7/7/25: Using PantherDeploymentUpdaterRole to automatically manage upgrades to PantherDeploymentRole

Last updated: October 30, 2025

Overview

If you are a Cloud Connected Panther customer, you can now manage upgrades of your PantherDeploymentRole automatically, using an “updater role” named PantherDeploymentUpdaterRole. This setup is currently supported through CloudFormation.

If you'd prefer not to use the updater role, please notify Panther support. To update your PantherDeploymentRole ahead of the Panther release, manually apply the latest CloudFormation template, found here: Download template

Background on PantherDeploymentRole

PantherDeploymentRole is an AWS IAM role Panther uses to deploy Panther (both initially, and during version upgrades). It must remain up-to-date with necessary permissions for deployments to succeed. Without using the PantherDeploymentUpdaterRole, you may need to manually update PantherDeploymentRole before new version upgrades.

You can always track changes to policies attached to PantherDeploymentRole by viewing its CloudFormation template here or by using the Terraform version here.

How PantherDeploymentUpdaterRole works

PantherDeploymentUpdaterRole is created by its own CloudFormation stack, which is installed with a trust relationship and parameters similar to those of the PantherDeploymentRole. Unlike PantherDeploymentRole, however, we expect permission changes to PantherDeploymentUpdaterRole to be rare.

Before Panther performs version upgrades, we will use the PantherDeploymentUpdaterRole to check PantherDeploymentRole and apply permission updates, if necessary.

How to set up PantherDeploymentUpdaterRole

To set up the PantherDeploymentUpdaterRole:

  1. Verify the name of your existing PantherDeploymentRole CloudFormation stack, as this will be used as a parameter when you deploy the template in the next step.

    • The default value is PantherDeploymentRoleStack.

  2. Deploy the CloudFormation template by following the CloudFormation documentation on creating a stack from a template, using either the CloudFormation console or the AWS CLI.

    Be sure to create a new CloudFormation stack—do not import resources into an existing stack.

    • Whichever method you use, you will need the following values:

      • <REGION OF CURRENT PANTHERDEPLOYMENTROLE STACK>: The region where your PantherDeploymentRole is located

      • <STACKNAME>: The name of your existing PantherDeploymentRole CloudFormation stack you verified in Step 1

      • <IDENTITYACCOUNTID>: Value provided by Panther directly

      • <OPSACCOUNTID>: Value provided by Panther directly

    • If you deploy the template using the CloudFormation console, take note of the values above and supply them when you create the stack.

    • If you deploy the template using the AWS CLI, replace the placeholders in the command below with the values above, then run it:

      Example command:

      aws cloudformation create-stack \
           --region <REGION OF CURRENT PANTHERDEPLOYMENTROLE STACK> \
           --stack-name PantherDeploymentUpdaterRoleStack \
           --template-url https://panther-public-cloudformation-templates.s3.us-west-2.amazonaws.com/panther-deployment-updater-role/latest/template.yml \
           --capabilities CAPABILITY_NAMED_IAM \
           --parameters \
               ParameterKey=DeploymentRoleName,ParameterValue=PantherDeploymentRole \
               ParameterKey=IdentityAccountId,ParameterValue=<IDENTITYACCOUNTID> \
               ParameterKey=OpsAccountId,ParameterValue=<OPSACCOUNTID>
  3. (Optional) Ask Panther support to verify the deployment was successful.
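The trust relationship mentioned above is the one property of the updater role worth verifying yourself, because a cross-account role that trusts the wrong principal is a standing path into your account. The following Python script is an added example, not Panther's code: it reads the JSON that `aws cloudformation describe-stacks` and `aws iam get-role --role-name PantherDeploymentUpdaterRole` print, confirms the stack reached CREATE_COMPLETE, and confirms that every principal allowed to assume the role is one of the two Panther account IDs you supplied as IdentityAccountId and OpsAccountId. The sample JSON embedded below is constructed for illustration; the real trust policy may contain additional statements or conditions, so treat this as a baseline check, not a specification of the template.

```python
"""Post-deployment checks for a PantherDeploymentUpdaterRole stack.

Added example, not Panther's code. Feed it the output of
`aws cloudformation describe-stacks --stack-name <name>` and
`aws iam get-role --role-name <role>`; the samples below are constructed.
"""
import json
import re

# Principal forms IAM accepts in a trust policy: a bare account ID or an ARN.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ARN_ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

# Constructed sample: what describe-stacks prints once the stack is created.
SAMPLE_DESCRIBE_STACKS = json.dumps({
    "Stacks": [{
        "StackName": "PantherDeploymentUpdaterRoleStack",
        "StackStatus": "CREATE_COMPLETE",
    }]
})

# Constructed sample: get-role output. The CLI returns the trust policy as a
# decoded JSON object under AssumeRolePolicyDocument. Account IDs are made up.
SAMPLE_GET_ROLE = json.dumps({
    "Role": {
        "RoleName": "PantherDeploymentUpdaterRole",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": [
                    "arn:aws:iam::111111111111:root",
                    "arn:aws:iam::222222222222:root",
                ]},
                "Action": "sts:AssumeRole",
            }],
        },
    }
})


def stack_status(describe_stacks_output: str, stack_name: str) -> str:
    """Return the StackStatus of stack_name from describe-stacks JSON."""
    data = json.loads(describe_stacks_output)
    for stack in data.get("Stacks", []):
        if stack.get("StackName") == stack_name:
            return stack.get("StackStatus", "")
    raise ValueError(f"stack {stack_name!r} not found in output")


def account_id_from_principal(principal: str):
    """Extract the 12-digit account ID from an AWS principal, or None."""
    if ACCOUNT_ID_RE.match(principal):
        return principal
    match = ARN_ACCOUNT_RE.match(principal)
    return match.group(1) if match else None


def trust_policy_findings(trust_policy: dict, allowed_accounts) -> list:
    """List every Allow principal that is not one of allowed_accounts.

    An empty list means the role can only be assumed from the expected
    accounts. Wildcards and unparseable principals are always findings.
    """
    allowed = set(allowed_accounts)
    findings = []
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("wildcard principal '*'")
            continue
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals:
            account = account_id_from_principal(p)
            if p == "*" or account is None or account not in allowed:
                findings.append(f"unexpected principal {p}")
    return findings


def run_checks(describe_stacks_output: str, get_role_output: str,
               stack_name: str, allowed_accounts) -> dict:
    """Combine both checks into one result a script can act on."""
    status = stack_status(describe_stacks_output, stack_name)
    policy = json.loads(get_role_output)["Role"]["AssumeRolePolicyDocument"]
    findings = trust_policy_findings(policy, allowed_accounts)
    return {"stack_ok": status == "CREATE_COMPLETE",
            "status": status, "findings": findings}


if __name__ == "__main__":
    # Replace the samples with real CLI output and your Panther account IDs.
    print(run_checks(SAMPLE_DESCRIBE_STACKS, SAMPLE_GET_ROLE,
                     "PantherDeploymentUpdaterRoleStack",
                     {"111111111111", "222222222222"}))
```

In practice you would pipe real output into this instead of the samples, for example by saving `aws iam get-role --role-name PantherDeploymentUpdaterRole` to a file and loading it; any non-empty findings list means the trust policy names a principal you did not expect and is worth raising with Panther support before the next upgrade window.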