Plerion Workload Scanner FAQ

How does Plerion Workload Scanner work?

Our CWPP (Cloud Workload Protection Platform) scanning mechanism works by launching Plerion appliances into your accounts. The appliances (themselves EC2 instances) operate within your account to scan EC2 instances, Lambda functions and ECS Task Definitions. We run the appliances in your account so that your data can be scanned in place and never has to leave the account. Once scanning is complete, the appliances terminate; a fresh set of appliances is created for the next scan. We scan continuously in this fashion so that you are notified about any new vulnerabilities discovered in your environment. We create appliances at a ratio of:

  • 1 appliance for every 5 EC2 instances that need to be scanned
  • 1 appliance for every 5 ECS Task Definitions
  • 1 appliance for every 5 ASGs that need to be scanned
  • 1 appliance for every 100 Lambda functions

We create multiple appliances to parallelize the scanning process and complete it as quickly as possible. On average it takes about an hour for all appliances to complete, but this can be shorter or longer depending on the size of your workloads.

How do the Plerion appliances work?

The appliances do the following:

For EC2:

  • Provide a list of EC2 instances to scan
  • Snapshot each instance
  • Make a new block device for the snapshot
  • Attach the block device to the appliance
  • Scan the filesystem of the block device using our scanner technology
  • Detach/delete the block device and snapshot
  • Transmit results
  • Loop to the next instance
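The EC2 loop above, written out as an added Python example (not Plerion's own code). It uses the boto3 EC2 client method names (describe_instances, create_snapshot, create_volume, attach_volume, detach_volume, delete_volume, delete_snapshot) but takes the client as a parameter, and a constructed FakeEc2 stands in for boto3 so the example runs offline. The scan tag key, the appliance id, the device name and the scanner are assumptions. What it adds to the list above is the teardown: every snapshot and volume is removed in a finally block, so a scanner failure on one instance can neither leave artifacts behind nor stop the loop.

```python
"""Agentless EC2 scan loop: snapshot the root volume, build a volume from the
snapshot, attach it to the appliance, scan, tear everything down, repeat.
Added example, not Plerion's code. The client is injected; FakeEc2 below
stands in for a boto3 EC2 client so this runs offline. Tag key, appliance id
and scanner are hypothetical."""
import itertools

SCAN_TAG = {"Key": "plerion-scan", "Value": "true"}   # hypothetical tag the IAM role is scoped to


def scan_instance(ec2, instance_id, appliance_id, scanner):
    """Scan one instance's root volume out of band and return its findings.

    Everything created here is deleted in the finally block, so a scanner
    crash cannot leave a stray snapshot or a volume hanging off the appliance.
    """
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    root_volume = inst["BlockDeviceMappings"][0]["Ebs"]["VolumeId"]   # real code matches RootDeviceName
    az = inst["Placement"]["AvailabilityZone"]
    snap_id = vol_id = None
    try:
        snap_id = ec2.create_snapshot(
            VolumeId=root_volume,
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": [SCAN_TAG]}],
        )["SnapshotId"]
        vol_id = ec2.create_volume(
            SnapshotId=snap_id, AvailabilityZone=az,   # the volume must be in the appliance's AZ
            TagSpecifications=[{"ResourceType": "volume", "Tags": [SCAN_TAG]}],
        )["VolumeId"]
        ec2.attach_volume(VolumeId=vol_id, InstanceId=appliance_id, Device="/dev/sdf")
        findings = scanner(vol_id, instance_id)      # read-only filesystem scan of the device
        return {"instance_id": instance_id, "findings": findings}
    finally:
        try:
            if vol_id:
                ec2.detach_volume(VolumeId=vol_id)
                ec2.delete_volume(VolumeId=vol_id)
        finally:
            if snap_id:
                ec2.delete_snapshot(SnapshotId=snap_id)


def scan_all(ec2, instance_ids, appliance_id, scanner):
    """Loop over instances; a failure on one is recorded and the loop continues."""
    results, errors = [], {}
    for iid in instance_ids:
        try:
            results.append(scan_instance(ec2, iid, appliance_id, scanner))
        except Exception as exc:   # report the failure, keep scanning the rest
            errors[iid] = str(exc)
    return results, errors


class FakeEc2:
    """Constructed in-memory stand-in for the boto3 calls used above."""

    def __init__(self, instances):
        self.instances = instances          # {instance_id: {"VolumeId": ..., "AZ": ...}}
        self.snapshots, self.volumes = {}, {}
        self._ids = itertools.count(1)

    def describe_instances(self, InstanceIds):
        i = self.instances[InstanceIds[0]]
        return {"Reservations": [{"Instances": [{
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": i["VolumeId"]}}],
            "Placement": {"AvailabilityZone": i["AZ"]}}]}]}

    def create_snapshot(self, VolumeId, TagSpecifications):
        sid = f"snap-{next(self._ids):08x}"
        self.snapshots[sid] = {"VolumeId": VolumeId, "Tags": TagSpecifications[0]["Tags"]}
        return {"SnapshotId": sid}

    def create_volume(self, SnapshotId, AvailabilityZone, TagSpecifications):
        vid = f"vol-{next(self._ids):08x}"
        self.volumes[vid] = {"SnapshotId": SnapshotId, "Attached": None}
        return {"VolumeId": vid}

    def attach_volume(self, VolumeId, InstanceId, Device):
        self.volumes[VolumeId]["Attached"] = InstanceId

    def detach_volume(self, VolumeId):
        self.volumes[VolumeId]["Attached"] = None

    def delete_volume(self, VolumeId):
        del self.volumes[VolumeId]

    def delete_snapshot(self, SnapshotId):
        del self.snapshots[SnapshotId]


def demo_scanner(vol_id, instance_id):
    """Constructed scanner: made-up package counts, and a failure on one instance."""
    if instance_id == "i-bbb":
        raise RuntimeError("unsupported filesystem on " + vol_id)
    return {"packages": 412, "vulnerable": 7}


def run_demo():
    ec2 = FakeEc2({"i-aaa": {"VolumeId": "vol-root-a", "AZ": "us-east-1a"},
                   "i-bbb": {"VolumeId": "vol-root-b", "AZ": "us-east-1a"}})
    results, errors = scan_all(ec2, ["i-aaa", "i-bbb"], "i-appliance", demo_scanner)
    leftovers = len(ec2.snapshots) + len(ec2.volumes)   # 0: nothing survives the scan
    return results, errors, leftovers


if __name__ == "__main__":
    print(run_demo())
```

Against real EC2 the same loop needs the boto3 waiters (snapshot_completed, volume_available, volume_in_use) between the calls, since snapshots and volumes are created asynchronously; the fake client returns immediately.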

For Lambda:

  • Provide a list of Lambdas to scan
  • Download the Lambda bundle into RAM
  • Scan the Lambda bundle using our scanner technology
  • Delete the bundle
  • Transmit results
  • Loop to the next function

For ECS Task Definitions:

  • Provide a list of Task Definitions to scan
  • Download each container image defined in the Task Definition's container definitions from ECR or a public repository into RAM
  • Scan the container image using our scanner technology
  • Delete the downloaded image
  • Transmit results
  • Loop to the next definition

For Auto Scaling Groups (ASGs):

  • Provide a list of ASGs to scan
  • For each ASG:
    • List all running instances under the ASG and group them by AMI ID
    • From each AMI ID group, pick a random EC2 instance and perform the EC2 scan steps above
    • Combine the scans for each AMI group
    • Send the results to Plerion
  • Proceed to the next ASG

Which AWS regions are supported?

Plerion CWPP currently supports all default (commercial) AWS regions. These regions are enabled for all AWS accounts by default.

What about Opt-in regions?

Because service and infrastructure availability varies between Opt-in regions, we enable Opt-in regions on request. This allows us to validate availability in each Opt-in region and make sure our services function as expected there before enabling it.

Opt-in regions supported
  • Asia Pacific (Hyderabad)
  • Asia Pacific (Jakarta)
  • Asia Pacific (Melbourne)
  • Asia Pacific (Malaysia)
  • Middle East (UAE)

If you have a specific Opt-in region you'd like to see supported, please reach out to your Account Manager to get the process started.

Which instance types are used for appliances?

The instance type used for appliances depends on the scan capabilities that are enabled.

If sensitive data scanning is enabled, the preferred order is c7i.xlarge, c6i.xlarge, c6a.xlarge, c5.xlarge, c5a.xlarge, t3a.large, t3.large, t2.large, because scanning for sensitive data needs more CPU and memory.

If sensitive data scanning is not enabled, the preferred order is t3a.medium, t3.medium, t2.medium.

Selection walks the preferred order and uses the first instance type that is available in the target region and Availability Zone.

Which filesystems are supported for VM workloads?

Plerion CWPP scanner supports the following filesystems for VM workloads:

  • ext2
  • ext3
  • ext4
  • xfs
  • ntfs

Does Plerion scan workloads launched from AWS Marketplace images?

Yes, Plerion can scan workloads launched from AWS Marketplace images. However, because we use the EBS direct APIs to access Marketplace snapshots, additional data transfer charges may apply. In service-account deployments, to minimize these costs we recommend setting the CreateVPCEndpoint stack parameter to true when deploying the Plerion regional infrastructure. This creates a VPC endpoint for the EBS service, so snapshot data is accessed over the AWS network and potentially high data transfer charges are avoided.

Which data is collected from snapshots?

Plerion Workload Scanner only collects security-related metadata from workloads. The scan results -- combined with telemetry from our CSPM and CIEM capabilities -- deliver context-rich cloud security to help customers focus on what really matters.

Plerion Workload Scanner does not collect raw data, PII/PHI, or sensitive business data.

How are Workload snapshots secured?

To ensure snapshots are private and secure during the scanning process, some of the measures taken are:

  • Data is encrypted at rest and in transit.

  • Snapshots remain within the customer's account.

  • Snapshots are immediately deleted as soon as the necessary security-related metadata is acquired.

  • Only security-related metadata containing scan results is sent to Plerion Security Lake.

  • All operations are audited.

What workloads does Plerion Workload Scanner support?

Plerion Workload Scanner supports the following workload types:

  • Virtual Machines

    • AWS EC2 Instances
    • Azure Virtual Machines
  • Serverless Functions

    • AWS Lambda
    • Azure Functions
  • Container Images

    • AWS Elastic Container Service (ECS)
    • AWS Elastic Container Registry (ECR)
      • Note: For ECR container images, the last 2 pulled and the most recently pushed images are scanned.
  • Kubernetes clusters and components

    • AWS EKS,
    • Azure AKS
    • Google Cloud GKE
Warning: Workload Kubernetes support is currently in beta. For more information about Kubernetes support, please refer to the Kubernetes Workload Scanning Overview page.

We continue to add support for more workload types across AWS, Azure, and Kubernetes. Please let us know which workloads you would like to see.

What does Plerion Workload Scanner report on?

Does Plerion Workload Scanner require an agent to be deployed?

No. Using our agentless approach, customers get frictionless, comprehensive and instant visibility without agents.

How does scanning affect the running workload?

Since the scanning process is an out-of-band analysis of snapshots, it doesn't impact the actual workload.

What is the scan frequency?

By default, each workload is scanned every 24 hours. Customers have the option to receive near real-time scans if they use our Cloud Detection and Response or run on-demand scans.

Which permissions are used by Plerion Workload Scanner?

Plerion Workload Scanner uses a least-privilege access model to perform agentless scanning. For example, for AWS EC2 workloads the role includes the following permissions to create, tag and clean up snapshots. The Describe* actions do not support resource-level permissions in IAM and so apply to all resources; the actions that create, modify and delete snapshots are scoped by tag:

  • ec2:DescribeInstances
  • ec2:DescribeInstanceStatus
  • ec2:DescribeSnapshots
  • ec2:CreateSnapshots
  • ec2:CreateTags
  • ec2:ModifySnapshotAttribute
  • ec2:DeleteSnapshot
  • ec2:DeleteTags

Please visit Plerion Protection Platform to obtain a list of permissions required for other workload types for AWS, Azure, and GCP.
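A policy of the shape the EC2 permission list above describes, written out as an added example (not Plerion's published policy), together with a small evaluator that shows what tag scoping does and does not allow. The tag key and value (plerion-scan=true), the Sids and the statement layout are assumptions; the evaluator understands only Allow statements with StringEquals conditions, checks one resource at a time, and is not an IAM simulator.

```python
"""Tag-scoped snapshot permissions plus a minimal evaluator. Added example;
the tag key/value and statement layout are hypothetical, and the evaluator
covers only what these statements use (Allow, StringEquals)."""
import fnmatch
import json

TAG_KEY, TAG_VALUE = "plerion-scan", "true"     # hypothetical


def scanner_policy(region="*", account="*"):
    snapshot_arn = f"arn:aws:ec2:{region}::snapshot/*"   # snapshot ARNs carry no account id
    tag_in_request = {"StringEquals": {f"aws:RequestTag/{TAG_KEY}": TAG_VALUE}}
    tag_on_resource = {"StringEquals": {f"aws:ResourceTag/{TAG_KEY}": TAG_VALUE}}
    return {"Version": "2012-10-17", "Statement": [
        # Describe* calls support no resource-level permissions, so Resource must be "*"
        {"Sid": "Read", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
                    "ec2:DescribeSnapshots"]},
        # CreateSnapshots is also authorized against the source instance and its volumes
        {"Sid": "SnapshotSource", "Effect": "Allow", "Action": "ec2:CreateSnapshots",
         "Resource": [f"arn:aws:ec2:{region}:{account}:instance/*",
                      f"arn:aws:ec2:{region}:{account}:volume/*"]},
        # The snapshot being created must carry the scan tag in the same request
        {"Sid": "CreateTagged", "Effect": "Allow", "Resource": snapshot_arn,
         "Action": ["ec2:CreateSnapshots", "ec2:CreateTags"], "Condition": tag_in_request},
        # Only snapshots that already carry the tag may be modified or deleted
        {"Sid": "ManageTagged", "Effect": "Allow", "Resource": snapshot_arn,
         "Action": ["ec2:ModifySnapshotAttribute", "ec2:DeleteSnapshot", "ec2:DeleteTags"],
         "Condition": tag_on_resource},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource, context):
    """context holds the condition keys present in the request, for example
    {"aws:ResourceTag/plerion-scan": "true"}. A StringEquals test against a key
    that is absent (an untagged snapshot) is false, which is what scopes the role."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) == value for key, value in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(scanner_policy("us-east-1", "123456789012"), indent=2))
```

The two checks worth running before deploying a policy like this are that DeleteSnapshot is refused for a snapshot without the tag (a customer's own backups stay out of reach) and that CreateSnapshots is refused when the request does not tag the new snapshot (nothing the role creates can escape the cleanup scope).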

Does Plerion CWPP support the creation of appliances within shared subnets?

Yes. When using a shared subnet, you must add the tag PlerionAccess: Granted to the subnet; this tag grants us access to create the appliance in that subnet. Note that the tag must be added in the target account, because we do not have access to the tags assigned to the subnet in the subnet owner account.

What is a service account?

A service account in Plerion is a dedicated AWS account used to deploy Plerion infrastructure and manage the capabilities it offers. Its primary purpose is to simplify the administration of complex scenarios, such as Cloud Workload Protection Platform (CWPP), by enabling centralized management from a single AWS account. This removes the need to deploy appliances into multiple AWS accounts.

How does service account deployment differ from in-account workload deployment?

Service account deployment involves deploying the Plerion infrastructure, including the Plerion appliances, into a dedicated AWS account known as the service account. This account is separate from the AWS accounts that host the actual workloads to be scanned. By using a service account, you establish a centralized management point from which you can deploy and manage the Plerion infrastructure across multiple AWS accounts.

On the other hand, in-account workload deployment refers to deploying the Plerion appliances directly into the same AWS accounts where the workloads reside. In this approach, each AWS account hosts its own set of appliances to scan the workloads within that account. Customers are responsible for managing the network infrastructure and security groups to enable communication between the appliances, the workloads, and the Plerion Control Plane.

The choice between service account deployment and in-account workload deployment depends on the specific requirements and preferences of an organization. Service account deployment offers centralized management and control, simplifying the deployment and administration of Plerion appliances and workload scanning across multiple AWS accounts. This approach is particularly beneficial when managing a large number of AWS accounts.

On the other hand, in-account workload deployment provides a more distributed approach where the appliances are directly deployed into each AWS account containing the workloads. This maintains a closer association between the appliances and the workloads they scan. However, it can become cumbersome to manage when dealing with a large number of AWS accounts.

Does Plerion CWPP detect OS vulnerabilities?

Yes. We support:

  • Linux kernel vulnerabilities. We report vulnerabilities in the Linux kernel and kernel packages, based on the currently installed kernel version. The kernel version and kernel package names depend on the specific Linux distribution.

  • Windows OS vulnerabilities. We report vulnerabilities caused by an out-of-date Windows version or by missing security updates and patches. Windows findings include the detected Windows version and build number and link to the Windows update guide for the specific vulnerability.

Why are the vulnerabilities of all installed kernels not shown?

Although multiple kernel packages can be installed, only one kernel is active and running at any given time in your workload, so we make a best effort not to report vulnerabilities in inactive kernel packages. We currently do not report vulnerabilities in inactive kernels for the following Linux distributions:

What are the limitations of ASG scans?

When scanning Auto Scaling Groups (ASGs), be aware of the following constraints:

  • ASG scanning does not consider your launch templates or launch configurations.
  • An AMI that is not used by any running instance at the time of a scan is skipped. This is likely to happen during events such as ASG scale-in.
  • An ASG is not scanned if it has no running instances. In that case the most recent scan results remain unchanged.
  • Plerion may not produce accurate scan reports when individual instances of an Auto Scaling group are patched in place, because only one randomly chosen instance per AMI is scanned. We recommend patching the AMI instead.
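Target selection for ASGs, following the appliance steps described earlier and the constraints in this list, as an added Python example (not Plerion's code). The instance records use the InstanceId, ImageId and State.Name fields of a describe_instances response; the ASG names, instance ids and AMI ids are constructed.

```python
"""Pick which ASG instances to scan: group running instances by AMI, scan one
random instance per AMI, skip ASGs with nothing running. Added example, not
Plerion's code; sample ASGs, instances and AMIs are constructed."""
import random


def select_scan_targets(asg_instances, rng=None):
    """asg_instances: {asg_name: [instance records]}.

    Returns (targets, skipped): targets maps ASG -> {ami_id: instance chosen for
    scanning}; skipped lists ASGs with no running instance, whose previous
    results are left as they are.
    """
    rng = rng or random.Random()
    targets, skipped = {}, []
    for asg, instances in asg_instances.items():
        by_ami = {}
        for inst in instances:
            # Pending or terminating instances (e.g. mid scale-in) are ignored, so
            # an AMI with no running instance at scan time is not scanned at all.
            if inst["State"]["Name"] != "running":
                continue
            by_ami.setdefault(inst["ImageId"], []).append(inst["InstanceId"])
        if not by_ami:
            skipped.append(asg)
            continue
        # One random instance per AMI. An instance patched in place still shares
        # its AMI id with unpatched siblings, which is why per-instance patching
        # is not reliably reflected in the results.
        targets[asg] = {ami: rng.choice(ids) for ami, ids in sorted(by_ami.items())}
    return targets, skipped


def combine_asg_results(targets, findings_by_instance):
    """Attribute each AMI group's scan to the whole ASG: {asg: {ami: findings}}."""
    return {asg: {ami: findings_by_instance[iid] for ami, iid in amis.items()}
            for asg, amis in targets.items()}


# Constructed sample: web-asg runs two AMIs plus one terminating instance,
# batch-asg is scaled to zero, api-asg has only a pending instance.
SAMPLE = {
    "web-asg": [
        {"InstanceId": "i-web1", "ImageId": "ami-old", "State": {"Name": "running"}},
        {"InstanceId": "i-web2", "ImageId": "ami-old", "State": {"Name": "running"}},
        {"InstanceId": "i-web3", "ImageId": "ami-new", "State": {"Name": "running"}},
        {"InstanceId": "i-web4", "ImageId": "ami-retired", "State": {"Name": "shutting-down"}},
    ],
    "batch-asg": [],
    "api-asg": [{"InstanceId": "i-api1", "ImageId": "ami-new", "State": {"Name": "pending"}}],
}


def run_demo(seed=0):
    return select_scan_targets(SAMPLE, random.Random(seed))


if __name__ == "__main__":
    print(run_demo())
```

In the sample, ami-retired is never scanned because its only instance is shutting down, and batch-asg and api-asg are skipped entirely, so their last results stand until an instance is running again.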

Does Plerion support detecting operating systems (OS) that are past end-of-life?

Yes, Plerion supports the detection of operating systems that are past end-of-life for AWS EC2 Instances and Azure Virtual Machines. Currently we only support Linux and the following distributions:

  • Amazon Linux
  • CentOS
  • CentOS Stream
  • Debian
  • Red Hat Enterprise Linux
  • Ubuntu

We generate findings for supported resources with one of the following statuses:

  • Passed: The OS Version in use has not reached the end-of-life stage.
  • Failed: The OS Version in use has reached the end-of-life stage.
  • Unknown: Plerion is unable to determine the OS version.
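An end-of-life check of the kind described above, producing the same Passed, Failed and Unknown statuses, as an added Python example (not Plerion's code). It parses the /etc/os-release text read from a mounted snapshot and compares ID and VERSION_ID against an end-of-life table. The three dates in the table are included only as illustration (CentOS 8: 2021-12-31; Ubuntu 18.04 standard support: 2023-05-31; Debian 10 LTS: 2024-06-30); a real scanner uses a maintained feed covering many more releases. The sample os-release files are constructed.

```python
"""os-release based end-of-life check with Passed / Failed / Unknown results.
Added example, not Plerion's code. The EOL table is an illustrative subset
and the sample files are constructed."""
from datetime import date

SUPPORTED_IDS = {"amzn", "centos", "debian", "rhel", "ubuntu"}   # os-release ID values

EOL_DATES = {   # (ID, VERSION_ID) -> last day of support; illustrative subset only
    ("centos", "8"): date(2021, 12, 31),
    ("ubuntu", "18.04"): date(2023, 5, 31),
    ("debian", "10"): date(2024, 6, 30),
}


def parse_os_release(text):
    """KEY=value lines; values may be single- or double-quoted; comments and blanks skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"').strip("'")
    return fields


def eol_status(os_release_text, today):
    fields = parse_os_release(os_release_text)
    distro, version = fields.get("ID"), fields.get("VERSION_ID")
    if distro not in SUPPORTED_IDS or not version:
        return "Unknown"        # unsupported distribution, or version cannot be determined
    eol = EOL_DATES.get((distro, version))
    if eol is None:
        return "Unknown"        # no record for this release in the (illustrative) table
    return "Failed" if today > eol else "Passed"


SAMPLE_OS_RELEASE = {   # constructed
    "ubuntu-bionic": 'NAME="Ubuntu"\nVERSION="18.04.6 LTS (Bionic Beaver)"\nID=ubuntu\n'
                     'ID_LIKE=debian\nVERSION_ID="18.04"\n',
    "debian-buster": 'PRETTY_NAME="Debian GNU/Linux 10 (buster)"\nID=debian\nVERSION_ID="10"\n',
    "no-version": 'NAME="Ubuntu"\nID=ubuntu\n',        # VERSION_ID missing -> Unknown
    "alpine": "ID=alpine\nVERSION_ID=3.19.1\n",          # not a supported distribution
}


def check_all(today="2024-01-15"):
    """Status of every sample as of the given ISO date (a parameter, so the result is reproducible)."""
    as_of = date.fromisoformat(today)
    return {name: eol_status(text, as_of) for name, text in SAMPLE_OS_RELEASE.items()}


if __name__ == "__main__":
    print(check_all())
```

The reference date is a parameter rather than date.today() so that a finding can be reproduced later from the same snapshot; the same release flips from Passed to Failed on the day after its end-of-life date.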

Which resources are scanned for sensitive data?

For AWS EC2 instances and Azure VMs:

  • Root volume
  • UserData

For AWS Lambda and Azure Functions:

  • Deployment packages
  • Environment variables

For AWS ECS Task Definitions:

  • Task definition container images
  • Environment variables
    (Note: Environment variables stored in S3 are not scanned.)

For AWS ECR:

  • Container images
    (Note: For ECR container images, the last 2 pulled and the most recently pushed images are scanned.)
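Selecting which ECR images to scan under the rule stated in this note (the two most recently pulled images plus the most recently pushed one), as an added Python example (not Plerion's code). The records use the imageDigest, imagePushedAt and lastRecordedPullTime fields of an ECR describe_images response; an image that has never been pulled has no lastRecordedPullTime, which is the case handled here. The repository contents are constructed.

```python
"""ECR image selection: last two pulled plus most recently pushed, without
scanning the same digest twice. Added example, not Plerion's code; the
repository below is constructed."""
from datetime import datetime, timezone


def select_images_to_scan(image_details, recent_pulls=2):
    """Return the digests to scan: most recently pulled first, newest push last."""
    pulled = [d for d in image_details if d.get("lastRecordedPullTime")]   # never-pulled images lack the field
    pulled.sort(key=lambda d: d["lastRecordedPullTime"], reverse=True)
    chosen = [d["imageDigest"] for d in pulled[:recent_pulls]]
    newest = max(image_details, key=lambda d: d["imagePushedAt"], default=None)
    if newest is not None and newest["imageDigest"] not in chosen:   # may already be a recent pull
        chosen.append(newest["imageDigest"])
    return chosen


def _ts(day, hour=0):
    return datetime(2024, 3, day, hour, tzinfo=timezone.utc)


SAMPLE_REPOSITORY = [   # constructed
    {"imageDigest": "sha256:a1", "imageTags": ["v1.0"], "imagePushedAt": _ts(1),
     "lastRecordedPullTime": _ts(20)},
    {"imageDigest": "sha256:b2", "imageTags": ["v1.1"], "imagePushedAt": _ts(5),
     "lastRecordedPullTime": _ts(22)},
    {"imageDigest": "sha256:c3", "imageTags": ["v1.2"], "imagePushedAt": _ts(10),
     "lastRecordedPullTime": _ts(21)},
    {"imageDigest": "sha256:d4", "imageTags": ["v2.0-rc"], "imagePushedAt": _ts(25)},  # pushed, never pulled
]


def run_demo():
    return select_images_to_scan(SAMPLE_REPOSITORY)


if __name__ == "__main__":
    print(run_demo())   # ['sha256:b2', 'sha256:c3', 'sha256:d4']
```

Note the two edge cases: an image pushed but never pulled still gets scanned (it is the newest push), while a repository where the newest push is also among the last two pulls yields two digests rather than three.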

Does CWPP support scanning EC2 instances created from Bottlerocket AMIs?

CWPP supports scanning Bottlerocket OS and its configuration. However, to scan the workloads deployed on these instances, the AWS ECS or Kubernetes integration is required. For more information about Kubernetes workload scanning, please refer to the Kubernetes Workload Scanning Overview page.