AWS IAM
When running in AWS, the Privacera Manager host virtual machine requires privileges to deploy the Privacera Platform components. Once installed, the Privacera Platform components themselves also require privileges, both to run and to provide access to the targeted data repositories. The specific access required depends on the functions requested and the scope of data coverage requested.
AWS assigns and manages access rights through AWS Identity and Access Management (IAM), a policy/role/object model. Roles and policies are both IAM objects, but they are created and managed largely independently of each other. Access rights are defined in one or more policies; policies are then attached to roles. A role may be attached to a user account or to an instance; when attached to an instance, the role is known as an instance profile.
Policies may be created using the AWS console or the AWS command line. They can be represented, stored, imported, or exported in JSON format. This document contains a library of policies. In this guide, to create a recommended policy, you select a policy from the Privacera Manager policy library, copy it into the console, modify it to meet your enterprise requirements, and save it as a named policy.
In a subsequent step, you attach one or more of these policies to a role, and then attach that role to the Privacera Manager host.
AWS IAM role and attach policy(s)
In the AWS Console, open IAM Services.
Click Roles in the left-side navigation and then click Create role.
Create Role: Choose a use case. Select the 'EC2' use case (this "Allows EC2 instances to call AWS services on your behalf").
Click Next: Permissions to move to the next wizard page.
Create Role: Attach permissions policies. Using Filter policies, search for the previously created policy (e.g. 'privacera_s3_all') and select it by clicking its checkbox.
Click Next: Tags.
Create Role: Add tags. Optionally add a tag based on your enterprise resource tag standards. Click Next: Review.
Create Role: Review. Enter a role name such as 'privacera_s3_role'. Click Create role.
Confirm that the role has been created by searching for it in the Role list.
AWS IAM create and attach policy
In the AWS Console, open IAM Services.
Click Policies in the left-side navigation and then click Create Policy.
Click the JSON tab.
Select a policy from the list below, then copy and paste it into the JSON edit box of the AWS Create policy dialog. Click Review policy (at the bottom of the page).
Full S3 Access - All Buckets
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DataServerS3FullAccess",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
Limited S3 Access - Limited Buckets
Note: In this example policy, the accessible buckets are represented as "<PLEASE_ASSIGN_BUCKET_NAME_x>". Assign or adjust this sample policy for your enterprise and for the S3 buckets you have selected to control.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DataServerS3Limited",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject", "s3:GetObjectAcl", "s3:GetObject", "s3:ListBucket",
        "s3:DeleteObject", "s3:DeleteBucket", "s3:ListBucketMultipartUploads",
        "s3:GetBucketAcl", "s3:GetBucketPolicy", "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::<PLEASE_ASSIGN_BUCKET_NAME_1>/*",
        "arn:aws:s3:::<PLEASE_ASSIGN_BUCKET_NAME_2>",
        "arn:aws:s3:::<PLEASE_ASSIGN_BUCKET_NAME_3>/*",
        "arn:aws:s3:::<PLEASE_ASSIGN_BUCKET_NAME_4>"
      ]
    },
    {
      "Sid": "DataServerS3ListAndCreateBucketAccess",
      "Effect": "Allow",
      "Action": [ "s3:ListAllMyBuckets", "s3:HeadBucket", "s3:CreateBucket" ],
      "Resource": "*"
    }
  ]
}
DynamoDB Access
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DataserverDynamoDBAccess",
      "Effect": "Allow",
      "Action": [
        "dynamodb:Query", "dynamodb:PutItem", "dynamodb:DeleteItem", "dynamodb:Scan",
        "dynamodb:UpdateItem", "dynamodb:CreateTable", "dynamodb:DescribeTable",
        "dynamodb:DeleteTable", "dynamodb:UpdateTable", "dynamodb:GetItem",
        "dynamodb:CreateBackup", "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem",
        "dynamodb:TagResource", "dynamodb:UntagResource"
      ],
      "Resource": [ "*" ]
    },
    {
      "Sid": "DataserverDynamoDBAccessListing",
      "Effect": "Allow",
      "Action": [ "dynamodb:ListTables", "dynamodb:ListBackups" ],
      "Resource": "*"
    }
  ]
}
Kinesis Access
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageStreams",
      "Effect": "Allow",
      "Action": [
        "kinesis:PutRecord", "kinesis:DeleteStream", "kinesis:DescribeStreamSummary",
        "kinesis:CreateStream", "kinesis:GetShardIterator", "kinesis:GetRecords",
        "kinesis:DescribeStream", "kinesis:PutRecords", "kinesis:AddTagsToStream",
        "kinesis:DecreaseStreamRetentionPeriod", "kinesis:IncreaseStreamRetentionPeriod",
        "kinesis:ListTagsForStream", "kinesis:RemoveTagsFromStream",
        "kinesis:RegisterStreamConsumer", "kinesis:DeregisterStreamConsumer",
        "kinesis:DescribeStreamConsumer", "kinesis:ListStreamConsumers",
        "kinesis:DisableEnhancedMonitoring", "kinesis:EnableEnhancedMonitoring",
        "kinesis:UpdateShardCount", "kinesis:MergeShards", "kinesis:SplitShard",
        "kinesis:StartStreamEncryption", "kinesis:StopStreamEncryption", "kinesis:ListShards"
      ],
      "Resource": "*"
    },
    {
      "Sid": "KinesisListing",
      "Effect": "Allow",
      "Action": [ "kinesis:ListStreams", "kinesis:DescribeLimits" ],
      "Resource": "*"
    }
  ]
}
Firehose Access (requires an IAM policy and a trust relationship)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DataserverKinesisFirehoseAccess",
      "Effect": "Allow",
      "Action": [
        "firehose:DescribeDeliveryStream", "firehose:DeleteDeliveryStream",
        "firehose:PutRecord", "firehose:CreateDeliveryStream", "firehose:UpdateDestination"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DataserverKinesisFirehoseListingAccess",
      "Effect": "Allow",
      "Action": "firehose:ListDeliveryStreams",
      "Resource": "*"
    },
    {
      "Sid": "DataserverKinesisFirehosePassRoleAccess",
      "Effect": "Allow",
      "Action": [ "iam:GetRole", "iam:PassRole" ],
      "Resource": "*"
    },
    {
      "Sid": "DataserverKinesisFirehoseKinesisAccess",
      "Effect": "Allow",
      "Action": [ "kinesis:GetShardIterator", "kinesis:DescribeStream", "kinesis:GetRecords" ],
      "Resource": "*"
    },
    {
      "Sid": "DataserverKinesisS3Access",
      "Effect": "Allow",
      "Action": [ "s3:PutObject", "s3:CreateBucket", "s3:ListBucket" ],
      "Resource": "*"
    }
  ]
}
Add a trust relationship for the IAM role 'privacera-access-role':
{
  "Sid": "DataserverKinesisAssumeRole",
  "Effect": "Allow",
  "Principal": { "Service": "firehose.amazonaws.com" },
  "Action": "sts:AssumeRole"
}
Lambda Access
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DataserverLambdaManagementAccess",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction", "lambda:InvokeFunction", "lambda:GetEventSourceMapping",
        "lambda:GetFunction", "lambda:DeleteFunction", "lambda:DeleteEventSourceMapping"
      ],
      "Resource": [ "*" ]
    },
    {
      "Sid": "DataserverLambdaManagementListing",
      "Effect": "Allow",
      "Action": [ "lambda:ListFunctions", "lambda:ListEventSourceMappings", "lambda:CreateEventSourceMapping" ],
      "Resource": "*"
    },
    {
      "Sid": "DataserverLambdaKinesisStreamRead",
      "Effect": "Allow",
      "Action": [
        "kinesis:SubscribeToShard", "kinesis:DescribeStreamSummary", "kinesis:GetShardIterator",
        "kinesis:GetRecords", "kinesis:DescribeStream"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DataserverLambdaKinesisListing",
      "Effect": "Allow",
      "Action": [ "kinesis:ListStreams", "kinesis:ListShards" ],
      "Resource": "*"
    },
    {
      "Sid": "DataserverLambdaS3BucketsListing",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}
Add a trust relationship for the AWS IAM role 'privacera-access-role':
{
  "Sid": "DataserverLambdaAssumeRole",
  "Effect": "Allow",
  "Principal": { "Service": "lambda.amazonaws.com" },
  "Action": "sts:AssumeRole"
}
Athena Access
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DataServerAthenaAccess",
      "Effect": "Allow",
      "Action": [
        "athena:TagResource", "athena:UntagResource", "athena:StartQueryExecution",
        "athena:GetQueryResultsStream", "athena:DeleteWorkGroup", "athena:GetQueryResults",
        "athena:DeleteNamedQuery", "athena:UpdateWorkGroup", "athena:GetNamedQuery",
        "athena:CreateWorkGroup", "athena:ListTagsForResource", "athena:ListQueryExecutions",
        "athena:ListNamedQueries", "athena:GetWorkGroup", "athena:CreateNamedQuery",
        "athena:GetQueryExecution", "athena:StopQueryExecution", "athena:BatchGetNamedQuery",
        "athena:BatchGetQueryExecution"
      ],
      "Resource": [ "arn:aws:athena:*:*:workgroup/primary" ]
    },
    {
      "Sid": "DataServerAthenaGlue",
      "Effect": "Allow",
      "Action": [
        "glue:CreateDatabase", "glue:DeleteDatabase", "glue:GetDatabase", "glue:GetDatabases",
        "glue:UpdateDatabase", "glue:CreateTable", "glue:DeleteTable", "glue:BatchDeleteTable",
        "glue:UpdateTable", "glue:GetTable", "glue:GetTables", "glue:BatchCreatePartition",
        "glue:CreatePartition", "glue:DeletePartition", "glue:BatchDeletePartition",
        "glue:UpdatePartition", "glue:GetPartition", "glue:GetPartitions",
        "glue:BatchGetPartition", "glue:GetCatalogImportStatus"
      ],
      "Resource": [ "*" ]
    }
  ]
}
Glue Access
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:CreateDatabase", "glue:DeleteDatabase", "glue:GetDatabase", "glue:GetDatabases",
        "glue:UpdateDatabase", "glue:CreateTable", "glue:DeleteTable", "glue:BatchDeleteTable",
        "glue:UpdateTable", "glue:GetTable", "glue:GetTables", "glue:BatchCreatePartition",
        "glue:CreatePartition", "glue:DeletePartition", "glue:BatchDeletePartition",
        "glue:UpdatePartition", "glue:GetPartition", "glue:GetPartitions",
        "glue:BatchGetPartition", "glue:GetCatalogImportStatus"
      ],
      "Resource": [ "*" ]
    }
  ]
}
In Create policy: Review Policy, give each policy a descriptive name, such as 'privacera_s3_all_policy', or 'privacera_s3_limited_policy'. Suggested practice is to use 'privacera_' as a prefix for each policy created for Privacera Manager or Privacera Platform.
Click Create policy at the bottom of the dialog.
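As an added example (not Privacera's code), the following Node.js script fills the Limited S3 Access template for a concrete bucket list, giving every bucket both the bucket ARN (used by s3:ListBucket and the other bucket-level actions) and the object ARN (used by s3:GetObject and the other object-level actions), and lints any of the policies above for Allow statements that grant a wildcard action on all resources, leave a placeholder unfilled, or grant iam:PassRole on every role. The bucket names are constructed samples; nothing is sent to AWS.

```javascript
// Added example, not Privacera's code. Builds and lints IAM policy documents offline.

// Actions copied from the "Limited S3 Access" policy above.
const LIMITED_S3_ACTIONS = [
  "s3:PutObject", "s3:GetObjectAcl", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject",
  "s3:DeleteBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketAcl", "s3:GetBucketPolicy",
  "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:PutObjectAcl",
];

// Replace the <PLEASE_ASSIGN_BUCKET_NAME_x> placeholders for a real bucket list.
// Each bucket gets its bucket ARN and its object ARN, because bucket-level and
// object-level S3 actions are authorised against different ARN forms.
function buildLimitedS3Policy(buckets) {
  if (!Array.isArray(buckets) || buckets.length === 0) {
    throw new Error("at least one bucket name is required");
  }
  const resources = [];
  for (const b of buckets) {
    // Basic S3 bucket-name check: lowercase letters, digits, dots, hyphens, 3-63 chars.
    if (!/^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$/.test(b)) throw new Error(`invalid bucket name: ${b}`);
    resources.push(`arn:aws:s3:::${b}`, `arn:aws:s3:::${b}/*`);
  }
  return {
    Version: "2012-10-17",
    Statement: [
      { Sid: "DataServerS3Limited", Effect: "Allow", Action: LIMITED_S3_ACTIONS, Resource: resources },
      { Sid: "DataServerS3ListAndCreateBucketAccess", Effect: "Allow",
        Action: ["s3:ListAllMyBuckets", "s3:HeadBucket", "s3:CreateBucket"], Resource: "*" },
    ],
  };
}

// Lint a policy document before it is created in IAM. Returns a list of findings
// (empty when nothing is flagged). Only Allow statements are inspected.
function lintPolicy(policy) {
  const findings = [];
  const asList = (v) => (Array.isArray(v) ? v : [v]);
  for (const st of policy.Statement) {
    if (st.Effect !== "Allow") continue;
    const sid = st.Sid || "(no Sid)";
    const actions = asList(st.Action);
    const resources = asList(st.Resource);
    const wildAction = actions.some((a) => a === "*" || a.endsWith(":*"));
    const wildResource = resources.includes("*");
    if (wildAction && wildResource) findings.push(`${sid}: wildcard action on all resources`);
    if (resources.some((r) => /<PLEASE_ASSIGN_[A-Z0-9_]+>/.test(r))) findings.push(`${sid}: unfilled placeholder`);
    if (actions.includes("iam:PassRole") && wildResource) findings.push(`${sid}: iam:PassRole on all roles`);
  }
  return findings;
}

// Constructed sample run: two buckets, then the "Full S3 Access" policy from above.
function demo() {
  const limited = buildLimitedS3Policy(["data-lake-raw", "data-lake-curated"]);
  const full = { Version: "2012-10-17", Statement: [
    { Sid: "DataServerS3FullAccess", Effect: "Allow", Action: "s3:*", Resource: "*" } ] };
  return { limitedFindings: lintPolicy(limited), fullFindings: lintPolicy(full) };
}
```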
Attach Policy to Privacera Host IAM Role
In your initial creation of the Privacera Host VM, you created a role with the suggested name "Privacera_PM_Role". Because this role is already attached to the Privacera Host virtual machine, any policy attached to the role conveys its rights to the Privacera Host.
If you are not already in the AWS console at IAM: Policies, open it now:
In the AWS Console, open IAM Services.
Click Policies in the left-side navigation and then click Create Policy.
Locate the policy(s) to be attached by searching for each by name in the Create Policy dialog. (Use a substring such as "privacera" to find all policies with this name prefix.)
Select a policy to attach by clicking the radio button to the left of the policy name.
Click the Policy actions menu at the top of this dialog and select Attach. This opens the Attach policy dialog.
Select Privacera_PM_Role and click Attach Policy (at the bottom of the dialog). This attaches the policy to Privacera_PM_Role, and its rights are conveyed to the Privacera Manager Host virtual machine.
AWS IAM role and policy for Databricks
Add S3 IAM role to Databricks
Log in to Databricks and click the top-right menu.
Click Admin Console.
Click the IAM Roles tab.
Click +Add IAM Role.
Enter the Instance Profile ARN that you created in step 1, Create IAM Role and Policy to Access S3 Bucket.
Databricks validates that this Instance Profile ARN is both syntactically and semantically correct. To validate semantic correctness, Databricks does a dry run by launching a cluster with this IAM role. Any failure in this dry run produces a validation error in the UI.
Click Add.
Optionally, specify the users who can launch clusters with the IAM role.
Launch Cluster with S3 IAM Role
Log in to Databricks and click Clusters in the left menu.
Select or create a cluster.
Expand the Advanced Options section; under the Instances tab, select the IAM role from the IAM Role drop-down list. This drop-down includes all IAM roles that are available for the cluster.
PostgreSQL PolicySync
Lambda Setup for PostgreSQL Audits
This AWS Lambda function sends the audits from AWS CloudWatch to an SQS queue.
Create an Audit policy
Create a policy to attach to the AWS Lambda function (created below) that sends audit information to the SQS queue.
Log in to the AWS Console and go to the Policies section of the IAM service.
Click on Create Policy and go to the JSON tab.
Copy the policy below and enter it in the JSON textbox.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "logs:CreateLogGroup",
      "Resource": "arn:aws:logs:${REGION}:${ACCOUNT_ID}:*"
    },
    {
      "Effect": "Allow",
      "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ],
      "Resource": [ "arn:aws:logs:${REGION}:${ACCOUNT_ID}:log-group:/aws/lambda/${LAMBDA_FUNCTION_NAME}:*" ]
    },
    {
      "Effect": "Allow",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:${REGION}:${ACCOUNT_ID}:${SQS_QUEUE_NAME}"
    }
  ]
}
Click Review Policy.
Enter a name for the policy. For example, privacera-postgres-audits-lambda-execution-policy.
Click Create Policy.
Create an IAM Role
In the AWS Console, go to Roles.
Click Create Role.
Select Lambda as the use case, and click Next: Permissions.
In Attach permission policies, search for the policy created above and select it.
Click Next: Tags.
Click Next: Review.
Give a name for the role. For example, privacera-postgres-audits-lambda-execution-role.
Click Create Role.
Create Lambda Function
In the AWS Console, go to the Lambda service.
Click Create Function.
Configure the following in Basic Information:
Name: privacera-postgres-${RDS_CLUSTER_NAME}-audits
Runtime: Node.js 12.x
In Choose or create an execution role, select Use existing role.
Search for and select the IAM role created above.
Click Create Function.
In the Designer view, click Add Trigger.
Select CloudWatch Logs.
In the Log group, enter ${YOUR_RDS_LOG_GROUP}.
In the Filter name, add auditTrigger.
Click Add.
Open the Lambda code editor and add the following code.
// CloudWatch logs encoding
var encoding = process.env.ENCODING || 'utf-8'; // default is utf-8
var awsRegion = process.env.REGION || 'us-east-1';
var sqsQueueURL = process.env.SQS_QUEUE_URL;
var ignoreDatabase = process.env.IGNORE_DATABASE || '';
var ignoreUsers = process.env.IGNORE_USERS || '';

// Split the comma-separated ignore lists. Entries are trimmed, lower-cased (the log
// message is compared in lower case) and empty entries are dropped: an empty entry would
// turn the match into "@" / "@" alone and silently drop every audit record.
function toIgnoreList(csv) {
  return csv.split(',').map(function (s) { return s.trim().toLowerCase(); })
            .filter(function (s) { return s.length > 0; });
}
var ignoreDatabaseArray = toIgnoreList(ignoreDatabase);
var ignoreUsersArray = toIgnoreList(ignoreUsers);

// zlib is needed to gunzip the CloudWatch Logs subscription payload
const zlib = require('zlib');
// Import the AWS SDK
const AWS = require('aws-sdk');
// Configure the region
AWS.config.update({region: awsRegion});

exports.handler = function (event, context, callback) {
  var zippedInput = Buffer.from(event.awslogs.data, 'base64');
  zlib.gunzip(zippedInput, function (e, buffer) {
    if (e) {
      callback(e);
      return; // do not continue with an undefined buffer
    }
    var awslogsData = JSON.parse(buffer.toString(encoding));
    // Create an SQS service object
    const sqs = new AWS.SQS({apiVersion: '2012-11-05'});
    console.log(awslogsData);
    if (awslogsData.messageType === 'DATA_MESSAGE') {
      awslogsData.logEvents.forEach(function (log) {
        console.log(log.message);
        var message = log.message.toLowerCase();
        // Skip messages that belong to an ignored database ("@<db>") or user ("<user>@")
        var sendToSQS = true;
        for (var i = 0; i < ignoreDatabaseArray.length; i++) {
          if (message.indexOf("@" + ignoreDatabaseArray[i]) !== -1) {
            sendToSQS = false;
            break;
          }
        }
        if (sendToSQS) {
          for (var j = 0; j < ignoreUsersArray.length; j++) {
            if (message.indexOf(ignoreUsersArray[j] + "@") !== -1) {
              sendToSQS = false;
              break;
            }
          }
        }
        if (sendToSQS) {
          let sqsOrderData = {
            MessageBody: JSON.stringify(log),
            MessageDeduplicationId: log.id,
            MessageGroupId: "Audits",
            QueueUrl: sqsQueueURL
          };
          // Send the audit record to the SQS queue
          let sendSqsMessage = sqs.sendMessage(sqsOrderData).promise();
          sendSqsMessage.then((data) => {
            console.log("Sent to SQS");
          }).catch((err) => {
            console.log("Error in Sending to SQS = " + err);
          });
        }
      });
    }
  });
};
In the Code Editor of the Lambda code, go to Environment Variables > Manage Environment Variables > Add environment variables and set the following variables.
REGION: ${REGION}
SQS_QUEUE_URL: ${SQS_QUEUE_URL}
IGNORE_DATABASE: ${POSTGRESQL_DB}
IGNORE_USERS: ${POSTGRES_ADMIN_USER}
Click Save to save the environment variables.
In Designer view, click Save.
IAM Role for EC2
Create the following IAM policy and attach it to the IAM role of the EC2 instance where PolicySync is installed.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:DeleteMessage", "sqs:GetQueueUrl", "sqs:ListDeadLetterSourceQueues",
        "sqs:ReceiveMessage", "sqs:GetQueueAttributes"
      ],
      "Resource": "${SQS_QUEUE_ARN}"
    },
    {
      "Effect": "Allow",
      "Action": "sqs:ListQueues",
      "Resource": "*"
    }
  ]
}