Protect Service Installation
The following sections install the Cloud Protect serverless Lambda function.
Preparation
Ensure that all the steps in Pre-Configuration are performed.
Log in to the AWS account console where Protegrity Serverless will be installed.
Ensure that the required CloudFormation templates provided by Protegrity are available on your local computer.
Create Protect Lambda IAM Execution Policy
This task defines a policy used by the Protegrity Lambda function to write CloudWatch logs and access the KMS encryption key to decrypt the policy.
Perform the following steps to create the Lambda execution role and required policies:
From the AWS IAM console, select Policies > Create Policy.
Select the JSON tab and copy the following sample policy.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudWatchWriteLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    },
    {
      "Sid": "KmsDecrypt",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:*:*:key/*"
      ]
    }
  ]
}
```

For the KMS policy, replace the Resource with the ARN for the KMS key created in a previous step.
Select Next, type in a policy name, for example, ProtegrityProtectLambdaPolicy and Create Policy. Record the policy name:
ProtectLambdaPolicyName:__________________
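The following is an added example (not Protegrity's code) that builds the execution policy above with the KmsDecrypt resource pinned to the one key ARN from the pre-configuration step, and audits a pasted policy for the wildcard KMS resource left in the sample. The KMS key ARN is a constructed placeholder.

```python
import json
import re

# Constructed example value; replace it with the KMS key ARN recorded in the pre-configuration step.
EXAMPLE_KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"

# Accepts one concrete key ARN only, so a wildcard such as arn:aws:kms:*:*:key/* is rejected.
KMS_KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def build_protect_lambda_policy(kms_key_arn: str) -> dict:
    """Return the page's execution policy with the KmsDecrypt resource pinned to one key."""
    if not KMS_KEY_ARN_RE.match(kms_key_arn):
        raise ValueError(f"expected a single KMS key ARN, got {kms_key_arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CloudWatchWriteLogs",
                "Effect": "Allow",
                "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": "*",
            },
            {"Sid": "KmsDecrypt", "Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": [kms_key_arn]},
        ],
    }


def wildcard_kms_statements(policy: dict) -> list:
    """Audit a policy document: Sids of Allow statements granting any kms: action on a wildcard resource."""
    flagged = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if stmt.get("Effect") == "Allow" and any(a.startswith("kms:") for a in actions) and any("*" in r for r in resources):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    # Print the document ready to paste into the IAM console's JSON tab.
    print(json.dumps(build_protect_lambda_policy(EXAMPLE_KMS_KEY_ARN), indent=2))
```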
Create Protect Lambda IAM Role
The following steps create the role to utilize the policy defined in Create Protect Lambda IAM Execution Policy.
To create the Protect Lambda IAM execution role:
From the AWS IAM console, select Roles > Create Role.
Select AWS Service > Lambda > Next.
In the list, search and select the policy created in Create Protect Lambda IAM Execution Policy.
Click Next.
Type the role name, for example, ProtegrityProtectRole.
Click Create role.
Record the role ARN.
Role ARN (LambdaExecutionRoleArn): ___________________
Install using CloudFormation
The following steps describe the deployment of the Lambda function.
Access CloudFormation and select the target AWS Region in the console.
Click Create Stack and choose With new resources.
In the Specify template section, select Upload a template file.
Click Choose file to upload the Protegrity-provided CloudFormation template called pty_athena_protect_cf.json and click Next.
Specify stack details and enter a stack name.
Note
The stack name will be appended to all the services created by the template.
Enter the required parameters. All the values were generated in the pre-configuration steps.

| Parameter | Description |
|---|---|
| ArtifactS3Bucket | Name of the S3 bucket created in the pre-configuration step |
| LambdaExecutionRoleArn | The ARN of the Lambda role created in the prior step |
| PolicyUser | Name of the Policy User that will be passed as an environment variable to the Lambda function. With protegrity-sample-policy-<version>.zip, you can set this value to policyuser. |
| PolicyUserConfig | The settings for POLICY_USER_CONFIG. Default Value: 0, Values: [0,1,2]. Note: See Policy User for information on POLICY_USER_CONFIG. |
| UsernameRegex | The settings for USERNAME_REGEX. Default Value: Not Set, Values: "1" or a regex expression. Note: See Policy User and Configuring Regular Expression to Extract Policy Username for information on USERNAME_REGEX. |
| MinLogLevel | Minimum log level for the protect function. Allowed Values: off, severe, warning, info, config, all |

The log forwarder parameters can be provided later, after the log forwarder is deployed. If you are not planning to deploy the log forwarder, you can skip this step.

| Log Forwarder Parameter | Description |
|---|---|
| KinesisLogStreamArn | The ARN of the AWS Kinesis stream where audit logs will be sent for aggregation |
| AuditLogFlushInterval | Time interval used to accumulate audit logs before sending them to Kinesis |

Proceed to the last step of the Create Stack wizard with the defaults and click Submit to create the CloudFormation stack.
After CloudFormation is completed, select the Outputs tab in the stack. Record the following values:
ProtectFunctionName: __________________________
ProtectFunctionProductionAlias: __________________________
ProtectLayerName: _____________________________
Test Connectivity
Perform the following steps to verify Athena is working correctly with Protegrity.
Access the Athena console.
Copy and paste the following snippet into a worksheet.
```sql
USING EXTERNAL FUNCTION unprotect(val varchar, el varchar) RETURNS varchar
LAMBDA '<replace_with_athena_protect_function_name>:Production'
SELECT unprotect('UtfVk UHgcD!', 'alpha')
```
Replace the placeholder value with the Lambda function name.
Run the above query.
Verify that the string hello world! is returned.
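The connectivity test above, scripted as an added example (not Protegrity's code): it builds the same UDF query against the Production alias, submits it through the Athena API, and checks that the sample round-trips to hello world!. The function name, output location and workgroup are constructed placeholders; the boto3 calls need AWS credentials holding the permissions listed in the troubleshooting tips.

```python
import time
from typing import Optional

# Constructed values; replace PROTECT_FUNCTION_NAME with the ProtectFunctionName stack output.
PROTECT_FUNCTION_NAME = "example-stack-protect-function"
SAMPLE_PROTECTED_VALUE = "UtfVk UHgcD!"  # the protected sample from the page's connectivity test
EXPECTED_PLAINTEXT = "hello world!"


def build_unprotect_query(function_name: str, protected: str, element: str = "alpha") -> str:
    """Build the page's UDF query against the Production alias; single quotes are doubled."""
    literal = protected.replace("'", "''")
    return (
        "USING EXTERNAL FUNCTION unprotect(val varchar, el varchar) RETURNS varchar "
        f"LAMBDA '{function_name}:Production' "
        f"SELECT unprotect('{literal}', '{element}')"
    )


def first_result_value(get_query_results_response: dict) -> Optional[str]:
    """Extract the scalar from a GetQueryResults payload; Athena puts the column header in row 0."""
    rows = get_query_results_response.get("ResultSet", {}).get("Rows", [])
    if len(rows) < 2 or not rows[1].get("Data"):
        return None
    return rows[1]["Data"][0].get("VarCharValue")


def run_connectivity_check(function_name: str, output_location: str, workgroup: str = "primary") -> bool:
    """Submit the query, wait for completion and compare the result with the expected plaintext.
    Needs boto3 and credentials with the Athena, Glue, S3 and lambda:InvokeFunction permissions
    listed in the troubleshooting table."""
    import boto3  # imported here so the helpers above stay testable offline
    athena = boto3.client("athena")
    qid = athena.start_query_execution(
        QueryString=build_unprotect_query(function_name, SAMPLE_PROTECTED_VALUE),
        WorkGroup=workgroup,
        ResultConfiguration={"OutputLocation": output_location},
    )["QueryExecutionId"]
    while True:
        state = athena.get_query_execution(QueryExecutionId=qid)["QueryExecution"]["Status"]["State"]
        if state in ("SUCCEEDED", "FAILED", "CANCELLED"):
            break
        time.sleep(1)
    if state != "SUCCEEDED":
        return False
    return first_result_value(athena.get_query_results(QueryExecutionId=qid)) == EXPECTED_PLAINTEXT


if __name__ == "__main__":
    # Placeholder output location; use the query result bucket your Athena workgroup is allowed to write to.
    print(run_connectivity_check(PROTECT_FUNCTION_NAME, "s3://<QUERY_RESULTS_BUCKET>/athena-output/"))
```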
Note
See Granting access to use the Cloud Protect UDF for information on Athena query permissions.
Troubleshooting Tips
| Error | Action |
|---|---|
| User: <USER_ARN> is not authorized to perform: glue:GetDatabases on resource: arn:aws:glue:<AWS_REGION>:<AWS_ACCOUNT>:catalog (Service: AmazonDataCatalog; Status Code: 400; Error Code: AccessDeniedException; Request ID: <REQUEST_ID>; Proxy: null) | Verify the user has the Glue permission GetDatabases. |
| User: <USER_ARN> is not authorized to perform: glue:GetTables on resource: arn:aws:glue:<AWS_REGION>:<AWS_ACCOUNT>:catalog (Service: AmazonDataCatalog; Status Code: 400; Error Code: AccessDeniedException; Request ID: <REQUEST_ID>; Proxy: null) | Verify the user has the Glue permission GetTables. |
| Insufficient permissions to execute the query | Verify the user has the InvokeFunction permission for the protect Lambda function. |
| Access denied when writing output to url: s3://<BUCKET_NAME>/Unsaved/<YEAR>/<MONTH>/<DAY>/<QUERY_ID>.csv Please ensure you are allowed to access the S3 bucket. If you are encrypting query results with KMS key, please ensure you are allowed to access your KMS key | Verify the user has the S3 permission PutObject for the query result location bucket. If using KMS encryption, verify the required KMS permissions. |
| You do not seem to have access to the S3 location of your query results. Please confirm your account has access to the S3 location where your query results are saved and try again. If you are using KMS to encrypt query results, please ensure you have permission to access your KMS key. | Verify the user has the S3 permission GetObject for the query result location bucket. If using KMS encryption, verify the required KMS decrypt permissions. |
| User: <USER_ARN> is not authorized to perform: athena:<ACTION> on resource: arn:aws:athena:<AWS_REGION>:<ACCOUNT>:workgroup/<WORKGROUP> (Service: AmazonAthena; Status Code: 400; Error Code: AccessDeniedException; Request ID: <REQUEST_ID>; Proxy: null) | Verify the user has the Athena permissions StartQueryExecution, GetQueryResults, GetWorkGroup, StopQueryExecution and GetQueryExecution. |
| java.lang.RuntimeException: Failed to initialize MemoryUtil. Was Java started with `--add-opens=java.base/java.nio=ALL-UNNAMED`? (See https://arrow.apache.org/docs/java/install.html) | Verify that the environment variable |