This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Appendices

Additional references for the protector.

1: Sample Snowflake External Function
2: Installing the Policy Agent and Protector in Different AWS Accounts
3: Integrating Cloud Protect with PPC (Protegrity Provisioned Cluster)
4: Policy Agent - Custom VPC Endpoint Hostname Configuration
5: Protection Methods
6: Configuring Regular Expression to Extract Policy Username
7: Associating ESA Data Store With Cloud Protect Agent

1 - Sample Snowflake External Function

A collection of sample Snowflake functions.

Sample Snowflake External Function

Method: Tokenization
Type: ALPHA

Snowflake Data Types	Snowflake Max Size	Protegrity Max Size
VARCHAR	16M (16,777,216 bytes)	4K (4,096 bytes)
CHAR
STRING
TEXT

External Function Sample Definitions:
`CREATE SECURE EXTERNAL FUNCTION PTY_PROTECT_ALPHA ( val varchar ) RETURNS varchar NULL IMMUTABLE COMMENT = 'Protects using an ALPHA data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"PROTECT","data_element":"TOK_ALPHA"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
`CREATE SECURE EXTERNAL FUNCTION PTY_UNPROTECT_ALPHA ( val varchar ) RETURNS varchar NULL IMMUTABLE COMMENT = 'Unprotects using an ALPHA data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"UNPROTECT","data_element":"TOK_ALPHA"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`

Sample EF Calls:
`SELECT PTY_PROTECT_ALPHA ('Hello World')`
`SELECT PTY_UNPROTECT_ALPHA('rfDtw sLMJK');`

Snowflake Masking Policy example:
`create or replace masking policy alpha_policy as (val string) returns string -> case when current_role() in ('ACCOUNTADMIN') then PTY_UNPROTECT_ALPHA(val) else val end;`
`alter table pii_data modify column field01 set masking policy alpha_policy; alter table pii_data modify column field01 unset masking policy;`

Method: Tokenization
Type: NUMERIC

Snowflake Data Types	Snowflake Max Size	Protegrity Max Size
NUMBER
DECIMAL
INTEGER
DOUBLE

External Function Sample Definitions:
`CREATE SECURE EXTERNAL FUNCTION PTY_PROTECT_NUMERIC ( val number ) RETURNS number NULL IMMUTABLE COMMENT = 'Protects using a NUMERIC data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"PROTECT","data_element":"TOK_NUMERIC"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
`CREATE SECURE EXTERNAL FUNCTION PTY_UNPROTECT_NUMERIC ( val number) RETURNS number NULL IMMUTABLE COMMENT = 'Unprotects using a NUMERIC data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"UNPROTECT","data_element":"TOK_NUMERIC"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`

Sample EF Calls:
`SELECT PTY_PROTECT_NUMERIC ('123456789');`
`SELECT PTY_UNPROTECT_NUMERIC ('752513497');`

Snowflake Masking Policy example:
`create or replace masking policy num_policy as (val number) returns number -> case when current_role() in ('ACCOUNTADMIN') then PTY_UNPROTECT_NUMERIC(val) else val end;`
`alter table pii_data modify column field02 set masking policy num_policy; alter table pii_data modify column field02 unset masking policy;`

Method: Tokenization
Type: DATE YYYY-MM-DD

Snowflake Data Types	Snowflake Max Size	Protegrity Max Size
DATE (any supported format)	10 bytes	10 bytes

