AWS S3 support for Prisma Cloud tenants in the USA and EMEA regions.
experience that offers 300 GB per tenant, before you are charged for using the Data Security module. When your data exceeds the freemium threshold, you use credits from the Prisma Cloud Enterprise Edition license.
Ability to scan all or selected S3 buckets when you onboard your AWS account(s) on Prisma Cloud. You can choose to enable a forward or backward scan when you add the cloud account.
default scan quota for each tenant is 10 TB; this quota lets you control how much data is scanned so that you can align your organizational DLP budget with the amount of data that is scanned. This 10 TB limit is adjustable: you can open a support ticket with Prisma Cloud Customer Success to increase it and balance your costs, while also ensuring that you are using Prisma Cloud Data Security to scan the file types that you want to secure.
Prisma Cloud Data Security needs to read the objects stored in your AWS S3 buckets in order to scan them. The supported encryption types are Amazon S3 created and managed keys (SSE-S3), and AWS KMS keys that are AWS Managed or Customer Managed. If you use the AWS Key Management Service with Customer Managed Keys (CMK), then once you assign the correct permissions to the Prisma Cloud IAM role, Prisma Cloud can scan files in S3 buckets that are encrypted using customer managed
Visibility, exposure, and classification of S3 buckets and objects on the new Data Dashboard, Data Inventory, and Object Explorer.
S3 objects in standard storage class only are ingested for
File sizes and scanning:
For data classification and malware scanning, the uncompressed file size must be less than 20 MB. For example, if the file size is 25 MB but it was compressed to under 20 MB, the file will not be successfully scanned.
Malware detection of objects (only Windows executables &
For ML-based classification scanning, the file size must be less than 1 MB.
For backward scan, each tenant has a daily limit of 300 GB.
scan each tenant has 10 GB per hour. When this threshold is met, the scanning is slower for the files in queue until the hour is
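To make the limits above concrete, here is an added Python example (not Prisma Cloud code) that triages a constructed S3 object listing against them: STANDARD storage class only, SSE-S3 or SSE-KMS encryption, the 20 MB and 1 MB uncompressed-size thresholds, and the default 10 TB scan quota. Treating SSE-C as unsupported is an assumption, since the page lists only SSE-S3 and SSE-KMS; the bucket names, keys and sizes are made up.

```python
"""Added example (not Prisma Cloud code): triage S3 object metadata against the
Data Security limits described above. All object records are constructed samples."""
from dataclasses import dataclass
from typing import Optional

MB = 1024 * 1024
DLP_MAX_BYTES = 20 * MB     # uncompressed limit for classification and malware scanning
ML_MAX_BYTES = 1 * MB       # uncompressed limit for ML-based classification
SUPPORTED_SSE = {"SSE-S3", "SSE-KMS"}   # SSE-KMS covers AWS managed and customer managed keys
DEFAULT_QUOTA_BYTES = 10 * 1024 * 1024 * MB   # 10 TB default per-tenant scan quota

@dataclass
class S3Object:
    bucket: str
    key: str
    size: int             # uncompressed size in bytes; the compressed size is not what counts
    storage_class: str    # STANDARD, STANDARD_IA, GLACIER, ...
    sse: Optional[str]    # "SSE-S3", "SSE-KMS", "SSE-C", or None when unencrypted

def triage(obj: S3Object) -> dict:
    """Report whether an object would be ingested and which scans it qualifies for."""
    reasons = []
    if obj.storage_class != "STANDARD":
        reasons.append("storage class is not STANDARD")
    if obj.sse is not None and obj.sse not in SUPPORTED_SSE:
        # Assumption: an encryption type the service cannot decrypt (e.g. SSE-C) blocks the read
        reasons.append(f"encryption type {obj.sse} is not supported")
    if obj.size >= DLP_MAX_BYTES:
        reasons.append("uncompressed size is not under 20 MB")
    ingested = not reasons
    return {"ingested": ingested,
            "ml_classification": ingested and obj.size < ML_MAX_BYTES,
            "skipped_because": reasons}

def summarize(objects) -> dict:
    """Totals for planning against the scan quota: only ingested bytes count toward it."""
    ingested = [o for o in objects if triage(o)["ingested"]]
    total = sum(o.size for o in ingested)
    return {"ingested_objects": len(ingested), "skipped_objects": len(objects) - len(ingested),
            "ingested_bytes": total, "quota_used_fraction": total / DEFAULT_QUOTA_BYTES}

SAMPLE = [  # constructed sample listing, not real bucket contents
    S3Object("finance-exports", "q1/ledger.csv", 512 * 1024, "STANDARD", "SSE-S3"),
    S3Object("finance-exports", "q1/backup.zip", 5 * MB, "STANDARD", "SSE-KMS"),
    S3Object("archive", "2019/old.tar", 100 * 1024, "GLACIER", None),
    S3Object("uploads", "video.mp4", 25 * MB, "STANDARD", None),
    S3Object("uploads", "secret.bin", 100 * 1024, "STANDARD", "SSE-C"),
]
```

Running `summarize(SAMPLE)` shows that only the two finance-exports objects would be ingested and that the 5 MB archive is too large for ML-based classification but still eligible for DLP and malware scanning.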
Prisma Cloud Data Security uses Palo Alto Networks' Enterprise DLP and WildFire services to process and scan S3 objects for sensitive data and malware. When S3 objects are sent to Enterprise DLP for analysis, they are stored temporarily in Prisma Cloud's S3 buckets for less than 24 hours and then deleted. Enterprise DLP does not retain any data after it provides a data classification verdict on your files. Files processed by WildFire follow the standard retention policy for WildFire.
Default Data policies to detect public exposure of sensitive information. The data policies generate alerts on Prisma Cloud, and you can set up notifications to the external integration channels supported on Prisma Cloud. In addition, you can create custom data profiles and patterns and use them in policies to scan content for your security
Integration with Config RQL to show all objects in an S3 bucket, including exposure, Data Profile, and malware detection, in the Resource Explorer.