Appendices on

Installing the Policy Agent and Protector in Different AWS Accounts

Mon, 01 Jan 0001 00:00:00 +0000

The Policy Agent Lambda function and Protect Lambda functions can be installed in separate AWS accounts. However, additional configuration is required to authorize the Policy Agent to provision the security policy to a remote Protect Lambda function.

Integrating Cloud Protect with PPC (Protegrity Provisioned Cluster)

Mon, 01 Jan 0001 00:00:00 +0000

This guide describes how to configure the Protegrity Policy Agent and Log Forwarder to connect to a Protegrity Provisioned Cluster (PPC), highlighting the differences from connecting to ESA.

Key Differences: PPC vs ESA

Feature	ESA 10.2	PPC (this guide)
Datastore Key Fingerprint	Optional/Recommended	Required
CA Certificate on Agent	Optional/Recommended	Optional/Recommended
CA Certificate on Log Forwarder	Optional/Recommended	Not supported
Client Certificate Authentication from Log Forwarder	Optional/Recommended	Not supported
IP Address	ESA IP address	PPC address

Prerequisites

Access to PPC and required credentials.
Tools: curl, kubectl installed.

Policy Agent Setup with PPC

Important

When connecting to PPC, the Policy Agent requires the PTY_DATASTORE_KEY fingerprint. For ESA 10.2, the fingerprint is optional but recommended. See Policy Agent Installation for general setup steps.

Follow these instructions as a guide for understanding specific inputs for Policy Agent integrating with PPC:

Policy Agent - Custom VPC Endpoint Hostname Configuration

Mon, 01 Jan 0001 00:00:00 +0000

The Policy Agent uses default endpoint hostnames to communicate with other AWS services (for example, secretsmanager.amazonaws.com). This configuration will only work in VPCs where Amazon-provided DNS is available (default VPC configuration with private DNS option enabled for the endpoint). If your VPC uses custom DNS, follow the instructions below to configure the Policy Agent Lambda to use custom endpoint hostnames.

Note

This configuration is only available with the Cloud Protect version 1.5.0 or higher. For more information about the upgrade instructions, refer to Upgrading to the Latest Version.

Identify DNS Hostnames

To identify DNS hostnames:

Redshift Cross-Account Configuration

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Account Configuration

Important

These steps are only required IF the Protegrity solution is installed in a separate AWS account from the Amazon Redshift cluster.

The following figure illustrates the Protegrity Redshift Integration architecture when Protegrity Solution is installed on separate from Amazon Redshift Cluster Account.

Redshift Account IAM Configuration

This step creates Redshift IAM role with permissions to assume role in separate account.

Create Redshift IAM policy:

Sample Redshift External Function

Mon, 01 Jan 0001 00:00:00 +0000

Sample Redshift External Function

Method: Tokenization
Type: ALPHA

Redshift Data Types	Redshift Max Size	Protegrity Max Size
VARCHAR	4K (4,096 bytes)	4K (4,096 bytes)
CHAR



External Function Sample Definitions:
`CREATE EXTERNAL FUNCTION PTY_PROTECT_ALPHA ( val varchar ) RETURNS varchar VOLATILE lambda '<replace_with_protect_function_name>:Production' iam_role 'arn:aws:iam::<REPLACE_WITH_YOUR_AWS_ACCOUNT>:role/<REPLACE_WITH_IAM_ROLE_NAME>';`

Sample EF Calls:
`SELECT PTY_PROTECT_ALPHA ('Hello World');`
`SELECT PTY_UNPROTECT_ALPHA('rfDtw sLMJK');`


Method: Tokenization
Type: NUMERIC Configuring Regular Expression to Extract Policy Username Mon, 01 Jan 0001 00:00:00 +0000 Configuring Regular Expression to Extract Policy Username Cloud Protect Lambda Function exposes USERNAME_REGEX configuration to allow extraction of policy username from user in the request. USERNAME_REGEX Lambda Environment configuration The USERNAME_REGEX configuration can be used to extract policy username from user in the request. The following are allowed values for USERNAME_REGEX: 1 - Default build-in regular expression is used: `^arn:aws:(?:iam\|sts)::[0-9]{12}:(?:role\|user\|group\|assumed\-role\|federated\-user)\/([\w\/+=,.\-]{1,1024}\|[\w\/+=,.\-@]{1,1024})(?:@[a-zA-Z0-9\-]{1,320}(?:\.\w+)+)?$` ^User regex$ - Custom regex with one capturing group. This group is used to extract the username. Examples below show different regular expression values and the resulting policy user. Associating ESA Data Store With Cloud Protect Agent Mon, 01 Jan 0001 00:00:00 +0000 Associating ESA Data Store With Cloud Protect Agent ESA controls which policy is deployed to protector using concept of data store. A data store may contain a list of IP addresses identifying servers allowed to pull the policy associated with that specific data store. Data store may also be defined as default data store, which allows any server to pull the policy, provided it does not belong to any other data stores. Node registration occurs when the policy server (in this case the policy agent) makes a policy request to ESA, where the agent’s IP address is identified by ESA.

Appendices on

Installing the Policy Agent and Protector in Different AWS Accounts

Integrating Cloud Protect with PPC (Protegrity Provisioned Cluster)

Key Differences: PPC vs ESA

Prerequisites

Policy Agent Setup with PPC

Important

Policy Agent - Custom VPC Endpoint Hostname Configuration

Note

Identify DNS Hostnames

Redshift Cross-Account Configuration

Cross-Account Configuration

Important

Redshift Account IAM Configuration

Sample Redshift External Function

Sample Redshift External Function

Configuring Regular Expression to Extract Policy Username

Configuring Regular Expression to Extract Policy Username

Associating ESA Data Store With Cloud Protect Agent

Associating ESA Data Store With Cloud Protect Agent