This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Snowflake

Protector for Snowflake on AWS.

1: Overview
2: Installation

2.1: Pre-Configuration
2.2: Prerequisites
2.3: Protect Service Installation
2.4: Policy Agent Installation

2.5: Audit Log Forwarder Installation

2.6:
2.7:
2.8:

3: Understanding Snowflake Objects

3.1: External Functions

3.2: Snowflake Masking Policies

4: Performance

4.1: Performance Considerations
4.2: Sample Benchmarks
4.3: Concurrency
4.4: Concurrency Tuning
4.5: Log Forwarder Performance Tuning
4.6:
4.7:
4.8:
4.9:

5: Audit Logging

6: No Access Behavior
7: Upgrading To The Latest Version
8: Known Limitations
9: Appendices

9.1: Sample Snowflake External Function
9.2: Installing the Policy Agent and Protector in Different AWS Accounts
9.3: Integrating Cloud Protect with PPC (Protegrity Provisioned Cluster)
9.4: Policy Agent - Custom VPC Endpoint Hostname Configuration
9.5: Protection Methods
9.6: Configuring Regular Expression to Extract Policy Username
9.7: Associating ESA Data Store With Cloud Protect Agent

This section describes the high-level architecture of the product for integration with Snowflake, the installation procedures, and provides guidance on performance. This section focuses on Protegrity-specific aspects and should be consumed with the corresponding Snowflake documentation.

This guide may also be used with the Protegrity Enterprise Security Administrator Guide, which explains the mechanism for managing the data security policy.

1 - Overview

Solution overview and features.

Solution Overview

Snowflake Protector on AWS is a cloud native, serverless product for fine-grained data protection with Snowflake™, a managed Cloud data warehouse. This enables invocation of the Protegrity data protection cryptographic methods from the Snowflake SQL execution context. The benefits of serverless include rapid auto-scaling, performance, low administrative overhead, and reduced infrastructure costs compared to a server-based solution.

This product provides data protection services invoked by External User Defined Functions (UDFs) within Snowflake. The UDFs act as a client transmitting micro-batches of data to the serverless Protegrity Lambda function. User queries may generate hundreds or thousands of parallel requests to perform security operations. Protegrity’s serverless function is designed to scale and yield reliable query performance under such load.

Snowflake Protector on AWS utilizes a data security policy maintained by an Enterprise Security Administrator (ESA), similar to other Protegrity products. Using regular SQL database queries or tools, such as, Tableau™, authorized users can perform de-identification (protect) and re-identification (unprotect) operations on data within the managed Cloud data warehouse. A user’s individual capabilities are subject to privileges and policies defined by the Enterprise Security Administrator.

The following data ingestion patterns are available with your managed Cloud data warehouse:

Data protection at source applications: In this case, sensitive data is already de-identified (protected) across the enterprise wherever it resides, including the managed data warehouse. Protected data can be ingested directly into your managed Cloud data warehouse. Depending on usage patterns, this ensures that your managed data warehouse is not brought into scope for PCI, PII, GDPR, HIPPA, and other compliance policies.
Data protection using the Extract-Transform-Load (ETL) pattern: In this case, sensitive data may be transformed with a Protegrity protector either on-premise or in the Cloud before it is ingested into Snowflake.
Data protection using the Extract-Load-Transform (ELT) pattern: In this case, sensitive data is protected after it lands into the target system typically through a temporary landing table. It uses the native data warehouse’s compute engine with Protegrity to protect incoming data at very high throughput rates. After the data is protected, the intermediate loading tables are dropped as part of the ingestion workflow.

Analytics on Protected Data

Protegrity’s format and length preserving tokenization scheme make it possible to perform analytics directly on protected data. Tokens are join-preserving so protected data can be joined across datasets. Often statistical analytics and machine learning training can be performed without the need to re-identify protected data. However, a user or service account with authorized security policy privileges may re-identify subsets of data using the Snowflake Protector on AWS service.

Features

Snowflake Protector on AWS incorporates Protegrity’s patent-pending vaultless tokenization capabilities into cloud-native serverless technology. Combined with an ESA security policy, the protector provides the following features:

Role-based access control (RBAC) to protect and unprotect (re-identify) data depending on the user privileges.
Policy enforcement features of other Protegrity application protectors.

For more information about the available protection options, such as, data types, Tokenization or Encryption types, or length preserving and non-preserving tokens, refer to Protection Methods Reference.

Deployment Architecture

The Protegrity product should be deployed in the customer’s Cloud account within the same AWS region as the Snowflake cluster. The product incorporates Protegrity’s vaultless tokenization engine within an AWS Lambda Function. The encrypted data security policy from an ESA is deployed periodically as a static resource through an AWS Lambda Layer. The policy is decrypted in memory at runtime within the Lambda. This architecture allows Protegrity to be highly available and scale very quickly without direct dependency on any other Protegrity services.

The product exposes a remote data protection service invoked from external User Defined Functions (UDFs), a native feature of specific Cloud databases. The UDFs can be invoked through direct SQL queries or database views. The external UDF makes parallel API calls to the serverless Protegrity Lambda function via the AWS API Gateway to perform protect and unprotect data operations. Each network REST request includes a micro-batch of data to process and a secure context header generated by the database with the username and a Protegrity context header with the data element type, and operation to perform. The product applies the ESA security policy including user authorization and returns a corresponding response. Security operations on sensitive data performed by protector can be audited. The product can be configured to send audit logs to ESA for reporting and alerting purposes via optional component called Log Forwarder explained in details in the next section of this guide.

The security policy is synchronized through another serverless component called the Protegrity Policy Agent. The agent operates on a configurable schedule, fetches the policy from the ESA, performs additional envelope encryption using Amazon KMS, and deploys the policy into the Lambda Layer used by the serverless product. This solution can be configured to automatically provision the static policy or the final step can be performed on-demand by an administrator. The policy takes effect immediately for all new requests. There is no downtime for users during this process.

The following diagram shows the high-level architecture described above.

The following diagram shows a reference architecture for synchronizing the security policy from ESA.

The Protegrity Policy Agent requires network access to an Enterprise Security Administrator (ESA). Most organizations install the ESA on-premise. Therefore, it is recommended that the Policy Agent is installed into a private subnet with a Cloud VPC using a NAT Gateway to enable this communication through a corporate firewall.

The ESA is a soft appliance that must be pre-installed on a separate server. It is used to create and manage security policies.

For more information about installing the ESA, and creating and managing policies, refer the Policy Management Guide.

Log Forwarding Architecture

Audit logs are by default sent to CloudWatch as long as the function’s execution role has the necessary permissions. The Protegrity Product can also be configured to send audit logs to ESA. Such configuration requires deploying Log Forwarder component which is available as part of Protegrity Product deployment bundle. The diagram below shows additional resources deployed with Log Forwarder component.

The log forwarder component includes Amazon Kinesis data stream and the forwarder Lambda function. Amazon Kinesis stream is used to batch audit records before sending them to forwarder function, where similar audit logs are aggregated before sending to ESA. Aggregation rules are described in the Protegrity Log Forwarding guide. When the protector function is configured to send audit logs to log forwarder, audit logs are aggregated on the protector function before sending to Amazon Kinesis. Due to specifics of the Lambda runtime lifecycle, audit logs may take up to 15 minutes before being sent to Amazon Kinesis. Protector function exposes configuration to minimize this time which is described in the protector function installation section.

The security of audit logs is ensured by using HTTPS connection on each link of the communication between protector function and ESA. Integrity and authenticity of audit logs is additionally checked on log forwarder which verifies individual logs signature. The signature verification is done upon arrival from Amazon Kinesis before applying aggregation. If signature cannot be verified, the log is forwarded as is to ESA where additional signature verification can be configured. Log forwarder function uses client certificate to authenticate calls to ESA.

To learn more about individual audit log entry structure and purpose of audit logs, refer to Audit Logging section in this document. Installation instructions can be found in Audit Log Forwarder installation.

The audit log forwarding requires network access from the cloud to the ESA. Most organizations install the ESA on-premise. Therefore, it is recommended that the Log Forwarder Function is installed into a private subnet with a Cloud VPC using a NAT Gateway to enable this communication through a corporate firewall.

Snowflake Connectivity

Request authorization between Snowflake’s AWS VPC to the customer’s AWS API-Gateway occurs using a Snowflake integration enabled by an AWS cross-account IAM role created within the customer’s AWS account. The API Gateway authorizes each request, limiting access to the Snowflake AWS IAM user and external ID established through a Snowflake API Integration object. The following figure illustrates the Protegrity Snowflake Integration architecture.

Snowflake’s API Integration Object

The Snowflake API Integration Object provides a connection between your Snowflake VPC and your AWS account where the Protegrity product is hosted. Creating this connection requires setting up the API Gateway and the IAM shared account role. These steps are provided in the installation.

The following figure shows how trust is established between Snowflake and the product.

2 - Installation

Product Installation Guide.

2.1 - Pre-Configuration

Configuration steps prior product installation.

Determine AWS Region

Query the AWS region where the Snowflake cluster is running. This is the region in which Protegrity Serverless must be installed.

To determine AWS region:

Login to Snowflake
In the SQL console, run the following query.
```
select current_region();
```
Record the AWS region (e.g. us-east-1).
AWS Region: ___________________

Provide AWS sub-account

Identify or create an AWS account where the Protegrity solution will be installed. It is recommended that a new AWS sub-account be created. This can provide greater security controls and help avoid conflicts with other applications that might impact regional account limits. An individual with the Cloud Administrator role will be required for some subsequent installation steps.

AWS Account ID: ___________________

AWS Region (AwsRegion): ___________________

Create S3 bucket for Installing Artifacts

This S3 bucket will be used for the artifacts required by the CloudFormation installation steps. This S3 bucket must be created in the region that is defined in Provide AWS sub-account

Sign in to the AWS Management Console and open the Amazon S3 console.
Change region to the one determined in Provide AWS sub-account
Click Create Bucket.
Enter a unique bucket name:
For example, protegrity-install.us-west-2.example.com
Upload the installation artifacts to this bucket. Protegrity will provide the following three artifacts:
- protegrity-protect-<version>.zip
- protegrity-agent-<version>.zip
- protegrity-external-extension-<version>.zip
- protegrity-sample-policy-<version>.zip
  Important
  The deployment package you receive from Protegrity must be extracted to reveal the Protegrity artifacts. CloudFormation requires them in the provided .zip format. Do not extract the individual Protegrity artifacts. Upload these artifacts to the S3 bucket created.
S3 Bucket name (ArtifactS3Bucket): ___________________

Create KMS Key

The Amazon Key Management Service (KMS) provides the ability for the Protegrity Serverless solution to encrypt and decrypt the Protegrity Security Policy.

Note

It is recommended to host the KMS key in a separate AWS sub-account. This allows dual control, separating the responsibility between the key administrator and the Protegrity Serverless account administrator.

To create KMS key:

In the AWS sub-account where the KMS key will reside, select the region.
Navigate to Key Management Service > Create Key.
Configure the key settings:
- Key type: Asymmetric
- Key usage: Encrypt and decrypt
- Key spec: RSA_4096
- Click Next
Create alias and optional description, such as, Protegrity-Serverless and click Next.
Define key administrative permissions, the IAM user who will administrate the key.
Note
It is recommended the administrator be different than the administrator of the Protegrity Serverless account
Click Next.
Define the key usage permissions.
In Other AWS accounts, enter the AWS account id used for the Protegrity Serverless installation.
Continue on to create the key. If there is a concern this permission is overly broad, then you can return later to restrict access to the role of two Protegrity Serverless Lambda as principals. Click to open the key in the list and record the ARN.
KMS Key ARN (AWS_KMS_KEY_ID): ___________________
Download the public key from the KMS key. Navigate to the key in KMS console, select the Public key tab, and click Download. Save the PEM file. This public key will be added to the ESA data store as an export key. Refer to Exporting Keys to Datastore for instructions on adding the public key to the data store.
Note
This step is not applicable for ESA versions lower than 10.2.
KMS Public Key PEM file: ___________________

Create IAM Account Role

An IAM role is used to authorize Snowflake to access the future Protect Lambda resource.

To create IAM account role:

From the AWS console, login to the AWS sub-account where Protegrity will be hosted.
Access IAM, select roles and then Create Role.
Select AWS account from the list of trusted entities types.
Select your AWS Account Id as a placeholder value. You will update this field later when configuring Snowflake access.
Select Require external ID and enter the following placeholder value.
REPLACE_ME_WITH_EXTERNAL_ID
Click Next.
Continue and click Next
Enter a Role name, for example, Snowflake.
After the role is created, click on the role. Record the following information:
- Role Name (DBRoleName): ____________________
- Role ARN: ____________________

2.2 - Prerequisites

Requirements before installing the protector.

AWS Services

The following table describes the AWS services that may be a part of your Protegrity installation.

Service	Description
Lambda	Provides serverless compute for Protegrity protection operations and the ESA integration to fetch policy updates or deliver audit logs.
API Gateway	Provides the endpoint and access control.
KMS	Provides secrets for envelope policy encryption/decryption for Protegrity.
Secrets Manager	Provides secrets management for the ESA credentials .
S3	Intermediate storage location for the encrypted ESA policy layer.
Kinesis	Required if Log Forwarder is to be deployed. Amazon Kinesis is used to batch audit logs sent from protector function to ESA.
VPC & NAT Gateway	Optional. Provides a private subnet to communicate with an on-prem ESA.
CloudWatch	Application and audit logs, performance monitoring, and alerts. Scheduling for the policy agent.

ESA Version Requirements

The Protector and Log Forwarder functions require a security policy from a compatible ESA version.

The table below shows compatibility between different Protector and ESA versions.

Note

For the latest up-to-date information refer to: Protegrity Compatibility Matrix

Protector Version	ESA Version
Protector Version	8.x	9.0	9.1 & 9.2	10.0
2.x	No	Yes	*	No
3.0.x & 3.1.x	No	No	Yes	No
3.2.x	No	No	Yes	*
4.0.x	No	No	No	Yes

Legend
Yes	Protector was designed to work with this ESA version
No	Protector will not work with this ESA version
*	Backward compatible policy download supported: Data elements and features which are common between this and previous ESA versions will be downloaded Data elements and features which are new to this ESA version and do not exist in previous ESA version will not be downloaded

Legend

Yes

Protector was designed to work with this ESA version

Protector will not work with this ESA version

Backward compatible policy download supported:

Data elements and features which are common between this and previous ESA versions will be downloaded
Data elements and features which are new to this ESA version and do not exist in previous ESA version will not be downloaded

Prerequisites

Requirement	Detail
Protegrity distribution and installation scripts	These artifacts are provided by Protegrity
Protegrity ESA 10.0+	The Cloud VPC must be able to obtain network access to the ESA
AWS Account	Recommend creating a new sub-account for Protegrity Serverless
Snowflake cluster (Enterprise Edition)

Required Skills and Abilities

Role / Skillset	Description
AWS Account Administrator	To run CloudFormation (or perform steps manually), create/configure a VPC and IAM permissions.
Protegrity Administrator	The ESA credentials required to extract the policy for the Policy Agent
Network Administrator	To open firewall to access ESA and evaluate AWS network setup
Snowflake Administrator	Account Admin access required to setup access

2.3 - Protect Service Installation

Product Installation Guide.

Preparation

Ensure that all the steps in Pre-Configuration are performed.
Login to the AWS account console where - Snowflake Protector on AWS will be installed.
Ensure that the required CloudFormation templates provided by Protegrity are available on your local computer.

Create Protect Lambda IAM Execution Policy

This task defines a policy used by the Protegrity Lambda function to write CloudWatch logs and access the KMS encryption key to decrypt the policy.

Perform the following steps to create the Lambda execution role and required policies:

From the AWS IAM console, select Policies > Create Policy.

Select the JSON tab and copy the following sample policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudWatchWriteLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    },
    {
      "Sid": "KmsDecrypt",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:*:*:key/*"
      ]
    }
  ]
}

For the KMS policy, replace the Resource with the ARN for the KMS key created in a previous step.
Select Next, type in a policy name, for example, ProtegrityProtectLambdaPolicy and Create Policy. Record the policy name:
ProtectLambdaPolicyName:__________________

Create Protect Lambda IAM Role

The following steps create the role to utilize the policy defined in Create Protect Lambda IAM Execution Policy.

