How do I configure AWS Trust Policy for Panther Integration
Last updated: December 19, 2024
Question
Panther uses a fully isolated single-tenant deployment model, so an external ID is not needed to prevent the confused deputy problem. Even so, you can configure a more specific AWS trust policy for defense in depth. How do I set up a tighter-scoped role for granting AWS role assumption to Panther?
ANSWER
To configure a more specific AWS trust policy for the Panther integration, set the following policy document as the IAM role's trust relationship (its trust policy):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<panther-master-account-id>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::<panther-master-account-id>:role/panther-Core-*",
            "arn:aws:iam::<panther-master-account-id>:role/panther-log-processor-*",
            "arn:aws:iam::<panther-master-account-id>:role/panther-source-api-*",
            "arn:aws:iam::<panther-master-account-id>:role/panther-data-archiver-*",
            "arn:aws:iam::<panther-master-account-id>:role/panther-holding-tank-*"
          ]
        },
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}
Important considerations:
- Replace <panther-master-account-id> with the actual Panther master account ID provided to you.
- Make sure you trust all the roles prefixed with panther- from the master account. Every entry must end with a * wildcard: StringLike treats a pattern without * or ? as an exact, case-sensitive match, so a pattern ending in role/panther-Core- would never match a role named panther-Core-<suffix>.
- The aws:PrincipalArn condition is what narrows access. On its own, the Principal element trusts every principal in the Panther master account; the condition limits role assumption to the panther- roles. Because aws:PrincipalArn resolves to the role's ARN even when the call is made with assumed-role session credentials, matching on the role/panther-... prefixes is sufficient.
- Using a reduced-scope policy may cause issues when new ingestion features are released: a new Panther role whose name is not covered by these patterns would be denied sts:AssumeRole. Include all the role patterns shown in the example, not just the ones you currently see in use.
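The following script is an added example, not Panther's own code or tooling. It renders the trust policy above for a given master account ID and then evaluates the StringLike condition locally, the way STS would for a caller role ARN, so you can check which roles would be allowed before deploying the policy. The role-name prefixes are the ones listed on this page; the 12-digit account ID and the caller ARNs used in the usage block are constructed placeholders, and the evaluator only understands the single-statement shape produced here.

```python
"""Render and locally sanity-check the scoped Panther trust policy.

Added example, not Panther's code. The role prefixes are the ones from the
page; the account ID and caller ARNs used below are constructed placeholders.
"""
import json
import re

# Role-name prefixes from the trust policy on this page. Each gets a trailing
# '*' so that StringLike matches the suffixed role names Panther actually uses.
PANTHER_ROLE_PREFIXES = (
    "panther-Core-",
    "panther-log-processor-",
    "panther-source-api-",
    "panther-data-archiver-",
    "panther-holding-tank-",
)


def render_trust_policy(master_account_id: str) -> dict:
    """Build the trust policy document for the given Panther master account."""
    if not re.fullmatch(r"\d{12}", master_account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    role_arns = [
        f"arn:aws:iam::{master_account_id}:role/{prefix}*"
        for prefix in PANTHER_ROLE_PREFIXES
    ]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "",
            "Effect": "Allow",
            # Root of the account trusts every principal in that account; the
            # aws:PrincipalArn condition below is what narrows it to panther- roles.
            "Principal": {"AWS": f"arn:aws:iam::{master_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringLike": {"aws:PrincipalArn": role_arns},
                "Bool": {"aws:SecureTransport": "true"},
            },
        }],
    }


def _string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive, '*' matches any run of
    characters, '?' matches exactly one. No other metacharacters."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def can_assume(policy: dict, caller_role_arn: str) -> bool:
    """Approximate STS evaluation of this trust policy for a caller role.

    aws:PrincipalArn is the role's ARN (not the assumed-role session ARN), so
    the caller is identified by its role ARN. Only Allow statements of the
    shape produced by render_trust_policy are handled.
    """
    caller_account = caller_role_arn.split(":")[4]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        # Principal check: the caller must belong to the trusted account.
        trusted_account = stmt["Principal"]["AWS"].split(":")[4]
        if caller_account != trusted_account:
            continue
        # Condition check: role ARN must match one of the StringLike patterns.
        patterns = stmt["Condition"]["StringLike"]["aws:PrincipalArn"]
        if any(_string_like(p, caller_role_arn) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    policy = render_trust_policy("111111111111")  # constructed placeholder ID
    print(json.dumps(policy, indent=2))
    for arn in (
        "arn:aws:iam::111111111111:role/panther-Core-abc123",
        "arn:aws:iam::111111111111:role/panther-core-abc123",  # wrong case
        "arn:aws:iam::222222222222:role/panther-Core-abc123",  # wrong account
        "arn:aws:iam::111111111111:role/some-other-role",
    ):
        print(f"{arn}: {'allowed' if can_assume(policy, arn) else 'denied'}")
```

The evaluator is useful mainly for catching the two mistakes that silently break this policy: a pattern that lost its trailing * (it then only matches a role literally named panther-Core-) and a case mismatch in a prefix, since StringLike is case-sensitive. Dropping the wildcard from a pattern and re-running can_assume shows the denial immediately.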
This configuration allows for a more specific trust policy while still maintaining the necessary access for Panther's functionality.
For more information on Panther's security model and why an external ID is not required, you can refer to our documentation on security without AWS external ID.