When trying to set up an S3 log source in Panther, my SNS topic needs to subscribe to Panther's SQS queue, but this subscription is stuck in "pending confirmation." How do I get this confirmation to succeed?
In general, if you are setting the SNS subscription on your own, you need to have already onboarded the S3 source for the SNS Subscription to be confirmed. As an alternative to the above guidelines, you can also take a look at the following steps:
Create the IAM role that Panther will use to read data from your account, but not yet the subscription! Keep note of the ARN of the IAM role you created.
Go through the Panther onboarding flow in the UI for S3 log sources.
Select I want to setup everything on my own .
Enter the IAM role ARN you created in Step 1.
Now, create the SNS subscription in Terraform.
This "pending confirmation" issue can occur when you try to configure a log source from a new AWS account and when:
You try to set up everything manually
You try to create the log source using a developer workflow method, i.e., with Terraform or the Panther API
Panther tracks internally which AWS accounts are allowed to have a subscription with its SNS topic. Panther only allows accounts to subscribe to its SNS topic if that AWS account has a log source in Panther.
This is not an issue if you use the "Launch Template in UI" option, as that option will automate the whole process for you. But for manual log source creation, you would need to ensure that the log source exists in Panther before the SNS -> SQS subscription is attempted.
This is only necessary for your first log source in a new AWS account. Subsequent log sources in the same AWS account can be created manually, or via any automation you wish as long as the SNS -> SQS subscription has been confirmed from the initial log source creation.
Last but not least, we support cross-region subscriptions, so if your Panther account is set up on one region and your SNS topic is on a different region shouldn’t cause issues.