To create protect lambda IAM execution role:

From the AWS IAM console, select Roles > Create Role.
Select AWS Service > Lambda > Next.
In the list, search and select the policy created in Create Protect Lambda IAM Execution Policy.
Click Next
Type the role name, for example, ProtegrityProtectRole
Click Create role
Record the role ARN.
Role ARN (LambdaExecutionRoleArn): ___________________

Installing through CloudFormation

The following steps describe the deployment of the Lambda function.

To install through CloudFormation:

Access CloudFormation and select the target AWS Region.
Click Create Stack and choose With new resources.
Specify the template.
Select Upload a template file.
Upload the Protegrity-provided CloudFormation template called pty_protect_cf.json and click Next.
Specify the stack details. Enter a stack name.
Note
The stack name will be appended to all the services created by the template.

Enter the required parameters. All the values were generated in Pre-Configuration.

Parameter	Description
DBRoleName	Name of the account role created in the pre-configuration step
ArtifactS3Bucket	Name of S3 bucket created in the pre-configuration step
LambdaExecutionRoleArn	The ARN of Lambda role created in the prior step
MinLogLevel	Minimum log level for protect function. Allowed Values: off, severe, warning, info, config, all

The log forwarder parameters can be provided later after log forwarder is deployed. If you are not planning to deploy log forwarder you can skip this step.

Parameter	Description
KinesisLogStreamArn	The ARN of the AWS Kinesis stream where audit logs will be sent for aggregation
AuditLogFlushInterval	Time interval in seconds used to accumulate audit logs before sending to Kinesis. Default value: 30. See Log Forwarder Performance section for more details.

Click Next with defaults to complete CloudFormation.
After CloudFormation is completed, select the Outputs tab in the stack.
Record the following values:
- ApiGatewayId: ________________________________
- ProtectFunctionName: __________________________
- ProtectFunctionProductionAlias: __________________________
- ProtectLayerName: _____________________________
- SnowflakeApiAllowedPrefixes: ____________________
- SnowflakeApiAwsRoleARN: _______________________

Snowflake Configuration

The following sections will configure Snowflake to access the API Gateway. The CloudFormation installation installed a sample policy that can be used to smoke test the installation.

Ensure that the current user can assume the Account Administrator role. This role must be created.

Create the Snowflake API Integration Object

From the Snowflake console worksheet, select the role ACCOUNTADMIN.
Paste the following text and replace the two parameters <SnowflakeApiAwsRoleARN> and <SnowflakeApiAllowedPrefixes> with values recorded in the last installation step of Installing through CloudFormation, then run the following Data Definition Language (DDL) in the console to create API integration object:
```
create or replace api integration protegrity_api 
api_provider = aws_api_gateway api_aws_role_arn = '<SnowflakeApiAwsRoleARN>' 
enabled = true 
api_allowed_prefixes = ('<SnowflakeApiAllowedPrefixes>');
```

Note

The name of the object protegrity_api can be replaced with a name of your choice, however the name you choose must be used consistently throughout the installation steps below.

Describe the API Integration Object

We require values generated by the Snowflake integration object to complete configuring the API Gateway resource policy.

To describe API integration objects:

Run the following query in the console.

DESCRIBE API INTEGRATION protegrity_api;

Record the following output values from the resulting query:
- API_AWS_IAM_USER_ARN: ___________________
- API_AWS_EXTERNAL_ID: ___________________

Update IAM Access Role Policy

This step allows the Snowflake IAM account to assume the role required to invoke the API Gateway resource.

To update API Integration Objects:

Return to theAWS Console > IAM > Roles and find the IAM role created earlier. For example, Snowflake.
Navigate to Trust Relationships > Edit trust policy.

Modify the Policy Document replacing the placeholder values indicated in the following snippet as API_AWS_IAM_USER_ARN and API_AWS_EXTERNAL_ID with the values recorded from the Snowflake integration object in Describe the API Integration Object.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<API_AWS_IAM_USER_ARN>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<API_AWS_EXTERNAL_ID>"
        }
      }
    }
  ]
}

Test Connectivity

Perform the following steps to verify if Snowflake is working correctly with the Protegrity product.

Access the Snowflake SQL console.

Copy and paste the following snippet into a worksheet.

CREATE OR REPLACE SECURE EXTERNAL FUNCTION PTY_UNPROTECT_SAMPLE_POLICY(VAL VARCHAR)
    RETURNS VARCHAR(16777216)
    IMMUTABLE
    API_INTEGRATION = PROTEGRITY_API
    HEADERS = (
      'X-Protegrity-HCoP-Rules'=
      '{"jsonpaths":[{"op_type":"unprotect","data_element":"alpha"}]}'
    )
    CONTEXT_HEADERS = (CURRENT_USER,CURRENT_TIMESTAMP,CURRENT_ACCOUNT)
    COMMENT='Unprotects text using an alpha token type.'
    AS '<SnowflakeApiAllowedPrefixes>';

Replace the placeholder value indicated substituting your API Gateway URL captured in the stack outputs (SnowflakeApiAllowedPrefixes).

Run the following protect in the console:

select pty_unprotect_sample_policy('UtfVk UHgcD!');

Verify that the string hello world! is returned.

Troubleshooting

Error

Action

Snowflake: 403 unauthorized

Ensure that the resource policy on the API Gateway is correct
Ensure that the IAM role Trust is accurate
Ensure that the API Gateway is deployed (or try deploying it again)

Snowflake: 5xx error

Try running the Lambda directly. Open the Lambda function and create the following test case:``` { “body”: “{ "data":[ [0," ‘UtfVk UHgcD!’"] ] }”, “headers”: { “sf-context-current-user”: “test”, “sf-custom-x-protegrity-hcop-rules”: “{"jsonpaths":[{"op_type":"unprotect","data_element":"alpha"}]}”, “sf-external-function-current-query-id”: “test-id” } }


If this step fails, then check the console for the meaningful error.

</td></tr></tbody>
</table>

2.4 - Policy Agent Installation

Install the policy agent.

The following sections will install the Policy Agent. The Policy Agent polls the ESA and deploys the policy to Protegrity Serverless as a static resource. Some of the installation steps are not required for the operation of the software but recommended for establishing a secure environment. Contact Protegrity Professional Services for further guidance on configuration alternatives in the Cloud.

Important

If you are deploying Policy Agent with Protegrity Provisioned Cluster (PPC), refer to the PPC Appendix: Policy Agent Certificate and Key Guidance for specific instructions on obtaining and using the CA certificate and datastore key fingerprint. The steps in this section are specific to ESA and may differ for PPC. Be sure to follow the PPC documentation for the most accurate and up-to-date setup guidance.

ESA Server

Policy Agent Lambda requires ESA server running and accessible on TCP port 443.

Note down ESA IP address:

ESA IP Address (EsaIpAddress): ___________________

Certificates on ESA

Note

If you are deploying Policy Agent with Protegrity Provisioned Cluster (PPC), see PPC Appendix: Policy Agent Certificate Guidance for specific instructions on obtaining and using the CA certificate. The steps in this section are specific to ESA and may differ for PPC.

Whether your ESA is configured with default self-signed certificate or your corporate CA certificate, Policy Agent can validate authenticity of ESA connection using CA certificate. The process for both scenarios is the same:

Obtain CA certificate
Convert CA certificate to a value accepted by Policy Agent
Provide converted CA certificate value to Policy Agent

To obtain self-signed CA certificate from ESA:

Log in to ESA Web UI.
Select Settings > Network > Manage Certificates.
Hover over Server Certificate and click on download icon to download the CA certificate.
To convert downloaded CA certificate to a value accepted by Policy Agent, open the downloaded PEM file in text editor and replace all new lines with escaped new line: \n.
To escape new lines from command line, use one of the following commands depending on your operating system:
Linux Bash:
```
awk 'NF {printf "%s\\n",$0;}' ProtegrityCA.pem > output.txt
```
Windows PowerShell:
```
(Get-Content '.\ProtegrityCA.pem') -join '\n' | Set-Content 'output.txt'
```
Record the certificate content with new lines escaped.
ESA CA Server Certificate (EsaCaCert): ___________________
This value will be used to set PTY_ESA_CA_SERVER_CERT or PTY_ESA_CA_SERVER_CERT_SECRET Lambda variable in section Policy Agent Lambda Configuration

For more information about ESA certificate management refer to Certificate Management Guide in ESA documentation.

Identify or Create a new VPC

Establish a VPC where the Policy Agent will be hosted. This VPC will need connectivity to the ESA. The VPC should be in the same account and region established in Pre-Configuration.

VPC name: ___________________

VPC Subnet Configuration

Identify or create a new subnet in the VPC where tha Lambda function will be connected to. It is recommended to use a private subnet.

Subnet name: ___________________

NAT Gateway For ESA Hosted Outside AWS Network

If ESA server is hosted outside of the AWS Cloud network, the VPC configured for Lambda function must ensure additional network configuration is available to allow connectivity with ESA. For instance if ESA has a public IP, the Lambda function VPC must have public subnet with a NAT server to allow routing traffic outside of the AWS network. A Routing Table and Network ACL may need to be configured for outbound access to the ESA as well.

VPC Endpoints Configuration

If an internal VPC was created, then add VPC Endpoints, which will be used by the Policy Agent to access AWS services. Policy Agent needs access to the following AWS services:

Type	Service name
Interface	com.amazonaws.{REGION}.secretsmanager
Interface	com.amazonaws.{REGION}.kms
Gateway	com.amazonaws.{REGION}.s3
Interface	com.amazonaws.{REGION}.lambda

Identify or Create Security Groups

Policy Agent and cloud-based ESA appliance use AWS security groups to control traffic that is allowed to leave and reach them. Policy Agent runs on schedule and is mostly concerned with allowing traffic out of itself to ESA and AWS services it depends on. ESA runs most of the time and it must allow Policy Agent to connect to it.

Policy Agent security group must allow outbound traffic using rules described in the table below. To edit security group navigate:

From VPC > Security Groups > Policy Agent Security Group configuration.

Type	Protocol	Port Range	Destination	Reason
Custom TCP	TCP	443	Policy Agent Lambda SG	ESA Communication
HTTPS	TCP	443	Any	AWS Services

Record Policy Agent security group ID:

Policy Agent Security Group Id: ___________________

Policy Agent will reach out to ESA on port 443. Create following inbound security group rule for cloud-based ESA appliance to allow connections from Policy Agent:

Type	Protocol	Port Range	Source
Custom TCP	TCP	443	Policy Agent Lambda SG

Creating ESA Credentials

Policy Agent Lambda requires ESA credentials to be provided as one of the three options.

Note

The username and password of the ESA user requires role with Export Resilient Package and Can Create JWT Token permissions. Security Administrator is one of the predefined roles which contains the above permissions, however for separation of duties it is recommended to create custom role.

Option 1: Secrets Manager

Creating secrets manager secret with ESA username and password.

From the AWS Secrets Manager Console, select Store New Secret.
Select Other Type of Secrets.
Specify the username and password key value pair.
Select the encryption key or leave default AWS managed key.
Specify the Secret Name and record it.
ESA Credentials Secret Name: __________________

Option 2: KMS Encrypted Password

ESA password is encrypted with AWS KMS symmetric key.

Create AWS KMS symmetric key which will be used to encrypt ESA password. See Create KMS Key for instructions on how to create KMS symmetric key using AWS console.
Record KMS Key ARN.
ESA PASSWORD KMS KEY ARN: __________________
Run AWS CLI command to encrypt ESA password. Below you can find sample Linux aws cli command. Replace <key_arn> with KMS symmetric key ARN.
```
aws kms encrypt --key-id <key_arn> --plaintext $(echo '<esa_password>' | base64 )
```

Sample output.

{
  "CiphertextBlob": "esa_encrypted_password",
  "KeyId": "arn:aws:kms:region:aws_account:key/key_id ",
  "EncryptionAlgorithm": "SYMMETRIC_DEFAULT"
}

Record ESA username and encrypted password.
ESA USERNAME: __________________
ESA ENCRYPTED PASSWORD: __________________

Option 3: Custom AWS Lambda function

With this option ESA username and password are returned by a custom AWS Lambda function. This method may be used to get the username and password from external vaults.

Create AWS Lambda in any AWS supported runtime.

There is no input needed.

The Lambda function must return the following response schema.

response:
type: object
  properties:
    username: string
    password: string

For example,

example output: {"username": "admin", "password": "Password1234"}

Sample AWS Lambda function in Python:
```
import json

def lambda_handler(event, context):

    return {"username": "admin", "password": "password1234"}
```
Warning
Protegrity does not recommend hardcoding ESA username and password in the clear.

Record the Lambda name:
Custom AWS lambda for ESA credentials: _______________

Create Agent Lambda IAM Policy

Follow the steps below to create Lambda execution policies.

Create Agent Lambda IAM policy

From AWS IAM console, select Policies > Create Policy.

Select JSON tab and copy the following snippet.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2ModifyNetworkInterfaces",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchWriteLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LambdaUpdateFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:*"
      ]
    },
    {
      "Sid": "LambdaReadLayerVersion",
      "Effect": "Allow",
      "Action": [
        "lambda:GetLayerVersion",
        "lambda:ListLayerVersions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LambdaDeleteLayerVersion",
      "Effect": "Allow",
      "Action": "lambda:DeleteLayerVersion",
      "Resource": "arn:aws:lambda:*:*:layer:*:*"
    },
    {
      "Sid": "LambdaPublishLayerVersion",
      "Effect": "Allow",
      "Action": "lambda:PublishLayerVersion",
      "Resource": "arn:aws:lambda:*:*:layer:*"
    },
    {
      "Sid": "S3GetObject",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::*/*"
    },
    {
      "Sid": "S3PutObject",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::*/*"
    },
    {
      "Sid": "KmsEncrypt",
      "Effect": "Allow",
      "Action": [
        "kms:GetPublicKey"
      ],
      "Resource": [
        "arn:aws:kms:*:*:key/*"
      ]
    },
    {
      "Sid": "SecretsManagerGetSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ]
    },
    {
      "Sid": "LambdaGetConfiguration",
      "Effect": "Allow",
      "Action": [
          "lambda:GetFunctionConfiguration"
      ],
      "Resource": [
          "arn:aws:lambda:*:*:function:*"
      ]
    }
  ]
}

Replace wildcard * with the region, account, and resource name information where required.

This step is required if KMS is used to encrypt ESA password.

Add policy entry below. Replace ESA PASSWORD KMS KEY ARN with the value recorded in Option 2: KMS Encrypted Password.


  {
    "Sid": "KmsDecryptEsaPassword",
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "**ESA PASSWORD KMS KEY ARN**"
    ]
  }

Select Next type in the policy name and Create Policy. Record policy name:
Policy Name: ___________________

Create Agent Lambda IAM Role

Perform the following steps to create Agent Lambda execution IAM role.

To create agent Lambda IAM role:

From AWS IAM console, select Roles > Create Role.
Select AWS Service > Lambda > Next.
Select the policy created in Create Agent Lambda IAM policy.
Proceed to Name, Review and Create.
Type the role name, for example, ProtegrityAgentRole and click Confirm.
Select Create role.
Record the role ARN.
Agent Lambda IAM Execution Role Name: ___________________

Corporate Firewall Configuration

If an on-premise firewall is used, then the firewall must allow access from the NAT Gateway to an ESA. The firewall must allow access from the NAT Gateway IP to ESA via port 443 and 443.

CloudFormation Installation

Create the Policy Agent in the VPC using the CloudFormation script provided by Protegrity.

Access the CloudFormation service.
Select the target installation region.
Create a stack with new resources.
Upload the Policy Agent CloudFormation template (file name: pty_agent_cf.json).

