Prerequisites

Requirements before installing the protector.

    AWS Service Dependencies

    The following table describes the AWS services that may be a part of your Protegrity installation.

    Service

    Description

    Lambda

    Provides serverless compute for Protegrity protection operations and the ESA integration to fetch policy updates or deliver audit logs.

    KMS

    Provides secrets for envelope policy encryption/decryption for Protegrity.

    Secrets Manager

    Provides secrets management for the ESA credentials.

    S3

    Intermediate storage location for the encrypted ESA policy layer.

    Kinesis

    Required if Log Forwarder is to be deployed. Amazon Kinesis is used to batch audit logs sent from protector function to ESA.

    VPC & NAT Gateway

    Optional. Provides a private subnet to communicate with an on-prem ESA.

    CloudWatch

    Application and audit logs, performance monitoring, and alerts. Scheduling for the policy agent.

    ESA Version Requirements

    The Protector and Log Forwarder functions require a security policy from a compatible ESA version.

    The table below shows compatibility between different Protector and ESA versions.

    Protector VersionESA Version
    8.x9.09.1 & 9.210.0
    2.xNoYes*No
    3.0.x & 3.1.xNoNoYesNo
    3.2.xNoNoYes*
    4.0.xNoNoNoYes

    Legend

    Yes

    Protector was designed to work with this ESA version

    No

    Protector will not work with this ESA version

    *

    Backward compatible policy download supported:

    • Data elements and features which are common between this and previous ESA versions will be downloaded
    • Data elements and features which are new to this ESA version and do not exist in previous ESA version will not be downloaded

    Prerequisites

    RequirementDetail
    Protegrity distribution and installation scriptsThese artifacts are provided by Protegrity
    Protegrity ESA 10.0+The Cloud VPC must be able to obtain network access to the ESA
    AWS AccountRecommend creating a new sub-account for Protegrity Serverless
    Athena Engine Version 3Only Athena engine version 3 is supported. The product may work in Athena engine version 2, but it is deprecated and all users are encouraged to upgrade.

    Required Skills and Abilities

    Role / Skillset

    Description

    AWS Account Administrator

    To run CloudFormation (or perform steps manually), create/configure a VPC and IAM permissions.

    Protegrity Administrator

    The ESA credentials required to extract the policy for the Policy Agent

    Network Administrator

    To open firewall to access ESA and evaluate AWS network setup

    What’s Next


    Last modified : January 07, 2026