How can I use boto3 in Panther detections?
QUESTION
Is there any template when I want to use boto3 in my Panther detection?
ANSWER
To use boto3 in your detections, you first need a session that assumes the role. To make it available within a detection, create a helper function in a global helper file that gets the credentials, then implement the resource pull in your detection using those credentials.
You can find relevant details in this AWS documentation: Switching to an IAM role (AWS API).
Example
See an example below:
boto3_helper.py
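import boto3


def get_aws_credentials(_=None):
    # The argument is ignored; it is optional so the helper can be called
    # with or without the event.
    sts_client = boto3.client('sts')
    # Assume the role and return its temporary credentials
    # (AccessKeyId, SecretAccessKey, SessionToken, Expiration).
    assumed_role_object = sts_client.assume_role(
        RoleArn="to be populated",
        RoleSessionName="AssumeRoleSession1",
    )
    return assumed_role_object['Credentials']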
Please note that you can find more details about RoleArn, mentioned in the above statement, in step 1 of this article: How can I access my own AWS resources from my Python Detections? Can I store secrets in Panther?
For any resource that you can pull/have access to with your role, you can use the following template to access your AWS account resources.
detection.py
import boto3
from boto3_helper import get_aws_credentials


def rule(event):
    # Temporary credentials for the assumed role, from the global helper.
    credentials = get_aws_credentials(event)
    AWS_REGION = "Populate with your AWS Region"
    s3_resource = boto3.resource(
        's3',
        region_name=AWS_REGION,
        aws_access_key_id=credentials['AccessKeyId'],
        aws_secret_access_key=credentials['SecretAccessKey'],
        aws_session_token=credentials['SessionToken'],
    )
    # Query s3_resource here and return True when the event should alert.
    return False
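The template above calls AssumeRole every time rule() runs. The following added example (not part of the original article or Panther's own code) shows a helper variant that reuses the temporary credentials until they are close to expiry. It assumes the helper module stays loaded between rule() calls; ROLE_ARN, REFRESH_MARGIN, get_cached_credentials and session_kwargs are hypothetical names.

```python
import datetime as dt

# Constructed placeholder; populate with your own role ARN.
ROLE_ARN = "arn:aws:iam::123456789012:role/EXAMPLE-PLACEHOLDER"
# Refresh when less than this much lifetime is left (assumed value).
REFRESH_MARGIN = dt.timedelta(minutes=5)

_cached = None  # last Credentials dict returned by STS


def get_cached_credentials(sts_client=None, now=None):
    """Return role credentials, calling AssumeRole only when the cached
    set is missing or within REFRESH_MARGIN of its Expiration."""
    global _cached
    now = now or dt.datetime.now(dt.timezone.utc)
    if _cached is not None and _cached["Expiration"] - now > REFRESH_MARGIN:
        return _cached
    if sts_client is None:
        import boto3  # lazy import so a stub client can be injected in tests
        sts_client = boto3.client("sts")
    response = sts_client.assume_role(
        RoleArn=ROLE_ARN,
        RoleSessionName="AssumeRoleSession1",
    )
    # boto3 returns Expiration as a timezone-aware datetime.
    _cached = response["Credentials"]
    return _cached


def session_kwargs(credentials, region):
    """Map STS credential fields to boto3.resource()/client() keywords."""
    return {
        "region_name": region,
        "aws_access_key_id": credentials["AccessKeyId"],
        "aws_secret_access_key": credentials["SecretAccessKey"],
        "aws_session_token": credentials["SessionToken"],
    }
```

In a detection, this would be used as `boto3.resource('s3', **session_kwargs(get_cached_credentials(), AWS_REGION))`.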