Auxiliary Templates

A collection of templates used to create auxiliary infrastructure in support of a Panther deployment. They are used during deployment (when Panther onboards itself), when onboarding a new source from the web app, or just to serve as examples.

We refer to the AWS account where Panther itself is deployed as the master account. Accounts which Panther scans or pulls log data from are called satellite accounts. An account can function as both - in fact, by default, Panther onboards its own account for cloud security and log analysis.

These templates are primarily for satellite accounts. For example, panther-cloudsec-iam creates IAM roles which Panther Cloud Security can assume to scan your AWS account.

Each template is provided in CloudFormation and Terraform formats for your convenience.

Least Privilege Trust Principals

The default trust principals for the various IAM roles and for one SNS topic policy sid are the entire master account (arn:aws:iam::<account number>:root). Since the Panther role names are autogenerated, their exact values aren't known ahead of time. After Panther is deployed, however, you can restrict these trust principals to specific roles. Below are the patterns you can use to find the exact role names in your account and configure least privilege trust principals. Note that the exact naming convention varies based on how you deployed Panther. If searching in the AWS console, use the textual part of the name near the end, e.g. PollerFunctionRole.

"Cloud Security" template

AWS configuration scanning

"panther_audit" role trust principal

  • arn:aws:iam::${var.master_account_id}:role/panther-<...>-PollerFunctionRole-<...>
  • arn:aws:iam::${var.master_account_id}:role/panther-<...>-SourceApiFunctionRole-<...>

These role names are approximations. The true role name is calculated based on a number of different factors, including the name you give to the master stack and the deployment method you use. In order to guarantee you're getting the right name, you can run the following commands with the AWS CLI to find the role ARNs you need to trust:

$ aws lambda get-function-configuration --function-name panther-snapshot-pollers | grep "Role"

$ aws lambda get-function-configuration --function-name panther-source-api | grep "Role"
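As an added example (not one of the repository's own templates), the Terraform below shows how the panther_audit trust policy can default to the master account root and be narrowed to the exact role ARNs printed by the commands above; the variable panther_audit_trusted_role_arns, the statement sid and the role name are assumptions, and the same override pattern applies to the other role trust principals and SNS topic policy sids described on this page.

```hcl
variable "master_account_id" {
  type = string
}

# Assumed variable (not in the template): leave empty to keep the broad
# account-root trust, or set it to the exact role ARNs printed by
# "aws lambda get-function-configuration ... | grep Role".
variable "panther_audit_trusted_role_arns" {
  type    = list(string)
  default = []
}

locals {
  # Fall back to the entire master account only when no specific roles are known.
  panther_audit_principals = (
    length(var.panther_audit_trusted_role_arns) > 0
    ? var.panther_audit_trusted_role_arns
    : ["arn:aws:iam::${var.master_account_id}:root"]
  )
}

data "aws_iam_policy_document" "panther_audit_assume" {
  statement {
    sid     = "AllowPantherToAssume" # hypothetical sid
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = local.panther_audit_principals
    }
  }
}

resource "aws_iam_role" "panther_audit" {
  name               = "PantherAuditRole" # hypothetical name; match your template
  assume_role_policy = data.aws_iam_policy_document.panther_audit_assume.json
  # The permission policies attached to the role are unchanged and omitted here.
}
```

After narrowing the trust, re-run the scan from Panther to confirm the PollerFunctionRole and SourceApiFunctionRole can still assume the role; an AccessDenied on sts:AssumeRole means the discovered ARNs did not match.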

"panther_cloud_formation_stackset_execution" role trust principal

  • arn:aws:iam::${var.master_account_id}:role/PantherCloudFormationStackSetAdminRole-${var.aws_region}
  • arn:aws:iam::${var.master_account_id}:role/panther-<...>-SourceApiFunctionRole-<...>

The first role is generally hard coded, but the second role is autogenerated. To find the exact name, you can run the following command:

$ aws lambda get-function-configuration --function-name panther-source-api | grep "Role"

-- Note: no Panther component ever assumes the PantherCloudFormationStackSetExecutionRole. The StackSet Execution role allows admins to manually deploy StackSets that create "real time notifications" from the master account using the AWS CloudFormation service. If you plan to use this role, the PantherCloudFormationStackSetAdminRole (see separate template) has to be created in the master account. If you plan to apply the "CloudWatch Events" template to satellite accounts via Terraform directly, you will not need the StackSetExecution role or the StackSetAdmin role and should not deploy them.

"CloudWatch Events" template

"Real time notifications" of changes in AWS configuration

You will not need the contents of this template if you are using the StackSetExecution/StackSetAdmin roles (above) to create the Panther components with Stack Sets for real time notifications.

"panther_events" SNS topic policy "CrossAccountSubscription" sid trust principal

  • the ARN of the IAM identity that creates the cross-account subscription from the master account to the satellite account. This is not a Panther component; for example, it may be the AWS IAM user identity you use to deploy configurations in the master account, but your particular deployment method determines which identity actually creates the subscription.

"Log Analysis" template

Log analysis

"log_processing" role trust principals

  • arn:aws:iam::${var.master_account_id}:role/panther-<...>-LogProcessorFunctionRole-<...>
  • arn:aws:iam::${var.master_account_id}:role/panther-<...>-SourceApiFunctionRole-<...>

Both of these role names are autogenerated. To find the exact names, you can run the following commands:

$ aws lambda get-function-configuration --function-name panther-log-processor | grep "Role"

$ aws lambda get-function-configuration --function-name panther-source-api | grep "Role"

"Log Processing Notifications" template

Log Analysis counterpart to the CloudWatch Events real time notifications used for Cloud Security

"policy" SNS topic policy "AllowSubscriptionToPanther" sid trust principal

  • the ARN of the IAM identity that creates the cross-account subscription from the master account to the satellite account. This is not a Panther component; for example, it may be the AWS IAM user identity you use to deploy configurations in the master account, but your particular deployment method determines which identity actually creates the subscription.

"Deployment" template

Programmatic deployment of Panther

"deployment" role trust principal

  • the IAM identity of the external automation principal that is deploying Panther (not a Panther component)