External Function Sample Definitions:
`CREATE SECURE EXTERNAL FUNCTION PTY_PROTECT_DATEYYYYMMDD ( val date ) RETURNS date NULL IMMUTABLE COMMENT = 'Protects using a Date data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"PROTECT","data_element":"TOK_DATEYYYYMMDD"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
`CREATE SECURE EXTERNAL FUNCTION PTY_UNPROTECT_DATEYYYYMMDD ( val date ) RETURNS date NULL IMMUTABLE COMMENT = 'Unprotects using a Date data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"UNPROTECT","data_element":"TOK_DATEYYYYMMDD"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
Sample EF Calls:
`SELECT PTY_PROTECT_DATEYYYYMMDD ('2020-12-31');`
`SELECT PTY_UNPROTECT_DATEYYYYMMDD('0653-06-01');`
`SELECT PTY_PROTECT_DATEYYYYMMDD ('31-DEC-2020');*`
`SELECT PTY_UNPROTECT_DATEYYYYMMDD('01-JUN-0653');*`
`SELECT PTY_PROTECT_DATEYYYYMMDD('12/31/2020');*`
`SELECT PTY_UNPROTECT_DATEYYYYMMDD('06/01/0653');*`
`SELECT PTY_PROTECT_DATEYYYYMMDD (current_date);`

Snowflake Masking Policy example:
`create or replace masking policy date_policy as (val date) returns date -> case when current_role() in ('ACCOUNTADMIN') then PTY_UNPROTECT_DATEYYYYMMDD (val) else val end;`
`alter table pii_data modify column field11 set masking policy date_policy; alter table pii_data modify column field11 unset masking policy;`

**\***: Automatic cast to YYYY-MM-DD, no need to make any conversions. The output is always in the YYYY-MM-DD format

Cutover Dates of the Proleptic Gregorian Calendar: no issues (no conversions performed by Snowflake)

Method: Tokenization
Type: DATETIME

Snowflake Data Types	Snowflake Max Size	Protegrity Max Size
DATE	10 bytes	29 bytes
DATETIME	29 bytes
TIMESTAMPNTZ*
TIMESTAMP_NTZ*
TIMESTAMP WITHOUT TIME ZONE*

External Function Sample Definitions:
`CREATE SECURE EXTERNAL FUNCTION PTY_PROTECT_DATETIME ( val timestamp ) RETURNS timestamp NULL IMMUTABLE COMMENT = 'Protects using a TIMESTAMP data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"PROTECT","data_element":"TOK_DATETIME"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
`CREATE SECURE EXTERNAL FUNCTION PTY_UNPROTECT_DATETIME ( val timestamp ) RETURNS timestamp NOT NULL IMMUTABLE COMMENT = 'Unprotects using a TIMESTAMP data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"UNPROTECT","data_element":"TOK_DATETIME"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
Sample EF Calls:
`SELECT PTY_PROTECT_DATETIME('2010-10-25');`
`SELECT PTY_UNPROTECT_DATETIME('0845-04-04');`
`SELECT PTY_PROTECT_DATETIME('2010-10-25 10:45:33');`
`SELECT PTY_UNPROTECT_DATETIME('0845-04-04 10:45:33');`
`SELECT PTY_PROTECT_DATETIME('2010-10-25 10:45:33.123');`
`SELECT PTY_UNPROTECT_DATETIME('0845-04-04 10:45:33.123');`
`SELECT PTY_PROTECT_DATETIME(current_date);`
`SELECT PTY_PROTECT_DATETIME(cast(current_timestamp as TIMESTAMPNTZ));`

Snowflake Masking Policy example:
`create or replace masking policy datetime_policy as (val timestampntz) returns timestampntz -> case when current_role() in ('ACCOUNTADMIN') then PTY_UNPROTECT_DATETIME (val) else val end;`
`alter table pii_data modify column field12 set masking policy datetime_policy; alter table pii_data modify column field12 unset masking policy;`

**\***: Default TIMESTAMP in Snowflake includes Time Zone – not supported by Protegrity’s DATETIME data element

Method: Tokenization
Type: DECIMAL

Snowflake Data Types	Snowflake Max Size	Protegrity Max Size
NUMBER(N,M)	38 digits	36 digits
NUMERIC(N,M)*
DECIMAL(N,M)*

