A collection of templates used to create auxiliary infrastructure in support of a Panther deployment. They are used during deployment (when Panther onboards itself), when onboarding a new source from the web app, or just to serve as examples.
We refer to the AWS account where Panther itself is deployed as the master account. Accounts which Panther scans or pulls log data from are called satellite accounts. An account can function as both - in fact, by default, Panther onboards its own account for cloud security and log analysis.
These templates are primarily for satellite accounts. For example, panther-cloudsec-iam creates IAM roles which Panther Cloud Security can assume to scan your AWS account.
Each template is provided in CloudFormation and Terraform formats for your convenience.
The default trust principals for various IAM roles and one SNS topic policy sid are the entire master account (arn::<account number>:root). Since the Panther role names are autogenerated, their exact values aren't known ahead of time. After Panther is deployed, however, you can restrict these trust principals by role. Below are the patterns you can use to find the exact role names in your account to configure least privilege trust principals. Note that the exact naming convention will vary based on how you deployed Panther. If searching in the AWS console, use the textual part of the name near the end, e.g. PollerFunctionRole.
AWS configuration scanning
arn:aws:iam::\${var.master_account_id}:role/panther-<...>-PollerFunctionRole-<...>arn:aws:iam::\${var.master_account_id}:role/panther-<...>-SourceApiFunctionRole-<...>
These role names are approximations. The true role name is calculated based on a number of different factors, including the name you give to the master stack and the deployment method you use. In order to guarantee you're getting the right name, you can run the following commands with the AWS CLI to find the role ARNs you need to trust:
$ aws lambda get-function-configuration --function-name panther-snapshot-pollers | grep \"Role\"
$ aws lambda get-function-configuration --function-name panther-source-api | grep \"Role\"
arn:aws:iam::${var.master_account_id}:role/PantherCloudFormationStackSetAdminRole-${var.aws_region}arn:aws:iam::${var.master_account_id}:role/panther-<...>-SourceApiFunctionRole-<...>
The first role is generally hard coded, but the second role is autogenerated. To find the exact name, you can run the following command:
$ aws lambda get-function-configuration --function-name panther-source-api | grep \"Role\"
-- Note: no Panther component ever assumes the PantherCloudFormationStackSetExecutionRole. The StackSet Execution role allows admins to manually to deploy StackSets that create "real time notifications" from the master account using the AWS CloudFormation service. If you plan to use this role, the PantherCloudFormationStackSetAdminRole (see separate template) has to be created in the master account. If you plan to apply the "Cloudwatch Events" to satellite accounts via Terraform directly, you will not need the StackSetExecution role or the StackSetAdmin role and should not deploy them.
"Real time notifications" of changes in AWS configuration
You will not need the contents of this template if you are using the StackSetExecution/StackSetAdmin roles (above) to create the Panther components with Stack Sets for real time notifications.
- the ARN of the IAM identity that is creating the cross-account subscription from the master account to the satellite account; this will not be a Panther component; an example is the AWS IAM
useridentity you use to deploy configurations in the master account, but your particular deployment method will determine which identity is actually creating the subscription
Log analysis
arn:aws:iam::\${var.master_account_id}:role/panther-<...>-LogProcessorFunctionRole-<...>arn:aws:iam::\${var.master_account_id}:role/panther-<...>-SourceApiFunctionRole-<...>
Both of these role names are autogenerated. To find the exact names, you can run the following commands:
$ aws lambda get-function-configuration --function-name panther-log-processor | grep \"Role\"
$ aws lambda get-function-configuration --function-name panther-source-api | grep \"Role\"
Log Analysis analog to CloudWatch event notifications for cloud security real time notifications
- the ARN of the IAM identity that is creating the cross-account subscription from the master account to the satellite account; this will not be a Panther component; an example is the AWS IAM
useridentity you use to deploy configurations in the master account, but your particular deployment method will determine which identity is actually creating the subscription
Note: the deployment role was previously available as a terraform template, but has been deprecated in favor of a CloudFormation implementation. Please see cloudformation/panther-deployment-role.yml.