Specify the following parameters for Cloud Formation:

Parameter	Description	Note
VPC	VPC where the Policy Agent will be hosted	Identify or Create a new VPC
Subnet	Subnet where the Policy Agent will be hosted	VPC Subnet Configuration
PolicyAgentSecurityGroupId	Security Group Id, which allows communication between the Policy Agent and the ESA	Identify or Create Security Groups
LambdaExecutionRoleArn	Agent Lambda IAM execution role ARN allowing access to the S3 bucket, KMS encryption Key, Lambda and Lambda Layer	Create Agent Lambda IAM Role
ArtifactS3Bucket	S3 bucket name with deployment package for the Policy Agent	Use S3 Bucket name recorded in Create S3 bucket for Installing Artifacts
CreateCRONJob	Set to True to create a CloudWatch schedule for the agent to run.	Default: False

Policy Agent Lambda Configuration

After the CloudFormation stack is deployed, the Policy Agent Lambda must be configured with parameters recorded in earlier steps. From your AWS Console, navigate to lambda and select the following Lambda.

Protegrity_Agent<STACK_NAME>_

Select Configuration tab and scroll down to the Environment variables section. Select Editand replace all entries with the actual values.

Parameter	Description	Notes
PTY_ESA_IP	ESA IP address or hostname	ESA Server
PTY_ESA_CA_SERVER_CERT	ESA self-signed CA certificate or your corporate CA certificate used by policy Agent Lambda to ensure ESA is the trusted server.	Recorded in step Certificates on ESA Note For PPC deployments, see PPC Appendix: Policy Agent Certificate Guidance for details on obtaining and using the CA certificate. In case ESA is configured with publicly signed certificates, the PTY_ESA_CA_SERVER_CERT configuration will be ignored.
PTY_ESA_CA_SERVER_CERT_SECRET	This configuration option fulfills the same function as PTY_ESA_CA_SERVER_CERT but supports larger configuration values, making it the recommended choice. The value should specify the name of the AWS Secrets Manager secret containing the ESA self-signed CA certificate. The secret value should be set to the json with “PTY_ESA_CA_SERVER_CERT” key and PEM formated CA certificate content value as shown below. `{ "PTY_ESA_CA_SERVER_CERT":"-----BEGIN CERTIFICATE----- MIIF..." }`	Recorded in step Certificates on ESA Note For PPC deployments, see PPC Appendix: Policy Agent Certificate Guidance for details on obtaining and using the CA certificate. In case ESA is configured with publicly signed certificates, the PTY_ESA_CA_SERVER_CERT_SECRET configuration will be ignored. When both PTY_ESA_CA_SERVER_CERT and PTY_ESA_CA_SERVER_CERT_SECRET are configured the PTY_ESA_CA_SERVER_CERT_SECRET takes precedence.
PTY_ESA_CREDENTIALS_SECRET	ESA username and password (encrypted value by AWS Secrets Manager)	Option 1: Secrets Manager
PTY_DATASTORE_KEY	ESA policy datastore public key fingerprint (64 char long) e.g. 123bff642f621123d845f006c6bfff27737b21299e8a2ef6380aa642e76e89e5.	Note This configuration is not applicable for ESA versions lower than 10.2. The export key is the public part of an asymmetric key pair created in a Create KMS Key. A user with Security Officer permissions adds the public key to the data store in ESA via Policy Management > Data Stores > Export Keys. The fingerprint can then be copied using the Copy Fingerprint icon next to the key. Refer to Exporting Keys to Datastore for details. Note For PPC deployments, see PPC Appendix: Policy Agent Certificate and Key Guidance for details on obtaining and using the datastore key fingerprint.
AWS_KMS_KEY_ID	KMS key id or full ARN e.g. arn:aws:kms:us-west-2:112233445566:key/bfb6c4fb-509a-43ac-b0aa-82f1ca0b52d3	Create KMS Key
AWS_POLICY_S3_BUCKET	S3 bucket where the encrypted policy will be written	S3 bucket of your choice
AWS_POLICY_S3_FILENAME	Filename of the encrypted policy stored in S3 bucket	Default: protegrity-policy.zip
AWS_PROTECT_FN_NAME	Comma separated list of Protect function names or ARNs	ProtectFunctionName(s), recorded in CloudFormation Installation
DISABLE_DEPLOY	This flag can be either 1 or 0. If set to 1, then the agent will not update PTY_PROTECT lambda with the newest policy. Else, the policy will be saved in the S3 bucket and deployed to the Lambda Layer	Default: 0
AWS_POLICY_LAYER_NAME	Lambda layer used to store the Protegrity policy used by the PTY_PROTECT function
POLICY_LAYER_RETAIN	Number of policy versions to retain as backup. (e.g. 2 will retain the latest 2 policies and remove older ones). -1 retains all.	Default: 2
POLICY_PULL_TIMEOUT	Time in seconds to wait for the ESA to send the full policy	Default: 20s
ESA_CONNECTION_TIMEOUT	Time in seconds to wait for the ESA response	Default: 5s
LOG_LEVEL	Application and audit logs verbiage level	Default: INFO Allowed values: DEBUG – the most verbose, INFO, WARNING, ERROR – the least verbose
PTY_CORE_EMPTYSTRING	Override default behavior. Empty string response values are returned as null values. For instance: (un)protect(’’) -> null (un)protect(’’) -> ''	Default: empty Allowed values: null empty
PTY_CORE_CASESENSITIVE	Specifies whether policy usernames should be case sensitive	Default: no Allowed values: yes no
PTY_ADDIPADDRESSHEADER	When enabled, agent will send its source IP address in the request header. This configuration works in conjunction with ESA hubcontroller configuration ASSIGN_DATASTORE_USING_NODE_IP (default=false). See Associating ESA Data Store With Cloud Protect Agent for more information.	Default: yes Allowed values: yes no
PTY_ESA_USERNAME	Plaintext ESA username which is used together with PTY_ESA_ENCRYPTED_PASSWORD as an optional ESA credentials	Option 2: KMS Encrypted Password Presence of this parameter will cause PTY_ESA_CREDENTIALS_SECRET to be ignored
PTY_ESA_ENCRYPTED_PASSWORD	ESA password encrypted with KMS symmetric key. Example AWS cli command to generate the value: `aws kms encrypt --key-id <your key ARN> --plaintext '<your-esa-password-base64>'`	Option 2: KMS Encrypted Password Presence of this parameter will cause PTY_ESA_CREDENTIALS_SECRET to be ignored Value must be base64 encoded
EMPTY_POLICY_S3	This flag can be either 1 or 0. If set to 1, then the agent will remove the content of the policy file in S3 bucket, but will keep the checksum in the metadata. Else, the policy will be saved in the S3 bucket and not removed.	Default: 0
PTY_ESA_CREDENTIALS_LAMBDA	Lambda function to return ESA credentials	Recorded in step Option 3: Custom AWS Lambda function LAMBDA FOR ESA CREDENTIALS. Presence of PTY_ESA_USERNAME, or PTY_ESA_CREDENTIALS_SECRET will cause this value to be ignored. The Policy Agent Lambda must have network access and IAM permissions to invoke the custom ESA Credentials Lambda you have created in Option 3: Custom AWS Lambda function.

Test Installation

Open the Lambda and configure Test to execute the lambda and specify the default test event. Wait for around 20 seconds for the Lambda to complete. If policy is downloaded successfully, then a success message appears.

Navigate to the AWS_POLICY_S3_BUCKET bucket and verify that the AWS_POLICY_S3_FILENAME file was created.

Troubleshooting

Lambda Error	Example Error	Action
Task timed out after x seconds	`2020-10-06T23:40:54.121Z 2dc84942-b5cc-4be9-aa4c-965f322307e4 Task timed out after 90.09 seconds`	Ensure that there is network connectivity between the Lambda and ESA. Check the Security groups and/or Network firewall configuration When using internal VPC, AWS Lambda needs to have access to AWS Network. The Policy Agent Lambda can start using Secrets Manager with Amazon VPC endpoints by creating an Amazon VPC endpoint for Secrets Manager.
ESA connection error. Failed to download certificates
Policy Pull takes a long time	`{ "errorMessage": "Timeout! Unable to download policy in 20 seconds.", "errorType": "Exception", "stackTrace": [...] }`	Increase POLICY_PULL_TIMEOUT. Ensure that there is at least 1 policy with datastore matching the Lambda Policy Agent. Other considerations: Policy has default datastore. Policy has datastores matching AWS lambda IP range (check the subnet IP Range). Lambda function has static IP, and at least one Data store has matching IP.
ESA connection error. Failed to download certificates. HTTP response code: 401	`{ "errorMessage": "ESA connection error. Failed to download certificates. HTTP response code: 401.", "errorType": "ConnectionError", "stackTrace": [...] }`	Ensure that the PTY_ESA_CREDENTIALS_SECRET has correct ESA username and password
An error occurred (AccessDeniedException) when calling xyz operation	`xyz Access Denied: Exception Traceback (most recent call last): … Exception: xyz Access Denied`	Ensure that the Lambda execution role has permission to call the xyz operation
Access Denied to Secret Manager.	`Secrets Manager Access Denied: Exception Traceback (most recent call last): … Exception: Secrets Manager Access Denied`	Ensure that the Lambda execution role has permissions to get the Secret Manager secret name. Ensure that the Lambda execution role has permission to get the Secret Manager secret Encryption Key.
Master Key xyz unable to generate data key		Ensure that the Lambda can access xyz CMK key
The S3 bucket server-side encryption is enabled, the encryption key type is SSE-KMS but the Policy Agent execution IAM role doesn’t have permissions to encrypt using the KMS key .	`[ERROR] PolicyAgentException: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied`	Add the following permissions to the Policy Agent excution role. `kms:Decrypt kms:GenerateDatakey` Note When the KMS key and the Policy Agent Lambda are in separate accounts, update both the AWS KMS key and the Policy Agent execution role.
The S3 bucket has bucket policy to only allow access from within the VPC.	`An error occurred (AccessDeniedException) when calling the PublishLayerVersion operation: Your access has been denied by S3, please make sure your request credentials have permission to GetObject for BUCKET_NAME/FILENAME. S3 Error Code: AccessDenied. S3 Error Message: Access Denied`	The Policy Agent publishes a new Lambda Layer version, and the Lambda Layer service uploads the policy file from the s3 bucket and the upload request is originated from the AWS service outside the Policy Agent Lambda VPC. Update the S3 bucket resource policy to allow access from AWS Service. Sample security policy to lock down access to the vpc: `{ "Version": "2012-10-17", "Statement": [ { "Sid": "VpcRestrictions", "Effect": "Deny", "Principal": { "AWS": "" }, "Action": "s3:Object", "Resource": [ "arn:aws:s3:::<s3_bucket_name>/*", "arn:aws:s3:::<s3_bucket_name>" ], "Condition": { "Bool": { "aws:ViaAWSService": "false" }, "StringNotEquals": { "aws:sourceVpc": "<vpc_id>" } } } ] }`

Additional Configuration

Strengthen the KMS IAM policy by granting access only to the required Lambda function(s).

Finalize the IAM policy for the Lambda Execution Role. Ensure to replace wildcard * with the region, account, and resource name information where required.

For example,

"arn:aws:lambda:*:*:function:*" -> "arn:aws:lambda:us-east-1:account:function:function_name"

Policy Agent Schedule

If specified in CloudFormation Installation, the agent installation created a CloudWatch event rule, which checks for policy update on an hourly schedule. This schedule can be altered to the required frequency.

Under CloudWatch > Events > Rules, find Protegrity_Agent_{stack_name}. Click Action > Edit Set the cron expression. A cron expression can easily be defined using CronMaker, a free online tool. Refer to http://www.cronmaker.com.

2.5 - Audit Log Forwarder Installation

Install the audit log forwarder.

The following sections show steps how to install Audit Log Forwarder component in the AWS Cloud. The Log Forwarder deployment allows for the audit logs generated by Protector to be delivered to ESA for auditing and governance purposes. Log Forwarder component is optional and is not required for the Protector Service to work properly. See Log Forwarding Architecture section in this document for more information. Some of the installation steps are not required for the operation of the software but recommended for establishing a secure environment. C ontact Protegrity for further guidance on configuration alternatives in the Cloud.

Note

The installation steps below assume that the Log Forwarder is going to be installed in the same AWS account as the corresponding Protect Lambda service. For instructions on how to install Log Forwarder in the AWS account separate than the Protect Lambda, please contact Protegrity.

ESA Audit Store Configuration

ESA server is required as the recipient of audit logs. Verify the information below to ensure ESA is accessible and configured properly.

ESA server running and accessible on TCP port 9200 (Audit Store) or 24284 (td-agent).
Audit Store service is configured and running on ESA. Applies when audit logs are output to Audit Store directly or through td-agent. For information related to ESA Audit Store configuration, refer to Audit Store Guide.
(Optional) td-agent is configured for external input. For more information related to td-agent configuration, refer to ESA guide Sending logs to an external security information and event management (SIEM).

Certificates on ESA

Note

This section is optional. If CA certificate is not provided, the Log Forwarder will skip server certificate validation and will connect to ESA without verifying that it is a trusted server.

If you are deploying Log Forwarder with Protegrity Provisioned Cluster (PPC), certificate authorization and CA validation are not supported. Configuration steps related to certificates in this section do not apply to PPC. See Integrating Cloud Protect with PPC (Protegrity Provisioned Cluster): Log Forwarder Setup with PPC for details.

By default, ESA is configured with self-signed certificates, which can optionally be validated using a self-signed CA certificate supplied in the Log Forwarder configuration. If no CA certificate is provided, the Log Forwarder will skip server certificate validation.

Note

Certificate Validation can be bypassed for testing purposes, see section: Install through CloudFormation

If ESA is configured with publicly signed certificates, this section can be skipped since the forwarder Lambda will use the public CA to validate ESA certificates.

To obtain the self-signed CA certificate from ESA:

Download ESA CA certificate from the /etc/ksa/certificates/plug directory of the ESA
After certificate is downloaded, open the PEM file in text editor and replace all new lines with escaped new line: \n.
To escape new lines from command line, use one of the following commands depending on your operating system:
Linux Bash:
```
awk 'NF {printf "%s\\n",$0;}' ProtegrityCA.pem > output.txt
```
Windows PowerShell:
```
(Get-Content '.\ProtegrityCA.pem') -join '\n' | Set-Content 'output.txt'
```
Record the certificate content with new lines escaped.
ESA CA Server Certificate (EsaCaCert): ___________________
This value will be used to set PtyEsaCaServerCert cloudformation parameter in section Install through CloudFormation

For more information about ESA certificate management refer to Certificate Management Guide in ESA documentation.

AWS VPC Configuration

Log forwarder Lambda function requires network connectivity to ESA, similar to Policy Agent Lambda function. Therefore, it can be hosted in the same VPC as Policy Agent.

Separate VPC can be used, as long as it provides network connectivity to ESA.

Note

AWS Lambda service uses permissions in log forwarder function execution role to create and manage network interfaces. Lambda creates a Hyperplane ENI and reuses it for other VPC-enabled functions in your account that use the same subnet and security group combination. Each Hyperplane ENI can handle thousands of connections/ports as the Lambda function scales up. If more connections are needed AWS Lambda service creates additional Hyperplane ENIs. There’s no additional charge for using a VPC or a Hyperplane ENI. Refer to AWS official Lambda Hyperplane ENIs docs for more information.

VPC Name: ___________________

VPC Subnet Configuration

Log Forwarder can be connected to the same subnet as Policy Agent or separate one as long as it provides connectivity to ESA.

Subnet Name: ___________________

NAT Gateway For ESA Hosted Outside AWS Network

VPC Endpoint Configuration

Log Forwarder Lambda function requires connectivity to Secrets Manager AWS service. If the VPC identified in the steps before has no connectivity to public internet through the NAT Gateway, then the following service endpoint must be configured:

com.amazonaws.{REGION}.cloudwatch
com.amazonaws.{REGION}.secretsmanager
com.amazonaws.{REGION}.kms

Security Group Configuration

Security groups restrict communication between Log Forwarder Lambda function and the ESA appliance. The following rules must be in place for ESA and Log Forwarder Lambda function.

From VPC > Security Groups > Log Forwarder Security Group configuration.

Type	Protocol	Port Range	Destination	Reason
Custom TCP	TCP	9200	Log Forwarder Lambda SG	ESA Communication

Record the name of Log Forwarder security group name.