External Function Sample Definitions:
`CREATE SECURE EXTERNAL FUNCTION PTY_PROTECT_DECIMAL ( val NUMBER(38,6) ) RETURNS NUMBER(38,6) NULL IMMUTABLE COMMENT = 'Protects using a DECIMAL data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"PROTECT","data_element":"TOK_DECIMAL"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
`CREATE SECURE EXTERNAL FUNCTION PTY_UNPROTECT_DECIMAL ( val NUMBER(38,6) ) RETURNS NUMBER(38,6) NULL IMMUTABLE COMMENT = 'Unprotects using a DECIMAL data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"UNPROTECT","data_element":"TOK_DECIMAL"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
Sample EF Calls:
`SELECT PTY_PROTECT_DECIMAL (12345678.99);`
`SELECT PTY_UNPROTECT_DECIMAL (21872469.760000);`

Snowflake Masking Policy example:
`create or replace masking policy decimal_policy as (val NUMBER(38,6)) returns NUMBER(38,6)-> case when current_role() in ('ACCOUNTADMIN') then PTY_UNPROTECT_DECIMAL (val) else val end;`
`alter table pii_data modify column field13 set masking policy decimal_policy; alter table pii_data modify column field13 unset masking policy;`

**\***: Synonymous with NUMBER

Method: Tokenization
Type: INTEGER

Snowflake Data Types	Snowflake Max Size	Protegrity Max Size
NUMBER	38 digits	2 bytes 4 bytes 8 bytes
NUMERIC*
INT*
INTEGER*
BIGINT*
SMALLINT*
TINYINT*
BYTEINT*

External Function Sample Definitions:
`CREATE SECURE EXTERNAL FUNCTION PTY_PROTECT_INTEGER ( val NUMBER ) RETURNS NUMBER NULL IMMUTABLE COMMENT = 'Protects using an INTEGER data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"PROTECT","data_element":"TOK_INTEGER"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
`CREATE SECURE EXTERNAL FUNCTION PTY_UNPROTECT_INTEGER ( val NUMBER ) RETURNS NUMBER NOT NULL IMMUTABLE COMMENT = 'Unprotects using an INTEGER data element' API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID HEADERS =( 'X-Protegrity-HCoP-Rules'= '{"jsonpaths":[{"op_type":"UNPROTECT","data_element":"TOK_INTEGER"}]}' ) CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) AS '<AWS API GATEWAY URL>/SF_CUSTOMER';`
Sample EF Calls:
`SELECT PTY_PROTECT_INTEGER (123456789);`
`SELECT PTY_UNPROTECT_INTEGER (1104108887);`

Snowflake Masking Policy example:
`create or replace masking policy int_policy as (val NUMBER ) returns NUMBER -> case when current_role() in ('ACCOUNTADMIN') then PTY_UNPROTECT_INTEGER (val) else val end;`
`alter table pii_data modify column field14 set masking policy int_policy; alter table pii_data modify column field14 unset masking policy;`

**\***: Synonymous with NUMBER, except that precision and scale cannot be specified $i.e. always defaults to NUMBER\(38, 0$\)

**Recommended approach for protecting whole numbers fields in Snowflake

When values are	…then use the following Data Element:
Between -32768 and 32767	INTEGER (2 bytes)
Between -2147483648 and 2147483647	INTEGER (4 bytes)
Between -9223372036854775808 and 9223372036854775807	INTEGER (8 bytes)
< -9223372036854775808 or > 9223372036854775807	DECIMAL

When in doubt, use DECIMAL for any numeric range.

2 - Installing the Policy Agent and Protector in Different AWS Accounts

Example steps to install Agent in a different AWS account than the Protector

The Policy Agent Lambda function and Protect Lambda functions can be installed in separate AWS accounts. However, additional configuration is required to authorize the Policy Agent to provision the security policy to a remote Protect Lambda function.

Note

The Policy Agent will deploy an encrypted security policy file to an S3 bucket in the Protect function’s AWS Account.

Create Agent Lambda IAM policy

Login to the AWS account that hosts the Protect Lambda function.
From the AWS IAM console, select Policies > Create Policy.

