Prerequisites

Requirements before installing the protector.

    AWS Services

    The following table describes the AWS services that may be a part of your Protegrity installation.

    | Service | Description |
    |---|---|
    | Lambda | Provides serverless compute for Protegrity protection operations and the ESA integration to fetch policy updates or deliver audit logs. |
    | API Gateway | Provides the endpoint and access control. |
    | KMS | Provides secrets for envelope policy encryption/decryption for Protegrity. |
    | Secrets Manager | Provides secrets management for the ESA credentials. |
    | S3 | Intermediate storage location for the encrypted ESA policy layer. |
    | Kinesis | Required if Log Forwarder is to be deployed. Amazon Kinesis is used to batch audit logs sent from the protector function to the ESA. |
    | VPC & NAT Gateway | Optional. Provides a private subnet to communicate with an on-prem ESA. |
    | CloudWatch | Application and audit logs, performance monitoring, and alerts. Scheduling for the policy agent. |

    ESA Version Requirements

    The Protector and Log Forwarder functions require a security policy from a compatible ESA version.

    The table below shows compatibility between different Protector and ESA versions.

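    | Protector Version | ESA 8.x | ESA 9.0 | ESA 9.1 & 9.2 | ESA 10.0 |
    |---|---|---|---|---|
    | 2.x | No | Yes | * | No |
    | 3.0.x & 3.1.x | No | No | Yes | No |
    | 3.2.x | No | No | Yes | * |
    | 4.0.x | No | No | No | Yes |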

    Legend

    Yes: Protector was designed to work with this ESA version.

    No: Protector will not work with this ESA version.

    *: Backward compatible policy download supported:

    • Data elements and features which are common between this and previous ESA versions will be downloaded.
    • Data elements and features which are new to this ESA version and do not exist in the previous ESA version will not be downloaded.

    Prerequisites

    | Requirement | Detail |
    |---|---|
    | Protegrity distribution and installation scripts | These artifacts are provided by Protegrity. |
    | Protegrity ESA 10.0+ | The Cloud VPC must be able to obtain network access to the ESA. |
    | AWS Account | Creating a new sub-account for Protegrity Serverless is recommended. |

    Required Skills and Abilities

    | Role / Skillset | Description |
    |---|---|
    | AWS Account Administrator | To run CloudFormation (or perform steps manually), create/configure a VPC and IAM permissions. |
    | Protegrity Administrator | The ESA credentials required to extract the policy for the Policy Agent. |
    | Network Administrator | To open the firewall for access to the ESA and evaluate the AWS network setup. |

    Cheat Sheet Recommendation

    AWS Account ID: ___________________

    AWS Region (AwsRegion): ___________________

    S3 Bucket name (ArtifactS3Bucket): ___________________

    KMS Key ARN (AWS_KMS_KEY_ID): ___________________

    ProtectLambdaPolicyName: __________________

    Role ARN (LambdaExecutionRoleArn): ___________________

    ApiGatewayId: ________________________________

    ProtectFunctionName: __________________________

    ProtectLayerName: _____________________________

    ESA IP address: ___________________

    VPC name: ___________________

    Subnet name: ___________________

    Policy Agent Security Group Id: ___________________

    ESA Credentials Secret Name: ___________________

    Policy Name: ___________________

    Agent Lambda IAM Execution Role Name: ___________________



    Last modified: January 07, 2026