Log Forwarder Security Group Id: ___________________

The following port must be open for the ESA. If the ESA is running in the Cloud, then create the following security.

Note

If an on-premise firewall is used, then the firewall must allow access from the NAT Gateway to an ESA. The firewall must allow access the NAT Gateway IP access to ESA via port 9200.

ESA Security Group configuration

Type	Protocol	Port Range	Source
Custom TCP	TCP	9200	Log Forwarder Lambda SG

Configure ESA Audit Store Credentials

Note

This section is optional. If client certificate authentication is not set up, the Log Forwarder will connect to ESA without authentication credentials.

Audit Log Forwarder can optionally authenticate with ESA using certificate-based authentication with a client certificate and certificate key. If used, both the certificate and certificate key will be stored in AWS Secrets Manager.

Download the following certificates from the /etc/ksa/certificates/plug directory of the ESA:

client.key
client.pem

After certificates are downloaded, open each PEM file in text editor and replace all new lines with escaped new line: \n. To escape new lines from command line, use one of the commands below depending on your operating system.

Linux Bash:

awk 'NF {printf "%s\\n",$0;}' client.key > private_key.txt
awk 'NF {printf "%s\\n",$0;}' client.pem > public_key.txt

Windows PowerShell:

(Get-Content '.\client.key') -join '\n' | Set-Content 'private_key.pem'
(Get-Content '.\client.pem') -join '\n' | Set-Content 'public_key.pem'

For more information on how to configure client certificate authentication for Audit Store on ESA refer to Audit Store Guide.

To create secret with ESA client certificate/key pair in AWS Secrets Manager.

From the AWS Secrets Manager Console, select Store New Secret.
Select Other Type of Secrets.
Specify the private_key and public_key value pair.
Select the encryption key or leave default AWS managed key.
Specify the Secret Name and record it below.
ESA Client Certificate/Key Pair Secret Name: ___________________
This value will be used to set PtyEsaClientCertificatesSecretId cloudformation parameter in section Install through CloudFormation

Note

If you are deploying Log Forwarder with PPC, do not configure client certificate authentication. See PPC Appendix: Log Forwarder Certificate Guidance for details.

Create Audit Log Forwarder IAM Execution Policy

This task defines a policy used by the Protegrity Log Forwarder Lambda function to write CloudWatch logs, access the KMS encryption key to decrypt the policy and access Secrets Manager for log forwarder user credentials.

Perform the following steps to create the Lambda execution role and required policies:

From the AWS IAM console, select Policies > Create Policy.

Select the JSON tab and copy the following sample policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2ModifyNetworkInterfaces",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchWriteLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    },
    {
      "Sid": "KmsDecrypt",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:*:*:key/*"
      ]
    },
    {
        "Sid": "KinesisStreamRead",
        "Effect": "Allow",
        "Action": [
            "kinesis:GetRecords",
            "kinesis:GetShardIterator",
            "kinesis:DescribeStream",
            "kinesis:DescribeStreamSummary",
            "kinesis:ListShards",
            "kinesis:ListStreams"
        ],
        "Resource": "*"
    },
    {
      "Sid": "SecretsManagerGetSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ]
    }
  ]
}

For the KMS policy, replace the Resource with the ARN for the KMS key created in a previous step.
Select Review policy, type in a policy name, for example, ProtegrityLogForwarderLambdaPolicy and Confirm. Record the policy name:
LogForwarderLambdaPolicyName:__________________

Create Log Forwarder IAM Role

Perform the following steps to create Log Forwarder execution IAM role.

To create Log Forwarder IAM role:

From AWS IAM console, select Roles > Create Role.
Select AWS Service > Lambda > Next.
Select the policy created in Create Audit Log Forwarder IAM Execution Policy.
Proceed to Name, Review and Create.
Type the role name, for example, ProtegrityForwarderRole and click Confirm.
Record the role ARN.
Log Forwarder IAM Execution Role Name: ___________________

Installation Artifacts

Audit Log Forwarder installation artifacts are part of the same deployment package as the one used for protect and policy agent services. Follow the steps below to ensure the right artifacts are available for log forwarder installation.

Verify that the Protegrity deployment package is available on your local system, if not, you can download it from the Protegrity portal.
Note
If you maintain multiple Protegrity Cloud Protectors, make sure that the deployment package downloaded for Audit Log Forwarder is the same as the one used for Protect service installation.
Extract the pty_log_forwarder_cf.json cloud formation file from the deployment package.
Check the S3 deployment bucket identified in section Create S3 bucket for Installing Artifacts. Make sure that all Protegrity deployment zip files are uploaded to the S3 bucket.

Install through CloudFormation

The following steps describe the deployment of the Audit Log Forwarder AWS cloud components.

Access CloudFormation and select the target AWS Region in the console.
Click Create Stack and choose With new resources.
Specify the template.
Select Upload a template file.
Upload the Protegrity-provided CloudFormation template called pty_log_forwarder_cf.json and click Next.
Specify the stack details. Enter a stack name.
Note
The stack name will be appended to all the services created by the template.
Enter the required parameters. All the values were generated in the pre-configuration steps.

Parameter	Description	Default Value	Required
LogForwarderSubnets	Subnets where the Log Forwarder will be hosted.
LogForwarderSecurityGroups	Security Groups, which allow communication between the Log Forwarder and ESA.		X
LambdaExecutionRoleArn	The ARN of Lambda role created in the prior step.		X
ArtifactS3Bucket	Name of S3 bucket created in the pre-configuration step.		X
LogDestinationEsaIp	IP or FQDN of the ESA instance or cluster.		X
AuditLogOutput	Audit log processor to target on ESA. Allowed values: audit-store, td-agent	audit-store	X
PtyEsaClientCertificatesSecretId	AWS Secrets Manager secret id containing client certificates used for authentication with ESA Audit Store. It is expected that the public key will be stored in a field public_key and the private key in a field named private_key. This parameter is optional. If not provided, Log Forwarder will connect to ESA without client certificate authentication.
EsaTlsDisableCertVerify	Disable certificate verification when connecting to ESA if set to 1. This is only for dev purposes, do not disable in production environment.	0	X
PtyEsaCaServerCert	ESA self-signed CA certificate used by log forwarder Lambda to ensure ESA is the trusted server. Recorded in step Certificates on ESA In case ESA is configured with publicly signed certificates, the PtyEsaCaServerCert configuration will be ignored.
EsaConnectTimeout	Time in seconds to wait for the ESA response. Minimum value: 1.	5	X
EsaVirtualHost	ESA virtual hostname. This configuration is optional and it can be used when proxy server is present and supports TLS SNI extension.
KinesisLogStreamRetentionPeriodHours	The number of hours for the log records to be stored in Kinesis Stream in case log destination server is not available. Minimum value: 24. See Log Forwarder Performance section for more details.	24	X
KinesisLogStreamShardCount	The number of shards that the Kinesis log stream uses. For greater provisioned throughput, increase the number of shards. Minimum value: 1. See Log Forwarder Performance section for more details.	10	X
MinLogLevel	Minimum log level for protect function. Allowed Values: off, severe, warning, info, config, all	severe	X

Click Next with defaults to complete CloudFormation.
After CloudFormation is completed, select the Outputstab in the stack.
Record the following values
KinesisLogStreamArn: ________________________________

Add Kinesis Put Record permission to the Protect Function IAM Role

Login to the AWS account that hosts the Protect Lambda Function.
Search for Protect Lambda Function IAM Execution Role Name created in Create Protect Lambda IAM role.
Under Permissions policies, select Add Permissions > Create inline policy.
In Specify permissions view, switch to JSON.

Copy the policy json from below replacing the placeholder value indicated in the following snippet as <Audit Log Kinesis Stream ARN> with the value recorded in the previous step.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "KinesisPutRecords",
			"Effect": "Allow",
			"Action": "kinesis:PutRecords",
			"Resource": "<Audit Log Kinesis Stream ARN>"
		}
	]
}

When you are finished, choose Next.
On the Review and create page, type a Name, then choose Create policy.

Test Log Forwarder Installation

Testing in this section validates the connectivity between Log Forwarder and ESA. The sample policy included with the initial installation and test event below are not based on your ESA policy. Any logs forwarded to ESA which are not signed with a policy generated by your ESA will not be added to the audit store.

Install Log Forwarder and configure according to previous sections. Log Forwarder configuration MinLogLevel must be at least info level.

Navigate to the log forwarder lambda function.
Select the Test tab.

Copy the json test event into the Event JSON pane.

{
    "Records": [
        {
            "kinesis": {
                "kinesisSchemaVersion": "1.0",
                "partitionKey": "041e96d78c778677ce43f50076a8ae3e",
                "sequenceNumber": "49620336010289430959432297775520367512250709822916263938",
                "data": "eyJpbmdlc3RfdGltZV91dGMiOiIyMDI2LTAzLTI3VDEzOjIzOjEyLjkwNFoiLCJhZGRpdGlvbmFsX2luZm8iOnsiZGVzY3JpcHRpb24iOiJEYXRhIHVucHJvdGVjdCBvcGVyYXRpb24gd2FzIHN1Y2Nlc3NmdWwuIn0sImNsaWVudCI6e30sImNudCI6NCwiY29ycmVsYXRpb25pZCI6InJzLXF1ZXJ5LWlkOjEyMzQiLCJsZXZlbCI6IlNVQ0NFU1MiLCJsb2d0eXBlIjoiUHJvdGVjdGlvbiIsIm9yaWdpbiI6eyJob3N0bmFtZSI6IlBSTy1VUy1QRjNSSEdGOSIsImlwIjoiMTAuMTAuMTAuMTAiLCJ0aW1lX3V0YyI6MTcxMTU1OTEwMH0sInByb2Nlc3MiOnsiaWQiOjJ9LCJwcm90ZWN0aW9uIjp7ImF1ZGl0X2NvZGUiOjgsImRhdGFlbGVtZW50IjoiYWxwaGEiLCJkYXRhc3RvcmUiOiJTQU1QTEVfUE9MSUNZIiwibWFza19zZXR0aW5nIjoiIiwib2xkX2RhdGFlbGVtZW50IjpudWxsLCJvcGVyYXRpb24iOiJVbnByb3RlY3QiLCJwb2xpY3lfdXNlciI6IlBUWURFViJ9LCJwcm90ZWN0b3IiOnsiY29yZV92ZXJzaW9uIjoiMS4yLjErNTUuZzU5MGZlLkhFQUQiLCJmYW1pbHkiOiJjcCIsInBjY192ZXJzaW9uIjoiMy40LjAuMTQiLCJ2ZW5kb3IiOiJyZWRzaGlmdCIsInZlcnNpb24iOiIwLjAuMS1kZXYifSwic2lnbmF0dXJlIjp7ImNoZWNrc3VtIjoiN0VCMkEzN0FDNzQ5MDM1NjQwMzBBNUUxNENCMTA5QzE0OEJGODYwRjE3NEVCMjMxMTAyMEI3RkE1QTY4MjdGQyIsImtleV9pZCI6ImM0MjQ0MzZhLTExMmYtNGMzZi1iMmRiLTEwYmFhOGI1NjJhNyJ9fQ==",
                "approximateArrivalTimestamp": 1626878559.213
            },
            "eventSource": "aws:kinesis",
            "eventVersion": "1.0",
            "eventID": "shardId-000000000000:49620336010289430959432297775520367512250709822916261234",
            "eventName": "aws:kinesis:record",
            "invokeIdentityArn": "arn:aws:iam::555555555555:role/service-role/TestRole",
            "awsRegion": "us-east-1",
            "eventSourceARN": "arn:aws:kinesis:us-east-1:555555555555:stream/CloudProtectEventStream"
        }
    ]
}

Note

The data payload is the base64 encoded audit log. See Audit Logging for detail on audit log contents.

Select Test to execute the test event.
Test is successful if the Log Output of test results contains the following log:
```
[INFO] [kinesis-log-aggregation-format.cpp:77] Aggregated 1 records into 0 aggregated, 1 forwarded and 0 failed records
```
If the log is not present, please consult the Troubleshooting section for common errors and solutions.

Update Protector With Kinesis Log Stream

In this section, Kinesis log stream ARN will be provided to the Protect Function installation.

Note

If the Protector has not been installed, you may provide the KinesisLogStreamArn during protector installation and skip the remainder of this section.

Navigate to the Protector CloudFormation stack created in the protector installation section.
Select Update.
Choose Use existing template > Next.
Set parameter KinesisLogStreamArn to the output value recorded in Install through CloudFormation.
Proceed with Next and Submit the changes.
Continue to the next section once stack status indicates UPDATE_COMPLETE.

Update Policy Agent With Log Forwarder Function Target

Log Forwarder Lambda function requires a policy layer which is in sync with the Protegrity Protector. This section will describe the steps to update the policy agent to include updating Log Forwarder Lambda function.

Note

If the policy agent has not been installed, follow the steps in Policy Agent Installation. Set AWS_PROTECT_FN_NAME to include both protector and log forwarder lambda functions.

Navigate to the Policy Agent Function created in Policy Agent Installation
Select Configuration > Environment variables > Edit
Edit the value for environment variable AWS_PROTECT_FN_NAME to include the log forwarder function name/arn in the comma separated list of Lambda functions.
Save the changes and continue when update completes
Navigate to Test tab
Add an event {} and select Test to run the Policy Agent function

Verify Log forwarder function was updated to use the policy layer by inspecting the log output. Logs should include the following:


[INFO] 2024-07-09 18:58:04,793.793Z 622d374b-1f73-4123-9a38-abc61973adef iap_agent.policy_deployer:Updating lambda [Protegrity_LogForwarder_<stack ID>] to use layer version [arn:aws:lambda:<aws region>:<aws account number>:layer:Protegrity_Layer_<layer name>:<layer version>]

Test Full Log Forwarder Installation

Install and configure Protegrity Agent, Protector, and Log Forwarder components.

Send a protect operation to the protector using a data element or user which will result in audit log generation
Navigate to the CloudWatch log group for the Protect function
Select the log stream for the test operation and scroll to the latest logs

Expect to see a log similar to the below:


[2024-07-09T19:28:23.158] [INFO] [kinesis-external-sink.cpp:51] Sending 2 logs to Kinesis ...
[2024-07-09T19:28:23.218] [INFO] [aws-utils.cpp:206] Kinesis send time: 0.060s

Navigate to the CloudWatch log group for the Log Forwarder function
Expect to see a new log stream - it may take several minutes for the stream to start
Select the new stream and scroll to the most recent logs in the stream

Expect to see a log similar to the below:


[2024-07-09T19:32:31.648] [INFO] [kinesis-log-aggregation-format.cpp:77] Aggregated 1 records into 0 aggregated, 1 forwarded and 0 failed records

Troubleshooting

Error	Action
Log forwarder log contains severe level secrets permissions error: `[SEVERE] User: <arn> is not authorized to perform: secretsmanager: GetSecretValue on resource: <secret name> because no identity-based policy allows the secretsmanager:GetSecretValue action`	Verify the permission policy/role attached to the log forwarder function has secretsmanager:GetSecretValue permission for the insights esa user credentials secret. Consult sections Configure ESA Audit Store Credentials and Create Audit Log Forwarder IAM Execution Policy
When testing log forwarder as described in Test Log Forwarder Installation, response contains policy decryption error: `{ "error_msg": "Failed to decrypt the policy. Please verify that the function has access to the key service and the key.", "success": false }`	Verify the permission policy/role attached to the log forwarder function has kms:Decrypt permission for KMS key used to encrypt the Protegrity security policy. Consult section Create Audit Log Forwarder IAM Execution Policy
Cloudformation stack creation fails with error: `The provided execution role does not have permissions to call [CreateNetworkInterface\|DescribeNetworkInterfaces\|DeleteNetworkInterface] on EC2 (Service: Lambda, Status Code: 400, Request ID: <request id>)" (RequestToken: <request token>, HandlerErrorCode: InvalidRequest)`	Verify the permission policy/role attached to the log forwarder function has ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DeleteNetworkInterface permissions Consult section Create Audit Log Forwarder IAM Execution Policy
Severe level kinesis permissions log message in protector function: `[SEVERE] Kinesis stream client returned 400 error with error message: User: <function arn> is not authorized to perform: kinesis:PutRecords on resource: <kinesis stream arn> because no identity-based policy allows the kinesis:PutRecords action`	Verify the permission policy/role attached to the protector function has kinesis:PutRecords permission Consult section Add Kinesis Put Record permission to the Protect Function IAM Role
TLS errors reported in log forwarder function logs: `[error] [tls] <error message>`	If ESA is using self-signed certificate, verify the correct ESA certificate has been given in the format described in Certificates on ESA

2.6 -

Prerequisites

Requirement	Detail
Protegrity distribution and installation scripts	These artifacts are provided by Protegrity
Protegrity ESA 10.0+	The Cloud VPC must be able to obtain network access to the ESA
AWS Account	Recommend creating a new sub-account for Protegrity Serverless
Snowflake cluster (Enterprise Edition)

2.7 -

Required Skills and Abilities

Role / Skillset	Description
AWS Account Administrator	To run CloudFormation (or perform steps manually), create/configure a VPC and IAM permissions.
Protegrity Administrator	The ESA credentials required to extract the policy for the Policy Agent
Network Administrator	To open firewall to access ESA and evaluate AWS network setup
Snowflake Administrator	Account Admin access required to setup access

2.8 -

AWS Services

The following table describes the AWS services that may be a part of your Protegrity installation.

