Protect Service Installation

Product Installation Guide.

    Preparation

    1. Ensure that all the steps in Pre-Configuration are performed.

    2. Log in to the AWS account console where Snowflake Protector on AWS will be installed.

    3. Ensure that the required CloudFormation templates provided by Protegrity are available on your local computer.

    Create Protect Lambda IAM Execution Policy

    This task defines a policy used by the Protegrity Lambda function to write CloudWatch logs and access the KMS encryption key to decrypt the policy.

    Perform the following steps to create the Lambda execution role and required policies:

    1. From the AWS IAM console, select Policies > Create Policy.

    2. Select the JSON tab and copy the following sample policy.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "CloudWatchWriteLogs",
            "Effect": "Allow",
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": "*"
          },
          {
            "Sid": "KmsDecrypt",
            "Effect": "Allow",
            "Action": [
              "kms:Decrypt"
            ],
            "Resource": [
              "arn:aws:kms:*:*:key/*"
            ]
          }
        ]
      }
      
    3. In the KmsDecrypt statement, replace the Resource value with the ARN of the KMS key created in a previous step.

    4. Select Next, type a policy name, for example ProtegrityProtectLambdaPolicy, and select Create Policy. Record the policy name:

      ProtectLambdaPolicyName:__________________

    Create Protect Lambda IAM Role

    The following steps create the role to utilize the policy defined in Create Protect Lambda IAM Execution Policy.

    To create the Protect Lambda IAM execution role:

    1. From the AWS IAM console, select Roles > Create Role.

    2. Select AWS Service > Lambda > Next.

    3. In the list, search for and select the policy created in Create Protect Lambda IAM Execution Policy.

    4. Click Next.

    5. Type the role name, for example, ProtegrityProtectRole.

    6. Click Create role.

    7. Record the role ARN.

      Role ARN (LambdaExecutionRoleArn): ___________________

    Installing through CloudFormation

    The following steps describe the deployment of the Lambda function.

    To install through CloudFormation:

    1. Access CloudFormation and select the target AWS Region.

    2. Click Create Stack and choose With new resources.

    3. Specify the template.

    4. Select Upload a template file.

    5. Upload the Protegrity-provided CloudFormation template called pty_protect_cf.json and click Next.

    6. Specify the stack details. Enter a stack name.

    7. Enter the required parameters. All the values were generated in Pre-Configuration.

      Parameter                 Description
      DBRoleName                Name of the account role created in the pre-configuration step
      ArtifactS3Bucket          Name of the S3 bucket created in the pre-configuration step
      LambdaExecutionRoleArn    The ARN of the Lambda role created in the prior step
      MinLogLevel               Minimum log level for the protect function. Allowed values: off, severe, warning, info, config, all

    8. The log forwarder parameters can be provided later, after the log forwarder is deployed. If you are not planning to deploy the log forwarder, you can skip this step.

      Parameter                 Description
      KinesisLogStreamArn       The ARN of the AWS Kinesis stream where audit logs will be sent for aggregation
      AuditLogFlushInterval     Time interval in seconds used to accumulate audit logs before sending them to Kinesis. Default value: 30. See the Log Forwarder Performance section for more details.

    9. Click Next with defaults to complete CloudFormation.

    10. After CloudFormation is completed, select the Outputs tab in the stack.

    11. Record the following values:

      • ApiGatewayId: ________________________________
      • ProtectFunctionName: __________________________
      • ProtectFunctionProductionAlias: __________________________
      • ProtectLayerName: _____________________________
      • SnowflakeApiAllowedPrefixes: ____________________
      • SnowflakeApiAwsRoleARN: _______________________

    Snowflake Configuration

    The following sections configure Snowflake to access the API Gateway. The CloudFormation installation deployed a sample policy that can be used to smoke-test the installation.

    Login to Snowflake as ACCOUNTADMIN

    Ensure that the current user can assume the Account Administrator role. This role must be created.

    Create the Snowflake API Integration Object

    1. From the Snowflake console worksheet, select the role ACCOUNTADMIN.

    2. Paste the following text, replace the two parameters <SnowflakeApiAwsRoleARN> and <SnowflakeApiAllowedPrefixes> with the values recorded in the last step of Installing through CloudFormation, and then run the Data Definition Language (DDL) statement in the console to create the API integration object:

      create or replace api integration protegrity_api 
      api_provider = aws_api_gateway api_aws_role_arn = '<SnowflakeApiAwsRoleARN>' 
      enabled = true 
      api_allowed_prefixes = ('<SnowflakeApiAllowedPrefixes>');
      

    Describe the API Integration Object

    We require values generated by the Snowflake integration object to complete configuring the API Gateway resource policy.

    To describe API integration objects:

    1. Run the following query in the console.

      DESCRIBE API INTEGRATION protegrity_api;
      
    2. Record the following output values from the resulting query:

      • API_AWS_IAM_USER_ARN: ___________________
      • API_AWS_EXTERNAL_ID: ___________________

    Update IAM Access Role Policy

    This step allows the Snowflake IAM account to assume the role required to invoke the API Gateway resource.

    To update the trust policy of the IAM access role:

    1. Return to the AWS Console > IAM > Roles and find the IAM role created earlier, for example, Snowflake.

    2. Navigate to Trust Relationships > Edit trust policy.

    3. Modify the policy document, replacing the placeholders <API_AWS_IAM_USER_ARN> and <API_AWS_EXTERNAL_ID> in the following snippet with the values recorded from the Snowflake integration object in Describe the API Integration Object.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": "<API_AWS_IAM_USER_ARN>"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringEquals": {
                "sts:ExternalId": "<API_AWS_EXTERNAL_ID>"
              }
            }
          }
        ]
      }
      
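    As an added pre-flight check (example code, not part of this guide or of the Protegrity product), the Python below loads constructed copies of the two IAM documents from this guide and flags the two mistakes behind most failed installs: a kms:Decrypt Resource left on the template wildcard instead of your key ARN, and a trust policy whose principal or sts:ExternalId is missing or still a <placeholder>. The account ID, user name and external ID in the sample trust policy are constructed values.

```python
import json

# Constructed from the guide's sample Lambda execution policy: the KMS Resource is
# still the template wildcard that step 3 tells you to replace with your key ARN.
LAMBDA_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "CloudWatchWriteLogs", "Effect": "Allow", "Resource": "*",
   "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]},
  {"Sid": "KmsDecrypt", "Effect": "Allow",
   "Action": ["kms:Decrypt"], "Resource": ["arn:aws:kms:*:*:key/*"]}]}""")

# Constructed trust policy for the Snowflake access role; the principal and external
# ID are sample values standing in for API_AWS_IAM_USER_ARN and API_AWS_EXTERNAL_ID.
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"AWS": "arn:aws:iam::123456789012:user/example-snowflake-user"},
   "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE_EXTERNAL_ID"}}}]}""")


def _as_list(value):
    # IAM allows Action and Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]


def check_lambda_policy(policy):
    """Flag kms:Decrypt grants whose Resource still contains a wildcard ('*').

    A real key ARN has no '*'; a wildcard lets the Lambda decrypt with any key whose
    key policy admits the role, not only the key created in Pre-Configuration."""
    findings = []
    for st in policy["Statement"]:
        if "kms:Decrypt" in _as_list(st.get("Action", [])):
            for res in _as_list(st.get("Resource", [])):
                if "*" in res:
                    findings.append(f"{st.get('Sid')}: KMS Resource not scoped: {res}")
    return findings


def check_trust_policy(policy):
    """Flag AssumeRole statements with an unset principal or no usable sts:ExternalId.

    A leftover <placeholder> leaves Snowflake unable to assume the role (the 403 in
    Troubleshooting); a '*' principal lets any AWS identity attempt the assumption."""
    findings = []
    for st in policy["Statement"]:
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        prin = st.get("Principal", {})
        principal = prin if isinstance(prin, str) else str(prin.get("AWS", ""))
        ext_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if principal in ("", "*") or principal.startswith("<"):
            findings.append(f"Principal is not the API_AWS_IAM_USER_ARN: {principal!r}")
        if not ext_id or ext_id.startswith("<"):
            findings.append(f"sts:ExternalId missing or still a placeholder: {ext_id!r}")
    return findings
```

    Run both checks against the documents you are about to paste into the IAM console; an empty list from each means the KMS grant is scoped to one key and Snowflake can actually assume the role.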

    Test Connectivity

    Perform the following steps to verify that Snowflake is working correctly with the Protegrity product.

    1. Access the Snowflake SQL console.

    2. Copy and paste the following snippet into a worksheet.

      CREATE OR REPLACE SECURE EXTERNAL FUNCTION PTY_UNPROTECT_SAMPLE_POLICY(VAL VARCHAR)
          RETURNS VARCHAR(16777216)
          IMMUTABLE
          API_INTEGRATION = PROTEGRITY_API
          HEADERS = (
            'X-Protegrity-HCoP-Rules'=
            '{"jsonpaths":[{"op_type":"unprotect","data_element":"alpha"}]}'
          )
          CONTEXT_HEADERS = (CURRENT_USER,CURRENT_TIMESTAMP,CURRENT_ACCOUNT)
          COMMENT='Unprotects text using an alpha token type.'
          AS '<SnowflakeApiAllowedPrefixes>';
      
    3. Replace the <SnowflakeApiAllowedPrefixes> placeholder with the API Gateway URL recorded from the stack outputs (SnowflakeApiAllowedPrefixes).

    4. Run the following query in the console:

      select pty_unprotect_sample_policy('UtfVk UHgcD!');
      
    5. Verify that the string hello world! is returned.

    Troubleshooting

    Error: Snowflake: 403 unauthorized

    Action:
    1. Ensure that the resource policy on the API Gateway is correct.
    2. Ensure that the IAM role trust policy is accurate.
    3. Ensure that the API Gateway is deployed (or try deploying it again).

    Error: Snowflake: 5xx error

    Action: Try running the Lambda directly. Open the Lambda function and create the following test event:

      {
        "body": "{ \"data\": [ [0, \"UtfVk UHgcD!\"] ] }",
        "headers": {
          "sf-context-current-user": "test",
          "sf-custom-x-protegrity-hcop-rules": "{\"jsonpaths\":[{\"op_type\":\"unprotect\",\"data_element\":\"alpha\"}]}",
          "sf-external-function-current-query-id": "test-id"
        }
      }

    If this step fails, check the console for the meaningful error.


    Last modified : November 27, 2025

    © 2026 Protegrity Corporation. All rights reserved.