How Plerion-managed scanning works

- Appliances run in Plerion’s accounts: The EC2 appliances that perform scans are launched, run, and terminated inside Plerion-owned AWS accounts. No compute runs in your account.
- You grant a single cross-account role: Your account exposes one IAM role that Plerion assumes to read the workloads you select. There is no VPC, subnet, or security group to configure.
- Appliances are ephemeral: Appliances start when there is work to scan and terminate when the scan completes.
- Snapshots and volumes are temporary: To scan a volume, Plerion creates a temporary snapshot in your account, re-encrypts it with a Plerion-owned KMS key, and grants the Plerion scanning account permission to create a volume from it. A temporary volume is then created in the Plerion account and scanned. Both the snapshot and the volume are deleted from their respective accounts once the scan completes or stops.
- Multi-region coverage: Plerion provisions and operates the scanning infrastructure across all supported CWPP regions. You enable the regions you want to scan during setup.
Supported workloads

Plerion-managed scanning supports the following AWS workload types:

- Amazon EC2 instances
- Amazon Machine Images (AMI)
- AWS Lambda functions
- Amazon ECS
- Amazon ECR
Security model
- Ephemeral by design: Each scan runs on an isolated EC2 instance created for that scan alone. Appliances are never shared between tenants.
- Short-lived credentials: Credentials for your AWS account are issued per scan and are never stored.
- Cryptographic tenant binding: Each credential issuance is tied to your specific account and integration through a signed token. Credentials cannot be redirected to another tenant, even within Plerion’s infrastructure.
- Automatic cleanup: No customer EBS snapshots, volumes, or other customer data are retained in Plerion-owned accounts after a scan completes or fails. Scan inputs are cleaned up as part of each scan.
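The snapshot flow described under "Snapshots and volumes are temporary" and the cleanup guarantee above both leave a trail in your own CloudTrail logs: CreateSnapshot, CopySnapshot (the re-encryption), ModifySnapshotAttribute (the createVolumePermission grant to the scanning account) and DeleteSnapshot. The following is an added example, not Plerion's code, showing how a customer can audit that trail from their side: every snapshot shared out must go only to the expected scanning account, must be the re-encrypted copy, and must be deleted within a window. The scanning account ID, KMS key ARN, six-hour window and the CloudTrail records are constructed placeholders; the event names and request-parameter shapes follow the EC2 CloudTrail API.

```python
"""Audit the lifecycle of snapshots shared out for vendor-managed scanning.

Added example, not vendor code. The account ID, KMS key ARN, time window and
the sample records below are constructed placeholders for illustration.
"""
from datetime import datetime, timedelta

# Constructed placeholders: replace with the values from your own setup.
SCANNER_ACCOUNT = "111111111111"  # the vendor scanning account (placeholder)
SCANNER_KMS_KEY = "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-KEY-ID"
MAX_SNAPSHOT_AGE = timedelta(hours=6)  # assumed internal policy, not a vendor figure


def _ev(time, name, req=None, resp=None):
    """Build a minimal CloudTrail-style record (constructed sample data)."""
    return {"eventTime": time, "eventName": name,
            "requestParameters": req or {}, "responseElements": resp or {}}


def _share(snapshot_id, user_id):
    """requestParameters shape of ModifySnapshotAttribute granting createVolumePermission."""
    return {"snapshotId": snapshot_id, "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {"add": {"items": [{"userId": user_id}]}}}


# Constructed sample: one clean scan (snap-aaa/snap-aab) and one that violates
# every expectation (snap-bbb/snap-bbc: wrong key, wrong account, never deleted).
SAMPLE_EVENTS = [
    _ev("2024-01-01T10:00:00Z", "CreateSnapshot", {"volumeId": "vol-0a"}, {"snapshotId": "snap-aaa"}),
    _ev("2024-01-01T10:05:00Z", "CopySnapshot",
        {"sourceSnapshotId": "snap-aaa", "encrypted": True, "kmsKeyId": SCANNER_KMS_KEY},
        {"snapshotId": "snap-aab"}),
    _ev("2024-01-01T10:06:00Z", "ModifySnapshotAttribute", _share("snap-aab", SCANNER_ACCOUNT)),
    _ev("2024-01-01T10:40:00Z", "DeleteSnapshot", {"snapshotId": "snap-aab"}),
    _ev("2024-01-01T10:41:00Z", "DeleteSnapshot", {"snapshotId": "snap-aaa"}),
    _ev("2024-01-01T11:00:00Z", "CreateSnapshot", {"volumeId": "vol-0b"}, {"snapshotId": "snap-bbb"}),
    _ev("2024-01-01T11:05:00Z", "CopySnapshot",
        {"sourceSnapshotId": "snap-bbb", "encrypted": True,
         "kmsKeyId": "arn:aws:kms:us-east-1:999999999999:key/OTHER-KEY"},
        {"snapshotId": "snap-bbc"}),
    _ev("2024-01-01T11:06:00Z", "ModifySnapshotAttribute", _share("snap-bbc", "999999999999")),
]


def _when(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _new_state(created, kms=None):
    return {"created": created, "deleted": None, "shared": [], "kms": kms}


def audit_snapshot_lifecycle(events, scanner_account=SCANNER_ACCOUNT,
                             scanner_key=SCANNER_KMS_KEY, max_age=MAX_SNAPSHOT_AGE):
    """Return sorted (snapshot_id, finding) tuples; an empty list means the trail is clean."""
    snaps = {}
    for ev in sorted(events, key=_when):
        name, p, r = ev["eventName"], ev["requestParameters"], ev["responseElements"]
        if name == "CreateSnapshot":
            snaps[r["snapshotId"]] = _new_state(_when(ev))
        elif name == "CopySnapshot":  # the re-encrypted copy carries the KMS key used
            snaps[r["snapshotId"]] = _new_state(_when(ev), p.get("kmsKeyId"))
        elif name == "ModifySnapshotAttribute":
            state = snaps.setdefault(p["snapshotId"], _new_state(_when(ev)))
            items = ((p.get("createVolumePermission") or {}).get("add") or {}).get("items") or []
            state["shared"].extend(i["userId"] for i in items if "userId" in i)
        elif name == "DeleteSnapshot" and p["snapshotId"] in snaps:
            snaps[p["snapshotId"]]["deleted"] = _when(ev)

    findings = []
    for sid, st in snaps.items():
        for acct in st["shared"]:
            if acct != scanner_account:
                findings.append((sid, f"shared with unexpected account {acct}"))
        if st["shared"] and st["kms"] != scanner_key:
            findings.append((sid, "shared snapshot not re-encrypted with the expected scanning key"))
        if st["deleted"] is None:
            findings.append((sid, "never deleted"))
        elif st["deleted"] - st["created"] > max_age:
            findings.append((sid, "deleted later than the allowed window"))
    return sorted(findings)


if __name__ == "__main__":
    for snapshot_id, finding in audit_snapshot_lifecycle(SAMPLE_EVENTS):
        print(f"{snapshot_id}: {finding}")
```

In practice you would feed this function the records returned by a CloudTrail Lake or Athena query filtered on `eventSource = ec2.amazonaws.com` and the four event names, scoped to the ARN of the cross-account role you granted; a snapshot that is shared but never deleted, or shared with an account other than the one you enrolled, is the signal that the "temporary" guarantee did not hold for that scan.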