Pre-Configuration

Configuration steps before installing the protector.

    Provide AWS sub-account

    Identify or create an AWS account where the Protegrity solution will be installed. It is recommended that a new AWS sub-account be created. This can provide greater security controls and help avoid conflicts with other applications that might impact regional account limits. An individual with the Cloud Administrator role will be required for some subsequent installation steps.

    AWS Account ID: ___________________

    AWS Region (AwsRegion): ___________________

    Determine AWS Region

    Determine the AWS region where the Amazon Redshift cluster is running. The Protegrity solution must be installed in the same region.

    AWS Region (AccountRegion): ___________________

    Create S3 bucket for Installing Artifacts

    This S3 bucket holds the artifacts required by the CloudFormation installation steps. It must be created in the region recorded in Provide AWS sub-account.

    1. Sign in to the AWS Management Console and open the Amazon S3 console.

    2. Change the region to the one recorded in Provide AWS sub-account.

    3. Click Create Bucket.

    4. Enter a unique bucket name:

      For example, protegrity-install.us-west-2.example.com. Bucket names must be globally unique. A name containing dots cannot be addressed in virtual-hosted style over HTTPS (the S3 wildcard certificate covers only one label), so a dot-free name such as protegrity-install-us-west-2 avoids TLS errors with some tooling.

    5. Upload the installation artifacts to this bucket. Protegrity will provide the following four artifacts:

      • protegrity-protect-<version>.zip
      • protegrity-agent-<version>.zip
      • protegrity-external-extension-<version>.zip
      • protegrity-sample-policy-<version>.zip

      S3 Bucket name (ArtifactS3Bucket): ___________________

    Create KMS Key

    The AWS Key Management Service (KMS) key gives the Protegrity Serverless solution the ability to encrypt and decrypt the Protegrity Security Policy.

    To create KMS key:

    1. In the AWS sub-account where the KMS key will reside, select the region.

    2. Navigate to Key Management Service > Create Key.

    3. Configure the key settings:

      • Key type: Asymmetric
      • Key usage: Encrypt and decrypt
      • Key spec: RSA_4096
      • Click Next
    4. Enter an alias and, optionally, a description, for example Protegrity-Serverless, and click Next.

    5. Define the key administrative permissions: the IAM users or roles that will administer the key. Key administrators manage the key; they do not need usage permission.

    6. Click Next.

    7. Define the key usage permissions.

    8. In Other AWS accounts, enter the AWS account id used for the Protegrity Serverless installation.

    9. Continue and create the key. Entering the account under Other AWS accounts grants key usage to that entire account; if this is considered too broad, you can return later and restrict the usage statement to the execution roles of the two Protegrity Serverless Lambda functions as principals. Open the key in the list and record its ARN.

      KMS Key ARN (AWS_KMS_KEY_ID): ___________________

    10. Download the public key from the KMS key. Navigate to the key in KMS console, select the Public key tab, and click Download. Save the PEM file. This public key will be added to the ESA data store as an export key. Refer to Exporting Keys to Datastore for instructions on adding the public key to the data store.

      KMS Public Key PEM file: ___________________
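    Step 9 leaves the cross-account grant as broad as the console makes it. The Python below is an added example, not Protegrity's code and not the policy the console generates: it builds the key policy from the steps above in both forms (usage granted to the whole installing account, and usage scoped to the two Lambda execution roles) and flags any usage principal that is a wildcard or a foreign account root, so the policy can be audited after `aws kms get-key-policy`. The account IDs, the key administrator ARN and the two Lambda role names are placeholders; the real role names exist only once the Protegrity stack is deployed.

```python
import json
import re

# Worksheet values from the section above (constructed placeholders; substitute
# the recorded account IDs and the ARN of the key administrator).
KEY_OWNER_ACCOUNT = "111111111111"   # sub-account where the KMS key resides
INSTALL_ACCOUNT = "222222222222"     # account entered under "Other AWS accounts"
KEY_ADMIN_ARN = f"arn:aws:iam::{KEY_OWNER_ACCOUNT}:role/ProtegrityKmsAdmin"  # hypothetical

# Hypothetical execution-role names for the two Protegrity Serverless Lambda
# functions; the real names come from the CloudFormation stack once deployed.
LAMBDA_ROLE_ARNS = [
    f"arn:aws:iam::{INSTALL_ACCOUNT}:role/ProtegrityProtectLambdaRole",
    f"arn:aws:iam::{INSTALL_ACCOUNT}:role/ProtegrityAgentLambdaRole",
]

# What a consumer of an RSA ENCRYPT_DECRYPT key needs at run time: decrypt the
# policy blob and read key metadata. Encryption happens on the ESA with the
# exported public key, so kms:Encrypt is deliberately absent.
USE_ACTIONS = ["kms:Decrypt", "kms:DescribeKey", "kms:GetPublicKey"]

_ROOT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def key_policy(use_principals):
    """Build the key policy for the steps above with the given usage principals."""
    return {
        "Version": "2012-10-17",
        "Id": "protegrity-serverless-key-policy",
        "Statement": [
            {
                # Lets IAM policies in the owning account govern the key.
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{KEY_OWNER_ACCOUNT}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                # Step 5: administrators manage the key but cannot use it.
                "Sid": "AllowKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": KEY_ADMIN_ARN},
                "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                           "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                           "kms:Get*", "kms:Delete*", "kms:TagResource",
                           "kms:UntagResource", "kms:ScheduleKeyDeletion",
                           "kms:CancelKeyDeletion"],
                "Resource": "*",
            },
            {
                # Steps 7-9: usage, granted either to the whole install account
                # (the broad console form) or only to the Lambda execution roles.
                "Sid": "AllowKeyUse",
                "Effect": "Allow",
                "Principal": {"AWS": use_principals},
                "Action": USE_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def _principal_arns(principal):
    """Flatten the Principal element ('*', {'AWS': str} or {'AWS': [..]}) to a list."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []


def broad_use_principals(policy, owner_account=KEY_OWNER_ACCOUNT):
    """Principals in Allow statements that are '*' or the root of any account
    other than the key owner, i.e. grants wider than a named role."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for arn in _principal_arns(stmt.get("Principal")):
            m = _ROOT_ARN.match(arn)
            if arn == "*" or (m and m.group(1) != owner_account):
                flagged.append(arn)
    return flagged


def policy_json(policy):
    """Serialise for `aws kms put-key-policy --policy-name default --policy file://...`."""
    return json.dumps(policy, indent=2)


BROAD_POLICY = key_policy([f"arn:aws:iam::{INSTALL_ACCOUNT}:root"])
SCOPED_POLICY = key_policy(LAMBDA_ROLE_ARNS)

if __name__ == "__main__":
    print("broad grant flags:", broad_use_principals(BROAD_POLICY))
    print("scoped grant flags:", broad_use_principals(SCOPED_POLICY))
    print(policy_json(SCOPED_POLICY))
```

    Scoping the key policy is only half of a cross-account grant: the Lambda execution roles in the installing account also need an IAM policy that allows the same kms:Decrypt and kms:DescribeKey actions on this key's ARN, because KMS requires both the key policy and the caller's identity policy to allow the call.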

    Create IAM Account Role

    An IAM role authorizes the Amazon Redshift cluster to invoke the Protect Lambda function that will be created in a later installation step.

    To create IAM account role:

    1. From the AWS console, access IAM, select Roles and then Create Role.

    2. In the Trusted entity type section, select AWS service.

    3. In Use case section, for Service or use case, select Redshift.

    4. For Use case, select Redshift – Customizable.

    5. Click Next to advance to Add Permissions step.

    6. Click Next to skip Add Permissions step.

    7. Enter a Role name, for example, RedshiftProtegrity.

    8. Click Create role.

    9. After the role is created, click on the role. Record the following information:

      • Role Name (DBRoleName): ____________________
      • Role ARN (DBRoleARN): ____________________
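    The procedure above creates the role with the Redshift trust relationship and no permissions (step 6). The Python below is an added example, not Protegrity's code: it produces the trust policy the console writes for Redshift – Customizable, the permissions policy to attach once the Protect Lambda exists (invoke only that function, no Resource wildcard), and two checks that catch a trust policy widened to other principals or an invoke grant on `*`. The account ID, region and Lambda function name are placeholders.

```python
import json

# Worksheet values (constructed placeholders; substitute the recorded ones).
INSTALL_ACCOUNT = "222222222222"
AWS_REGION = "us-west-2"
ROLE_NAME = "RedshiftProtegrity"
# Hypothetical name for the Protect Lambda; the real function is created later
# by the Protegrity CloudFormation stack.
PROTECT_LAMBDA_ARN = f"arn:aws:lambda:{AWS_REGION}:{INSTALL_ACCOUNT}:function:protegrity-protect"


def trust_policy():
    """Steps 2-4: only the Redshift service principal may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "redshift.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def invoke_policy(function_arns):
    """Permissions policy to attach after the Lambda exists (step 6 skips this):
    invoke only the listed functions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "InvokeProtegrityProtect",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": list(function_arns),
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def trusted_principals(policy):
    """Service and AWS principals allowed to assume the role under `policy`."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add("*")
            continue
        for key in ("Service", "AWS"):
            found.update(_as_list(principal.get(key, [])))
    return found


def wildcard_invoke(policy):
    """True if an Allow statement grants lambda:InvokeFunction (or broader) on Resource '*'."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions) and "*" in resources:
            return True
    return False


if __name__ == "__main__":
    # These documents feed `aws iam create-role --assume-role-policy-document`
    # and `aws iam put-role-policy --policy-document` respectively.
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(invoke_policy([PROTECT_LAMBDA_ARN]), indent=2))
    print("trusted:", sorted(trusted_principals(trust_policy())))
```

    The invoke permission is exercised when the function is registered in Redshift with CREATE EXTERNAL FUNCTION ... LAMBDA '<function>' IAM_ROLE '<DBRoleARN>'; the role must also be associated with the cluster for Redshift to assume it.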

    Last modified: December 04, 2025