Upgrading To The Latest Version
Download the Latest Version
You can download the latest version of the deployment package from https://my.protegrity.com. Navigate to Data Protection > Cloud Protect to download the latest version.
After downloading the deployment package from the Protegrity Portal, unzip the package to extract the artifact files. In the AWS Console, navigate to the S3 bucket that was previously created to upload deployment artifacts (see: Create S3 bucket for Installing Artifacts).
Note
Only extract the deployment package and not the files in it.
Upload the following artifacts to the S3 bucket:
- protegrity-protect-<version>.zip
- protegrity-agent-<version>.zip
- protegrity-external-extension-<version>.zip
- protegrity-sample-policy-<version>.zip
- protegrity-athena-protect-udfs-<version>.jar
- protegrity-external-extension-<version>.zip
- protegrity-agent-<version>.zip
- protegrity-sample-policy-<version>.zip
If the release version matches your existing deployment, you don’t need to upload it again. Save the following artifacts on your local system so that you have them available during the next steps:
- pty_protect_cf.json
- pty_agent_cf.json
- pty_protect_api_cf.json
- pty_agent_cf.json
- pty_log_forwarder_cf.json
- pty_athena_protect_cf.json
- pty_agent_cf.json
Perform the following steps to upgrade the Agent Lambda and Protect Lambda separately.
Important
If new versions are available for both Agent and Protect Lambdas, Agent Lambda must be upgraded first.
Disable Protegrity Agent Function CloudWatch Event Rule
A CloudWatch Event Rule is used to periodically run the Protegrity Agent Function to synchronize the policy from ESA. This functionality is optional when deploying the Protegrity Serverless Solution. If the Event Rule is enabled, it must be disabled temporarily for the duration of the upgrade process.
Follow the steps below to determine if your deployment uses Event Rule and disable it.
Go to AWS Cloud Formation and select existing Protegrity deployment stack.
Select Resources tab from the top portion of the screen.
Check if there is a resource with ScheduledRule LogicalID. If there is no such resource you can skip to Upgrading Policy Agent Lambda section. If the scheduled rule is there, continue with the next steps in this section.
Click on the Physical ID link in the ScheduledRule row. The link opens Policy Agent Event Rule configuration.
Select Disable from the top-right portion of the screen. This will disable the rule. You will re-enable it after the upgrade process is complete.
Upgrading Policy Agent Lambda
Note
If the release version of the artifact zip file has not changed since the previous installation, you can skip the Agent Lambda upgrade.
Go to AWS Lambda console and select existing Protegrity Agent Lambda.
Click Actions in the top-right portion of the screen. Select Publish new version. Click Publish. The version of Agent Lambda you just created will serve as a restore point in case you need to roll back the upgrade.
Go to Lambda Configuration > Environment variables.
Record environment variables values. You will use them later to configure upgraded Lambda Function. You can use the aws cli command below to save the function variables into the local json file:
aws lambda get-function-configuration --function-name \
  arn:aws:lambda:<aws_region>:<aws_account>:function:<function_name> \
  --query Environment > <function_name>_env_config.json
Go to AWS Cloud Formation and select existing Protegrity Agent deployment stack.
Select Update. Check Replace current template > Upload a template file.
Upload pty_agent_cf.json file and select Next.
Click Next until Review window and then select Update stack.
Wait for the Cloud Formation to complete.
Navigate back to Agent Lambda Function.
Note
Make sure you are viewing the latest Lambda Function, not the published version.
Go to Configuration > Environment variables. Replace placeholder values with values recorded in previous step. Alternatively, you can run the following aws cli command to update function configuration using json file saved in the previous steps:
aws lambda update-function-configuration --function-name \
  arn:aws:lambda:<aws_region>:<aws_account>:function:<function_name> \
  --environment file://./<function_name>_env_config.json
Note
If your current agent installation version is lower than 3.0.12, make sure you set the following function configuration variables:
- PTY_ADDIPADDRESSHEADER
- PTY_ESA_CA_SERVER_CERT
You can read more about these variables in section Policy Agent Lambda Configuration.
If you are upgrading from versions prior to v3.0, back up and remove the existing policy from the bucket defined by the AWS_POLICY_S3_BUCKET property, so that the policy can be re-downloaded and re-encrypted with the new ‘key commitment’ feature.
If you are upgrading from a version prior to 1.6.1, follow the steps below; otherwise the upgrade process is complete.
From AWS Console, navigate to IAM > Policies
Search for the Agent Lambda IAM Policy created in Create Agent Lambda IAM policy
Click on the policy, then select Edit Policy. Select JSON tab.
Add the following statement to the list of policy statements.
{
  "Sid": "LambdaGetConfiguration",
  "Effect": "Allow",
  "Action": [
    "lambda:GetFunctionConfiguration"
  ],
  "Resource": [
    "arn:aws:lambda:*:*:function:*"
  ]
}
Click Review Policy, then Save Changes. Wait for the changes to save.
Upgrading Log Forwarder Lambda
Note
If you are upgrading protector to one of these versions: [3.2.2, 3.2.3], skip this section and follow the instructions to install the new Log Forwarder in Audit Log Forwarder Installation.
Publish Log Forwarder Lambda Version
Publishing a version of the Log Forwarder Lambda allows you to roll back to the pre-existing version if the upgrade fails.
Go to AWS Lambda console and select existing Protegrity Log Forwarder Lambda.
Click Actions in top right portion of the screen. Select Publish new version. Click Publish.
Record the Lambda version number. It will be displayed at the top of the screen. You can also retrieve it from the Lambda function view, under Versions tab.
Log Forwarder Lambda version number for roll-backs: ___________________
Disable Kinesis Trigger
Disabling Kinesis trigger ensures there are no unprocessed or re-processed events while function is upgraded.
- Go to AWS Lambda console and select existing Protegrity Log Forwarder Lambda.
- Select Configuration tab > Triggers
- Check Kinesis trigger and click Edit button
- Uncheck Activate trigger and click Save
- Wait for function to stop processing events by monitoring function in Monitor tab
Upgrade Forwarder Lambda Version
Upgrade Log Forwarder function with new code
- Go to AWS Cloud Formation and select existing Protegrity Log Forwarder deployment stack.
- Select Update Stack > Make a direct update.
- Select Replace existing template > Upload a template file.
- Upload pty_log_forwarder_cf.json file and select Next.
- Click Next until Review window and then select Update stack.
- Wait for the Cloud Formation to complete.
Enable Kinesis Trigger
- Go to AWS Lambda console and select existing Protegrity Log Forwarder Lambda.
- Select Configuration tab > Triggers
- Check Kinesis trigger and click Edit button
- Check Activate trigger and click Save
Log Forwarder function will now start processing events from where it left off when Kinesis trigger was disabled.
Monitor and roll-back
Monitor Log Forwarder function for errors in its CloudWatch logs and in the Monitor tab. If any errors occur, follow these steps to roll the function back to the previous version:
Go to AWS Lambda console and select existing Protegrity Log Forwarder Lambda.
Select Configuration tab > Triggers
Expand Details section of Kinesis trigger and record UUID value
Execute the following AWS CLI command to move Kinesis trigger to previous version of Log Forwarder Lambda that was created earlier and recorded as Log Forwarder Lambda version number for roll-backs. Substitute kinesis-mapping-uuid, log-forwarder-function-name, version-for-roll-backs with your values:
aws lambda update-event-source-mapping --uuid <kinesis-mapping-uuid> \
  --function-name <log-forwarder-function-name>:<version-for-roll-backs>
Find Kinesis trigger attached to previous version of Log Forwarder Lambda by navigating Versions tab > Version number link in the Versions column.
Kinesis trigger is now moved to previous version of Log Forwarder Lambda function.
Upgrading Protect Lambda
Note
If the release version of the artifact zip file has not changed since the previous installation, you can skip the Protect Lambda upgrade.
Diagram below illustrates upgrade steps.




Publish Protect Lambda Version
Publishing a version of the Protect Lambda allows updating it without interruptions to the existing traffic.
Go to AWS Lambda console and select existing Protegrity Protect Lambda.
Go to Lambda Configuration > Environment variables.
Record environment variables values. You will use them later to configure upgraded Lambda Function. You can use the aws cli command below to save the function variables into the local json file:
aws lambda get-function-configuration --function-name \
  arn:aws:lambda:<aws_region>:<aws_account>:function:<function_name> \
  --query Environment > <function_name>_env_config.json
Click Actions in top right portion of the screen. Select Publish new version. Click Publish.
Record the Lambda version number. It will be displayed at the top of the screen. You can also retrieve it from the Lambda function view, under Versions tab.
Protect Lambda version number: ___________________
If you are upgrading a Cloud Protect Redshift version 1.x to 2.x/3.x, you must recreate your Redshift external function definitions with the Protect Lambda Function version appended to the Lambda Function name. See the example below.
CREATE OR REPLACE EXTERNAL FUNCTION PTY_PROTECT_TEST ( val varchar )
RETURNS varchar
VOLATILE
lambda 'Protegrity_Protect_test:<protect_lambda_version_number>'
iam_role 'arn:aws:iam::123456789212:role/example_role';
Run protect service upgrade
In this step, the Protect service including Lambda $LATEST version will be updated using Cloud Formation template. The Lambda version created in previous step will be used to serve existing traffic during the upgrade process.
Go to AWS Cloud Formation and select existing Protegrity deployment stack.
Select Update. Check Replace current template > Upload a template file.
Upload pty_protect_cf.json file and select Next.
Update ProtectFunctionProductionVersion parameter with Protect Lambda version number recorded in step 3.
Note
If you are upgrading protector to one of these versions: [3.2.2, 3.2.3], set parameter KinesisLogStreamArn to the output value recorded in Install through CloudFormation for the newly deployed log forwarder.
Click Next until Review window and then select Update stack.
Wait for the Cloud Formation to complete.
Go back to Lambda console and select Protect Lambda.
Go to Configuration > Environment variables. Replace placeholder values with values recorded in previous step. Alternatively, you can run the following aws cli command to update function configuration using json file saved in the previous steps:
aws lambda update-function-configuration --function-name \
  arn:aws:lambda:<aws_region>:<aws_account>:function:<function_name> \
  --environment file://./<function_name>_env_config.json
Note
If your current protect installation version is lower than 3.0.14, you can optionally set the following variable:
- LOG_REDSHIFT_CLUSTER_ARN
You can read more about this configuration in section Protect Lambda Configuration.
Navigate to Aliases tab. Verify that Production alias points to the lambda version you specified in the cloud formation template.
The upgraded Protect Lambda is configured with a sample policy. Run Agent Lambda Function before continuing with next steps.
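An added example (not Protegrity's code) for the environment-variable restore step in both the Agent and Protect upgrades: `update-function-configuration --environment` replaces the function's whole variable set, so applying the pre-upgrade file unchanged removes any variable the new template introduced. The sketch below merges the pre-upgrade `--query Environment` output with the same output taken after the stack update and reports what still needs attention; taking that second snapshot, the name `merge_environment`, the report keys and the sample values are assumptions.

```python
import json

# Variables the page says to set when the Agent being upgraded is older than 3.0.12.
AGENT_REQUIRED = ("PTY_ADDIPADDRESSHEADER", "PTY_ESA_CA_SERVER_CERT")


def merge_environment(saved, upgraded, required=()):
    """Overlay recorded values onto the upgraded function's variables.

    Both arguments are parsed `--query Environment` output, i.e.
    {"Variables": {...}}, or None for a function with no variables.
    Returns (merged, report); `merged` is valid input for --environment.
    """
    old = (saved or {}).get("Variables") or {}
    new = (upgraded or {}).get("Variables") or {}
    merged = dict(new)  # keep every variable the new template defines
    merged.update({k: v for k, v in old.items() if k in new})
    report = {
        # Introduced by the upgrade; still hold the template's values.
        "new_in_template": sorted(set(new) - set(old)),
        # Recorded before the upgrade but absent from the new template;
        # left out of `merged` so the operator decides whether to keep them.
        "not_in_template": sorted(set(old) - set(new)),
        # Named by the page as required, but missing or empty after the merge.
        "required_unset": sorted(k for k in required if not merged.get(k)),
    }
    return {"Variables": merged}, report


# Constructed sample data: values and EXAMPLE_LEGACY_SETTING are made up.
SAVED = {"Variables": {"AWS_POLICY_S3_BUCKET": "example-policy-bucket",
                       "EXAMPLE_LEGACY_SETTING": "1"}}
UPGRADED = {"Variables": {"AWS_POLICY_S3_BUCKET": "placeholder",
                          "PTY_ADDIPADDRESSHEADER": "",
                          "PTY_ESA_CA_SERVER_CERT": ""}}

if __name__ == "__main__":
    merged, report = merge_environment(SAVED, UPGRADED, AGENT_REQUIRED)
    print(json.dumps(merged, indent=2))   # write this to the --environment file
    print(json.dumps(report, indent=2))   # review before updating the function
```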
Finalize upgrade
In this step, the Protect Lambda will be configured to serve traffic using $LATEST version upgraded in the previous step.
Go back to Protegrity AWS Cloud Formation deployment stack.
Select Update. Check Use Current template.
Update ProtectFunctionProductionVersion parameter with the following value: $LATEST.
Click Next until Review window and then select Update stack.
Go back to Lambda console and select Protect Lambda.
From the Lambda console, verify that Latest alias points to $LATEST version.
Test your function to make sure it works as expected.
If you are upgrading a Cloud Protect Redshift version 1.x to 2.x/3.x, you must recreate your Redshift external function definitions with the Protect Lambda Function version appended to the Lambda Function name. See the example below.
CREATE OR REPLACE EXTERNAL FUNCTION PTY_PROTECT_TEST ( val varchar )
RETURNS varchar
VOLATILE
lambda 'Protegrity_Protect_test:Production'
iam_role 'arn:aws:iam::123456789212:role/example_role';
If you need to roll back to an older version of Protect Lambda, you can re-run the cloud formation with the ProtectFunctionProductionVersion parameter set to the previous version of Protect Lambda.
Re-enable Protegrity Agent Function CloudWatch Event Rule
If the Event Rule was disabled at the beginning of the upgrade process, you must re-enable it. Follow the steps below to re-enable the Policy Agent Event Rule.
Go to the Protegrity Agent Cloud Formation Stack.
Select Resources tab from the top portion of the screen.
Click on the Physical ID link in the ScheduledRule row. The link opens Policy Agent Event Rule configuration.
Select Enable from the top-right portion of the screen. This will enable the rule.