I've worked through the steps to set up a role for allowing the Panther detections engine to use my secrets in AWS. Is it possible to assume multiple roles like this, in a single detection? For example, if I had a role for multiple AWS accounts (one role to access information from each account), could one detection assume all of these roles?
Technically yes, it's possible to assume multiple roles in a single detection. For example, you could iterate through each AWS account, spin up a Boto3 session for that one, then when that's done, do a new Boto3 session for the next account, and so on.
We generally recommend sticking to a single assumable role, because:
• Detections time out after about 30 seconds, so detection code is unlikely to successfully check very many accounts, due to the time required to manage API calls etc. This could be worked around by using a separate detection for each account, allowing for multiple AWS accounts to be accounted for, but resulting in more than one.
• Configuring all of your AWS accounts with new roles and attaching those roles to the Panther detections engine is a manual process. But if you're careful, and willing to spend the time on it, this can also be ok.
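As an added example (not Panther's code or the answer author's), here is the per-account loop the answer sketches: one STS AssumeRole and one Boto3 session per account, executed in turn, with a wall-clock budget so the detection stops and reports which accounts it could not reach instead of hitting the ~30 second timeout. The account IDs and role ARNs are constructed placeholders, `check_fn` stands for whatever per-account lookup your detection actually needs, and the `assume_fn`/`clock` parameters exist only so the budget logic can be exercised without real AWS credentials.

```python
"""
Added example: assume one role per AWS account inside a single detection,
bounded by a time budget. Not Panther's code; account IDs and ARNs below are
constructed placeholders.
"""
import time

# Constructed placeholders: one assumable role per account (replace with yours).
ACCOUNT_ROLES = {
    "111111111111": "arn:aws:iam::111111111111:role/panther-detection-reader",
    "222222222222": "arn:aws:iam::222222222222:role/panther-detection-reader",
    "333333333333": "arn:aws:iam::333333333333:role/panther-detection-reader",
}

# Stay well under the ~30 s detection timeout the answer mentions, leaving
# headroom for the rest of the rule to finish and return.
TIME_BUDGET_SECONDS = 20.0


def assume_role_session(role_arn, session_name="panther-detection"):
    """Assume role_arn via STS and return a Boto3 session holding its credentials.

    Short connect/read timeouts and a single attempt keep one unreachable
    account from consuming the whole budget. boto3 is imported here so the
    budget logic below stays importable without it.
    """
    import boto3
    from botocore.config import Config

    cfg = Config(connect_timeout=3, read_timeout=5, retries={"max_attempts": 1})
    sts = boto3.client("sts", config=cfg)
    creds = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


def check_accounts(account_roles, check_fn, assume_fn=assume_role_session,
                   budget=TIME_BUDGET_SECONDS, clock=time.monotonic):
    """Visit each account in order: assume its role, run check_fn(session), collect the result.

    Once the budget is spent, remaining accounts are recorded as skipped rather
    than attempted, so the rule returns partial results instead of timing out.
    Returns (results_by_account_id, skipped_account_ids).
    """
    deadline = clock() + budget
    results, skipped = {}, []
    for account_id, role_arn in account_roles.items():
        if clock() >= deadline:
            skipped.append(account_id)
            continue
        session = assume_fn(role_arn)
        results[account_id] = check_fn(session)
    return results, skipped


def any_account_flagged(results):
    """Aggregate per-account booleans into the single verdict a rule returns."""
    return any(bool(v) for v in results.values())


if __name__ == "__main__":
    # Live usage (needs AWS credentials that may assume the roles above):
    # confirm each assumed session really lands in the expected account.
    hits, missed = check_accounts(
        ACCOUNT_ROLES,
        lambda s: s.client("sts").get_caller_identity()["Account"],
    )
    print("reached:", hits)
    print("skipped for time:", missed)
```

Treat a non-empty `skipped` list as a signal in its own right: if it is regularly non-empty, the account set has outgrown one detection and the per-account split the answer describes is the safer layout.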