Security Frequently Asked Questions

How many IAM users/roles are required for multi-account, multi-region AWS environments?

  • We do not use IAM users for the Platform integration; we use IAM roles. We create only one role for each Plerion capability (CSPM, CWPP) per account. For example, we create one IAM role for CSPM and another for the CWPP Instance Profile. Please refer to the platform’s Resource Center > Integrations > Inbound for more details.

Does this IAM user need console access or does it just need programmatic access?

  • Only programmatic access is required.

List of data that is extracted from customer environments

Plerion offers various capabilities from across our Cloud Protection Platform:

  • For CSPM and CIEM integrations, Plerion collects resource/asset-related configuration meta-data from the integrated accounts.
  • For CWPP (assuming Secret Scanning and Software Bill of Materials (SBOM) generation are enabled for the Plerion appliance), Plerion collects vulnerability-related information as well as software package information to identify related CVEs and build an SBOM. In addition, Plerion looks to identify the location of sensitive data (Secret Keys, Private Keys, Access Keys, Certificates) to notify customers of the associated findings and linked risks. Only the scan results (meta-data) from the Plerion workload scanning appliance are sent to Plerion for processing. Code security coverage from Plerion requires customers to send the scan artifact to Plerion for analysis. After analysis the artifact is deleted; there is no long-term storage of such artifacts.
  • For CDR, Plerion ingests customers' Cloud Provider Audit logs (e.g. AWS CloudTrail). Plerion uses a unique customer encryption key to store audit logs, and the audit data is purged after 90 days.

Is there any AWS direct link integration in case we don't want our scan data to travel through the public Internet?

  • For CWPP we require a VPC subnet with outbound internet access so our appliance can scan containers hosted on public registries (and other similar cases) if you have them. We transmit your results back from your account to an S3 bucket we own. If you don’t want those results to traverse the internet, you can configure our appliance to launch from a subnet in a VPC with an S3 Gateway Endpoint configured; all S3 access will then go through the VPC endpoint rather than the public internet. Let us know if you want help configuring this.
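The subnet layout described above, as an added Terraform example (not Plerion's own code): a route table for the appliance subnet with a default route via NAT for registry pulls, plus an S3 Gateway Endpoint attached to that route table so uploads to S3 never leave the AWS network. The VPC, subnet and NAT gateway IDs are assumed to exist and are passed in as variables; the Plerion results bucket name is not needed here because a gateway endpoint covers all S3 traffic in the region.

```terraform
# Added example; assumes an existing VPC, private subnet and NAT gateway.
variable "region"         { default = "ap-southeast-2" }
variable "vpc_id"         {}
variable "subnet_id"      {} # subnet the Plerion appliance launches into
variable "nat_gateway_id" {} # provides the outbound internet access the scanner needs

# Route table for the appliance subnet: default route via NAT so the
# appliance can still reach public container registries.
resource "aws_route_table" "plerion_scanner" {
  vpc_id = var.vpc_id

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = var.nat_gateway_id
  }

  tags = { Name = "plerion-scanner" }
}

resource "aws_route_table_association" "plerion_scanner" {
  subnet_id      = var.subnet_id
  route_table_id = aws_route_table.plerion_scanner.id
}

# Gateway endpoint for S3. AWS inserts a route for the regional S3 prefix
# list into the associated route table; that route is more specific than
# 0.0.0.0/0, so S3 traffic (including the scan-results upload) uses the
# endpoint instead of the NAT/internet path.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.plerion_scanner.id]

  tags = { Name = "plerion-scanner-s3" }
}

# Handy for verifying the route: the prefix list ID should appear as a
# DestinationPrefixListId entry in the route table after apply.
output "s3_prefix_list_id" {
  value = aws_vpc_endpoint.s3.prefix_list_id
}
```

After `terraform apply`, `aws ec2 describe-route-tables --route-table-ids <id>` should show a route whose DestinationPrefixListId matches the output above and whose GatewayId is the vpce-* endpoint; if it is missing, the endpoint is not associated with the appliance subnet's route table.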

Are we going to have shared resources on Plerion or dedicated?

  • Each customer's data is separated from other customers' data using the customer's unique Organization ID and Tenant ID. Additionally, where possible, Plerion uses a unique encryption key for each customer to provide further isolation on top of any data store or directory isolation.

Will anyone from Plerion have access to our scan data?

  • Access is granted on a per-request basis only for the purposes of providing and managing the contracted service. Access to the scan data follows our strict access management process and requires approval by the security team. All data access requests are logged for auditing and tracking purposes.

Data Sovereignty

Plerion hosts your collected data in your designated Plerion home region.

Your Plerion region is determined when you are onboarded. Data collected for the purposes of providing the services to our customers is stored in Plerion-designated regions:

  • Authentication data: stored in AWS us-east-1 (North Virginia)
  • Billing data: stored in AWS ap-southeast-2 (Sydney)
  • Monitoring/metrics: stored in AWS ap-southeast-2 (Sydney)

Customer Data Retention

What is the data retention period on Plerion Cloud?

  • We retain the data for the length of your subscription or until you explicitly delete it from our platform.

Incident Management and Notification

What monitoring and incident communications are in place in the event that the integration fails or is compromised on Plerion's end (e.g. API key leakage)?

  • Plerion is committed to providing clear and timely communications to customers in the event of any operational or security issues.