QUESTION

Is there any template when I want to use boto3 in my Panther detection?

ANSWER

When using boto3 in your detections, you first need a session that assumes the role. To access it within a detection, create a helper function in a global helper file that gets the credentials, then implement the resource pull in the detection itself.

You can find relevant details in this AWS documentation: Switching to an IAM role (AWS API).

Example

See an example below:

boto3_helper.py
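import boto3


def get_aws_credentials():
    # Call STS to assume the role and return its temporary credentials
    # (a dict with AccessKeyId, SecretAccessKey, SessionToken and Expiration).
    sts_client = boto3.client('sts')
    assumed_role_object = sts_client.assume_role(
        RoleArn="to be populated",
        RoleSessionName="AssumeRoleSession1",
    )
    return assumed_role_object['Credentials']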

Please note that you can find more details about the RoleArn used in the helper above in step 1 of this article: How can I access my own AWS resources from my Python Detections? Can I store secrets in Panther?

For any resource that you can pull/have access to with your role, you can use the following template to access your AWS account resources.

detection.py
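import boto3
from boto3_helper import get_aws_credentials


def rule(event):
    # Temporary credentials for the assumed role
    credentials = get_aws_credentials()

    AWS_REGION = "Populate with your AWS Region"

    s3_resource = boto3.resource(
        's3',
        region_name=AWS_REGION,
        aws_access_key_id=credentials['AccessKeyId'],
        aws_secret_access_key=credentials['SecretAccessKey'],
        aws_session_token=credentials['SessionToken'],
    )

    # Use s3_resource here to pull the data your detection logic needs.
    # Placeholder result: return True when the event should raise an alert.
    return False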
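
The helper in boto3_helper.py calls AssumeRole every time `rule()` runs. The following is an added example (not Panther's own code) of a `get_aws_credentials()` variant that reuses the temporary credentials until shortly before their `Expiration`. Assumptions: module-level state persists between rule invocations, and the five-minute margin, the `sts_client`/`now` parameters, `FakeSTS` and `demo()` are illustrative names that do not come from the original page.

```python
from datetime import datetime, timedelta, timezone

ROLE_ARN = "to be populated"           # placeholder, as in boto3_helper.py
REFRESH_MARGIN = timedelta(minutes=5)  # assumption: renew 5 minutes before expiry
_cached = None                         # last Credentials dict returned by STS


def credentials_valid(credentials, now=None):
    """True when credentials exist and expire later than the refresh margin."""
    if not credentials:
        return False
    now = now or datetime.now(timezone.utc)
    return credentials["Expiration"] - now > REFRESH_MARGIN


def get_aws_credentials(sts_client=None, now=None):
    """Return role credentials, calling AssumeRole only when the cache is stale."""
    global _cached
    if credentials_valid(_cached, now):
        return _cached
    if sts_client is None:
        import boto3  # lazy import keeps the module loadable without boto3
        sts_client = boto3.client("sts")
    response = sts_client.assume_role(
        RoleArn=ROLE_ARN, RoleSessionName="AssumeRoleSession1")
    _cached = response["Credentials"]
    return _cached


class FakeSTS:
    """Constructed offline stand-in for the STS client (not a boto3 class)."""
    def __init__(self, expires_at):
        self.calls, self.expires_at = 0, expires_at
    def assume_role(self, RoleArn, RoleSessionName):
        self.calls += 1
        return {"Credentials": {
            "AccessKeyId": "ASIA-CONSTRUCTED", "SecretAccessKey": "constructed",
            "SessionToken": "constructed", "Expiration": self.expires_at}}


def demo():
    """Three lookups over one hour of constructed time; returns AssumeRole calls."""
    global _cached
    _cached = None
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    sts = FakeSTS(expires_at=t0 + timedelta(hours=1))
    get_aws_credentials(sts, now=t0)                          # cache empty: call
    get_aws_credentials(sts, now=t0 + timedelta(minutes=30))  # cache hit
    get_aws_credentials(sts, now=t0 + timedelta(minutes=56))  # 4 min left: renew
    return sts.calls
```

In a detection, call `get_aws_credentials()` with no arguments; the `sts_client` and `now` parameters exist only so the caching logic can be exercised without AWS access.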