Select the JSON tab and copy the following snippet.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LambdaUpdateFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:*"
      ]
    },
    {
      "Sid": "LambdaReadLayerVersion",
      "Effect": "Allow",
      "Action": [
        "lambda:GetLayerVersion",
        "lambda:ListLayerVersions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LambdaDeleteLayerVersion",
      "Effect": "Allow",
      "Action": "lambda:DeleteLayerVersion",
      "Resource": "arn:aws:lambda:*:*:layer:*:*"
    },
    {
      "Sid": "LambdaPublishLayerVersion",
      "Effect": "Allow",
      "Action": "lambda:PublishLayerVersion",
      "Resource": "arn:aws:lambda:*:*:layer:*"
    },
    {
      "Sid": "S3GetObject",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::*/*"
    },
    {
      "Sid": "S3PutObject",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::*/*"
    },
    {
      "Sid": "LambdaGetConfiguration",
      "Effect": "Allow",
      "Action": [
          "lambda:GetFunctionConfiguration"
      ],
      "Resource": [
          "arn:aws:lambda:*:*:function:*"
      ]
    }
  ]
}

Replace the wildcards (*) with the region, account, and resource name information where required.
Select Review policy, type in the policy name, and confirm. Record policy name:
Agent Lambda Cross Account Policy Name: ___________________

Create Policy Agent cross-account IAM Role

Login to the AWS account that hosts the Protect Lambda function.
From the AWS IAM console, select Roles > Create Role
Select AWS Service > Lambda . Proceed to Permissions.
Select Policy created in the step above. Proceed to Tags.
Specify Tag, proceed to the final screen. Type in policy name and confirm. Record the name.
Policy Agent Cross Account IAM Role Name: ___________________

Allow the Policy Agent Cross-Account Role to be Assumed by the Policy Agent IAM Role

Login to the AWS account that hosts the Protect Lambda function.
Navigate to the previously created IAM Role (Agent Lambda Cross-Account IAM Role Name).
Navigate to Trust Relationships > Edit Trust Relationships.

Modify the Policy Document, replacing the placeholder value indicated in the following snippet as <Agent Lambda IAM Execution Role ARN> with ARN of Agent Lambda IAM Role that was created in Agent Installation.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",

   "Principal": {

            "AWS": "<Agent Lambda IAM Execution Role Name>"

      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Click Update Trust Policy.

Add Assume Role to the Policy Agent Execution IAM Role

Navigate to the Agent Lambda IAM Execution Role that was created in Agent Installation.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",

   "Principal": {

            "AWS": "<Agent Lambda IAM Execution Role Name>"

      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Add Inline Policy.

Modify the Policy Document, replacing the placeholder value indicated in the following snippet as <Agent Lambda Cross-Account IAM ARN> with the value recorded in Create Policy Agent cross-account IAM Role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "<Agent Lambda Cross-Account IAM  ARN>."
    }
  ]
}

When you are finished, choose Review Policy.
On the Review policy page, type a Name, then choose Create Policy.

Update the Policy Agent Lambda Configuration

From the AWS console, navigate to Lambda, and select the Policy Agent Lambda function.
Select Configuration tab | Environment variables.
Select Edit and add the following environment variables with the value from Agent Lambda Cross-Account IAM ARN:
Parameter Value
AWS_ASSUME_ROLE Agent Lambda Cross-Account IAM ARN
Ensure the values in the Parameters AWS_POLICY_S3_BUCKET, AWS_PROTECT_FN_NAME and AWS_POLICY_LAYER_NAME are all in the Protect Lambda Function AWS Account.
In case custom VPC hostname configuration is used, you will need to set the ENDPOINT_URL. Refer to Policy Agent - Custom VPC Endpoint Hostname Configuration.
AWS_VPC_ENDPOINT_URL
<AWS_VPC_ENDPOINT>
Click Save and Run the Lambda. The Lambda will now assume the Role in Protect Lambda Function AWS Account and update the policy cross accounts.

Parameter	Value
AWS_ASSUME_ROLE	Agent Lambda Cross-Account IAM ARN

3 - Integrating Cloud Protect with PPC (Protegrity Provisioned Cluster)

Concepts for integrating with PPC (Protegrity Provisioned Cluster)

This guide describes how to configure the Protegrity Policy Agent and Log Forwarder to connect to a Protegrity Provisioned Cluster (PPC), highlighting the differences from connecting to ESA.

