Panther Knowledge Base

Can I disable real-time scanning for my Panther cloud security integration?


I have onboarded an AWS account as part of Panther's cloud security scanning feature, and I've also onboarded a real-time scanning integration (like CloudTrail or CloudWatch Events). However, I now wish to disable real-time scanning for this account. Is this possible?


Currently, Panther doesn't support a simple workflow for disabling real-time scanning for a cloud account. Instead, you'll need to follow these steps:

  1. Prevent real-time updates from reaching Panther. This can be done by disabling the CloudTrail log source, applying a filter to ignore logs for this account ID, or disabling the CloudWatch Events pipeline.
  2. Delete and recreate the cloud account integration in Panther.

Note that if you skip step 2, Panther will flag the cloud account integration as unhealthy once 24 hours have passed with no real-time updates received. There is currently no way to override this health status, so to avoid the "unhealthy" label you must delete and recreate the integration.