Prerequisites

Requirements before installing the protector.

    AWS Services

    The following table describes the AWS services that may be a part of your Protegrity installation.

    Service

    Description

    Lambda

    Provides serverless compute for Protegrity protection operations and the ESA integration to fetch policy updates or deliver audit logs.

    KMS

    Provides secrets for envelope policy encryption/decryption for Protegrity.

    Secrets Manager

    Provides secrets management for the ESA credentials.

    S3

    Intermediate storage location for the encrypted ESA policy layer.

    Kinesis

    Required if Log Forwarder is to be deployed. Amazon Kinesis is used to batch audit logs sent from protector function to ESA.

    VPC & NAT Gateway

    Optional. Provides a private subnet to communicate with an on-prem ESA.

    CloudWatch

    Application and audit logs, performance monitoring, and alerts. Scheduling for the policy agent.

    ESA Version Requirements

    The Protector and Log Forwarder functions require a security policy from a compatible ESA version.

    The table below shows compatibility between different Protector and ESA versions.

    Protector VersionESA Version
    8.x9.09.1 & 9.210.0
    2.xNoYes*No
    3.0.x & 3.1.xNoNoYesNo
    3.2.xNoNoYes*
    4.0.xNoNoNoYes

    Legend

    Yes

    Protector was designed to work with this ESA version

    No

    Protector will not work with this ESA version

    *

    Backward compatible policy download supported:

    • Data elements and features which are common between this and previous ESA versions will be downloaded
    • Data elements and features which are new to this ESA version and do not exist in previous ESA version will not be downloaded

    Prerequisites

    RequirementsDescription
    Protegrity distribution and installation scriptsThese artifacts are provided by Protegrity
    Protegrity ESA 10.0+The Cloud VPC must be able to obtain network access to the ESA
    AWS AccountRecommend creating a new sub-account for Protegrity Serverless
    Redshift cluster (Enterprise Edition)Must be in the same region as Protegrity Protect Lambda

    Required Skills and Abilities

    RequirementsDescription
    AWS Account AdministratorTo run CloudFormation (or perform steps manually), create/configure a VPC and IAM permissions.
    Protegrity AdministratorThe ESA credentials required to extract the policy for the Policy Agent
    Redshift AdministratorAccount Admin access required to setup access
    Network AdministratorTo open firewall to access ESA and evaluate AWS network setup

    What’s Next


    Last modified : January 07, 2026