Protect Service Installation

Install the protect service.

    Preparation

    1. Ensure that all the steps in Pre-Configuration are performed.

    2. Log in to the console of the AWS account where Amazon Redshift Protector will be installed.

    3. Ensure that the required CloudFormation templates provided by Protegrity are available on your local computer.

    Create Protect Lambda IAM Execution Policy

    This task defines a policy used by the Protegrity Lambda function to write CloudWatch logs and access the KMS encryption key to decrypt the policy.

    Perform the following steps to create the Lambda execution policy (the role that uses it is created in the next section):

    1. From the AWS IAM console, select Policies > Create Policy.

    2. Select the JSON tab and copy the following sample policy.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "CloudWatchWriteLogs",
            "Effect": "Allow",
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": "*"
          },
          {
            "Sid": "KmsDecrypt",
            "Effect": "Allow",
            "Action": [
              "kms:Decrypt"
            ],
            "Resource": [
              "arn:aws:kms:*:*:key/*"
            ]
          }
        ]
      }
      
    3. In the KmsDecrypt statement, replace the wildcard Resource (arn:aws:kms:*:*:key/*) with the ARN of the KMS key created in Pre-Configuration. Do not leave the wildcard in place: it grants kms:Decrypt on every key whose key policy admits the role, not just the one that protects the Protegrity policy.

    4. Select Next, type in a policy name, for example, ProtegrityProtectLambdaPolicy and Create Policy. Record the policy name:

      ProtectLambdaPolicyName:__________________

    Create Protect Lambda IAM Role

    The following steps create the role to utilize the policy defined in Create Protect Lambda IAM Execution Policy.

    To create the Protect Lambda IAM execution role:

    1. From the AWS IAM console, select Roles > Create Role.

    2. Select AWS Service > Lambda > Next.

    3. In the list, search and select the policy created in Create Protect Lambda IAM Execution Policy.

    4. Click Next.

    5. Type the role name, for example, ProtegrityProtectRole.

    6. Click Create role.

    7. Record the role ARN.

      Role ARN (LambdaExecutionRoleArn): ___________________

    Install through CloudFormation

    The following steps describe the deployment of the Lambda function.

    To install through CloudFormation:

    1. Access CloudFormation and select the target AWS Region in the console.

    2. Click Create Stack and choose With new resources.

    3. Specify the template.

    4. Select Upload a template file.

    5. Upload the Protegrity-provided CloudFormation template called pty_protect_cf.json and click Next.

    6. Specify the stack details. Enter a stack name.

    7. Enter the required parameters. The values were recorded in Pre-Configuration and in Create Protect Lambda IAM Role.

      Parameter                Description
      DBRoleName               Name of the IAM account role created in the pre-configuration step
      ArtifactS3Bucket         Name of the S3 bucket created in the pre-configuration step
      LambdaExecutionRoleArn   ARN of the Lambda execution role created in Create Protect Lambda IAM Role
      MinLogLevel              Minimum log level for the protect function. Allowed values: off, severe, warning, info, config, all
      UsernameRegex            If set, the effective policy user is extracted from the user in the request

    8. If you are not planning to deploy the log forwarder, skip this step. The log forwarder parameters can be supplied later, with a stack update, after the log forwarder is deployed.

      Log Forwarder Parameter   Description
      KinesisLogStreamArn       The ARN of the AWS Kinesis stream where audit logs are sent for aggregation
      AuditLogFlushInterval     Time interval in seconds used to accumulate audit logs before sending them to Kinesis. Default value: 30. See the Log Forwarder Performance section for more details.

    9. Accept the defaults on the remaining pages of the Create Stack wizard and click Submit to create the stack.

    10. When the stack reaches CREATE_COMPLETE, select its Outputs tab.

    11. Record the following values:

      ProtectFunctionName: __________________________

      ProtectFunctionProductionAlias: __________________________

      ProtectLayerName: _____________________________

    Protect Lambda Configuration

    After the CloudFormation stack is deployed, the Protect Lambda default configuration can be changed through the function's environment variables. The available variables and the steps to update them are listed below.

    • List of Protect Lambda Environment Variables

      Variable Name              Description                                   Notes
      LOG_REDSHIFT_CLUSTER_ARN   When enabled, the Redshift cluster ARN is     Set LOG_REDSHIFT_CLUSTER_ARN = 1 to enable.
                                 recorded in the CloudWatch audit log.         See Audit Logging for audit log examples.

    • Updating Lambda Configuration

      From your AWS console, navigate to Lambda and select the following Lambda:

      Protegrity_Protect_<STACK_NAME>

      Select Configuration tab and scroll down to the Environment variables section. Select Edit then Add environment variable. For the list of allowed variables and corresponding values refer to the table above.
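The console wizard above (steps 1 to 11) and the environment-variable edit can also be driven from a script, which makes the installation repeatable and avoids one trap in the API: UpdateFunctionConfiguration replaces the whole Environment block, so sending LOG_REDSHIFT_CLUSTER_ARN on its own would delete the variables the stack configured. The following Python is an added example, not Protegrity's code or a script shipped with the product. It assumes the parameter names from the step 7 table, the output keys from step 11, the function name Protegrity_Protect_<STACK_NAME>, a local copy of pty_protect_cf.json, and that CAPABILITY_IAM is acceptable for the template; the role, bucket, account and stack values in the main block are made up.

```python
"""Deploy the Protect stack and change its Lambda environment with boto3.

Added example, not Protegrity's code. Assumes the parameter names from the
step 7 table, the output keys from step 11, the Lambda name
Protegrity_Protect_<STACK_NAME>, and pty_protect_cf.json in the working
directory. boto3 is imported only for the live calls in the main block.
"""
import json

ALLOWED_LOG_LEVELS = ("off", "severe", "warning", "info", "config", "all")
# The only environment variable documented for the Protect Lambda, with its
# documented value. Anything else is rejected before it reaches AWS.
ALLOWED_ENV = {"LOG_REDSHIFT_CLUSTER_ARN": {"1"}}


def build_parameters(db_role_name, artifact_bucket, lambda_role_arn,
                     min_log_level="info", username_regex=None,
                     kinesis_stream_arn=None, flush_interval=30):
    """Return the Parameters list for create_stack.

    UsernameRegex is sent only when set; the log forwarder parameters are
    sent only when a Kinesis stream ARN is given (step 8 lets you add them
    later with a stack update).
    """
    if min_log_level not in ALLOWED_LOG_LEVELS:
        raise ValueError(f"MinLogLevel must be one of {ALLOWED_LOG_LEVELS}")
    params = {
        "DBRoleName": db_role_name,
        "ArtifactS3Bucket": artifact_bucket,
        "LambdaExecutionRoleArn": lambda_role_arn,
        "MinLogLevel": min_log_level,
    }
    if username_regex:
        params["UsernameRegex"] = username_regex
    if kinesis_stream_arn:
        params["KinesisLogStreamArn"] = kinesis_stream_arn
        params["AuditLogFlushInterval"] = str(flush_interval)
    return [{"ParameterKey": k, "ParameterValue": v} for k, v in params.items()]


def stack_outputs(describe_stacks_response):
    """Turn the Outputs list of describe_stacks into the dict of values that
    step 11 asks you to record (ProtectFunctionName and so on)."""
    stack = describe_stacks_response["Stacks"][0]
    return {o["OutputKey"]: o["OutputValue"] for o in stack.get("Outputs", [])}


def merge_environment(existing, updates):
    """Merge new variables into the current set without dropping any.

    UpdateFunctionConfiguration replaces the whole Environment block, so
    sending only LOG_REDSHIFT_CLUSTER_ARN would delete every variable the
    stack configured.
    """
    for key, value in updates.items():
        if key not in ALLOWED_ENV:
            raise ValueError(f"{key} is not a documented Protect variable")
        if value not in ALLOWED_ENV[key]:
            raise ValueError(f"{key}={value} is not a documented value")
    merged = dict(existing)
    merged.update(updates)
    return merged


def deploy(cfn, stack_name, template_path, parameters):
    """Create the stack and return its outputs once it is CREATE_COMPLETE."""
    with open(template_path) as f:
        template = f.read()
    # CAPABILITY_IAM is an assumption: it is ignored if the template creates
    # no IAM resources and required if it does.
    cfn.create_stack(StackName=stack_name, TemplateBody=template,
                     Parameters=parameters, Capabilities=["CAPABILITY_IAM"])
    cfn.get_waiter("stack_create_complete").wait(StackName=stack_name)
    return stack_outputs(cfn.describe_stacks(StackName=stack_name))


def set_env_var(lam, stack_name, key, value):
    """Add one variable to Protegrity_Protect_<STACK_NAME>, keeping the rest."""
    name = f"Protegrity_Protect_{stack_name}"
    current = lam.get_function_configuration(FunctionName=name)
    existing = current.get("Environment", {}).get("Variables", {})
    merged = merge_environment(existing, {key: value})
    lam.update_function_configuration(FunctionName=name,
                                      Environment={"Variables": merged})
    return merged


if __name__ == "__main__":
    import boto3  # live calls only; values below are made up
    cfn, lam = boto3.client("cloudformation"), boto3.client("lambda")
    params = build_parameters(
        "ProtegrityRedshiftRole", "my-protect-artifacts",
        "arn:aws:iam::123456789012:role/ProtegrityProtectRole")
    outputs = deploy(cfn, "pty", "pty_protect_cf.json", params)
    print(json.dumps(outputs, indent=2))
    print(set_env_var(lam, "pty", "LOG_REDSHIFT_CLUSTER_ARN", "1"))
```

Run it once with real values to create the stack; rerun set_env_var alone whenever a variable changes, and compare its returned dict with the console's Environment variables section to confirm nothing was dropped.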

    Delete API Gateway (Optional)

    The CloudFormation stack also creates an API Gateway, which is used when this product is deployed for Snowflake. It is not required for Amazon Redshift and can be removed. Note that deleting it outside CloudFormation leaves the stack drifted, and a later stack update may recreate it.

    To delete API Gateway:

    1. From Services, access API Gateway.

    2. Select the API Gateway service that is created.

    3. Click Actions > Delete.

    Add Lambda Protect IAM Permissions to Role

    To add inline Lambda Protect IAM permissions to role:

    1. Select the role created in section Create IAM Account Role (DBRoleName).

    2. In the Permissions tab, click Add inline policy.

    3. Select the JSON tab and copy the following sample policy.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "ProtegrityProtectInvokePermission",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:*:*:function:*"
          }
        ]
      }
      
    4. Replace the wildcard Resource with the ARN of the Protect Lambda function (the ProtectFunctionName from the stack outputs, for example arn:aws:lambda:<region>:<account>:function:<ProtectFunctionName>). Because the external function invokes the Production alias, also include the qualified form <function ARN>:Production (or <function ARN>:*); the unqualified ARN alone does not cover alias invocations.
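The two sample policies on this page (the Lambda execution policy and the inline invoke policy) both ship with wildcard resources that the steps ask you to narrow. The Python below is an added example, not Protegrity's code: it carries both samples as data, flags statements whose Resource is "*" or leaves region and account as wildcards, and rewrites them to a single log group, a single KMS key and the one Protect function. The region, account ID, key ID and stack name are made up, and the log-group path assumes the default /aws/lambda/<function name> group for a function named Protegrity_Protect_<STACK_NAME>.

```python
"""Scope the two sample IAM policies on this page and flag wildcard resources.

Added example, not Protegrity's code. The two policy documents are the
samples from this page; the region, account ID, KMS key ID and stack name
are made up. Assumes the function name Protegrity_Protect_<STACK_NAME> and
that Redshift calls the Production alias, as in the Test Connectivity step.
"""
import copy
import json

# Sample from "Create Protect Lambda IAM Execution Policy", as printed above.
LAMBDA_EXECUTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudWatchWriteLogs", "Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                    "logs:PutLogEvents"],
         "Resource": "*"},
        {"Sid": "KmsDecrypt", "Effect": "Allow",
         "Action": ["kms:Decrypt"],
         "Resource": ["arn:aws:kms:*:*:key/*"]},
    ],
}

# Sample from "Add Lambda Protect IAM Permissions to Role", as printed above.
INVOKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ProtegrityProtectInvokePermission", "Effect": "Allow",
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:*:*:function:*"},
    ],
}


def overbroad_statements(policy):
    """Return the Sids of Allow statements whose Resource is "*" or leaves
    region and account as wildcards (the ":*:*:" form used by the samples).
    A trailing ":*" on a log-group or function ARN is fine and not flagged.
    """
    flagged = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        resources = st.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if any(r == "*" or ":*:*:" in r for r in resources):
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged


def scope_execution_policy(policy, region, account, stack_name, kms_key_arn):
    """Pin the log statement to the function's own log group and the KMS
    statement to the one key, which is what step 3 of the policy asks for."""
    scoped = copy.deepcopy(policy)
    log_group = (f"arn:aws:logs:{region}:{account}:log-group:"
                 f"/aws/lambda/Protegrity_Protect_{stack_name}")
    for st in scoped["Statement"]:
        if st["Sid"] == "CloudWatchWriteLogs":
            # CreateLogGroup matches the group ARN; CreateLogStream and
            # PutLogEvents match the group's streams (":*").
            st["Resource"] = [log_group, f"{log_group}:*"]
        elif st["Sid"] == "KmsDecrypt":
            st["Resource"] = [kms_key_arn]
    return scoped


def scope_invoke_policy(policy, function_arn):
    """Pin lambda:InvokeFunction to the Protect function.

    Redshift invokes <function>:Production, and a qualified invocation is
    matched against the qualified ARN, so the unqualified ARN on its own
    would not cover it; ":*" covers the alias and any versions.
    """
    scoped = copy.deepcopy(policy)
    for st in scoped["Statement"]:
        if st["Sid"] == "ProtegrityProtectInvokePermission":
            st["Resource"] = [function_arn, f"{function_arn}:*"]
    return scoped


if __name__ == "__main__":
    region, account, stack = "us-east-1", "123456789012", "pty"  # made up
    key = f"arn:aws:kms:{region}:{account}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    fn = f"arn:aws:lambda:{region}:{account}:function:Protegrity_Protect_{stack}"
    print("before:", overbroad_statements(LAMBDA_EXECUTION_POLICY),
          overbroad_statements(INVOKE_POLICY))
    exec_policy = scope_execution_policy(LAMBDA_EXECUTION_POLICY,
                                         region, account, stack, key)
    invoke_policy = scope_invoke_policy(INVOKE_POLICY, fn)
    print("after:", overbroad_statements(exec_policy),
          overbroad_statements(invoke_policy))
    print(json.dumps(exec_policy, indent=2))
    print(json.dumps(invoke_policy, indent=2))
```

Paste the printed documents into the JSON tab instead of the samples; overbroad_statements can also be pointed at any policy already attached to the roles to confirm the wildcards did not survive.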

    Attach IAM Account Role to Redshift

    Perform the following steps to allow Redshift to invoke the Protect Lambda function.

    Attach the IAM role (DBRoleName) created in Create IAM Account Role to the Redshift cluster.

    To attach IAM account role to Redshift:

    1. From the AWS console, access Amazon Redshift and click on the cluster.

    2. Select Actions > Manage IAM Roles.

    3. Under Available IAM roles, select Enter ARN.

    4. Enter the ARN of the IAM account role (DBRoleName) created in Create IAM Account Role, the role that carries the inline invoke policy. Do not use the Lambda execution role: its trust policy allows only Lambda to assume it, so Redshift cannot.

    5. Click Add IAM role.

    6. Wait until the cluster status returns to Available before defining the external function.

    Test Connectivity

    Perform the following steps to verify if Redshift is working correctly with the Protegrity product.

    To test the connectivity:

    1. Access the Redshift SQL console.

    2. Copy and paste the following snippet into a worksheet.

      CREATE OR REPLACE EXTERNAL FUNCTION pty_unprotect_alpha(varchar) RETURNS varchar
      VOLATILE lambda '<replace_with_protect_function_name>:Production'
      iam_role 'arn:aws:iam::<your-aws-account-number>:role/<role-name>';
      
    3. Replace the placeholders with the ProtectFunctionName recorded from the stack outputs, your AWS account number, and the name of the IAM account role (DBRoleName) attached to the cluster in the previous section.

    4. Run the following command in the console:

      select pty_unprotect_alpha('UtfVk UHgcD!');
      
    5. Verify that the string hello world! is returned.

    Troubleshooting Tips

    Error: Empty result or Invalid operation error

    Action:

    1. If a permission exception occurred, make sure the Redshift cluster was not still in Modifying status (as it is for a while after Add IAM role) when the external function was created or run. Wait until the cluster is Available and try again.

    2. Run the Lambda directly. Open the Protect Lambda function in the console and create a test event with the following payload:

      {
        "user": "test",
        "arguments": [
          [
            "UtfVk UHgcD!"
          ]
        ],
        "query_id": 0,
        "external_function": "pty_unprotect_alpha"
      }
      
    3. If the test fails, check the error shown by the console test and the function's CloudWatch log. If it succeeds, the Lambda installation is correct and the problem lies between Redshift and the function.

    4. Recheck all the IAM configuration steps above: the inline invoke policy on DBRoleName, the role attached to the cluster, and the iam_role named in the external function definition.
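To tell whether a failure sits in the Lambda reply or in the Redshift-side setup, it helps to know what Redshift sends to and expects back from a Lambda UDF. The Python below is an added example, not Protegrity's code: it builds the troubleshooting test event from the Test Connectivity values and checks a reply against the Redshift Lambda UDF contract (a boolean success, num_records equal to the number of input rows, results as one value per row, error_msg on failure). Redshift also sends request_id, cluster, database and num_records in a real invocation; the console test event above omits them, and build_test_event adds num_records. The three sample replies are constructed; the page does not show the raw JSON the Protect function returns.

```python
"""Check a Protect test event and the Lambda's reply against the Redshift
Lambda UDF contract.

Added example, not Protegrity's code. The field names are those of the
Redshift Lambda UDF request/response format. The sample event and replies
are constructed from the Test Connectivity values; the real function's raw
JSON is not shown on this page.
"""
import json


def build_test_event(function_name, values, user="test", query_id=0):
    """Build a console test event in the shape shown above: one argument list
    per row, since pty_unprotect_alpha takes a single varchar."""
    return {
        "user": user,
        "arguments": [[v] for v in values],
        "query_id": query_id,
        "external_function": function_name,
        "num_records": len(values),
    }


def check_request(event):
    """Return the ways an invocation payload deviates from the contract."""
    problems = [f"missing {f}" for f in
                ("user", "arguments", "query_id", "external_function")
                if f not in event]
    rows = event.get("arguments")
    if not isinstance(rows, list) or not all(isinstance(r, list) for r in rows):
        problems.append("arguments must be a list of rows, each a list of values")
        return problems
    if len({len(r) for r in rows}) > 1:
        problems.append("rows have different numbers of arguments")
    if "num_records" in event and event["num_records"] != len(rows):
        problems.append("num_records does not match the number of rows")
    return problems


def check_response(event, response):
    """Explain why Redshift would reject a reply. A reply that fails these
    checks surfaces as an empty result or an invalid-operation error even
    though the Lambda itself ran."""
    expected = len(event.get("arguments", []))
    if not isinstance(response.get("success"), bool):
        return ["success must be a boolean"]
    if not response["success"]:
        return ["function reported failure: "
                + str(response.get("error_msg", "<no error_msg>"))]
    problems = []
    results = response.get("results")
    if not isinstance(results, list):
        problems.append("results must be a list, one value per input row")
    elif len(results) != expected:
        problems.append(f"results has {len(results)} rows, query sent {expected}")
    if response.get("num_records") != expected:
        problems.append("num_records must equal the number of input rows")
    return problems


# Constructed samples: the troubleshooting test event and three replies.
SAMPLE_EVENT = build_test_event("pty_unprotect_alpha", ["UtfVk UHgcD!"])
REPLY_OK = {"success": True, "num_records": 1, "results": ["hello world!"]}
REPLY_EMPTY = {"success": True, "num_records": 0, "results": []}
REPLY_FAILED = {"success": False, "error_msg": "unable to decrypt policy"}


if __name__ == "__main__":
    print(json.dumps(SAMPLE_EVENT, indent=2))
    print("request:", check_request(SAMPLE_EVENT) or "accepted")
    for name, reply in (("ok", REPLY_OK), ("empty", REPLY_EMPTY),
                        ("failed", REPLY_FAILED)):
        print(name + ":", check_response(SAMPLE_EVENT, reply) or "accepted")
```

Paste the JSON the console test returns into check_response with the event you sent: an empty problems list means the function's reply is well formed and the remaining suspects are the role attached to the cluster and the external function definition.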


    Last modified : December 04, 2025