self-signed certificates do not protect you from man-in-the-middle attacks; for this reason production deployments should provide their own CertificateArn parameter value.
Congratulations! You are now ready to use Panther. Follow the steps below to complete your setup:
Invite your team in Settings > Users > Invite User
Configure destinations to receive generated alerts
Write custom rules based on internal business logic
Onboard AWS accounts for cloud security scans
Write custom policies for supported AWS resources
Enterprise Only: Query collected logs with data explorer
To uninstall Panther, simply delete the main "panther" stack (substituting whatever stack name you chose during deployment). This will automatically remove everything except S3 buckets and the data they contain.
You can easily find and delete these manually, or you can run mage teardown (see development).