Service	Description
Lambda	Provides serverless compute for Protegrity protection operations and the ESA integration to fetch policy updates or deliver audit logs.
API Gateway	Provides the endpoint and access control.
KMS	Provides secrets for envelope policy encryption/decryption for Protegrity.
Secrets Manager	Provides secrets management for the ESA credentials .
S3	Intermediate storage location for the encrypted ESA policy layer.
Kinesis	Required if Log Forwarder is to be deployed. Amazon Kinesis is used to batch audit logs sent from protector function to ESA.
VPC & NAT Gateway	Optional. Provides a private subnet to communicate with an on-prem ESA.
CloudWatch	Application and audit logs, performance monitoring, and alerts. Scheduling for the policy agent.

3 - Understanding Snowflake Objects

Key concepts in understanding the Protegrity Serverless with Snowflake.

3.1 - External Functions

Call out to a process external to Snowflake through a REST API.

External Functions

Snowflake provides an External Function capability used to call out to a process external to Snowflake through a REST request over TLS encryption. In the Protegrity Serverless for Snowflake solution, this external service is the Protegrity Endpoint for data re-identification operations.

Security Operation Parameters

The following table describes optional and required security operation parameters.

Parameter	Type	Example	Description
op_type	String	“op_type”:“UNPROTECT” “op_type”:“PROTECT”	Required operation name, can be either UNPROTECT or PROTECT
data_element	String	“data_element”:“TOK_ALPHA”	Required data element name defined in Protegrity Security Policy
external_iv	String	“external_iv”:“abc-123”	Optional external intialization vector, which allows for different tokenized results for the same input data and data element of the same security policy. Refer to the External Initialization Vector (IV) in the Protection Methods Reference for more details.
External Function Sample Definition with External IV:
`CREATE SECURE EXTERNAL FUNCTION PTY_PROTECT_ALPHA ( val varchar ) RETURNS varchar NULL IMMUTABLE COMMENT = 'Protects using an ALPHA data element using External IV' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS = ( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"PROTECT","data_element":"TOK_ALPHA","external_iv":"abc-123"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`

3.2 - Snowflake Masking Policies

Optimize REST requests to the Protegrity endpoint.

Masking Policies in the Sample Application are used to optimize REST requests to the Protegrity endpoint and to prevent integration of External Functions into queries.

4 - Performance

Performance benchmarks and considerations.

4.1 - Performance Considerations

Performance benchmarks and considerations.

Performance Considerations

The following factors may cause variation in real performance versus benchmarks:

Cold startup: The Lambda spends additional time on the initial invocation to decrypt and load the policy into memory. This time can vary between 400 ms and 1200 ms depending on the policy size. Once the Lambda is initialized, subsequent “warm executions” should process quickly.
Size of policy: The size of the policy impacts cold start performance. Larger policies take more time to initialize.
Noisy neighbors: There are many multi-tenant components in the Cloud. The same request may differ by 50% between runs regardless of Protegrity. A single execution may not be the best predictor of average performance.
Lambda memory: AWS provides more virtual cores based on the memory configuration. The initial configuration of 1728 MB provides a good tradeoff between performance and cost with the benchmarked policy. Memory can be increased to optimize for your individual cases.
Cluster size: Cluster size may make a significant difference depending on the workload.
Number of operations Number of protect, unprotect and reprotect security operations.
Lambda concurrency and burst quotas: AWS limits the number of concurrent executions and how quickly lambda can scale to meet demand. This is discussed in an upcoming section of the document.
Size of data element: Operations on larger text consume time.

4.2 - Sample Benchmarks

Sample benchmarks for different cluster sizes.

Sample Benchmarks

The following benchmarks were performed against different cluster sizes. These are median times of approximately five runs each. The query unprotected six columns per row (first_name, last_name, email, postal_code, ssn, iban):

Rows x Cols	# Ops	Small	Medium	Large	XL	2XL
100K x 6 cols	600K	5.1	4	4.2	4.3	4.3
1M x 6 cols	6M	11	10	11	10	11
10M x 6 cols	60M	21.5	21.5	20.5	24.5	29
100M x 6 cols	600M	-	-	49.5	56.5	87

4.3 - Concurrency

Guidance on concurrency.

Concurrency

Snowflake provides guidance on the maximum concurrent requests to the Protegrity API. However, reaching this maximum request depends on additional factors, such as, cluster use and available resources. In addition, depending on the query plan, individual batches may be processed serially across different UDFs.

The formula for theoretical maximum Snowflake concurrency is N * C * M * E * P:

N - # of servers in the cluster (e.g. 2xl = 32, xl = 16)
C - # of CPUs. This is typically 8, but depends on the hardware.
M – parallelism multiplier (fixed to 8)
E - # of external functions invoked
P - # of queries in running in parallel

The following table shows this calculation for a single query.

Cluster size	Predicted concurrent per query *	1 UDF	2 UDF	5 UDF	10 UDF
Medium	4 servers x 8 CPU x 8 = 256	256	512	1,280	2,560
X-Large	16 servers x 8 CPU x 8 = 1,024	1,024	2,048	5,120	10,240
2X-Large	32 servers x 8 CPU x 8 = 2,048	2,048	4,096	10,240	20,480

Note

* theoretical maximum concurrent requests based on engineering guidance from Snowflake.

4.4 - Concurrency Tuning

Concurrency tuning considerations.

Lambda Tuning

AWS maintains quotas for Lambda concurrent execution. Two of these quotas impact concurrency and compete with other Lambdas in the same account and region:

The concurrent executions quota cap is the maximum number of Lambda instances that can serve requests for an account and region. The default AWS quota may be inadequate based on peak concurrency based on the table in the previous section. This quota can be increased with an AWS support ticket.

The Burst concurrency quota limits the rate at which Lambda will scale to accommodate demand. This quota is also per account and region. The burst quota cannot be adjusted. AWS will quickly scale until the burst limit is reached. After the burst limit is reached, functions will scale at a reduced rate per minute (e.g. 500). If no Lambda instances can serve a request, the request will fail with a 429 Too Many Requests response. Snowflake will generally retry until all requests succeed but may abort if a high percentage of failed responses occur.

The burst limit is a fixed value and varies significantly by AWS region. The highest burst (3,000) is currently available in the following regions: US West (Oregon), US East (N.Virginia), and Europe (Ireland). Other regions can burst between 500 and 1,000. It is recommended to select a Snowflake AWS region with the highest burst limits.

API Gateway Tuning

AWS maintains a Throttle quota for the API Gateway. By default, API Gateway limits concurrent requests to 10,000 requests per second and throttles subsequent traffic with a 429 Too Many Requests error response. This quota applies across all APIs in an account and region.

The API Gateway default quota may need to be increased based on the Concurrency table in Lambda Tuning. Keep in mind that hitting quota limits effectively throttles any other API services in the region.

The API Gateway also limits burst. Burst is the maximum number of concurrent requests that API Gateway can fulfill at any instant without returning 429 Too Many Requests error responses. This limit can be increased by AWS, but is not normally an adjustable.

Enable CloudWatch metrics within the API Gateway to monitor max concurrency and investigate throttling errors. See the Concurrency Troubleshooting section on interpreting CloudWatch metrics.

Quotas adjustments are applied for region and account. Throttling is also enabled by default in the API Gateway stage used by the Protegrity Lambda function. The stage configuration throttling must be adjusted if the quota is modified. Stage throttling is shown in the following image.

For example, a test query was executed against a 274 million record table on a 2X-Large Snowflake cluster using a query with 10 UDF columns. Using the reference table in the Concurrency table, the cluster would theoretically generate over 20,000 requests/sec to execute the given query. Using API Gateway’s default settings, the requests exceeding 10,000 requests/sec will be throttled. Therefore, this query may fail intermittently due to a high number of throttling errors.

After requesting a quota increase, AWS modified the account’s API Gateway throttling quota from 10,000 to 24,000, this same query succeeded without throttles. In addition, 8 concurrent queries also succeeded. Eight concurrent queries did not generate 8x the concurrent load due to the cluster’s own resource limitations. This indicates the cluster peaked.

Concurrency Troubleshooting

Hitting up against quota limits may indicate that quota adjustments are required. Exceeding quota limits may cause a Snowflake query to fail or reduce performance. In the worst case, significant throttling can impact the performance of all your API Gateway or Lambda services in the region.

Snowflake is tolerant of a certain ratio of failed requests and automatically retries. If a high percentage of requests fail, then the query may abort and the last error code will display in the console. For example, 429 Too Many Requests.

CloudWatch Metrics can be manually enabled on the API Gateway to reveal if quotas are being reached. Metrics aggregate errors into two buckets that are 4xx and 5xx. CloudWatch logs can be used to access the actual error code. The following table describes how to interpret the CloudWatch metrics.

Error type	Possible issue	Remedy
4xx errors	API Gateway burst or throttle quota exceeded	Request an increase to the API Gateway throttle quota.
5xx errors	Lambda concurrent requests or burst quota exceeded. Verify 4xx errors in Lambda Metrics.	Request an increase the Lambda concurrent request quota

Note

The API Gateway Lambda proxy maps 429 errors from the Lambda service to 500 errors.

The following screenshot shows an example of searching CloudWatch Logs using Log Insights:

Cold-Start Performance

Cold-start vs warm execution refers to the state of the Lambda when a request is received. A cold-start undergoes additional initialization, such as, loading the security policy. Warm execution applies to all subsequent requests served by the Lambda. The following table shows an example how these states impact latency and performance.

Execution state	Avg. Execution Duration	Avg. Total (w/ network latency)
Cold execution	438 ms	522 ms
Warm execution	< 2ms	84 ms

Note

Cold execution time will vary based on the physical size of the security policy. A large security policy will result in longer cold startup times.

4.5 - Log Forwarder Performance Tuning

Guidance on concurrency.

Log Forwarder Performance

Log forwarder architecture is optimized to minimize the amount of connections and reduce the overall network bandwidth required to send audit logs to ESA. This is achieved with batching and aggregation taking place on two levels. The first level is in protect function instances, where audit logs from consecutive requests to an instance are batched and aggregated. The second level of batching takes place in Amazon Kinesis Stream where log records from different protect function instances are additionally batched and sent to log forwarder function where they are aggregated. This section shows how to configure the deployment to accommodate different patterns of anticipated audit log stream. It also shows how to monitor deployment resources to detect problems before audit records are lost.

Protector Cloud Formation Parameters
- AuditLogFlushInterval: Determines the minimum amount of time required for the audit log to be sent to Amazon Kinesis. Changing flush interval may affect the level of aggregation, which in turn may result in different number of connections and different data rates to Amazon Kinesis. Default value is 30 seconds.
  Increasing the flush interval may result in higher aggregation of audit logs, in fewer connections to Amazon Kinesis, in higher latency of audit logs arriving to ESA and in higher data throughput.
  Lowering the flush interval may result in lower aggregation of audit logs, in more connections to Amazon Kinesis, in lower latency of audit logs arriving to ESA and in lower data throughput.
  It is not recommended to reduce the flush interval from default value in production environment as it may overload the Amazon Kinesis service. However, it may be beneficial to reduce flush interval during testing to make audit records appear on ESA faster.
Log Forwarder Cloud Formation Parameters
- Amazon KinesisLogStreamShardCount: The number of shards represents the level of parallel streams in the Amazon Kinesis and it is proportional to the throughput capacity of the stream. If the number of shards is too low and the volume of audit logs is too high, Amazon Kinesis service may be overloaded and some audit records sent from protect function may be lost.
  Default value is 10, however you are advised to test with a production-like load to determine whether this is sufficient or not.
- Amazon KinesisLogStreamRetentionPeriodHours: The time for the audit records to be retained in Amazon Kinesis log stream in cases where log forwarder function is unable to read records from the Kinesis stream or send records to ESA, for example due to a connectivity outage. Amazon Kinesis will retain failed audit records and retry periodically until connectivity with ESA is restored or retention period expires.
  Default value is 24 hours, however you are advised to review this value to align it with your Recovery Time Objective and Recovery Point Objective SLAs.
Monitoring Log Forwarder Resources
- Amazon Kinesis Stream Metrics: Any positive value in Amazon Kinesis PutRecords throttled records metric indicates that audit logs rate from protect function is too high. The recommended action is to increase the Amazon KinesisLogStreamShardCount or optionally increase the AuditLogFlushInterval.
- Log Forwarder Function CloudWatch Logs: If log forwarder function is unable to send logs to ESA, it will log the following message:
```
[SEVERE] Dropped records: x.
```
  Note
  When the error message above occurs, the dropped audit records will be preserved in the Amazon Kinesis data stream and retried again according to Amazon Kinesis retry schedule. Records will be retried until Amazon KinesisLogStreamRetentionPeriodHours expires.
- Protect Function CloudWatch Logs: If protect function is unable to send logs to Amazon Kinesis, it will log the following message:
```
[SEVERE] Amazon Kinesis error, retrying in x ms (retry: y/z) ..."
```
  Any dropped audit log records will be reported with the following log message:
```
[SEVERE] Failed to send x/y audit logs to Amazon Kinesis.
```

4.6 -

API Gateway Tuning

Enable CloudWatch metrics within the API Gateway to monitor max concurrency and investigate throttling errors. See the Concurrency Troubleshooting section on interpreting CloudWatch metrics.

4.7 -

Cold-Start Performance

Execution state	Avg. Execution Duration	Avg. Total (w/ network latency)
Cold execution	438 ms	522 ms
Warm execution	< 2ms	84 ms

Note

Cold execution time will vary based on the physical size of the security policy. A large security policy will result in longer cold startup times.

4.8 -

Concurrency Troubleshooting

Error type	Possible issue	Remedy
4xx errors	API Gateway burst or throttle quota exceeded	Request an increase to the API Gateway throttle quota.
5xx errors	Lambda concurrent requests or burst quota exceeded. Verify 4xx errors in Lambda Metrics.	Request an increase the Lambda concurrent request quota

Note

The API Gateway Lambda proxy maps 429 errors from the Lambda service to 500 errors.

The following screenshot shows an example of searching CloudWatch Logs using Log Insights:

4.9 -

Lambda Tuning

AWS maintains quotas for Lambda concurrent execution. Two of these quotas impact concurrency and compete with other Lambdas in the same account and region:

5 - Audit Logging

Audit log description/formatting

Audit Logging

Audit records and application logs stream to Amazon CloudWatch Logs or optionally be sent to ESA. Cloud Protect uses a JSON format for audit records that is described in the following sections.

You can analyze and alert on audit records using Protegrity ESA or Amazon CloudWatch. Third-party solutions may be used if they are supported by Amazon Cloudwatch or AWS Lambda logging extensions. For more information about forwarding your audit records to ESA, contact Protegrity. For more information about Amazon CloudWatch, refer to the Amazon CloudWatch User Guide.

For more information about audit records, refer to the Protegrity Analytics Guide.

