SNS
This page will walk you through configuring SNS as a Destination for your Panther alerts. This is a simple way to send notifications to email addresses, multiple queues, and more.
The SNS Destination requires a Topic ARN. When an alert is forwarded to an SNS Destination, it publishes a JSON string to that topic:
From the AWS SNS console, create a new Topic or navigate to the topic you wish to add as a destination. Copy the ARN out and into the Panther Destinations configuration, then select the topic. We will be editing its permissions so Panther can publish messages to it:
After selecting the SNS topic, select the Edit button then scroll down and expand the Access policy section:
After expanding the Access policy section, add the following statement to the Statement block:
{"Sid": "AllowPantherAlarming","Effect": "Allow","Principal": {"AWS": "arn:aws:iam::<PANTHER-ACCOUNT-ID>:root"},"Action": "sns:Publish","Resource": "arn:aws:sns:us-west-2:123456789012:example-topic"}
Be sure to replace the Resource field with the ARN of your own SNS Topic, and the Principal with the AWS account ID where Panther is deployed.
When specifying the Principal, you can find the account ID where Panther is running in the Settings -> General page of your Panther deployment:
Enter this account ID as part of the principal:
Select the
Save changesbutton to confirm your changes, and your SNS Topic will now be able to receive Panther alerts