Key Differences: PPC vs ESA

Feature	ESA 10.2	PPC (this guide)
Datastore Key Fingerprint	Optional/Recommended	Required
CA Certificate on Agent	Optional/Recommended	Optional/Recommended
CA Certificate on Log Forwarder	Optional/Recommended	Not supported
Client Certificate Authentication from Log Forwarder	Optional/Recommended	Not supported
IP Address	ESA IP address	PPC address

Prerequisites

Access to PPC and required credentials.
Tools: curl, kubectl installed.

Policy Agent Setup with PPC

Important

When connecting to PPC, the Policy Agent requires the PTY_DATASTORE_KEY fingerprint. For ESA 10.2, the fingerprint is optional but recommended. See Policy Agent Installation for general setup steps.

Follow these instructions as a guide for understanding specific inputs for Policy Agent integrating with PPC:

Obtain the Datastore Key Fingerprint

To retrieve the fingerprint for your Policy Agent:

curl -k -H "Authorization: Bearer ${TOKEN}" -X POST https://${HOST}/pty/v2/pim/datastores/1/export/keys  -H "Content-Type: application/json" --data '{
  "algorithm": "RSA-OAEP-256",
  "description": "example-key-from-kms",
  "pem": "-----BEGIN PUBLIC KEY-----\nABC123... ...890XYZ\n-----END PUBLIC KEY-----"
}'

Sample Output:

{"uid":"1","algorithm":"RSA-OAEP-256","fingerprint":"4c:46:d8:05:35:2e:eb:39:4d:39:8e:6f:28:c3:ab:d3:bc:9e:7a:cb:95:cb:b1:8e:b5:90:21:0f:d3:2c:0b:27","description":"example-key-from-kms"}

Record the fingerprint value and configure it as the PTY_DATASTORE_KEY for the Policy Agent.

Retrieve the PPC CA Certificate
To obtain the CA certificate from PPC:
```
kubectl -n api-gateway get secret ingress-certificate-secret -o jsonpath='{.data.ca\.crt}' | base64 -d > CA.pem
```
Use the CA.pem that was returned as described in Policy Agent Installation.
Configure the PPC Address
Use the PPC address in place of the ESA IP address wherever required in your configuration.

Log Forwarder Setup with PPC

Note

When using PPC, certificate authentication and CA validation are not supported for the Log Forwarder. Configuration steps related to certificates in Log Forwarder Installation do not apply to PPC. If you attempt to use certificates provided by PPC, the Log Forwarder will not function correctly.

The Log Forwarder will proceed without certificates and will print a warning if PtyEsaCaServerCert and PtyEsaClientCertificatesSecretId are not provided.
No additional certificate or CA configuration is needed for PPC.

Troubleshooting

Protector Lambda fails with “AWS KMS Decrypt failed”

Symptom:

After a successful Policy Agent run and layer update, the Protector Lambda returns:

{
  "body": "{\"error_msg\":\"Failed to open decoder: rpdecode decrypt failure: dek callback failed: AWS KMS Decrypt failed: \",\"success\":false}",
  "isBase64Encoded": false,
  "statusCode": 400
}

The Protector Lambda logs show:

[SEVERE] [utils.cpp:185] AWS KMS Decrypt failed:

Cause:

The public key configured in the PPC/ESA datastore does not match the KMS key pair used by the Policy Agent. The policy package is encrypted with the public key stored in the datastore. If that key does not correspond to the KMS key pair whose private key is used for decryption, the Protector Lambda will fail to decrypt the policy.

Resolution:

Identify the KMS key pair used by the Policy Agent (the key ARN configured during pre-configuration).
Export the public key from that KMS key pair.
In PPC/ESA, ensure the datastore’s export key is configured with the public key from that same KMS key pair. See Obtain the Datastore Key Fingerprint above.
Re-run the Policy Agent to generate a new policy package encrypted with the correct key.
Test the Protector Lambda again.

