Installation on

Prerequisites

Mon, 01 Jan 0001 00:00:00 +0000

AWS Service Dependencies

The following table describes the AWS services that may be a part of your Protegrity installation.

Protect Service Installation

Mon, 01 Jan 0001 00:00:00 +0000

Protect Service Installation

The following sections install the Cloud Protect serverless Lambda function.

Mon, 01 Jan 0001 00:00:00 +0000

Configuring Regular Expression to Extract Policy Username

Cloud Protect Lambda Function exposes USERNAME_REGEX configuration to allow extraction of policy username from user in the request.

USERNAME_REGEX Lambda Environment configuration

The USERNAME_REGEX configuration can be used to extract policy username from user in the request. The following are allowed values for USERNAME_REGEX:
- 1 - Default build-in regular expression is used:
```
^arn:aws:(?:iam|sts)::[0-9]{12}:(?:role|user|group|assumed\-role|federated\-user)\/([\w\/+=,.\-]{1,1024}|[\w\/+=,.\-@]{1,1024})(?:@[a-zA-Z0-9\-]{1,320}(?:\.\w+)+)?$
```
- ^User regex$ - Custom regex with one capturing group. This group is used to extract the username. Examples below show different regular expression values and the resulting policy user.

Mon, 01 Jan 0001 00:00:00 +0000

Create Protect Lambda IAM Execution Policy

This task defines a policy used by the Protegrity Lambda function to write CloudWatch logs and access the KMS encryption key to decrypt the policy.

Perform the following steps to create the Lambda execution role and required policies.

To create protect lambda IAM execution policy:

From the AWS IAM console, select Policies > Create Policy.
Select the JSON tab and copy the following sample policy.

Mon, 01 Jan 0001 00:00:00 +0000

Granting access to use the Cloud Protect UDF

The ability to use the Cloud Protect UDF from Athena is controlled through IAM permissions. The Athena user/role must have the InvokeFunction permission to the Cloud Protect Lambda function as shown in the following example:

{ 
 "Version": "2012-10-17", 
 "Statement": [ 
 { 
 "Sid": "ProtectLambdaFunction", 
 "Effect": "Allow", 
 "Action": "lambda:InvokeFunction", 
 "Resource": "<PROTECT_FUNCTION_ARN>" 
 } 
 ] 
}

The policy above would be used in addition to any other IAM policies required to use Amazon Athena. Refer to the AWS Athena example policy for a typical IAM policy.

Mon, 01 Jan 0001 00:00:00 +0000

Policy User

Policy user for protect and unprotect operations can be provided from either Lambda environment variable or federated identity.

POLICY_USER Environment Variable in the Athena Protect Lambda

The Lambda environment variable POLICY_USER, may be set with a default user in the security policy or as a service user.
Federated Identity

When the request contains the federated identity, the policy user maybe the IAM ARN of the user running the SQL query. For example:

Mon, 01 Jan 0001 00:00:00 +0000

Prerequisites

Requirement	Detail
Protegrity distribution and installation scripts	These artifacts are provided by Protegrity
Protegrity ESA 10.0+	The Cloud VPC must be able to obtain network access to the ESA
AWS Account	Recommend creating a new sub-account for Protegrity Serverless
Athena Engine Version 3	Only Athena engine version 3 is supported. The product may work in Athena engine version 2, but it is deprecated and all users are encouraged to upgrade.

Mon, 01 Jan 0001 00:00:00 +0000

AWS Service Dependencies

The following table describes the AWS services that may be a part of your Protegrity installation.

Service

Description

Lambda

Provides serverless compute for Protegrity protection operations and the ESA integration to fetch policy updates or deliver audit logs.

KMS

Provides secrets for envelope policy encryption/decryption for Protegrity.

Secrets Manager

Provides secrets management for the ESA credentials.

Intermediate storage location for the encrypted ESA policy layer.

Mon, 01 Jan 0001 00:00:00 +0000

Required Skills and Abilities

Role / Skillset	Description
AWS Account Administrator	To run CloudFormation (or perform steps manually), create/configure a VPC and IAM permissions.
Protegrity Administrator	The ESA credentials required to extract the policy for the Policy Agent
Network Administrator	To open firewall to access ESA and evaluate AWS network setup