Pre-Configuration
Provide AWS sub-account
Identify or create an AWS account where the Protegrity solution will be installed. It is recommended that a new AWS sub-account be created. This can provide greater security controls and help avoid conflicts with other applications that might impact regional account limits. An individual with the Cloud Administrator role will be required for some subsequent installation steps.
AWS Account ID: ___________________
AWS Region (AwsRegion): ___________________
Create S3 bucket for Installing Artifacts
This S3 bucket will be used for the artifacts required by the CloudFormation installation steps. This S3 bucket must be created in the region that is defined in Determine AWS Region.
To create S3 bucket for installing artifacts:
Access the AWS S3 Management Console.
Change the region to the one determined in Determine AWS Region.
Click Create Bucket.
Enter a unique bucket name:
For example, protegrity-install.us-west-2.example.com.
Click Create Bucket.
Upload the installation artifacts to this bucket. Protegrity will provide the following four artifacts.
- protegrity-athena-protect-udfs-<version>.jar
- protegrity-agent-<version>.zip
- protegrity-sample-policy-<version>.zip
- protegrity-external-extension-<version>.zip
Important
The deployment package you receive from Protegrity must be extracted to reveal the individual Protegrity artifacts, but the artifacts themselves must be uploaded exactly as delivered: CloudFormation requires the .zip files (and the .jar) in their packaged form. Do not extract the individual Protegrity artifacts. Upload them, unchanged, to the S3 bucket created above.
S3 Bucket name (ArtifactS3Bucket): ___________________
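Before uploading, it is worth confirming locally that the artifact set is complete and still packaged, since an over-extracted deployment package is the most common reason the CloudFormation steps later fail to find their inputs. The following is an added example, not part of the Protegrity deliverables: it checks that exactly one file matches each of the four artifact names, that each file is still a zip container (a .jar is one too), that nothing else has crept into the directory, and records SHA-256 digests to keep with the worksheet. The `<version>` token is unknown here and is matched loosely; the sample directory it builds contains placeholder archives, not real Protegrity files.

```python
"""Pre-upload check for the Protegrity installation artifacts (added example)."""
import hashlib
import os
import re
import tempfile
import zipfile

# Artifact names as listed in the installation guide. The <version> part is not
# known here, so it is matched as any non-empty token without a path separator.
REQUIRED_ARTIFACTS = {
    "athena-udfs": re.compile(r"^protegrity-athena-protect-udfs-[^/]+\.jar$"),
    "agent": re.compile(r"^protegrity-agent-[^/]+\.zip$"),
    "sample-policy": re.compile(r"^protegrity-sample-policy-[^/]+\.zip$"),
    "external-extension": re.compile(r"^protegrity-external-extension-[^/]+\.zip$"),
}


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_artifacts(artifact_dir):
    """Return {file name: sha256} for the four artifacts, or raise ValueError."""
    present = sorted(os.listdir(artifact_dir))
    found = {}
    for label, pattern in REQUIRED_ARTIFACTS.items():
        matches = [n for n in present if pattern.match(n)]
        if len(matches) != 1:
            raise ValueError(f"expected exactly one {label} artifact, found {matches}")
        path = os.path.join(artifact_dir, matches[0])
        # A file that is not a valid archive usually means the package was
        # extracted one level too far; CloudFormation needs the packaged form.
        if not zipfile.is_zipfile(path):
            raise ValueError(f"{matches[0]} is not a zip archive; upload the original file")
        found[matches[0]] = sha256_of(path)
    extras = [n for n in present if n not in found]
    if extras:
        raise ValueError(f"unexpected entries in artifact directory (extracted contents?): {extras}")
    return found


def artifact_problem(artifact_dir):
    """None if the directory passes verify_artifacts, otherwise the error text."""
    try:
        verify_artifacts(artifact_dir)
        return None
    except ValueError as err:
        return str(err)


def s3_keys(artifact_dir, bucket):
    """The s3:// URIs the verified artifacts will have once uploaded to the bucket root."""
    return sorted(f"s3://{bucket}/{name}" for name in verify_artifacts(artifact_dir))


def build_sample_artifact_dir(version="1.0.0", extract_one=False):
    """Constructed fixture: four tiny valid archives, optionally one unpacked.
    These are placeholders, not Protegrity's real artifacts."""
    d = tempfile.mkdtemp(prefix="protegrity-artifacts-")
    names = [
        f"protegrity-athena-protect-udfs-{version}.jar",
        f"protegrity-agent-{version}.zip",
        f"protegrity-sample-policy-{version}.zip",
        f"protegrity-external-extension-{version}.zip",
    ]
    for name in names:
        with zipfile.ZipFile(os.path.join(d, name), "w") as z:
            z.writestr("README", f"placeholder contents of {name}\n")
    if extract_one:
        # Simulate the mistake the guide warns about: the agent zip replaced by its contents.
        os.remove(os.path.join(d, names[1]))
        os.mkdir(os.path.join(d, "protegrity-agent"))
    return d


if __name__ == "__main__":
    sample = build_sample_artifact_dir()
    for name, digest in verify_artifacts(sample).items():
        print(f"{digest}  {name}")
    print("problem with over-extracted set:", artifact_problem(build_sample_artifact_dir(extract_one=True)))
```

Run it against the directory holding the extracted deployment package; it prints one digest line per artifact on success and a single explanatory error otherwise. Keep the digests with the worksheet so the objects in the bucket can be compared against them after upload.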
Create KMS Key
The AWS Key Management Service (KMS) provides the ability for the Protegrity Serverless solution to encrypt and decrypt the Protegrity Security Policy.
Note
It is recommended to host the KMS key in a separate AWS sub-account. This allows dual control, separating the responsibility between the key administrator and the Protegrity Serverless account administrator.
To create the KMS key:
In the AWS sub-account where the KMS key will reside, select the region.
Navigate to Key Management Service > Create Key.

Configure the key settings:
- Key type: Asymmetric
- Key usage: Encrypt and decrypt
- Key spec: RSA_4096
- Click Next
Create alias and optional description, such as, Protegrity-Serverless and click Next.
Define the key administrative permissions: the IAM user or role that will administer the key.
Note
It is recommended that this administrator be different from the administrator of the Protegrity Serverless account.
Click Next.
Define the key usage permissions.
In Other AWS accounts, enter the AWS account id used for the Protegrity Serverless installation.
Continue on to create the key. Granting the whole account is broad: any principal in the Protegrity Serverless account that also holds a matching IAM policy can then use the key. If that is a concern, you can return later and restrict the key-usage statement so that only the execution roles of the two Protegrity Serverless Lambda functions are listed as principals. Click to open the key in the list and record the ARN.
KMS Key ARN (AWS_KMS_KEY_ID): ___________________
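The "Other AWS accounts" entry and the later restriction described above are both just key-policy statements, so they can be generated and reviewed as documents before being applied with the console or `aws kms put-key-policy`. The following is an added example, not Protegrity documentation or code: it builds the broad policy (whole installation account as key user) beside the tightened one (only the two Lambda execution roles), and includes a check that flags key-usage statements still granting an account root or a wildcard. The account IDs, the key administrator role, the Lambda role names and the exact action list are placeholders and assumptions; the real role names are whatever the CloudFormation stack creates, and the minimal action set should be confirmed with Protegrity.

```python
"""Key policy for the Protegrity Serverless KMS key (added example, placeholder names)."""
import json

KEY_ACCOUNT = "111111111111"         # sub-account hosting the KMS key (placeholder)
SERVERLESS_ACCOUNT = "222222222222"  # Protegrity Serverless installation account (placeholder)
KEY_ADMIN_ROLE = f"arn:aws:iam::{KEY_ACCOUNT}:role/ProtegrityKeyAdmin"  # assumed name, lives in the key account

# Execution roles of the two Protegrity Serverless Lambda functions (assumed names).
LAMBDA_ROLES = [
    f"arn:aws:iam::{SERVERLESS_ACCOUNT}:role/protegrity-serverless-lambda-a",
    f"arn:aws:iam::{SERVERLESS_ACCOUNT}:role/protegrity-serverless-lambda-b",
]

# Operations the solution needs on the asymmetric RSA encrypt/decrypt key. Encrypt and
# Decrypt follow from the guide; DescribeKey is an assumption. Since ESA encrypts with
# the downloaded public key, Decrypt is the operation the Lambdas must be able to call.
USAGE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"]

# Administrative actions, modelled on the statement the KMS console generates for key administrators.
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*",
    "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource",
    "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]


def key_policy(key_users):
    """Three statements: key-account root (keeps IAM in that account able to manage the
    key), the dedicated administrator role, and the key users passed in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{KEY_ACCOUNT}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowKeyAdministration", "Effect": "Allow",
             "Principal": {"AWS": KEY_ADMIN_ROLE},
             "Action": ADMIN_ACTIONS, "Resource": "*"},
            {"Sid": "AllowUseOfTheKey", "Effect": "Allow",
             "Principal": {"AWS": key_users},
             "Action": USAGE_ACTIONS, "Resource": "*"},
        ],
    }


# What entering the installation account under "Other AWS accounts" amounts to.
BROAD_POLICY = key_policy([f"arn:aws:iam::{SERVERLESS_ACCOUNT}:root"])
# The restriction the guide suggests returning to make: only the two Lambda roles.
TIGHT_POLICY = key_policy(LAMBDA_ROLES)


def account_root_key_users(policy):
    """Principals in the key-usage statement that are account roots or wildcards."""
    loose = []
    for st in policy["Statement"]:
        if st.get("Sid") != "AllowUseOfTheKey":
            continue
        principals = st["Principal"]["AWS"]
        if isinstance(principals, str):
            principals = [principals]
        loose += [p for p in principals if p == "*" or p.endswith(":root")]
    return loose


def policy_json(policy):
    """Serialised form suitable for `aws kms put-key-policy --policy file://...`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_json(TIGHT_POLICY))
    print("broad policy grants key usage to:", account_root_key_users(BROAD_POLICY))
    print("tight policy grants key usage to:", account_root_key_users(TIGHT_POLICY))
```

Two caveats when applying this. First, cross-account use of a KMS key needs permission on both sides: the key policy in the key account, and an IAM policy on the Lambda execution roles in the installation account allowing the same actions on the key ARN, so tightening the key policy to the role ARNs does not remove the need for that IAM policy. Second, the key administrator role here lives in the key account and is deliberately not the Protegrity Serverless administrator, which is what gives the dual control the note above asks for.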
Download the public key from the KMS key. Navigate to the key in KMS console, select the Public key tab, and click Download. Save the PEM file. This public key will be added to the ESA data store as an export key. Refer to Exporting Keys to Datastore for instructions on adding the public key to the data store.
Note
This step is not applicable for ESA versions lower than 10.2.
KMS Public Key PEM file: ___________________