Important

Always verify that the public key registered in the PPC/ESA datastore belongs to the same KMS key pair referenced by the Policy Agent. A mismatch between these keys is a common cause of AWS KMS Decrypt failed errors.

The KMS key must be an asymmetric key with the Encrypt and decrypt key usage type. Symmetric keys or asymmetric keys configured for signing will not work.

Additional Notes

For troubleshooting, consult the Protegrity Documentation.

4 - Policy Agent - Custom VPC Endpoint Hostname Configuration

Custom vpc endpoint hostname configuration

The Policy Agent uses default endpoint hostnames to communicate with other AWS services (for example, secretsmanager.amazonaws.com). This configuration will only work in VPCs where Amazon-provided DNS is available (default VPC configuration with private DNS option enabled for the endpoint). If your VPC uses custom DNS, follow the instructions below to configure the Policy Agent Lambda to use custom endpoint hostnames.

Note

This configuration is only available with the Cloud Protect version 1.5.0 or higher. For more information about the upgrade instructions, refer to Upgrading to the Latest Version.

Identify DNS Hostnames

To identify DNS hostnames:

From AWS console, select VPC > Endpoints.
Select Secrets Manager endpoint from the list of endpoints.
Under Details > DNS Names, note the private endpoint DNS names adding https:// at the beginning of the endpoint name.
For example, https://vpce-1234-4pzomrye.kms.us-west-1.vpce.amazonaws.com
Note down DNS names for the KMS and Lambda endpoints:
AWS_SECRETSMANAGER_ENDPOINT: https://_________________
AWS_KMS_ENDPOINT: https://_________________
AWS_LAMBDA_ENDPOINT: https://_________________

Update the Policy Agent Lambda configuration

To update policy agent lambda configuration:

From the AWS console, navigate to Lambda, and select the Policy Agent Lambda function.
Select the Configuration section and choose Environment variables.
Select Edit and add the following environment variables with the corresponding endpoint URLs recorded in steps 3-4:
Parameters Value
AWS_SECRETSMANAGER_ENDPOINT_URL <AWS_SECRETS_ENDPOINT>
AWS_KMS_ENDPOINT_URL <AWS KMS ENDPOINT>
AWS_LAMBDA_ENDPOINT_URL <AWS LAMBDA ENDPOINT>
Click Save and Run the Lambda. The Lambda will now use endpoints you have just configured.

Parameters	Value
AWS_SECRETSMANAGER_ENDPOINT_URL	<AWS_SECRETS_ENDPOINT>
AWS_KMS_ENDPOINT_URL	<AWS KMS ENDPOINT>
AWS_LAMBDA_ENDPOINT_URL	<AWS LAMBDA ENDPOINT>

5 - Protection Methods

Cloud API supported protection methods

Protection Methods

For more information about the protection methods supported by Protegrity, refer to the Protection Methods Reference.

Tokenization Type	Supported Input Data Types	Notes
Numeric Credit Card Alpha Upper-case Alpha Alpha-Numeric Upper Alpha-Numeric Lower ASCII Printable Decimal Unicode Unicode Base64 Unicode Gen2 Email	STRING NULL
Integer	NUMBER NULL
Date Datetime	STRING NULL	For information about supported formats, refer to the Protection Methods Reference.
Binary	STRING NULL	Must be `hex` encoded unless a different `encoding` is specified. Another supported encoding is `base64`.

Protection Method	Supported Input Data Types	Notes
No Encryption	STRING NUMBER NULL

Protection Method

Supported Input Data Types

Notes

No Encryption

STRING

NUMBER

NULL

Encryption Algorithm	Supported Input Data Types	Notes
3DES AES-128 AES-256 CUSP 3DES CUSP AES-128 CUSP AES-256	STRING	Must be `hex` encoded unless a different `encoding` is specified. Another supported encoding is `base64`.

Encryption Algorithm

Supported Input Data Types

Notes

3DES

AES-128

AES-256

CUSP 3DES

CUSP AES-128

CUSP AES-256

STRING

Must be hex encoded unless a different encoding is specified. Another supported encoding is base64.