Audit record fields

The audit record format has been altered in version 3.1 of the protector to provide more information.

Field	Description
additional_info.deployment_id	The deployment_id contains the name of the Protect Function. It is automatically set based on the cloud-specific environment variables assigned to the Protect Function. This allows identifying the Cloud Protect deployment responsible for generating audit log.
additional_info.cluster	(Optional) Redshift cluster ARN
additional_info.description	A human-readable message describing the operation
additional_info.query_id	(Optional) Identifies the query that triggered the operation
additional_info.request_id	(Optional) AWS Lambda request identifier
cnt	Number of operations, may be aggregated
correlationid	(Deprecated) Use additional_info instead
level	Log severity, one of: SUCCESS, WARNING, ERROR, EXCEPTION
logtype	Always “Protection”
origin.ip	The private IP address of the compute resource that operates the Protect Function and is responsible for generating the log entry. Note The IP address is private, meaning it is used for internal network communication and is not accessible directly from the public internet. When Log Forwarding is enabled the IP address may be aggregated into minimal CIDR blocks.
origin.hostname	Hostname of the system that generated the log entry
origin.time_utc	UTC timestamp when the log entry was generated
protection.audit_code	Audit code of the protect operation; see the log return codes table in the Protegrity Troubleshooting Guide
protection.dataelement	Data element used for the policy operation
protection.datastore	Name of the data store corresponding to the deployed policy
protection.mask_setting	(Optional) Mask setting from policy management
protection.operation	Operation type, one of: Protect, Unprotect, Reprotect
protection.policy_user	User that performed the operation
protector.core_version	Internal core component version
protector.family	Always “cp” for Cloud Protect
protector.lambda_version	Protector Lambda application version.
protector.pcc_version	Internal pcc component version
protector.vendor	Identifies the cloud vendor and the database vendor
protector.version	Protector version number
signature.checksum	Hash value of the signature key ID used to sign the log message when the log is generated
signature.key_id	Key used to sign the log message when the log is generated

Example Audit Records

The following are sample audit messages:

Protect Success:

{
      "additional_info": {
        "deployment_id": "Protegrity-Protect-function-deployment-id",
        "description": "Data protect operation was successful.",
        "query_id": "sf-query-id:01978dbc-0582-d7e4-0000-002a3603a20d",
        "request_id": "8476a536-e9f4-11e8-9739-2dfe598c3fcd"
      },
      "cnt": 4000,
      "correlationid": "sf-query-id:01978dbc-0582-d7e4-0000-002a3603a20d",
      "logtype": "Protection",
      "level": "SUCESS",
      "origin": {
        "hostname": "localhost",
        "ip": "127.0.0.1",
        "time_utc": 1635363966
      },
      "protection": {
        "dataelement": "deAddress",
        "operation": "Protect",
        "audit_code": 6,
        "datastore": "SAMPLE_POLICY",
        "policy_user": "test_user"
      },
      process":{
        "name":"protect",
        "id":"13",
        "module":"coreprovider",
        "thread_id":"573580544",
        "user":"sbx_user1051",
        "platform":"\"Linux_x64\"",
        "version":"UNKNOWN"
      },
      "client": {
        "ip":"169.254.62.117"
      },
      "protector": {
        "family": "cp",
        "version": "4.0.0.102",
        "vendor": "aws.snowflake",
        "datastore":"SAMPLE_POLICY",
        "pcc_version": "4.0.0.9",
        "core_version": "2.1.4+0.g93016.2.1",
        "lambda_version":"4.0.1"
      },
      "signature": {
        "key_id": "95f5a194-b0a4-4351-a",
        "checksum": "B324AF7C56944D91C47847A77C0367C594C0B948E7E75654B889571BD4F60A71"
      }
    }

User permission denied:

{
      "additional_info": {
        "deployment_id": "Protegrity-Protect-function-deployment-id",
        "description": "The user does not have the appropriate permissions to perform the requested operation.",
        "query_id": "sf-query-id:01978dbc-0582-d7e4-0000-002a3603a20d",
        "request_id": "8476a536-e9f4-11e8-9739-2dfe598c3fcd"
      },
      "cnt": 4000,
      "correlationid": "sf-query-id:01978dbc-0582-d7e4-0000-002a3603a20d",
      "logtype": "Protection",
      "level": "ERROR",
      "origin": {
        "hostname": "localhost",
        "ip": "127.0.0.1",
        "time_utc": 1635363966
      },
      "protection": {
        "dataelement": "deAddress",
        "operation": "Protect",
        "audit_code": 3,
        "datastore": "SAMPLE_POLICY",
        "policy_user": "test_user"
      },
      process":{
        "name":"protect",
        "id":"13",
        "module":"coreprovider",
        "thread_id":"573580544",
        "user":"sbx_user1051",
        "platform":"\"Linux_x64\"",
        "version":"UNKNOWN"
      },
      "client": {
        "ip":"169.254.62.117"
      },
      "protector": {
        "family": "cp",
        "version": "4.0.0.102",
        "vendor": "aws.snowflake",
        "datastore":"SAMPLE_POLICY",
        "pcc_version": "4.0.0.9",
        "core_version": "2.1.4+0.g93016.2.1",
        "lambda_version":"4.0.1"
      },
      "signature": {
        "key_id": "95f5a194-b0a4-4351-a",
        "checksum": "A216797C56944D91C47847A77C0367C594C0B948E7E75654B889571BD4F60A71"
      }
    }

Data element not found:

{
      "additional_info": {
        "deployment_id": "Protegrity-Protect-function-deployment-id",
        "description": "The data element could not be found in the policy.",
        "query_id": "sf-query-id:01978dbc-0582-d7e4-0000-002a3603a20d",
        "request_id": "8476a536-e9f4-11e8-9739-2dfe598c3fcd"
      },
      "cnt": 4000,
      "correlationid": "sf-query-id:01978dbc-0582-d7e4-0000-002a3603a20d",
      "logtype": "Protection",
      "level": "ERROR",
      "origin": {
        "hostname": "localhost",
        "ip": "127.0.0.1",
        "time_utc": 1635363966
      },
      "protection": {
        "dataelement": "deAddress",
        "operation": "Protect",
        "audit_code": 2,
        "datastore": "SAMPLE_POLICY",
        "policy_user": "test_user"
      },
      process":{
        "name":"protect",
        "id":"13",
        "module":"coreprovider",
        "thread_id":"573580544",
        "user":"sbx_user1051",
        "platform":"\"Linux_x64\"",
        "version":"UNKNOWN"
      },
      "client": {
        "ip":"169.254.62.117"
      },
      "protector": {
        "family": "cp",
        "version": "4.0.0.102",
        "vendor": "aws.snowflake",
        "datastore":"SAMPLE_POLICY",
        "pcc_version": "4.0.0.9",
        "core_version": "2.1.4+0.g93016.2.1",
        "lambda_version":"4.0.1"
      },
      "signature": {
        "key_id": "95f5a194-b0a4-4351-a",
        "checksum": "AF09217C56944D91C47847A77C0367C594C0B948E7E75654B889571BD4F60A71"
      }
    }

6 - No Access Behavior

Unauthorized unprotect requests behaviour.

No Access Behavior

The security policy maintains a No Access Operation, configured in an ESA, which determines the response for unauthorized unprotect requests.

The following table describes the result returned in the response for the various no access unprotect permissions.

No Access Operation	Data Returned
Null	null
Protected	(protected value)
Exception	Query will fail with an exception

Note

An unauthorized protect will throw an exception.

7 - Upgrading To The Latest Version

Instructions for upgrading the protector.

Download the Latest Version

You can download the latest version of the deployment package from https://my.protegrity.com. Navigate to Data Protection > Cloud Protect to download the latest version.

After downloading the deployment package from the Protegrity Portal, unzip the package to extract the artifact files. In the AWS Console, navigate to the S3 bucket that was previously created to upload deployment artifacts (see: Create S3 bucket for Installing Artifacts).

Note

Only extract the deployment package and not the files in it.

Upload the following artifacts to the S3 bucket:

- -

protegrity-protect-<version>.zip
protegrity-agent-<version>.zip
protegrity-external-extension-<version>.zip
protegrity-sample-policy-<version>.zip

protegrity-protect-<version>.zip
protegrity-agent-<version>.zip
protegrity-external-extension-<version>.zip
protegrity-sample-policy-<version>.zip

protegrity-protect-<version>.zip
protegrity-agent-<version>.zip
protegrity-external-extension-<version>.zip
protegrity-sample-policy-<version>.zip

protegrity-athena-protect-udfs-<version>.jar
protegrity-external-extension-<version>.zip
protegrity-agent-<version>.zip
protegrity-sample-policy-<version>.zip

If the release version matches your existing deployment, you don’t need to upload it again. Save the following artifacts on your local system so that you have them available during the next steps:

- -

pty_protect_cf.json
pty_agent_cf.json

pty_protect_cf.json
pty_agent_cf.json

pty_protect_api_cf.json
pty_agent_cf.json
pty_log_forwarder_cf.json

pty_athena_protect_cf.json
pty_agent_cf.json

Perform the following steps to upgrade the Agent Lambda and Protect Lambda separately.

Important

If new versions are available for both Agent and Protect Lambdas, Agent Lambda must be upgraded first.

Disable Protegrity Agent Function CloudWatch Event Rule

Cloud Watch Event Rule is used to periodically run Protegrity Agent Function to synchronize policy from ESA. This functionality is optional when deploying Protegrity Serverless Solution. If the Event Rule is enabled, it must be disabled temporarily for the time of the upgrade process.

Follow the steps below to determine if your deployment uses Event Rule and disable it.

Go to AWS Cloud Formation and select existing Protegrity deployment stack.
Select Resources tab from the top portion of the screen.
Check if there is a resource with ScheduledRule LogicalID. If there is no such resource you can skip to Upgrading Policy Agent Lambda section. If the scheduled rule is there, continue with the next steps in this section.
Click on the Physical ID link in the ScheduledRule row. The link opens Policy Agent Event Rule configuration.
Select Disable from the top-right portion of the screen. This will disable the rule. You will re-enable it after the upgrade process is complete.

Upgrading Policy Agent Lambda

Note

If the release version of the artifact zip file has not changed since the previous installation, you can skip the Agent Lambda upgrade.

Go to AWS Lambda console and select existing Protegrity Agent Lambda.
Click Actions in top right portion of the screen. Select Publish new version. Click Publish. The version of Agent Lambda you just created will serve as restore point in the case you needed to rollback the upgrade.
Go to Lambda Configuration > Environment variables.
Record environment variables values. You will use them later to configure upgraded Lambda Function. You can use the aws cli command below to save the function variables into the local json file:
```
aws lambda get-function-configuration --function-name \
arn:aws:lambda:<aws_region>:<aws_account>:function:<function_name> \
--query Environment > <function_name>_env_config.json
```
Go to AWS Cloud Formation and select existing Protegrity Agent deployment stack.
Select Update. Check Replace current template > Upload a template file.
Upload pty_agent_cf.json file and select Next.
Click Next until Review window and then select Update stack.
Wait for the Cloud Formation to complete.
Navigate back to Agent Lambda Function.

Note

Make sure you are viewing the latest Lambda Function, not the published version.

Go to Configuration > Environment variables. Replace placeholder values with values recorded in previous step. Alternatively, you can run the following aws cli command to update function configuration using json file saved in the previous steps:
```
aws lambda update-function-configuration --function-name \
arn:aws:lambda:<aws_region>:<aws_account>:function:<function_name> \
--environment file://./<function_name>_env_config.json
```
Note
If your current agent installation version is lower than 3.0.12, make sure you set the following function configuration variables:
- PTY_ADDIPADDRESSHEADER
- PTY_ESA_CA_SERVER_CERT You can read more about these variables in section Policy Agent Lambda Configuration.
If you are upgrading from versions prior to v3.0, backup and remove existing policy from the bucket defined by AWS_POLICY_S3_BUCKET property, so that the policy can be re-downloaded and re-encrypted with new ‘key commitment’ feature.
If you are upgrading from version prior to 1.6.1 please follow the steps below, otherwise the upgrade process is completed.
From AWS Console, navigate to IAM > Policies
Search for the Agent Lambda IAM Policy created in Create Agent Lambda IAM policy
Click on the policy, then select Edit Policy. Select JSON tab.

Add the following statement to the list of policy statements.


{
  "Sid": "LambdaGetConfiguration",
  "Effect": "Allow",
  "Action": [
      "lambda:GetFunctionConfiguration"
  ],
  "Resource": [
      "arn:aws:lambda:*:*:function:*"
  ]
}

Click Review Policy, then Save Changes. Wait for the changes to save.

Upgrading Log Forwarder Lambda

Note

If you are upgrading protector to one of these versions: [3.2.2, 3.2.3], skip this section and follow instruction to install new Log Forwarder Audit Log Forwarder Installation.

Publish Log Forwarder Lambda Version
Publishing a version of the Log Forwarder Lambda allows to roll-back to pre-existing version if upgrade fails
1. Go to AWS Lambda console and select existing Protegrity Log Forwarder Lambda.
2. Click Actions in top right portion of the screen. Select Publish new version. Click Publish.
3. Record the Lambda version number. It will be displayed at the top of the screen. You can also retrieve it from the Lambda function view, under Versions tab.
  Log Forwarder Lambda version number for roll-backs: ___________________
Disable Kinesis Trigger
Disabling Kinesis trigger ensures there are no unprocessed or re-processed events while function is upgraded.
1. Go to AWS Lambda console and select existing Protegrity Log Forwarder Lambda.
2. Select Configuration tab > Triggers
3. Check Kinesis trigger and click Edit button
4. Uncheck Activate trigger and click Save
5. Wait for function to stop processing events by monitoring function in Monitor tab
Upgrade Forwarder Lambda Version
Upgrade Log Forwarder function with new code
1. Go to AWS Cloud Formation and select existing Protegrity Log Forwarder deployment stack.
2. Select Update Stack > Make a direct update.
3. Select Replace existing template > Upload a template file.
4. Upload pty_log_forwarder_cf file and select Next.
5. Click Next until Review window and then select Update stack.
6. Wait for the Cloud Formation to complete.
Enable Kinesis Trigger
1. Go to AWS Lambda console and select existing Protegrity Log Forwarder Lambda.
2. Select Configuration tab > Triggers
3. Check Kinesis trigger and click Edit button
4. Check Activate trigger and click Save Log Forwarder function will now start processing events from where it left off when Kinesis trigger was disabled.
Monitor and roll-back
Monitor Log Forwarder function for errors in its CloudWatch logs and in Montior tab. To roll back function to the previous version if any errors occur follow these steps:
1. Go to AWS Lambda console and select existing Protegrity Log Forwarder Lambda.
2. Select Configuration tab > Triggers
3. Expand Details section of Kinesis trigger and record UUID value
4. Execute the following AWS CLI command to move Kinesis trigger to previous version of Log Forwarder Lambda that was created earlier and recorded as Log Forwarder Lambda version number for roll-backs. Substitute kinesis-mapping-uuid, log-forwarder-function-name, version-for-roll-backs with your values:
```
aws lambda update-event-source-mapping --uuid <kinesis-mapping-uuid> --function-name <log-forwarder-function-name>:<version-for-roll-backs>
```
5. Find Kinesis trigger attached to previous version of Log Forwarder Lambda by navigating Versions tab > Version number link in the Versions column Kinesis trigger is now moved to previous version of Log Forwarder Lambda function.

Upgrading Protect Lambda

Note

If the release version of the artifact zip file has not changed since the previous installation, you can skip the Protect Lambda upgrade.

Diagram below illustrates upgrade steps.

