Connect AWS Account

Connect accounts

In order to protect your serverless functions in AWS, you simply configure Panoptica in your cloud account. Each AWS region with functions must be added as a separate account.

Connect a single account

These steps will connect a single AWS account to Panoptica. In the process, the Panoptica scanner will be deployed to the account using an AWS CloudFormation Stack. Once connected, the account can be assessed by Panoptica.

  1. Navigate to the SERVERLESS page, and click Connect account on the CLOUD ACCOUNTS tab.
  2. Select AWS as your provider, and choose 'Single Account'. Click DEPLOY.
  3. You will be redirected to your AWS account and prompted to create a CloudFormation stack. Check the box I acknowledge that AWS CloudFormation might create IAM resources with custom names, and then click Create stack.

The stack will deploy the Panoptica scanner in your account, and review your functions for any threats or vulnerabilities.

Connect multiple accounts

These steps will connect several AWS accounts (part of the same organization) to Panoptica. Once connected, each account is scanned and managed separately in Panoptica. The process uses AWS CloudFormation Stacks and StackSets, which must be set up in your account (see Prerequisites for stack set operations).

Each region to be scanned should be added as a separate account.

  1. Navigate to the Serverless page, and click Connect account on the CLOUD ACCOUNTS tab.
  2. Select AWS as your provider, and choose 'Multiple Accounts'.
  3. Copy the external ID presented on the screen, as it is used in later steps. Click SEE DOCUMENTATION to return to these instructions. The remaining steps are performed on AWS.

  1. Connect to your AWS management (master) account as an admin. See Organizations terminology and concepts for details about Organizations in AWS.
  2. Navigate to CloudFormation, then select StackSets. Click Create StackSet. Ignore any AWS warnings about an AdministratorAccess policy being attached to an IAM role; this is part of the StackSet setup.
  3. Optionally, select or change the AWS region (in the upper right corner).
  4. In the Create StackSet dialog, Step 1 (Choose a template), make these selections:
    1. Select (or leave selected) Service managed permissions in Permissions.
    2. Select Template is ready.
    3. For Template source, select Amazon S3 URL, and enter this URL https://us-securecn.s3.amazonaws.com/production-template.json
    4. Click Next.

  5. In Step 2 (Specify StackSet details), enter a StackSet name and description.
  6. Paste the external ID value, copied above, in the ExternalID field.
  7. Click Next.
  8. In Step 3 (Configure options), click Next (no options are selected here).
  9. In Step 4 (Set deployment options), select (or leave selected) Deploy new stacks.
  10. For Deployment targets, select Deploy to organization (recommended). This deploys to the entire organization. Alternatively, to deploy to selected organizational units, do not select Deploy to organization. Instead, navigate to the AWS Organizations page, and select Organize accounts. Then enter the specific AWS Organizational Unit IDs (the ID is shown in the top right).
  11. For Auto deployments, leave the default settings unchanged.
  12. For Specify regions, select specific AWS regions.
  13. For large environments, set the following:
    1. Set Maximum concurrent accounts to Percentage, and set it to 50 (%).
    2. Set the Failure tolerance to Percentage, and set it to 50 (%).
    3. Change Region Concurrency to Parallel.
    4. Click Next.
  14. On the Review page, select I acknowledge that AWS CloudFormation might create IAM resources with custom names, and then click Submit.

The StackSet will deploy the Panoptica scanner in your account, and review your functions for any threats or vulnerabilities.
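The console procedure above can also be driven from the AWS CLI, which is useful when the same StackSet has to be created for several regions or re-created after a change. The script below is an added example, not Panoptica's own tooling: it creates the StackSet from the template URL given above with service-managed permissions, passes the external ID as the ExternalID parameter, and then creates the stack instances with the "large environment" operation preferences (50% concurrency, 50% failure tolerance, parallel regions). Assumptions: the AWS CLI is installed and authenticated against the management account, the template's parameter key is ExternalID (matching the console field), and the auto-deployment values shown correspond to the console defaults. By default the script only prints the commands (DRY_RUN=1); set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example (not Panoptica's code): StackSet creation via the AWS CLI.
set -eu

TEMPLATE_URL="https://us-securecn.s3.amazonaws.com/production-template.json"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only; 0 = run them

# run: execute a command, or print it when in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# validate_external_id: reject empty or whitespace-containing values so a
# bad paste cannot produce a scanner role that trusts the wrong external ID.
validate_external_id() {
    case "$1" in
        ""|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# operation_preferences: the "large environment" settings from the steps above.
operation_preferences() {
    printf 'MaxConcurrentPercentage=50,FailureTolerancePercentage=50,RegionConcurrencyType=PARALLEL'
}

# create_panoptica_stackset NAME EXTERNAL_ID OU_IDS REGIONS
#   OU_IDS  : comma-separated OU IDs; pass the organization root ID (r-...)
#             to deploy to the entire organization.
#   REGIONS : space-separated list of regions to scan.
create_panoptica_stackset() {
    name="$1"; external_id="$2"; ou_ids="$3"; regions="$4"
    validate_external_id "$external_id" || { echo "invalid external ID" >&2; return 1; }

    # Step 1-2 of the console flow: template, permissions model, ExternalID.
    # Auto-deployment values assumed to match the console defaults.
    run aws cloudformation create-stack-set \
        --stack-set-name "$name" \
        --description "Panoptica serverless scanner" \
        --template-url "$TEMPLATE_URL" \
        --parameters "ParameterKey=ExternalID,ParameterValue=$external_id" \
        --permission-model SERVICE_MANAGED \
        --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \
        --capabilities CAPABILITY_NAMED_IAM

    # Step 4 of the console flow: targets, regions, operation preferences.
    # shellcheck disable=SC2086  (word-splitting of $regions is intended)
    run aws cloudformation create-stack-instances \
        --stack-set-name "$name" \
        --deployment-targets "OrganizationalUnitIds=$ou_ids" \
        --regions $regions \
        --operation-preferences "$(operation_preferences)"
}

# Example invocation with placeholder values (dry-run prints both commands):
# create_panoptica_stackset panoptica-scanner "<external-id-from-panoptica>" "r-abcd" "us-east-1 eu-west-1"
```

Run it with DRY_RUN=1 first and check that the printed create-stack-set call carries the external ID you copied from Panoptica; only then rerun with DRY_RUN=0. Both commands are asynchronous, so follow up with `aws cloudformation describe-stack-set-operation` to confirm the instances reached SUCCEEDED before expecting the account to show as Installed.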

View Connected Accounts

The new account will appear in the CLOUD ACCOUNTS tab of the Serverless page in the Panoptica platform, with status 'Installed'.

Panoptica will automatically scan the configuration of your serverless functions in AWS for any potential security threats. Panoptica will also scan the dependencies that your code uses for any vulnerabilities. The first assessment will be triggered at deployment.

Panoptica will continue to monitor the configuration for any changes, and update the threats identified accordingly.