How do I get copies of logs from Panther S3 buckets into my own AWS account S3 buckets?

Last updated: August 22, 2024

QUESTION

 How do I mirror the Panther S3 bucket where my logs live into my own AWS account?

ANSWER

  1. Contact Panther Support to request your Panther log data to be pushed to your S3 bucket. Provide the name of the bucket and the AWS account ID the bucket exists in.

  2. Apply this bucket policy to that bucket (replacing "destination" with the name of the bucket)

{
    "Version":"2012-10-17",
    "Id":"",
    "Statement":[
        {
            "Sid":"Set permissions for objects",
            "Effect":"Allow",
            "Principal":{
                "AWS":"arn:aws:iam::<Your_Panther_AWS_Account_ID>:role/panther-data-replication-role-<Your_Panther_AWS_Region>"
            },
            "Action":["s3:ReplicateObject", "s3:ReplicateDelete"],
            "Resource":"arn:aws:s3:::destination/*"
        },
        {
            "Sid":"Set permissions on bucket",
            "Effect":"Allow",
            "Principal":{
                "AWS":"arn:aws:iam::<Your_Panther_AWS_Account_ID>:role/panther-data-replication-role-<Your_Panther_AWS_Region>"
            },
            "Action":["s3:List*", "s3:GetBucketVersioning", "s3:PutBucketVersioning"],
            "Resource":"arn:aws:s3:::destination"
        }
    ]
}

Panther will then provision the bucket replication.