PantherDeploymentRole template that creates an IAM role with relatively least-privilege access configured for deploying Panther. Note that this role has the ability to create arbitrary IAM entities, so privilege escalation is trivial. Panther needs this permission to create the least-privilege roles used by the Panther application itself, but the PantherDeploymentRole should be treated as a sensitive administrator role.
s3:SetBucketEncryption, and SCPs relating to the KMS service.
PantherAuditRole) has been removed from the account before deploying Panther, as namespace conflicts may cause deployments to fail.
PantherDeploymentRole to deploy Panther, be sure to name the root stack something with a panther- prefix. The name of the root stack will be prepended to any resources created by the stack, and the PantherDeploymentRole limits its access in part by restricting its permissions to only affect resources that start with the name
FirstUserEmail (required): a Panther admin invite will be sent to this email address. Updates to this value are ignored after the first successful deploy.
OnboardSelf: whether you want Panther to onboard its own AWS account for monitoring.
SentryEnvironment: by default, application errors are sent to Sentry for us to triage. We strongly recommend keeping this enabled with the default value (prod), but if that's not an option for you, you can disable the Sentry integration by setting this to a blank string.
SupportRoleIdentityAccountId: by default, a read-only SupportRole is deployed with Panther which our on-call engineers can assume to triage application errors. This role does not have access to your data and we'd encourage you to keep it enabled so we can deliver a better support experience. However, if you prefer, this role can be disabled by setting the SupportRoleIdentityAccountId to a blank string.
OpsRoleIdentityAccountId: a non-empty value will deploy an OperationsRole with service-level admin permissions for migrations, data recoveries, and other operational emergencies. We recommend keeping this role disabled until necessary (it's off by default).
panther-pulumi CodeBuild project (in v1.22+). For example:
aws codebuild start-build --project-name panther-pulumi
1.10.X and want to upgrade to version 1.13.X, we recommend first upgrading to the highest patch version of 1.12.X, and then finally 1.13.X. This ensures there are no migration issues.
PantherDeploymentRole to deploy Panther, make sure you update the PantherDeploymentRole to the correct version for the version of Panther you are deploying. If you are on version 1.13.X and wish to upgrade to version 1.14.X, make sure the PantherDeploymentRole is also on version 1.14.X before upgrading. Here is the
Replace template URL, and insert the TemplateURL for the desired version of Panther you wish to deploy. The template URL should be in this format:
PantherDeploymentRole, some upgrades may require modifications to the CloudFormation parameters.
PipLibraries parameter to remove the following libraries as they are now included by default (you may keep any 3rd party libraries):
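A pre-deploy checker, added here as an example and not taken from Panther's own tooling, that turns the rules above into code: the panther- stack-name prefix that the PantherDeploymentRole's resource scoping depends on, the requirement that the role's version match the Panther version being deployed, and the rule against jumping across minor versions. The one-minor-at-a-time path is an assumption generalising the 1.10.X to 1.13.X example, and all function names are hypothetical.

```python
import re

# Hypothetical pre-deploy checker; not part of Panther's tooling.
STACK_PREFIX = "panther-"
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Parse 'v1.14.2' or '1.14.2' into the tuple (1, 14, 2)."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def stack_name_ok(stack_name):
    """The deployment role only touches resources named panther-*, and the
    root stack name is prepended to every resource the stack creates."""
    return stack_name.startswith(STACK_PREFIX)


def role_version_matches(role_version, panther_version):
    """PantherDeploymentRole must be on the same major.minor as Panther."""
    return parse_version(role_version)[:2] == parse_version(panther_version)[:2]


def upgrade_path(current, target):
    """Minor versions to step through one at a time (assumption generalising
    the page's 1.10.X -> 1.13.X example), ending at the requested target."""
    cur, tgt = parse_version(current), parse_version(target)
    if cur[0] != tgt[0]:
        raise ValueError("major-version upgrades are not covered by this check")
    if tgt <= cur:
        raise ValueError("target must be newer than the current version")
    # "X" stands for the highest patch release of each intermediate minor version.
    steps = [f"{cur[0]}.{minor}.X" for minor in range(cur[1] + 1, tgt[1])]
    return steps + [target]


def preflight(stack_name, current, target, role_version):
    """Return a list of problems; an empty list means the deploy may proceed."""
    problems = []
    if not stack_name_ok(stack_name):
        problems.append(f"root stack name {stack_name!r} lacks the {STACK_PREFIX!r} prefix")
    if not role_version_matches(role_version, target):
        problems.append(f"PantherDeploymentRole {role_version} does not match target {target}")
    path = upgrade_path(current, target)
    if len(path) > 1:
        problems.append("skipped minor versions; upgrade through " + ", ".join(path[:-1]) + " first")
    return problems
```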