Sample Snowflake External Function

Mon, 01 Jan 0001 00:00:00 +0000

Sample Snowflake External Function

Method: Tokenization

Type: ALPHA

Snowflake Data Types

Snowflake Max Size

Protegrity Max Size

VARCHAR

16M (16,777,216 bytes)

4K (4,096 bytes)

CHAR

STRING

TEXT

External Function Sample Definitions:

CREATE SECURE EXTERNAL FUNCTION PTY_PROTECT_ALPHA ( val varchar ) 
 RETURNS varchar 
 NULL 
 IMMUTABLE 
 COMMENT = 'Protects using an ALPHA data element' 
 API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID 
 HEADERS =( 
 'X-Protegrity-HCoP-Rules'=
 '{"jsonpaths":[{"op_type":"PROTECT","data_element":"TOK_ALPHA"}]}' 
 ) 
 CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) 
 AS '<AWS API GATEWAY URL>/SF_CUSTOMER';

CREATE SECURE EXTERNAL FUNCTION PTY_UNPROTECT_ALPHA ( val varchar ) 
 RETURNS varchar 
 NULL 
 IMMUTABLE 
 COMMENT = 'Unprotects using an ALPHA data element' 
 API_INTEGRATION = REPLACE_WITH_YOUR_API_INTEGRATION_ID
 HEADERS =( 
 'X-Protegrity-HCoP-Rules'=
 '{"jsonpaths":[{"op_type":"UNPROTECT","data_element":"TOK_ALPHA"}]}'
 ) 
 CONTEXT_HEADERS = ( current_user, current_timestamp, current_account ) 
 AS '<AWS API GATEWAY URL>/SF_CUSTOMER';

Installing the Policy Agent and Protector in Different AWS Accounts

Mon, 01 Jan 0001 00:00:00 +0000

The Policy Agent Lambda function and Protect Lambda functions can be installed in separate AWS accounts. However, additional configuration is required to authorize the Policy Agent to provision the security policy to a remote Protect Lambda function.

Integrating Cloud Protect with PPC (Protegrity Provisioned Cluster)

Mon, 01 Jan 0001 00:00:00 +0000

This guide describes how to configure the Protegrity Policy Agent and Log Forwarder to connect to a Protegrity Provisioned Cluster (PPC), highlighting the differences from connecting to ESA.

Key Differences: PPC vs ESA

Feature	ESA 10.2	PPC (this guide)
Datastore Key Fingerprint	Optional/Recommended	Required
CA Certificate on Agent	Optional/Recommended	Optional/Recommended
CA Certificate on Log Forwarder	Optional/Recommended	Not supported
Client Certificate Authentication from Log Forwarder	Optional/Recommended	Not supported
IP Address	ESA IP address	PPC address

Prerequisites

Access to PPC and required credentials.
Tools: curl, kubectl installed.

Policy Agent Setup with PPC

Important

When connecting to PPC, the Policy Agent requires the PTY_DATASTORE_KEY fingerprint. For ESA 10.2, the fingerprint is optional but recommended. See Policy Agent Installation for general setup steps.

Follow these instructions as a guide for understanding specific inputs for Policy Agent integrating with PPC:

Policy Agent - Custom VPC Endpoint Hostname Configuration

Mon, 01 Jan 0001 00:00:00 +0000

The Policy Agent uses default endpoint hostnames to communicate with other AWS services (for example, secretsmanager.amazonaws.com). This configuration will only work in VPCs where Amazon-provided DNS is available (default VPC configuration with private DNS option enabled for the endpoint). If your VPC uses custom DNS, follow the instructions below to configure the Policy Agent Lambda to use custom endpoint hostnames.

Note

This configuration is only available with the Cloud Protect version 1.5.0 or higher. For more information about the upgrade instructions, refer to Upgrading to the Latest Version.

Identify DNS Hostnames

To identify DNS hostnames:

Protection Methods

Mon, 01 Jan 0001 00:00:00 +0000

Protection Methods

For more information about the protection methods supported by Protegrity, refer to the Protection Methods Reference.

Tokenization Type

Supported Input Data Types

Notes

Numeric

Credit Card

Alpha

Upper-case Alpha

Alpha-Numeric

Upper Alpha-Numeric

Lower ASCII

Printable

Decimal

Unicode

Unicode Base64

Unicode Gen2

STRING

NULL

Integer

NUMBER

NULL

Date

Datetime

STRING

NULL

For information about supported formats, refer to the Protection Methods Reference.

Configuring Regular Expression to Extract Policy Username

Mon, 01 Jan 0001 00:00:00 +0000

Configuring Regular Expression to Extract Policy Username

Cloud Protect Lambda Function exposes USERNAME_REGEX configuration to allow extraction of policy username from user in the request.

USERNAME_REGEX Lambda Environment configuration

The USERNAME_REGEX configuration can be used to extract policy username from user in the request. The following are allowed values for USERNAME_REGEX:
- 1 - Default build-in regular expression is used:
```
^arn:aws:(?:iam|sts)::[0-9]{12}:(?:role|user|group|assumed\-role|federated\-user)\/([\w\/+=,.\-]{1,1024}|[\w\/+=,.\-@]{1,1024})(?:@[a-zA-Z0-9\-]{1,320}(?:\.\w+)+)?$
```
- ^User regex$ - Custom regex with one capturing group. This group is used to extract the username. Examples below show different regular expression values and the resulting policy user.

Associating ESA Data Store With Cloud Protect Agent

Mon, 01 Jan 0001 00:00:00 +0000

Associating ESA Data Store With Cloud Protect Agent

ESA controls which policy is deployed to protector using concept of data store. A data store may contain a list of IP addresses identifying servers allowed to pull the policy associated with that specific data store. Data store may also be defined as default data store, which allows any server to pull the policy, provided it does not belong to any other data stores. Node registration occurs when the policy server (in this case the policy agent) makes a policy request to ESA, where the agent’s IP address is identified by ESA.

Appendices on

Sample Snowflake External Function