AWS on

Mon, 01 Jan 0001 00:00:00 +0000

The following diagram shows a reference architecture for synchronizing the security policy from ESA.

The Protegrity Policy Agent requires network access to an Enterprise Security Administrator (ESA). Most organizations install the ESA on-premise. Therefore, it is recommended that the Policy Agent is installed into a private subnet with a Cloud VPC using a NAT Gateway to enable this communication through a corporate firewall.

The ESA is a soft appliance that must be pre-installed on a separate server. It is used to create and manage security policies.

Mon, 01 Jan 0001 00:00:00 +0000

This guide describes how to configure the Protegrity Policy Agent and Log Forwarder to connect to a Protegrity Provisioned Cluster (PPC), highlighting the differences from connecting to ESA.

Key Differences: PPC vs ESA

Feature	ESA 10.2	PPC (this guide)
Datastore Key Fingerprint	Optional/Recommended	Required
CA Certificate on Agent	Optional/Recommended	Optional/Recommended
CA Certificate on Log Forwarder	Optional/Recommended	Not supported
Client Certificate Authentication from Log Forwarder	Optional/Recommended	Not supported
IP Address	ESA IP address	PPC address

Prerequisites

Access to PPC and required credentials.
Tools: curl, kubectl installed.

Policy Agent Setup with PPC

Important

When connecting to PPC, the Policy Agent requires the PTY_DATASTORE_KEY fingerprint. For ESA 10.2, the fingerprint is optional but recommended. See Policy Agent Installation for general setup steps.

Follow these instructions as a guide for understanding specific inputs for Policy Agent integrating with PPC:

Mon, 01 Jan 0001 00:00:00 +0000

Create Protect Lambda IAM Execution Policy

This task defines a policy used by the Protegrity Lambda function to write CloudWatch logs and access the KMS encryption key to decrypt the policy.

Perform the following steps to create the Lambda execution role and required policies:

From the AWS IAM console, select Policies > Create Policy.

Select the JSON tab and copy the following sample policy.

{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Sid": "CloudWatchWriteLogs",
 "Effect": "Allow",
 "Action": [
 "logs:CreateLogGroup",
 "logs:CreateLogStream",
 "logs:PutLogEvents"
 ],
 "Resource": "*"
 },
 {
 "Sid": "KmsDecrypt",
 "Effect": "Allow",
 "Action": [
 "kms:Decrypt"
 ],
 "Resource": [
 "arn:aws:kms:*:*:key/*"
 ]
 }
 ]
}

For the KMS policy, replace the Resource with the ARN for the KMS key created in a previous step.

Mon, 01 Jan 0001 00:00:00 +0000

Create Protect Lambda IAM Role

The following steps create the role to utilize the policy defined in Create Protect Lambda IAM Execution Policy.

To create protect lambda IAM execution role:

From the AWS IAM console, select Roles > Create Role.
Select AWS Service > Lambda > Next.
In the list, search and select the policy created in Create Protect Lambda IAM Execution Policy.
Click Next
Type the role name, for example, ProtegrityProtectRole

Mon, 01 Jan 0001 00:00:00 +0000

Upgrading Policy Agent Lambda

Note

If the release version of the artifact zip file has not changed since the previous installation, you can skip the Agent Lambda upgrade.

Go to AWS Lambda console and select existing Protegrity Agent Lambda.
Click Actions in top right portion of the screen. Select Publish new version. Click Publish. The version of Agent Lambda you just created will serve as restore point in the case you needed to rollback the upgrade.

Mon, 01 Jan 0001 00:00:00 +0000

Upgrading Log Forwarder Lambda

Note

If you are upgrading protector to one of these versions: [3.2.2, 3.2.3], skip this section and follow instruction to install new Log Forwarder Audit Log Forwarder Installation.

Publish Log Forwarder Lambda Version

Publishing a version of the Log Forwarder Lambda allows to roll-back to pre-existing version if upgrade fails
1. Go to AWS Lambda console and select existing Protegrity Log Forwarder Lambda.
2. Click Actions in top right portion of the screen. Select Publish new version. Click Publish.

Mon, 01 Jan 0001 00:00:00 +0000

Upgrading Protect Lambda

Note

If the release version of the artifact zip file has not changed since the previous installation, you can skip the Protect Lambda upgrade.

Diagram below illustrates upgrade steps.

Mon, 01 Jan 0001 00:00:00 +0000

Re-enable Protegrity Agent Function CloudWatch Event Rule

If the Event Rule was disabled at the beginning of the upgrade process, you must re-enabled it. Follow the steps below to re-enable Policy Agent Event rule.

Go to the Protegrity Agent Cloud Formation Stack.
Select Resources tab from the top portion of the screen.
Click on the Physical ID link in the ScheduledRule row. The link opens Policy Agent Event Rule configuration.

Mon, 01 Jan 0001 00:00:00 +0000

Disable Protegrity Agent Function CloudWatch Event Rule

Cloud Watch Event Rule is used to periodically run Protegrity Agent Function to synchronize policy from ESA. This functionality is optional when deploying Protegrity Serverless Solution. If the Event Rule is enabled, it must be disabled temporarily for the time of the upgrade process.

Follow the steps below to determine if your deployment uses Event Rule and disable it.

Go to AWS Cloud Formation and select existing Protegrity deployment stack.

Mon, 01 Jan 0001 00:00:00 +0000

Download the Latest Version

You can download the latest version of the deployment package from https://my.protegrity.com. Navigate to Data Protection > Cloud Protect to download the latest version.

After downloading the deployment package from the Protegrity Portal, unzip the package to extract the artifact files. In the AWS Console, navigate to the S3 bucket that was previously created to upload deployment artifacts (see: Create S3 bucket for Installing Artifacts).

Note

Only extract the deployment package and not the files in it.

Upload the following artifacts to the S3 bucket: