I want to use Panther's Cloud Account feature and onboard my AWS accounts. But I have many AWS accounts, and it seems I can only do this one at a time. Is there a way to onboard many AWS accounts at once?
Specifically for the Cloud Accounts feature, Panther doesn't have a way to onboard many AWS accounts at once, but there are a few ways to make the process easier, depending on the functionality you need.
The primary benefit of the Cloud Account feature is that it lets Panther treat your AWS resources as resources in Panther. Once Panther knows about the resources in your AWS account, you can run policies (Python detections written specifically to evaluate the state of a Cloud Account resource) against them.
Depending on whether you need the ability to run policies on your AWS resources, you have 2 options:
Option 1: I do wish to run policy detections on my AWS resources
To run policies on AWS resources, you will need to onboard each AWS account into Panther as a Cloud Account.
The first part of the process - connecting the Cloud Account in the Panther console - is always manual. The second part, creating the IAM role, can be automated with CloudFormation StackSets. You can create a StackSet in your AWS organization that deploys a CloudFormation stack to each account in the org. That stack creates the IAM role Panther needs in order to scan resources in that account. This automates the role-creation part of Cloud Account onboarding; you then only need to finish onboarding by entering each AWS account ID in the onboarding wizard.
See the CloudFormation template in GitHub that creates the IAM role each AWS account needs in order to allow Panther to scan its resources.
Option 2: I don't need to run policy detections on my AWS resources
If you don't need to treat your AWS resources as resources in Panther and don't wish to use policies, there is an alternative: set up an organization trail in CloudTrail that writes the CloudTrail logs for every account in the AWS organization to a single S3 bucket, then ingest that bucket into Panther as one log source. This setup is done once, after which the API activity recorded by CloudTrail across all of your AWS accounts arrives through that single bucket. The data is then available under the CloudTrail log type and log table.
It's important to note that with this option, resources won't show up in Panther and you won't be able to run policy detections. You will, however, be able to run rule detections on the CloudTrail log events.
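For Option 1, here is an added example of what the StackSet-deployed stack looks like and how to roll it out. It is not Panther's published template and not Panther's own code: the Panther AWS account ID, external ID, role name, managed policy and OU IDs are placeholders you must replace with the values your Panther instance gives you. It builds the template, lints the trust policy before it goes org-wide, and prints the AWS CLI commands that create a service-managed StackSet with auto-deployment so new member accounts get the role as they join.

```python
"""Generate the CloudFormation template a StackSet deploys to every member
account so Panther can assume a read-only scanning role.

Added example, not Panther's published template. All IDs below are
assumed placeholders.
"""
import json

PANTHER_AWS_ACCOUNT_ID = "111111111111"                  # assumption: Panther's AWS account
EXTERNAL_ID = "replace-with-panther-external-id"         # assumption: from the Panther wizard
ROLE_NAME = "PantherAuditRole"                           # assumption: any fixed name
READ_ONLY_POLICY_ARN = "arn:aws:iam::aws:policy/SecurityAudit"  # assumption: illustrative scope


def trust_policy(panther_account_id: str, external_id: str) -> dict:
    """Only Panther's account may assume the role, and only when it presents
    the agreed ExternalId (confused-deputy protection for a cross-account role)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{panther_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_template(panther_account_id: str = PANTHER_AWS_ACCOUNT_ID,
                   external_id: str = EXTERNAL_ID,
                   role_name: str = ROLE_NAME) -> dict:
    """A fixed RoleName in every account means the role ARN is derivable from
    the account ID alone, which is all the onboarding wizard asks for."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Read-only role assumed by Panther for cloud resource scanning",
        "Resources": {
            "PantherAuditRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": role_name,
                    "AssumeRolePolicyDocument": trust_policy(panther_account_id, external_id),
                    "ManagedPolicyArns": [READ_ONLY_POLICY_ARN],
                },
            }
        },
        "Outputs": {"RoleArn": {"Value": {"Fn::GetAtt": ["PantherAuditRole", "Arn"]}}},
    }


def check_trust_policy(template: dict) -> list:
    """Lint the role before deploying it org-wide: wildcard principals,
    a missing ExternalId condition, and write-capable managed policies."""
    findings = []
    props = template["Resources"]["PantherAuditRole"]["Properties"]
    for stmt in props["AssumeRolePolicyDocument"]["Statement"]:
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any AWS principal")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append("trust policy has no sts:ExternalId condition")
    for arn in props.get("ManagedPolicyArns", []):
        if arn.endswith(("/AdministratorAccess", "/PowerUserAccess")):
            findings.append(f"overly broad managed policy: {arn}")
    return findings


def stackset_commands(template_path: str, ou_ids: list, region: str) -> list:
    """AWS CLI commands: create a service-managed StackSet with auto-deployment,
    then deploy it to the given OUs. CAPABILITY_NAMED_IAM is required because
    the template sets an explicit RoleName."""
    return [
        "aws cloudformation create-stack-set --stack-set-name panther-audit-role "
        f"--template-body file://{template_path} --capabilities CAPABILITY_NAMED_IAM "
        "--permission-model SERVICE_MANAGED "
        "--auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false",
        "aws cloudformation create-stack-instances --stack-set-name panther-audit-role "
        f"--deployment-targets OrganizationalUnitIds={','.join(ou_ids)} "
        f"--regions {region}",
    ]


if __name__ == "__main__":
    tpl = build_template()
    print(json.dumps(tpl, indent=2))
    for finding in check_trust_policy(tpl):
        print("FINDING:", finding)
    # Assumed OU ID and region.
    for cmd in stackset_commands("panther-audit-role.json", ["ou-root-abc12345"], "us-east-1"):
        print(cmd)
```

Two caveats worth knowing before you run this: a service-managed StackSet does not deploy to the organization's management account, so that account still needs the stack created directly, and IAM is global, so deploy to a single region or you will get a name collision on the second region.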
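For Option 2, here is an added example (not Panther's or AWS's code) of the pieces the single-bucket approach needs: the S3 bucket policy an organization trail requires, the CLI steps that enable trusted access and create the trail, and a small parser showing that the bucket's key layout still identifies which member account produced each log file. The bucket name, management account ID, organization ID, trail name and region are assumed placeholders. The policy shape follows the standard AWS organization-trail bucket policy (ACL check, management-account write, organization write).

```python
"""Bucket policy and setup steps for an organization-wide CloudTrail that
lands every member account's events in one S3 bucket, which Panther then
ingests as a single CloudTrail log source.

Added example. All IDs below are assumed placeholders.
"""
import json
import re

BUCKET = "example-org-cloudtrail"   # assumption
MGMT_ACCOUNT_ID = "123456789012"    # assumption: Organizations management account
ORG_ID = "o-exampleorgid"           # assumption: organization ID
TRAIL_NAME = "org-trail"            # assumption
REGION = "us-east-1"                # assumption: the trail's home region


def trail_arn(region: str, mgmt_account_id: str, name: str) -> str:
    return f"arn:aws:cloudtrail:{region}:{mgmt_account_id}:trail/{name}"


def bucket_policy(bucket: str, mgmt_account_id: str, org_id: str, arn: str) -> dict:
    """Organization trails write under AWSLogs/<org-id>/<account-id>/..., and the
    management account's own events under AWSLogs/<management-account-id>/...,
    so both prefixes need a PutObject grant."""
    def write_stmt(sid: str, prefix: str) -> dict:
        return {
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{prefix}/*",
            # bucket-owner-full-control keeps the objects readable by the bucket
            # owner (and so by Panther's ingest role); aws:SourceArn pins the
            # writer to this trail so another account's trail cannot write here.
            "Condition": {"StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control",
                "aws:SourceArn": arn,
            }},
        }
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": arn}},
            },
            write_stmt("AWSCloudTrailWrite", mgmt_account_id),
            write_stmt("AWSCloudTrailOrganizationWrite", org_id),
        ],
    }


def setup_commands(bucket: str, name: str, region: str) -> list:
    """Run from the management account: enable CloudTrail trusted access in
    Organizations, attach the bucket policy, create the trail, start logging."""
    return [
        "aws organizations enable-aws-service-access --service-principal cloudtrail.amazonaws.com",
        f"aws s3api put-bucket-policy --bucket {bucket} --policy file://bucket-policy.json",
        f"aws cloudtrail create-trail --name {name} --s3-bucket-name {bucket} "
        f"--is-organization-trail --is-multi-region-trail --region {region}",
        f"aws cloudtrail start-logging --name {name} --region {region}",
    ]


# Key layout: AWSLogs/[<org-id>/]<account-id>/CloudTrail/<region>/yyyy/mm/dd/<file>.json.gz
_KEY_RE = re.compile(
    r"^AWSLogs/(?:(?P<org>o-[a-z0-9]+)/)?(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/"
)


def account_from_key(key: str) -> tuple:
    """Return (org_id or None, account_id, region) for a CloudTrail object key,
    handling both the organization-trail and single-account layouts."""
    m = _KEY_RE.match(key)
    if not m:
        raise ValueError(f"not a CloudTrail log key: {key}")
    return m.group("org"), m.group("account"), m.group("region")


if __name__ == "__main__":
    arn = trail_arn(REGION, MGMT_ACCOUNT_ID, TRAIL_NAME)
    print(json.dumps(bucket_policy(BUCKET, MGMT_ACCOUNT_ID, ORG_ID, arn), indent=2))
    print("\n".join(setup_commands(BUCKET, TRAIL_NAME, REGION)))
    # Constructed sample key for an assumed member account.
    print(account_from_key(f"AWSLogs/{ORG_ID}/210987654321/CloudTrail/eu-west-1/2024/05/01/x.json.gz"))
```

Point the Panther S3 log source at the bucket with an `AWSLogs/` prefix filter and the CloudTrail log type; per-account attribution survives in each event's `recipientAccountId`, so one source is enough for rules that need to key on the account.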