Guidelines for Optimizing Data Security Cost on Prisma Cloud
Cost Implications and Control
Prisma Cloud leverages the data events logged by CloudTrail to keep track of any changes to the objects in your S3 buckets. These events are exported as compressed log files to your S3 bucket. To ensure these log files do not add unnecessary storage cost, Prisma Cloud recommends setting a bucket lifecycle policy with a 1 month TTL (time to live) on the bucket. This ensures the files are expired instead of accumulating and adding to your per-month storage charges.
CloudTrail should be enabled for Write data events only, rather than Read and Write. The volume of Read events is in general orders of magnitude larger than the volume of Write events, and AWS lets you enable either type alone or both. Prisma Cloud Data Security features currently do not use Read events, so logging them adds volume and cost without benefit.
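The two settings above, a 30-day expiration rule on the CloudTrail log bucket and a CloudTrail event selector that logs S3 write data events only, as an added worked example (not Prisma Cloud code). The bucket name, trail name and `AWSLogs/` prefix are assumed values; the builders and the two compliance checks run offline, and `apply()` needs boto3 plus AWS credentials.

```python
"""Builders and checks for the two CloudTrail cost controls described above.

Illustrative example, not Prisma Cloud code. Bucket name, trail name and the
log prefix are assumed. Applying the settings needs boto3 and AWS credentials;
the builders and checks below run offline.
"""

# CloudTrail writes under <optional prefix>/AWSLogs/<account>/CloudTrail/...
CLOUDTRAIL_PREFIX = "AWSLogs/"


def lifecycle_configuration(days=30, prefix=CLOUDTRAIL_PREFIX):
    """Lifecycle rule expiring CloudTrail log objects after `days` (the 1 month TTL)."""
    return {
        "Rules": [
            {
                "ID": "expire-cloudtrail-logs",
                "Status": "Enabled",
                "Filter": {"Prefix": prefix},
                "Expiration": {"Days": days},
                # Also reclaim storage held by multipart uploads that never completed.
                "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
            }
        ]
    }


def write_only_s3_event_selectors(bucket_arns=None):
    """Event selector logging S3 data events for writes only (ReadWriteType=WriteOnly).

    With no bucket_arns, the value 'arn:aws:s3:::' selects objects in all buckets.
    """
    values = bucket_arns or ["arn:aws:s3:::"]
    return [
        {
            "ReadWriteType": "WriteOnly",
            "IncludeManagementEvents": True,
            "DataResources": [{"Type": "AWS::S3::Object", "Values": values}],
        }
    ]


def lifecycle_expires_within(config, max_days=30, prefix=CLOUDTRAIL_PREFIX):
    """True if an enabled rule covering `prefix` expires objects within max_days."""
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        # Rules created through the console may use Filter.Prefix or the legacy Prefix.
        rule_prefix = rule.get("Filter", {}).get("Prefix", rule.get("Prefix", ""))
        if not prefix.startswith(rule_prefix):
            continue  # rule is narrower than the log prefix, does not cover it
        days = rule.get("Expiration", {}).get("Days")
        if days is not None and days <= max_days:
            return True
    return False


def logs_read_events(event_selectors):
    """True if any selector with S3 data resources also logs read events."""
    for sel in event_selectors:
        has_s3 = any(dr.get("Type") == "AWS::S3::Object" for dr in sel.get("DataResources", []))
        if has_s3 and sel.get("ReadWriteType", "All") != "WriteOnly":
            return True
    return False


def apply(bucket, trail_name):
    """Apply both settings with boto3 and verify by reading them back."""
    import boto3  # imported here so the offline helpers above do not need it

    s3 = boto3.client("s3")
    s3.put_bucket_lifecycle_configuration(
        Bucket=bucket, LifecycleConfiguration=lifecycle_configuration()
    )
    ct = boto3.client("cloudtrail")
    ct.put_event_selectors(
        TrailName=trail_name, EventSelectors=write_only_s3_event_selectors()
    )
    # Re-read rather than trusting the put calls succeeded as intended.
    current = s3.get_bucket_lifecycle_configuration(Bucket=bucket)
    selectors = ct.get_event_selectors(TrailName=trail_name).get("EventSelectors", [])
    return lifecycle_expires_within(current) and not logs_read_events(selectors)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print("ok" if apply(sys.argv[1], sys.argv[2]) else "NOT compliant")
    else:
        print("usage: python cost_controls.py <cloudtrail-bucket> <trail-name>")
```

The two check functions are the part worth keeping in a periodic job: a lifecycle rule that someone later narrows to a sub-prefix, disables, or lengthens to 90 days, or a trail switched back to `All`, silently brings the cost problem back.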
Prisma Cloud automatically skips active CloudTrail buckets as well as inactive CloudTrail logs, ELB access logs, VPC flow logs, and S3 access logs. This is done on a best-effort basis, using AWS documentation on how to distinguish these logs from other objects. Prisma Cloud skips them because they usually do not contain sensitive information and therefore do not expose you to data security risk. However, there is no guarantee that Prisma Cloud can catch all such logs, because AWS may change their log naming or format.
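An added example of the "skip known log objects" idea, written here for illustration and not Prisma Cloud's implementation: it matches S3 keys against the key layouts AWS documents for CloudTrail logs, ELB access logs, VPC flow logs and S3 server access logs, and treats everything else as content to scan. The sample keys are constructed. Because the match is purely by key layout, a change in AWS's naming would make a log object fall through to the scan list without any error, which is the best-effort caveat above.

```python
"""Classify S3 object keys as AWS service logs using AWS's documented key layouts.

Illustrative example, not Prisma Cloud's implementation. Sample keys are
constructed. Matching is by key layout only, so a naming change on the AWS
side silently turns a log into "content to scan".
"""
import re

_ACCT = r"\d{12}"                         # 12-digit AWS account id
_REGION = r"[a-z]{2}(?:-[a-z]+)+-\d"       # us-east-1, eu-central-1, us-gov-west-1
_DATE_PATH = r"\d{4}/\d{2}/\d{2}"          # YYYY/MM/DD path segments

LOG_PATTERNS = {
    # AWSLogs/<acct>/CloudTrail/<region>/YYYY/MM/DD/<acct>_CloudTrail_<region>_<YYYYMMDDTHHmmZ>_<id>.json.gz
    # Organization trails insert an o-<org-id>/ segment after AWSLogs/.
    "cloudtrail": re.compile(
        rf"(?:^|/)AWSLogs/(?:o-[a-z0-9]+/)?{_ACCT}/CloudTrail/{_REGION}/{_DATE_PATH}/"
        rf"{_ACCT}_CloudTrail_{_REGION}_\d{{8}}T\d{{4}}Z_[A-Za-z0-9]+\.json\.gz$"
    ),
    # AWSLogs/<acct>/elasticloadbalancing/<region>/YYYY/MM/DD/<acct>_elasticloadbalancing_<region>_<lb>_<ts>_<ip>_<rand>.log[.gz]
    "elb_access": re.compile(
        rf"(?:^|/)AWSLogs/{_ACCT}/elasticloadbalancing/{_REGION}/{_DATE_PATH}/"
        rf"{_ACCT}_elasticloadbalancing_{_REGION}_.+\.log(?:\.gz)?$"
    ),
    # AWSLogs/<acct>/vpcflowlogs/<region>/YYYY/MM/DD/<acct>_vpcflowlogs_<region>_<flow-log-id>_<ts>_<hash>.log.gz
    "vpc_flow": re.compile(
        rf"(?:^|/)AWSLogs/{_ACCT}/vpcflowlogs/{_REGION}/{_DATE_PATH}/"
        rf"{_ACCT}_vpcflowlogs_{_REGION}_fl-[0-9a-f]+_\d{{8}}T\d{{4}}Z_[0-9a-f]+\.log\.gz$"
    ),
    # S3 server access logs: <target-prefix>YYYY-MM-DD-HH-MM-SS-<16 hex chars>
    "s3_access": re.compile(r"\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}-[0-9A-Fa-f]{16}$"),
}


def classify(key):
    """Return the matched log kind for an S3 key, or None if it looks like real content."""
    for kind, pattern in LOG_PATTERNS.items():
        if pattern.search(key):
            return kind
    return None


def partition(keys):
    """Split keys into (skipped log objects, objects to send for scanning)."""
    skipped, to_scan = [], []
    for key in keys:
        (skipped if classify(key) else to_scan).append(key)
    return skipped, to_scan


# Constructed sample keys: four AWS-generated logs and two objects that must be scanned.
SAMPLE_KEYS = [
    "AWSLogs/123456789012/CloudTrail/us-east-1/2024/03/05/"
    "123456789012_CloudTrail_us-east-1_20240305T1305Z_kF3xQ9aBcD2eG7hJ.json.gz",
    "AWSLogs/123456789012/elasticloadbalancing/us-east-1/2024/03/05/"
    "123456789012_elasticloadbalancing_us-east-1_app.web.50dc6c495c0c9188_20240305T1310Z_10.0.1.7_2a3b4c5d.log.gz",
    "AWSLogs/123456789012/vpcflowlogs/eu-central-1/2024/03/05/"
    "123456789012_vpcflowlogs_eu-central-1_fl-0a1b2c3d_20240305T1315Z_5e6f7a8b.log.gz",
    "logs/2024-03-05-13-20-45-B52F6E27D8A3B8A2",
    "exports/customers_2024-03.csv",       # real data: must be scanned
    "AWSLogs/readme.txt",                   # lives under AWSLogs/ but is not a log object
]

if __name__ == "__main__":
    skipped, to_scan = partition(SAMPLE_KEYS)
    for key in skipped:
        print(f"skip  [{classify(key)}] {key}")
    for key in to_scan:
        print(f"scan  {key}")
```

Note the last sample key: matching only on the `AWSLogs/` prefix, rather than the full documented layout, would wrongly skip any object a user drops into that folder, so the patterns anchor on the account id, region, date path and file name together.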
API Throttling and Egress Implications
The solution is driven by cloud service provider (CSP) APIs and is subject to the same throttling as any other consumer of those APIs. It performs client-side API throttling so that it does not overuse or abuse the rate limits the CSP enforces. The client-side rate limiting also ensures that, by default, the full API quota is not consumed, so that scanning does not interrupt the API usage of your own processes and applications.
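An added example of the client-side throttling pattern described above, written for illustration and not Prisma Cloud code: a token bucket that refills at a configurable share of the provider's documented limit, so the scanner can never take the whole quota and starve your own applications. The `10` requests per second quota and the `0.5` share are assumed numbers; the clock is injectable so the worked run is deterministic.

```python
"""Client-side API rate limiter that deliberately leaves headroom under the CSP quota.

Illustrative example, not Prisma Cloud code. The quota and share values are
assumed. The clock is injectable to keep the worked run deterministic.
"""
import time


class HeadroomLimiter:
    """Token bucket sized to `share` of the provider's limit, never the full quota."""

    def __init__(self, provider_limit_per_sec, share=0.5, clock=time.monotonic):
        if not 0 < share <= 1:
            raise ValueError("share must be in (0, 1]")
        self.rate = provider_limit_per_sec * share  # tokens added per second
        self.capacity = self.rate                    # burst: one second's worth of our share
        self.tokens = self.capacity
        self.clock = clock
        self.last = clock()
        self.throttled = 0                           # requests we held back

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def try_acquire(self):
        """Take one token if available; False means the caller must back off."""
        self._refill()
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        self.throttled += 1
        return False

    def wait_time(self):
        """Seconds until the next token is available (0.0 if one is available now)."""
        self._refill()
        if self.tokens >= 1:
            return 0.0
        return (1 - self.tokens) / self.rate


def call_with_backoff(limiter, fn, sleep=time.sleep):
    """Run fn() once the limiter grants a token, sleeping instead of retrying hot."""
    while not limiter.try_acquire():
        sleep(limiter.wait_time())
    return fn()


class FakeClock:
    """Manual clock so the worked run below does not depend on wall time."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """12 back-to-back requests at an assumed 10/s quota with a 50% share.

    Returns (granted, denied): only 5 get through, the other half of the quota
    stays free for the customer's own API traffic.
    """
    clock = FakeClock()
    limiter = HeadroomLimiter(10, share=0.5, clock=clock)
    results = [limiter.try_acquire() for _ in range(12)]
    return results.count(True), results.count(False)


if __name__ == "__main__":
    granted, denied = demo()
    print(f"granted={granted} denied={denied}")
```

The point of `share` is that a scanner which only reacts to HTTP 429 responses has, by definition, already exhausted the quota for everyone; refilling at a fraction of the limit keeps the customer's own callers out of that situation in the first place.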
Data downloaded from your storage systems is not persisted anywhere on the Prisma Cloud infrastructure. It is held only for the duration of processing the content for Data Profile analysis, or until a maximum time-out limit (24 hours) is reached, whichever comes first.
There are egress cost implications for you, because Prisma Cloud Data Security evaluates all content in your S3 buckets. You can optimize cost by selecting only those buckets that require scanning and by filtering out known-good files that do not require Data Profile analysis or malware analysis, such as Database