AWS Onboarding

Panoptica’s frictionless solution scans your cloud resources, including virtual machines, containers, and serverless deployments. Integration is agentless, secure, and easy to set up. Using read-only roles, Panoptica can connect to a single AWS account, or to an entire organization (in Advanced Mode). This enables Panoptica to scan your resources, analyze the configurations, and maintain your cloud security posture.

📘

Note:

Sufficient privileges to your AWS environment are required to deploy Panoptica.
We recommend using an AdministratorAccess policy on the role selected to deploy this script, because the CloudFormation stack creates IAM roles and policies. This deployment role is separate from the roles the stack creates for Panoptica to assume.
For details on the privileges required, see AWS Onboarding - Roles, Policies, and Permissions.

To connect your AWS accounts using the Panoptica console UI, select Settings in the main navigation pane, then the Accounts tab. Choose Amazon Web Services, and follow the on-screen steps, which are detailed below.

To connect your AWS accounts using Terraform, please see AWS Onboarding with Terraform.

Onboarding Steps

First decide whether you want to deploy Panoptica in Simple Mode or Advanced Mode.

Both methods deploy a CloudFormation Stack to scan your workloads and serverless functions for CVEs, malware, and weak local user passwords. Advanced Mode adds the option of connecting to an entire AWS Organization, as well as the ability to customize the scan of your workloads and serverless functions.


Simple Mode


  1. In Simple Mode, Panoptica can only connect to a single AWS account, so Deploy single account is pre-selected.
  2. Type the Account Name as you want it to appear in Panoptica's console.
  3. Select your region from the drop-down box.
  4. Decide whether you want to enable automatic data scanning, to identify PII, PCI, PHI, or secret data in your environment. See Data Type Classification for details. (This feature is in preview.)
  5. Once all fields are complete, the blue Launch Stack button will light up. Click Launch Stack to open the CloudFormation template in your AWS environment.

🚧

Disable Popup Blocker

If you are running a Popup Blocker, please disable it before clicking Launch Stack

  1. Leave the default settings in the CloudFormation − Create Stack screen, and check the box beside I acknowledge that AWS CloudFormation might create IAM resources.
  2. Click Create stack.
  3. Wait a few minutes for the Stack creation to complete. Completion is indicated in the Panoptica platform as well as in AWS.

Once the Stack is deployed, Panoptica will start scanning your AWS resources.


Advanced Mode

  1. In Advanced Mode, Panoptica can connect to a single AWS account, or an AWS organization. Start by choosing the deployment type: Deploy single account or Deploy AWS organization.


  2. Type the Account Name as you want it to appear in Panoptica's console.

  3. Choose your region from the drop-down box.

  4. In Advanced Mode, you can configure how Panoptica executes workload scans. This is the step where you choose your scanning preferences.

    • Enabling Workload Scanning scans your AWS resources for CVEs and malware, as well as local user accounts in your VMs with weak passwords.
      To minimize impact on your environment, Panoptica does not scan the live volumes: it takes a snapshot of the EBS volumes attached to the EC2 instances, then copies and converts those snapshots to new EBS volumes, which are what gets scanned.
      You can choose where the snapshots are scanned.
      • Selecting External scan scans the snapshots in an external Panoptica account. This consumes fewer resources in your own environment, but your snapshot data is read from outside it: the snapshots are shared with the external account, not copied.
      • Selecting Internal Scan scans the snapshots using a dedicated account in your environment. This improves performance and keeps your data local.
        If you select Internal Scan, you'll need to provide the Account ID of the account where the scanning will take place.
    • Enabling Serverless Scanning scans your Lambda functions, using a dedicated Panoptica Lambda.
    • Enabling Data Scanning automatically identifies PII, PCI, PHI, or secret data in your environment. See Data Type Classification for details.

🚧

Important

New AWS accounts have reduced concurrency and memory quotas for Lambda functions. AWS raises these quotas automatically based on your usage.
However, if you experience any performance issues, you may need to reserve or provision additional resources for Panoptica's Lambda function.

See the following AWS guides for additional information and assistance:

  1. Once all fields are complete, the blue Launch Stack button will light up. Click Launch Stack to open the CloudFormation template in your AWS environment in a new browser tab. It's best to make sure you're logged into your AWS account beforehand.

🚧

Disable Popup Blocker

If you are running a Popup Blocker, please disable it before clicking Launch Stack

All of the relevant parameters will be pre-loaded in the AWS CloudFormation − Create Stack screen, according to the information you provided in Panoptica's onboarding procedure.

  1. Leave the default settings, and check the box beside I acknowledge that AWS CloudFormation might create IAM resources.
  2. Click Create stack.
  3. Wait a few minutes for the Stack creation to complete. Completion is indicated in the Panoptica platform as well as in AWS.

Once the Stack is deployed, Panoptica will start scanning your AWS resources.
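If you enabled Workload Scanning with External scan, the snapshots of your EBS volumes are shared with an account outside your own. A practitioner will want to confirm that those shares go only to the scanning account you approved and that no snapshot has been made public. The following Python script is an added example written for this page, not Panoptica's own code. The account ID in EXPECTED_SCAN_ACCOUNTS and the SAMPLE_PERMISSIONS data are constructed placeholders; the live mode assumes boto3 is installed and AWS credentials with ec2:DescribeSnapshots and ec2:DescribeSnapshotAttribute are available.

```python
"""Audit which accounts can create volumes from your EBS snapshots.

Added example for this page, not Panoptica's own code. With External scan the
snapshots are shared with an external scanning account rather than copied, so
this script lists every snapshot the account owns that is shared outside it and
flags shares that are public or that go to an account other than the one you
expect. The account ID and sample data below are constructed placeholders.
"""
from __future__ import annotations

# Hypothetical placeholder: the external scanning account you approved.
EXPECTED_SCAN_ACCOUNTS = {"111122223333"}


def audit_snapshot_shares(snapshot_id: str, create_volume_permissions: list[dict],
                          allowed_accounts: set[str]) -> list[str]:
    """Return findings for one snapshot's createVolumePermission list.

    `create_volume_permissions` has the shape returned by
    ec2.describe_snapshot_attribute(Attribute="createVolumePermission"):
    [{"UserId": "123456789012"}, {"Group": "all"}, ...]
    """
    findings = []
    for perm in create_volume_permissions:
        if perm.get("Group") == "all":
            findings.append(f"{snapshot_id}: PUBLIC (Group=all), anyone can copy it")
        elif "UserId" in perm and perm["UserId"] not in allowed_accounts:
            findings.append(f"{snapshot_id}: shared with unexpected account {perm['UserId']}")
    return findings


def audit_account(permissions_by_snapshot: dict[str, list[dict]],
                  allowed_accounts: set[str]) -> dict[str, list[str]]:
    """Run audit_snapshot_shares over many snapshots; only snapshots with findings are returned."""
    result = {}
    for snap_id, perms in permissions_by_snapshot.items():
        findings = audit_snapshot_shares(snap_id, perms, allowed_accounts)
        if findings:
            result[snap_id] = findings
    return result


# Constructed sample data in the shape of describe_snapshot_attribute output.
SAMPLE_PERMISSIONS = {
    "snap-0aaa": [{"UserId": "111122223333"}],                              # expected share only
    "snap-0bbb": [{"UserId": "111122223333"}, {"UserId": "999999999999"}],  # extra account
    "snap-0ccc": [{"Group": "all"}],                                         # public
    "snap-0ddd": [],                                                         # not shared
}


def fetch_live_permissions(region: str) -> dict[str, list[dict]]:
    """Collect createVolumePermission for every snapshot the account owns (needs boto3 + credentials)."""
    import boto3  # imported here so the pure audit functions above run without boto3
    ec2 = boto3.client("ec2", region_name=region)
    out = {}
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        for snap in page["Snapshots"]:
            attr = ec2.describe_snapshot_attribute(SnapshotId=snap["SnapshotId"],
                                                   Attribute="createVolumePermission")
            out[snap["SnapshotId"]] = attr.get("CreateVolumePermissions", [])
    return out


if __name__ == "__main__":
    import sys
    perms = fetch_live_permissions(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PERMISSIONS
    for snap_id, findings in audit_account(perms, EXPECTED_SCAN_ACCOUNTS).items():
        print("\n".join(findings))
```

Run it with a region name as the first argument to audit a real account, or with no arguments to see the findings on the constructed sample. Any snapshot reported as PUBLIC should be fixed immediately with `aws ec2 modify-snapshot-attribute --snapshot-id <id> --attribute createVolumePermission --operation-type remove --group-names all`.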

AWS Organization

If you selected Deploy AWS organization in Step 1, you will see additional steps for launching a CloudFormation StackSet after the initial stack creation has completed.

  1. Once the Stack creation is complete, the Launch StackSet button will become active (blue) in the Panoptica console. Click Launch StackSet to open the CloudFormation StackSet template in your AWS environment.
  2. Select the PanopticaSecurityAudit StackSet.
  3. Click Actions on the top-left, and select Add stacks to StackSet.
  4. Select the deployment targets. We recommend deploying to the entire Organization.
  5. Then select the us-east-1 region and click Next.
  6. Check the box beside I acknowledge that AWS CloudFormation might create IAM resources.
  7. Click Submit.

For more details, please see AWS Organization Onboarding.

Once the StackSet is deployed, Panoptica will start scanning your AWS resources.

📘

Roles and permissions

See AWS Onboarding - Roles, Policies, and Permissions for details concerning the roles and policies created when connecting your AWS account to Panoptica.
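Because onboarding creates IAM roles that an external account assumes, it is worth reviewing each role's trust policy once the stack is deployed: it should name only the expected account and require an sts:ExternalId, so that no third party can make that account assume the role on their behalf (the confused-deputy problem). The following Python script is an added example written for this page, not Panoptica's own code. The account ID in EXPECTED_ACCOUNTS, the SAMPLE_ROLES policies, and the stack name you pass on the command line are constructed placeholders; the live mode assumes boto3 and credentials with cloudformation:ListStackResources and iam:GetRole.

```python
"""Review the trust policies of the IAM roles a CloudFormation stack created.

Added example for this page, not Panoptica's own code. For each role the stack
created, the script checks that only the expected account can assume it, that
no wildcard principal is trusted, and that assumption requires sts:ExternalId.
The account ID and sample policies below are constructed placeholders.
"""
from __future__ import annotations

import re

# Hypothetical placeholder: the account you expect the roles to trust.
EXPECTED_ACCOUNTS = {"111122223333"}

# Matches a bare account ID, an account root ARN, or any IAM ARN in that account.
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")


def _aws_principals(statement: dict) -> list[str]:
    """Flatten the AWS principal(s) of one statement into a list of strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def _requires_external_id(statement: dict) -> bool:
    cond = statement.get("Condition", {})
    return any("sts:ExternalId" in cond.get(op, {})
               for op in ("StringEquals", "StringEqualsIgnoreCase"))


def audit_trust_policy(role_name: str, doc: dict, expected_accounts: set[str]) -> list[str]:
    """Return findings for one AssumeRolePolicyDocument (empty list means it looks right)."""
    findings = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        for p in _aws_principals(st):
            if p == "*":
                findings.append(f"{role_name}: wildcard principal can assume the role")
                continue
            m = ACCOUNT_RE.match(p)
            if not m:
                continue  # not an account-style principal (e.g. a service principal)
            acct = m.group(1)
            if acct not in expected_accounts:
                findings.append(f"{role_name}: trusts unexpected account {acct}")
            if not _requires_external_id(st):
                findings.append(f"{role_name}: account {acct} can assume it without sts:ExternalId")
    return findings


def audit_roles(docs: dict[str, dict], expected_accounts: set[str]) -> dict[str, list[str]]:
    """Audit many roles; only roles with findings appear in the result."""
    out = {}
    for name, doc in docs.items():
        findings = audit_trust_policy(name, doc, expected_accounts)
        if findings:
            out[name] = findings
    return out


# Constructed sample policies in the shape of iam.get_role(...)["Role"]["AssumeRolePolicyDocument"].
SAMPLE_ROLES = {
    "GoodAuditRole": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]},
    "LegacyScannerRole": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["sts:AssumeRole"],
        "Principal": {"AWS": ["arn:aws:iam::111122223333:root", "999999999999"]}}]},
    "OpenRole": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]},
}


def fetch_stack_role_trust_policies(stack_name: str, region: str) -> dict[str, dict]:
    """Pull the trust policy of every IAM role in the stack (needs boto3 and credentials)."""
    import boto3  # imported here so the pure audit functions run without boto3
    cfn = boto3.client("cloudformation", region_name=region)
    iam = boto3.client("iam")
    docs = {}
    for page in cfn.get_paginator("list_stack_resources").paginate(StackName=stack_name):
        for res in page["StackResourceSummaries"]:
            if res["ResourceType"] == "AWS::IAM::Role":
                name = res["PhysicalResourceId"]
                docs[name] = iam.get_role(RoleName=name)["Role"]["AssumeRolePolicyDocument"]
    return docs


if __name__ == "__main__":
    import sys
    docs = fetch_stack_role_trust_policies(sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else SAMPLE_ROLES
    for role, findings in audit_roles(docs, EXPECTED_ACCOUNTS).items():
        print("\n".join(findings))
```

Run it as `python audit_trust.py <stack-name> <region>` against a real stack, or with no arguments to see the findings on the constructed sample. Trust policies that reference service principals (for example, the Lambda service for the serverless scanner) are skipped, since the check is about cross-account access; review those separately against the permissions page linked above.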