6 - Configuring Regular Expression to Extract Policy Username

Extract the policy username from the AWS identity.

Configuring Regular Expression to Extract Policy Username

Cloud Protect Lambda Function exposes USERNAME_REGEX configuration to allow extraction of policy username from user in the request.

USERNAME_REGEX Lambda Environment configuration
The USERNAME_REGEX configuration can be used to extract policy username from user in the request. The following are allowed values for USERNAME_REGEX:
- 1 - Default build-in regular expression is used:
```
^arn:aws:(?:iam|sts)::[0-9]{12}:(?:role|user|group|assumed\-role|federated\-user)\/([\w\/+=,.\-]{1,1024}|[\w\/+=,.\-@]{1,1024})(?:@[a-zA-Z0-9\-]{1,320}(?:\.\w+)+)?$
```
- ^User regex$ - Custom regex with one capturing group. This group is used to extract the username. Examples below show different regular expression values and the resulting policy user.

USERNAME_REGEX	User in the request	Effective Policy User
Not Set	arn:aws:iam::123456789012:user/juliet.snow	arn:aws:iam::123456789012:user/juliet.snow
Not Set	arn:aws:sts::123456789012:assumed-role/TestSaml	arn:aws:sts::123456789012:assumed-role/TestSaml
1	arn:aws:iam::123456789012:user/juliet.snow	juliet.snow
1	arn:aws:sts::123456789012:assumed-role/TestSaml	TestSaml
`^arn:aws:(?:iam\|sts)::[0-9]{12}:((?:role\|user\|group\|assumed-role\|federated-user).*)$`	arn:aws:iam::123456789012:user/juliet.snow	user/juliet.snow
	arn:aws:sts::123456789012:assumed-role/TestSaml	assumed-role/TestSaml

7 - Associating ESA Data Store With Cloud Protect Agent

Configure ESA data store for Policy Agent.

Associating ESA Data Store With Cloud Protect Agent

ESA controls which policy is deployed to protector using concept of data store. A data store may contain a list of IP addresses identifying servers allowed to pull the policy associated with that specific data store. Data store may also be defined as default data store, which allows any server to pull the policy, provided it does not belong to any other data stores. Node registration occurs when the policy server (in this case the policy agent) makes a policy request to ESA, where the agent’s IP address is identified by ESA.

Note

For more information about ESA data store refer to Policy Management Guide which is part of Protegrity ESA documentation.

Policy agent lambda source IP address used for node registration on ESA depends on ESA hubcontroller configuration ASSIGN_DATASTORE_USING_NODE_IP and the PTY_ADDIPADDRESSHEADER configuration exposed by the agent lambda.

The Lambda service uses multiple network interfaces, internal network interface with ephemeral IP range of 169.254.x.x and external network interface with IP range of the VPC subnet the Lambda is associated with. By default, when agent lambda is contacting ESA to register node for policy download, ESA uses agent Lambda VPC IP address. This default behavior is caused by the default ESA hubcontroller configuration ASSIGN_DATASTORE_USING_NODE_IP=false and agent default configuration PTY_ADDIPADDRESSHEADER=yes.

In some cases, when there is a proxy server between the ESA and agent lambda, the desirable ESA configuration is ASSIGN_DATASTORE_USING_NODE_IP=true. and PTY_ADDIPADDRESSHEADER=no which will cause the ESA to use proxy server IP address.

The table below shows how the hubcontroller and agent settings will affect node IP registration on ESA.

Agent source IP	Agent VPC subnet IP	Proxy IP	ESA config - ASSIGN_DATASTORE_USING_NODE_IP	Agent lambda config - PTY_ADDIPADDRESSHEADER	Agent node registration IP
169.254.144.81	10.1.2.173	No Proxy	true	yes	169.254.144.81
			true	no	10.1.2.173
			false	yes
			false	no
169.254.144.81	10.1.2.173	34.230.42.110	true	yes	169.254.144.81
			true	no	34.230.42.110
			false	yes
			false	no