Snowflake Function Upgrade Steps

Redshift Function Upgrade Steps

Cloud API Function Upgrade Steps

Athena Function Upgrade Steps

Publish Protect Lambda Version
Publishing a version of the Protect Lambda allows updating it without interruptions to the existing traffic.
1. Go to AWS Lambda console and select existing Protegrity Protect Lambda.
2. Go to Lambda Configuration > Environment variables.
3. Record environment variables values. You will use them later to configure upgraded Lambda Function. You can use the aws cli command below to save the function variables into the local json file:
```
aws lambda get-function-configuration --function-name \
arn:aws:lambda:<aws_region>:<aws_account>:function:<function_name> \
--query Environment > <function_name>_env_config.json
```
4. Click Actions in top right portion of the screen. Select Publish new version. Click Publish.
5. Record the Lambda version number. It will be displayed at the top of the screen. You can also retrieve it from the Lambda function view, under Versions tab.
  Protect Lambda version number: ___________________
6. If you are upgrading a Cloud Protect Redshift version 1.x to 2.x/3x, you must recreate your Redshift external function definitions with Protect Lambda Function version appended to the Lambda Function name. See example below.
```
CREATE OR REPLACE EXTERNAL FUNCTION PTY_PROTECT_TEST ( val varchar )
    RETURNS varchar
    VOLATILE lambda
    'Protegrity_Protect_test:<protect_lambda_version_number>' iam_role
    'arn:aws:iam::123456789212:role/example_role';
```
Run protect service upgrade
In this step, the Protect service including Lambda $LATEST version will be updated using Cloud Formation template. The Lambda version created in previous step will be used to serve existing traffic during the upgrade process.
1. Go to AWS Cloud Formation and select existing Protegrity deployment stack.
2. Select Update. Check Replace current template > Upload a template file.
3. Upload pty_protect_cf.json file and select Next.
4. Update ProtectFunctionProductionVersion parameter with Protect Lambda version number recorded in step 3.
5. Note
  If you are upgrading protector to one of these versions: [3.2.2, 3.2.3], set parameter KinesisLogStreamArn to the output value recorded in Install through CloudFormation for the newly deployed log forwarder.
6. Click Next until Review window and then select Update stack.
7. Wait for the Cloud Formation to complete.
8. Go back to Lambda console and select Protect Lambda.
9. Go to Configuration > Environment variables. Replace placeholder values with values recorded in previous step. Alternatively, you can run the following aws cli command to update function configuration using json file saved in the previous steps:
```
aws lambda update-function-configuration --function-name \
arn:aws:lambda:<aws_region>:<aws_account>:function:<function_name> \
--environment file://./<function_name>_env_config.json
```
  Note
  If your current protect installation version is lower than 3.0.14, you can optionally set the following variable:
  - LOG_REDSHIFT_CLUSTER_ARN You can read more about this configuration in section Protect Lambda Configuration.
10. Navigate to Aliases tab. Verify that Production alias points to the lambda version you specified in the cloud formation template.
11. The upgraded Protect Lambda is configured with a sample policy. Run Agent Lambda Function before continuing with next steps.
Finalize upgrade
In this step, the Protect Lambda will be configured to serve traffic using $LATEST version upgraded in the previous step.
1. Go back to Protegrity AWS Cloud Formation deployment stack.
2. Select Update. Check Use Current template.
3. Update ProtectFunctionProductionVersion parameter with the following value: $LATEST.
4. Click Next until Review window and then select Update stack.
5. Go back to Lambda console and select Protect Lambda.
6. From the Lambda console, verify that Latest alias points to $LATEST version.
7. Test your function to make sure it works as expected.
8. If you are upgrading a Cloud Protect Redshift version 1.x to 2.x/3x, you must recreate your Redshift external function definitions with Protect Lambda Function version appended to the Lambda Function name. See example below.
```
CREATE OR REPLACE EXTERNAL FUNCTION PTY_PROTECT_TEST ( val varchar )
    RETURNS varchar
    VOLATILE lambda
    'Protegrity_Protect_test:Production' iam_role
    'arn:aws:iam::123456789212:role/example_role';
```
9. If you need to rollback to older version of Protect Lambda, you can re-run the cloud formation with ProtectFunctionProductionVersion parameter set to the previous version of Protect Lambda.

Re-enable Protegrity Agent Function CloudWatch Event Rule

If the Event Rule was disabled at the beginning of the upgrade process, you must re-enabled it. Follow the steps below to re-enable Policy Agent Event rule.

Go to the Protegrity Agent Cloud Formation Stack.
Select Resources tab from the top portion of the screen.
Click on the Physical ID link in the ScheduledRule row. The link opens Policy Agent Event Rule configuration.
Select Enable from the top-right portion of the screen. This will enable the rule. You will re-enable it after the upgrade process is complete.

8 - Known Limitations

Known product limitations.

Known Limitations

Known product limitations:

FPE is supported only for ASCII values.
Only the protect and unprotect operations are supported. The reprotect operation is not currently supported.

9 - Appendices

Additional references for the protector.

9.1 - Sample Snowflake External Function

A collection of sample Snowflake functions.

Sample Snowflake External Function

Method: Tokenization
Type: ALPHA

Snowflake Data Types	Snowflake Max Size	Protegrity Max Size
VARCHAR	16M (16,777,216 bytes)	4K (4,096 bytes)
CHAR
STRING
TEXT

External Function Sample Definitions:
`CREATE SECURE EXTERNAL FUNCTION PTY_PROTECT_ALPHA ( val varchar ) RETURNS varchar NULL IMMUTABLE COMMENT = 'Protects using an ALPHA data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"PROTECT","data_element":"TOK_ALPHA"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
`CREATE SECURE EXTERNAL FUNCTION PTY_UNPROTECT_ALPHA ( val varchar ) RETURNS varchar NULL IMMUTABLE COMMENT = 'Unprotects using an ALPHA data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"UNPROTECT","data_element":"TOK_ALPHA"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`

Sample EF Calls:
`SELECT PTY_PROTECT_ALPHA ('Hello World')`
`SELECT PTY_UNPROTECT_ALPHA('rfDtw sLMJK');`

Snowflake Masking Policy example:
`create or replace masking policy alpha_policy as (val string) returns string -> case when current_role() in ('ACCOUNTADMIN') then PTY_UNPROTECT_ALPHA(val) else val end;`
`alter table pii_data modify column field01 set masking policy alpha_policy; alter table pii_data modify column field01 unset masking policy;`

Method: Tokenization
Type: NUMERIC

Snowflake Data Types	Snowflake Max Size	Protegrity Max Size
NUMBER
DECIMAL
INTEGER
DOUBLE

External Function Sample Definitions:
`CREATE SECURE EXTERNAL FUNCTION PTY_PROTECT_NUMERIC ( val number ) RETURNS number NULL IMMUTABLE COMMENT = 'Protects using a NUMERIC data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"PROTECT","data_element":"TOK_NUMERIC"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
`CREATE SECURE EXTERNAL FUNCTION PTY_UNPROTECT_NUMERIC ( val number) RETURNS number NULL IMMUTABLE COMMENT = 'Unprotects using a NUMERIC data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"UNPROTECT","data_element":"TOK_NUMERIC"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`

Sample EF Calls:
`SELECT PTY_PROTECT_NUMERIC ('123456789');`
`SELECT PTY_UNPROTECT_NUMERIC ('752513497');`

Snowflake Masking Policy example:
`create or replace masking policy num_policy as (val number) returns number -> case when current_role() in ('ACCOUNTADMIN') then PTY_UNPROTECT_NUMERIC(val) else val end;`
`alter table pii_data modify column field02 set masking policy num_policy; alter table pii_data modify column field02 unset masking policy;`

Method: Tokenization
Type: DATE YYYY-MM-DD

Snowflake Data Types	Snowflake Max Size	Protegrity Max Size
DATE (any supported format)	10 bytes	10 bytes

External Function Sample Definitions:
`CREATE SECURE EXTERNAL FUNCTION PTY_PROTECT_DATEYYYYMMDD ( val date ) RETURNS date NULL IMMUTABLE COMMENT = 'Protects using a Date data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"PROTECT","data_element":"TOK_DATEYYYYMMDD"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
`CREATE SECURE EXTERNAL FUNCTION PTY_UNPROTECT_DATEYYYYMMDD ( val date ) RETURNS date NULL IMMUTABLE COMMENT = 'Unprotects using a Date data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"UNPROTECT","data_element":"TOK_DATEYYYYMMDD"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
Sample EF Calls:
`SELECT PTY_PROTECT_DATEYYYYMMDD ('2020-12-31');`
`SELECT PTY_UNPROTECT_DATEYYYYMMDD('0653-06-01');`
`SELECT PTY_PROTECT_DATEYYYYMMDD ('31-DEC-2020');*`
`SELECT PTY_UNPROTECT_DATEYYYYMMDD('01-JUN-0653');*`
`SELECT PTY_PROTECT_DATEYYYYMMDD('12/31/2020');*`
`SELECT PTY_UNPROTECT_DATEYYYYMMDD('06/01/0653');*`
`SELECT PTY_PROTECT_DATEYYYYMMDD (current_date);`

Snowflake Masking Policy example:
`create or replace masking policy date_policy as (val date) returns date -> case when current_role() in ('ACCOUNTADMIN') then PTY_UNPROTECT_DATEYYYYMMDD (val) else val end;`
`alter table pii_data modify column field11 set masking policy date_policy; alter table pii_data modify column field11 unset masking policy;`

**\***: Automatic cast to YYYY-MM-DD, no need to make any conversions. The output is always in the YYYY-MM-DD format

Cutover Dates of the Proleptic Gregorian Calendar: no issues (no conversions performed by Snowflake)

Method: Tokenization
Type: DATETIME

Snowflake Data Types	Snowflake Max Size	Protegrity Max Size
DATE	10 bytes	29 bytes
DATETIME	29 bytes
TIMESTAMPNTZ*
TIMESTAMP_NTZ*
TIMESTAMP WITHOUT TIME ZONE*

External Function Sample Definitions:
`CREATE SECURE EXTERNAL FUNCTION PTY_PROTECT_DATETIME ( val timestamp ) RETURNS timestamp NULL IMMUTABLE COMMENT = 'Protects using a TIMESTAMP data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"PROTECT","data_element":"TOK_DATETIME"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
`CREATE SECURE EXTERNAL FUNCTION PTY_UNPROTECT_DATETIME ( val timestamp ) RETURNS timestamp NOT NULL IMMUTABLE COMMENT = 'Unprotects using a TIMESTAMP data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"UNPROTECT","data_element":"TOK_DATETIME"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
Sample EF Calls:
`SELECT PTY_PROTECT_DATETIME('2010-10-25');`
`SELECT PTY_UNPROTECT_DATETIME('0845-04-04');`
`SELECT PTY_PROTECT_DATETIME('2010-10-25 10:45:33');`
`SELECT PTY_UNPROTECT_DATETIME('0845-04-04 10:45:33');`
`SELECT PTY_PROTECT_DATETIME('2010-10-25 10:45:33.123');`
`SELECT PTY_UNPROTECT_DATETIME('0845-04-04 10:45:33.123');`
`SELECT PTY_PROTECT_DATETIME(current_date);`
`SELECT PTY_PROTECT_DATETIME(cast(current_timestamp as TIMESTAMPNTZ));`

Snowflake Masking Policy example:
`create or replace masking policy datetime_policy as (val timestampntz) returns timestampntz -> case when current_role() in ('ACCOUNTADMIN') then PTY_UNPROTECT_DATETIME (val) else val end;`
`alter table pii_data modify column field12 set masking policy datetime_policy; alter table pii_data modify column field12 unset masking policy;`

**\***: Default TIMESTAMP in Snowflake includes Time Zone – not supported by Protegrity’s DATETIME data element

Method: Tokenization
Type: DECIMAL

Snowflake Data Types	Snowflake Max Size	Protegrity Max Size
NUMBER(N,M)	38 digits	36 digits
NUMERIC(N,M)*
DECIMAL(N,M)*

External Function Sample Definitions:
`CREATE SECURE EXTERNAL FUNCTION PTY_PROTECT_DECIMAL ( val NUMBER(38,6) ) RETURNS NUMBER(38,6) NULL IMMUTABLE COMMENT = 'Protects using a DECIMAL data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"PROTECT","data_element":"TOK_DECIMAL"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
`CREATE SECURE EXTERNAL FUNCTION PTY_UNPROTECT_DECIMAL ( val NUMBER(38,6) ) RETURNS NUMBER(38,6) NULL IMMUTABLE COMMENT = 'Unprotects using a DECIMAL data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"UNPROTECT","data_element":"TOK_DECIMAL"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
Sample EF Calls:
`SELECT PTY_PROTECT_DECIMAL (12345678.99);`
`SELECT PTY_UNPROTECT_DECIMAL (21872469.760000);`

Snowflake Masking Policy example:
`create or replace masking policy decimal_policy as (val NUMBER(38,6)) returns NUMBER(38,6)-> case when current_role() in ('ACCOUNTADMIN') then PTY_UNPROTECT_DECIMAL (val) else val end;`
`alter table pii_data modify column field13 set masking policy decimal_policy; alter table pii_data modify column field13 unset masking policy;`

**\***: Synonymous with NUMBER

Method: Tokenization
Type: INTEGER

Snowflake Data Types	Snowflake Max Size	Protegrity Max Size
NUMBER	38 digits	2 bytes 4 bytes 8 bytes
NUMERIC*
INT*
INTEGER*
BIGINT*
SMALLINT*
TINYINT*
BYTEINT*

External Function Sample Definitions:
`CREATE SECURE EXTERNAL FUNCTION PTY_PROTECT_INTEGER ( val NUMBER ) RETURNS NUMBER NULL IMMUTABLE COMMENT = 'Protects using an INTEGER data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"PROTECT","data_element":"TOK_INTEGER"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
`CREATE SECURE EXTERNAL FUNCTION PTY_UNPROTECT_INTEGER ( val NUMBER ) RETURNS NUMBER NOT NULL IMMUTABLE COMMENT = 'Unprotects using an INTEGER data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"UNPROTECT","data_element":"TOK_INTEGER"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
Sample EF Calls:
`SELECT PTY_PROTECT_INTEGER (123456789);`
`SELECT PTY_UNPROTECT_INTEGER (1104108887);`

Snowflake Masking Policy example:
`create or replace masking policy int_policy as (val NUMBER ) returns NUMBER -> case when current_role() in ('ACCOUNTADMIN') then PTY_UNPROTECT_INTEGER (val) else val end;`
`alter table pii_data modify column field14 set masking policy int_policy; alter table pii_data modify column field14 unset masking policy;`

**\***: Synonymous with NUMBER, except that precision and scale cannot be specified $i.e. always defaults to NUMBER\(38, 0$\)

**Recommended approach for protecting whole numbers fields in Snowflake

When values are	…then use the following Data Element:
Between -32768 and 32767	INTEGER (2 bytes)
Between -2147483648 and 2147483647	INTEGER (4 bytes)
Between -9223372036854775808 and 9223372036854775807	INTEGER (8 bytes)
< -9223372036854775808 or > 9223372036854775807	DECIMAL

When in doubt, use DECIMAL for any numeric range.

9.2 - Installing the Policy Agent and Protector in Different AWS Accounts

Example steps to install Agent in a different AWS account than the Protector

The Policy Agent Lambda function and Protect Lambda functions can be installed in separate AWS accounts. However, additional configuration is required to authorize the Policy Agent to provision the security policy to a remote Protect Lambda function.

Note

The Policy Agent will deploy an encrypted security policy file to an S3 bucket in the Protect function’s AWS Account.

Create Agent Lambda IAM policy

Login to the AWS account that hosts the Protect Lambda function.
From the AWS IAM console, select Policies > Create Policy.

