QUESTION

Do I need to enable Raw Message Delivery when setting up SNS to SQS data ingestion in Panther?

ANSWER

Raw Message Delivery must be enabled for direct SNS to SQS data ingestion in Panther, but it is not required for a S3 to SNS to SQS ingestion setup.

• For direct SNS → SQS ingestion: Raw Message Delivery must be enabled because of how AWS SNS handles message formatting. This ensures the messages are correctly formatted as clean, structured JSON that Panther can process. Without Raw Message Delivery, the JSON structure would not match what Panther expects, preventing it from applying the appropriate schema.

• For S3 → SNS → SQS ingestion: Raw Message Delivery is not required. When AWS S3 sends notifications (such as when a new file is uploaded), it automatically formats and sends the message as structured JSON.

For more information about setting up SNS/SQS data sources, see Panther's SNS to SQS documentation.