Pre-Configuration

Configuration steps prior product installation.

    Determine AWS Region

    Query the AWS region where the Snowflake cluster is running. This is the region in which Protegrity Serverless must be installed.

    To determine AWS region:

    1. Login to Snowflake

    2. In the SQL console, run the following query.

      select current_region();

    3. Record the AWS region (e.g. us-east-1).

      AWS Region: ___________________

    Provide AWS sub-account

    Identify or create an AWS account where the Protegrity solution will be installed. It is recommended that a new AWS sub-account be created. This can provide greater security controls and help avoid conflicts with other applications that might impact regional account limits. An individual with the Cloud Administrator role will be required for some subsequent installation steps.

    AWS Account ID: ___________________

    AWS Region (AwsRegion): ___________________

    Create S3 bucket for Installing Artifacts

    This S3 bucket will be used for the artifacts required by the CloudFormation installation steps. This S3 bucket must be created in the region that is defined in Provide AWS sub-account

    1. Sign in to the AWS Management Console and open the Amazon S3 console.

    2. Change region to the one determined in Provide AWS sub-account

    3. Click Create Bucket.

    4. Enter a unique bucket name:

      For example, protegrity-install.us-west-2.example.com

    5. Upload the installation artifacts to this bucket. Protegrity will provide the following three artifacts:

      • protegrity-protect-<version>.zip
      • protegrity-agent-<version>.zip
      • protegrity-external-extension-<version>.zip
      • protegrity-sample-policy-<version>.zip

      S3 Bucket name (ArtifactS3Bucket): ___________________

    Create KMS Key

    The Amazon Key Management Service (KMS) provides the ability for the Protegrity Serverless solution to encrypt and decrypt the Protegrity Security Policy.

    To create KMS key:

    1. In the AWS sub-account where the KMS key will reside, select the region.

    2. Navigate to Key Management Service > Create Key.

    3. Configure the key settings:

      • Key type: Asymmetric
      • Key usage: Encrypt and decrypt
      • Key spec: RSA_4096
      • Click Next

    4. Create alias and optional description, such as, Protegrity-Serverless and click Next.

    5. Define key administrative permissions, the IAM user who will administrate the key.

    6. Click Next.

    7. Define the key usage permissions.

    8. In Other AWS accounts, enter the AWS account id used for the Protegrity Serverless installation.

    9. Continue on to create the key. If there is a concern this permission is overly broad, then you can return later to restrict access to the role of two Protegrity Serverless Lambda as principals. Click to open the key in the list and record the ARN.

      KMS Key ARN (AWS_KMS_KEY_ID): ___________________

    10. Download the public key from the KMS key. Navigate to the key in KMS console, select the Public key tab, and click Download. Save the PEM file. This public key will be added to the ESA data store as an export key. Refer to Exporting Keys to Datastore for instructions on adding the public key to the data store.

      KMS Public Key PEM file: ___________________

    Create IAM Account Role

    An IAM role is used to authorize Snowflake to access the future Protect Lambda resource.

    To create IAM account role:

    1. From the AWS console, login to the AWS sub-account where Protegrity will be hosted.

    2. Access IAM, select roles and then Create Role.

    3. Select AWS account from the list of trusted entities types.

    4. Select your AWS Account Id as a placeholder value. You will update this field later when configuring Snowflake access.

    5. Select Require external ID and enter the following placeholder value.

      REPLACE_ME_WITH_EXTERNAL_ID

    6. Click Next.

    7. Continue and click Next

    8. Enter a Role name, for example, Snowflake.

    9. After the role is created, click on the role. Record the following information:

      • Role Name (DBRoleName): ____________________
      • Role ARN: ____________________


    Last modified : December 03, 2025