Select the JSON tab and copy the following snippet.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LambdaUpdateFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:*"
      ]
    },
    {
      "Sid": "LambdaReadLayerVersion",
      "Effect": "Allow",
      "Action": [
        "lambda:GetLayerVersion",
        "lambda:ListLayerVersions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LambdaDeleteLayerVersion",
      "Effect": "Allow",
      "Action": "lambda:DeleteLayerVersion",
      "Resource": "arn:aws:lambda:*:*:layer:*:*"
    },
    {
      "Sid": "LambdaPublishLayerVersion",
      "Effect": "Allow",
      "Action": "lambda:PublishLayerVersion",
      "Resource": "arn:aws:lambda:*:*:layer:*"
    },
    {
      "Sid": "S3GetObject",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::*/*"
    },
    {
      "Sid": "S3PutObject",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::*/*"
    },
    {
      "Sid": "LambdaGetConfiguration",
      "Effect": "Allow",
      "Action": [
          "lambda:GetFunctionConfiguration"
      ],
      "Resource": [
          "arn:aws:lambda:*:*:function:*"
      ]
    }
  ]
}

Replace the wildcards (*) with the region, account, and resource name information where required.
Select Review policy, type in the policy name, and confirm. Record policy name:
Agent Lambda Cross Account Policy Name: ___________________

Create Policy Agent cross-account IAM Role

Login to the AWS account that hosts the Protect Lambda function.
From the AWS IAM console, select Roles > Create Role
Select AWS Service > Lambda . Proceed to Permissions.
Select Policy created in the step above. Proceed to Tags.
Specify Tag, proceed to the final screen. Type in policy name and confirm. Record the name.
Policy Agent Cross Account IAM Role Name: ___________________

Allow the Policy Agent Cross-Account Role to be Assumed by the Policy Agent IAM Role

Login to the AWS account that hosts the Protect Lambda function.
Navigate to the previously created IAM Role (Agent Lambda Cross-Account IAM Role Name).
Navigate to Trust Relationships > Edit Trust Relationships.

Modify the Policy Document, replacing the placeholder value indicated in the following snippet as <Agent Lambda IAM Execution Role ARN> with ARN of Agent Lambda IAM Role that was created in Agent Installation.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",

   "Principal": {

            "AWS": "<Agent Lambda IAM Execution Role Name>"

      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Click Update Trust Policy.

Add Assume Role to the Policy Agent Execution IAM Role

Navigate to the Agent Lambda IAM Execution Role that was created in Agent Installation.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",

   "Principal": {

            "AWS": "<Agent Lambda IAM Execution Role Name>"

      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Add Inline Policy.

Modify the Policy Document, replacing the placeholder value indicated in the following snippet as <Agent Lambda Cross-Account IAM ARN> with the value recorded in Create Policy Agent cross-account IAM Role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "<Agent Lambda Cross-Account IAM  ARN>."
    }
  ]
}

When you are finished, choose Review Policy.
On the Review policy page, type a Name, then choose Create Policy.

Update the Policy Agent Lambda Configuration

From the AWS console, navigate to Lambda, and select the Policy Agent Lambda function.
Select Configuration tab | Environment variables.
Select Edit and add the following environment variables with the value from Agent Lambda Cross-Account IAM ARN:
Parameter Value
AWS_ASSUME_ROLE Agent Lambda Cross-Account IAM ARN
Ensure the values in the Parameters AWS_POLICY_S3_BUCKET, AWS_PROTECT_FN_NAME and AWS_POLICY_LAYER_NAME are all in the Protect Lambda Function AWS Account.
In case custom VPC hostname configuration is used, you will need to set the ENDPOINT_URL. Refer to Policy Agent - Custom VPC Endpoint Hostname Configuration.
AWS_VPC_ENDPOINT_URL
<AWS_VPC_ENDPOINT>
Click Save and Run the Lambda. The Lambda will now assume the Role in Protect Lambda Function AWS Account and update the policy cross accounts.

9.3 - Integrating Cloud Protect with PPC (Protegrity Provisioned Cluster)

Concepts for integrating with PPC (Protegrity Provisioned Cluster)

This guide describes how to configure the Protegrity Policy Agent and Log Forwarder to connect to a Protegrity Provisioned Cluster (PPC), highlighting the differences from connecting to ESA.

Key Differences: PPC vs ESA

Feature	ESA 10.2	PPC (this guide)
Datastore Key Fingerprint	Optional/Recommended	Required
CA Certificate on Agent	Optional/Recommended	Optional/Recommended
CA Certificate on Log Forwarder	Optional/Recommended	Not supported
Client Certificate Authentication from Log Forwarder	Optional/Recommended	Not supported
IP Address	ESA IP address	PPC address

Prerequisites

Access to PPC and required credentials.
Tools: curl, kubectl installed.

Policy Agent Setup with PPC

Important

When connecting to PPC, the Policy Agent requires the PTY_DATASTORE_KEY fingerprint. For ESA 10.2, the fingerprint is optional but recommended. See Policy Agent Installation for general setup steps.

Follow these instructions as a guide for understanding specific inputs for Policy Agent integrating with PPC:

Obtain the Datastore Key Fingerprint

To retrieve the fingerprint for your Policy Agent:

curl -k -H "Authorization: Bearer ${TOKEN}" -X POST https://${HOST}/pty/v2/pim/datastores/1/export/keys  -H "Content-Type: application/json" --data '{
  "algorithm": "RSA-OAEP-256",
  "description": "example-key-from-kms",
  "pem": "-----BEGIN PUBLIC KEY-----\nABC123... ...890XYZ\n-----END PUBLIC KEY-----"
}'

Sample Output:

{"uid":"1","algorithm":"RSA-OAEP-256","fingerprint":"4c:46:d8:05:35:2e:eb:39:4d:39:8e:6f:28:c3:ab:d3:bc:9e:7a:cb:95:cb:b1:8e:b5:90:21:0f:d3:2c:0b:27","description":"example-key-from-kms"}

Record the fingerprint value and configure it as the PTY_DATASTORE_KEY for the Policy Agent.

Retrieve the PPC CA Certificate
To obtain the CA certificate from PPC:
```
kubectl -n api-gateway get secret ingress-certificate-secret -o jsonpath='{.data.ca\.crt}' | base64 -d > CA.pem
```
Use the CA.pem that was returned as described in Policy Agent Installation.
Configure the PPC Address
Use the PPC address in place of the ESA IP address wherever required in your configuration.

Log Forwarder Setup with PPC

Note

When using PPC, certificate authentication and CA validation are not supported for the Log Forwarder. Configuration steps related to certificates in Log Forwarder Installation do not apply to PPC. If you attempt to use certificates provided by PPC, the Log Forwarder will not function correctly.

The Log Forwarder will proceed without certificates and will print a warning if PtyEsaCaServerCert and PtyEsaClientCertificatesSecretId are not provided.
No additional certificate or CA configuration is needed for PPC.

Troubleshooting

Protector Lambda fails with “AWS KMS Decrypt failed”

Symptom:

After a successful Policy Agent run and layer update, the Protector Lambda returns:

{
  "body": "{\"error_msg\":\"Failed to open decoder: rpdecode decrypt failure: dek callback failed: AWS KMS Decrypt failed: \",\"success\":false}",
  "isBase64Encoded": false,
  "statusCode": 400
}

The Protector Lambda logs show:

[SEVERE] [utils.cpp:185] AWS KMS Decrypt failed:

Cause:

The public key configured in the PPC/ESA datastore does not match the KMS key pair used by the Policy Agent. The policy package is encrypted with the public key stored in the datastore. If that key does not correspond to the KMS key pair whose private key is used for decryption, the Protector Lambda will fail to decrypt the policy.

Resolution:

Identify the KMS key pair used by the Policy Agent (the key ARN configured during pre-configuration).
Export the public key from that KMS key pair.
In PPC/ESA, ensure the datastore’s export key is configured with the public key from that same KMS key pair. See Obtain the Datastore Key Fingerprint above.
Re-run the Policy Agent to generate a new policy package encrypted with the correct key.
Test the Protector Lambda again.

Important

Always verify that the public key registered in the PPC/ESA datastore belongs to the same KMS key pair referenced by the Policy Agent. A mismatch between these keys is a common cause of AWS KMS Decrypt failed errors.

The KMS key must be an asymmetric key with the Encrypt and decrypt key usage type. Symmetric keys or asymmetric keys configured for signing will not work.

Additional Notes

For troubleshooting, consult the Protegrity Documentation.

9.4 - Policy Agent - Custom VPC Endpoint Hostname Configuration

Custom vpc endpoint hostname configuration

The Policy Agent uses default endpoint hostnames to communicate with other AWS services (for example, secretsmanager.amazonaws.com). This configuration will only work in VPCs where Amazon-provided DNS is available (default VPC configuration with private DNS option enabled for the endpoint). If your VPC uses custom DNS, follow the instructions below to configure the Policy Agent Lambda to use custom endpoint hostnames.

Note

This configuration is only available with the Cloud Protect version 1.5.0 or higher. For more information about the upgrade instructions, refer to Upgrading to the Latest Version.

Identify DNS Hostnames

To identify DNS hostnames:

From AWS console, select VPC > Endpoints.
Select Secrets Manager endpoint from the list of endpoints.
Under Details > DNS Names, note the private endpoint DNS names adding https:// at the beginning of the endpoint name.
For example, https://vpce-1234-4pzomrye.kms.us-west-1.vpce.amazonaws.com
Note down DNS names for the KMS and Lambda endpoints:
AWS_SECRETSMANAGER_ENDPOINT: https://_________________
AWS_KMS_ENDPOINT: https://_________________
AWS_LAMBDA_ENDPOINT: https://_________________

Update the Policy Agent Lambda configuration

To update policy agent lambda configuration:

From the AWS console, navigate to Lambda, and select the Policy Agent Lambda function.
Select the Configuration section and choose Environment variables.
Select Edit and add the following environment variables with the corresponding endpoint URLs recorded in steps 3-4:
Parameters Value
AWS_SECRETSMANAGER_ENDPOINT_URL <AWS_SECRETS_ENDPOINT>
AWS_KMS_ENDPOINT_URL <AWS KMS ENDPOINT>
AWS_LAMBDA_ENDPOINT_URL <AWS LAMBDA ENDPOINT>
Click Save and Run the Lambda. The Lambda will now use endpoints you have just configured.

9.5 - Protection Methods

Cloud API supported protection methods

Protection Methods

For more information about the protection methods supported by Protegrity, refer to the Protection Methods Reference.

Tokenization Type	Supported Input Data Types	Notes
Numeric Credit Card Alpha Upper-case Alpha Alpha-Numeric Upper Alpha-Numeric Lower ASCII Printable Decimal Unicode Unicode Base64 Unicode Gen2 Email	STRING NULL
Integer	NUMBER NULL
Date Datetime	STRING NULL	For information about supported formats, refer to the Protection Methods Reference.
Binary	STRING NULL	Must be `hex` encoded unless a different `encoding` is specified. Another supported encoding is `base64`.

Protection Method

Supported Input Data Types

Notes

No Encryption

STRING

NUMBER

NULL

Encryption Algorithm

Supported Input Data Types

Notes

3DES

AES-128

AES-256

CUSP 3DES

CUSP AES-128

CUSP AES-256

STRING

Must be hex encoded unless a different encoding is specified. Another supported encoding is base64.

9.6 - Configuring Regular Expression to Extract Policy Username

Extract the policy username from the AWS identity.

Configuring Regular Expression to Extract Policy Username

Cloud Protect Lambda Function exposes USERNAME_REGEX configuration to allow extraction of policy username from user in the request.

USERNAME_REGEX Lambda Environment configuration
The USERNAME_REGEX configuration can be used to extract policy username from user in the request. The following are allowed values for USERNAME_REGEX:
- 1 - Default build-in regular expression is used:
```
^arn:aws:(?:iam|sts)::[0-9]{12}:(?:role|user|group|assumed\-role|federated\-user)\/([\w\/+=,.\-]{1,1024}|[\w\/+=,.\-@]{1,1024})(?:@[a-zA-Z0-9\-]{1,320}(?:\.\w+)+)?$
```
- ^User regex$ - Custom regex with one capturing group. This group is used to extract the username. Examples below show different regular expression values and the resulting policy user.

USERNAME_REGEX	User in the request	Effective Policy User
Not Set	arn:aws:iam::123456789012:user/juliet.snow	arn:aws:iam::123456789012:user/juliet.snow
Not Set	arn:aws:sts::123456789012:assumed-role/TestSaml	arn:aws:sts::123456789012:assumed-role/TestSaml
1	arn:aws:iam::123456789012:user/juliet.snow	juliet.snow
1	arn:aws:sts::123456789012:assumed-role/TestSaml	TestSaml
`^arn:aws:(?:iam\|sts)::[0-9]{12}:((?:role\|user\|group\|assumed-role\|federated-user).*)$`	arn:aws:iam::123456789012:user/juliet.snow	user/juliet.snow
	arn:aws:sts::123456789012:assumed-role/TestSaml	assumed-role/TestSaml

9.7 - Associating ESA Data Store With Cloud Protect Agent

Configure ESA data store for Policy Agent.

Associating ESA Data Store With Cloud Protect Agent

ESA controls which policy is deployed to protector using concept of data store. A data store may contain a list of IP addresses identifying servers allowed to pull the policy associated with that specific data store. Data store may also be defined as default data store, which allows any server to pull the policy, provided it does not belong to any other data stores. Node registration occurs when the policy server (in this case the policy agent) makes a policy request to ESA, where the agent’s IP address is identified by ESA.

Note

For more information about ESA data store refer to Policy Management Guide which is part of Protegrity ESA documentation.

Policy agent lambda source IP address used for node registration on ESA depends on ESA hubcontroller configuration ASSIGN_DATASTORE_USING_NODE_IP and the PTY_ADDIPADDRESSHEADER configuration exposed by the agent lambda.

The Lambda service uses multiple network interfaces, internal network interface with ephemeral IP range of 169.254.x.x and external network interface with IP range of the VPC subnet the Lambda is associated with. By default, when agent lambda is contacting ESA to register node for policy download, ESA uses agent Lambda VPC IP address. This default behavior is caused by the default ESA hubcontroller configuration ASSIGN_DATASTORE_USING_NODE_IP=false and agent default configuration PTY_ADDIPADDRESSHEADER=yes.

In some cases, when there is a proxy server between the ESA and agent lambda, the desirable ESA configuration is ASSIGN_DATASTORE_USING_NODE_IP=true. and PTY_ADDIPADDRESSHEADER=no which will cause the ESA to use proxy server IP address.

The table below shows how the hubcontroller and agent settings will affect node IP registration on ESA.

Agent source IP	Agent VPC subnet IP	Proxy IP	ESA config - ASSIGN_DATASTORE_USING_NODE_IP	Agent lambda config - PTY_ADDIPADDRESSHEADER	Agent node registration IP
169.254.144.81	10.1.2.173	No Proxy	true	yes	169.254.144.81
			true	no	10.1.2.173
			false	yes
			false	no
169.254.144.81	10.1.2.173	34.230.42.110	true	yes	169.254.144.81
			true	no	34.230.42.110
			false	yes
			false	no

Snowflake

1 - Overview

Solution Overview

Analytics on Protected Data

Features

Deployment Architecture

Log Forwarding Architecture

Snowflake Connectivity

Snowflake’s API Integration Object

2 - Installation

2.1 - Pre-Configuration

Determine AWS Region

Provide AWS sub-account

Create S3 bucket for Installing Artifacts

Important

Create KMS Key

Note

Note

Note

Create IAM Account Role

2.2 - Prerequisites

AWS Services

ESA Version Requirements

Note

Prerequisites

Required Skills and Abilities

2.3 - Protect Service Installation

Preparation

Create Protect Lambda IAM Execution Policy

Create Protect Lambda IAM Role

Installing through CloudFormation

Note

Snowflake Configuration

Login to Snowflake as ACCOUNTADMIN

Create the Snowflake API Integration Object

Note

Describe the API Integration Object

Update IAM Access Role Policy

Test Connectivity

Troubleshooting

2.4 - Policy Agent Installation

Important

ESA Server

Certificates on ESA

Note

Identify or Create a new VPC

VPC Subnet Configuration

NAT Gateway For ESA Hosted Outside AWS Network

VPC Endpoints Configuration

Identify or Create Security Groups

Creating ESA Credentials

Note

Option 1: Secrets Manager

Option 2: KMS Encrypted Password

Option 3: Custom AWS Lambda function

Warning

Create Agent Lambda IAM Policy

Create Agent Lambda IAM Role

Corporate Firewall Configuration

CloudFormation Installation

Policy Agent Lambda Configuration

Note

Note

Note

Note

Test Installation

Troubleshooting

Note

Additional Configuration

Policy Agent Schedule

2.5 - Audit Log Forwarder Installation

Note

ESA Audit Store Configuration

Certificates on ESA

Note

Note

AWS VPC Configuration

Note

VPC Subnet Configuration

NAT Gateway For ESA Hosted Outside AWS Network