Encryption at rest - Amazon Inspector

Encryption at rest

By default, Amazon Inspector stores data at rest using AWS encryption solutions. Amazon Inspector encrypts data, such as the following:

  • Resource inventory collected with AWS Systems Manager

  • Resource inventory parsed from Amazon Elastic Container Registry images

  • Generated security findings, using AWS owned encryption keys from AWS Key Management Service

You cannot manage, use, or view AWS owned keys. However, you don't need to take action or change programs to protect keys that encrypt your data. For more information, see AWS owned keys.

If you disable Amazon Inspector, it permanently deletes all resources it stores or maintains for you, such as collected inventory and security findings.

Encryption at rest for code in your findings

For Amazon Inspector Lambda code scanning, Amazon Inspector partners with CodeGuru to scan your code for vulnerabilities. When a vulnerability is detected, CodeGuru extracts a snippet of your code containing the vulnerability and stores that code until Amazon Inspector requests access. By default, CodeGuru uses an AWS owned key to encrypt the extracted code; however, you can configure Amazon Inspector to use your own customer managed AWS KMS key for encryption.

The following workflow explains how Amazon Inspector uses the key you configure to encrypt your code:

  1. You supply an AWS KMS key to Amazon Inspector using the Amazon Inspector UpdateEncryptionKey API.

  2. Amazon Inspector forwards the information about your AWS KMS key to CodeGuru. CodeGuru stores the information for future use.

  3. CodeGuru requests a grant from AWS KMS for the key you configured in Amazon Inspector.

  4. CodeGuru creates an encrypted data key from your AWS KMS key and stores it. This data key is used to encrypt your code data stored by CodeGuru.

  5. Whenever Amazon Inspector requests data from code scans, CodeGuru uses the grant to decrypt the encrypted data key, then uses that key to decrypt the data so it can be retrieved.

When you disable Lambda code scanning, CodeGuru retires the grant and deletes the associated data key.

Permissions for code encryption with a customer managed key

To use encryption, you need a policy that allows access to AWS KMS actions, as well as a statement that grants Amazon Inspector and CodeGuru permission to use those actions through condition keys.

If you are setting, updating, or resetting the encryption key for your account, you will need to use an Amazon Inspector administrator policy, such as the AWS managed policy AmazonInspector2FullAccess. You will also need to grant the following permissions to read-only users who need to retrieve code snippets from findings or data about the key chosen for encryption.

For KMS, the policy must allow you to perform the following actions:

  • kms:CreateGrant

  • kms:Decrypt

  • kms:DescribeKey

  • kms:GenerateDataKeyWithoutPlaintext

  • kms:Encrypt

  • kms:RetireGrant

Once you've verified that you have the correct AWS KMS permissions in your policy, you must attach a statement that allows Amazon Inspector and CodeGuru to use your key for encryption. Attach the following policy statement:

Note

Replace Region with the AWS Region you have Amazon Inspector Lambda code scanning enabled in.

{
  "Sid": "allow CodeGuru Security to request a grant for a AWS KMS key",
  "Effect": "Allow",
  "Action": "kms:CreateGrant",
  "Resource": "*",
  "Condition": {
    "ForAllValues:StringEquals": {
      "kms:GrantOperations": [
        "GenerateDataKey",
        "GenerateDataKeyWithoutPlaintext",
        "Encrypt",
        "Decrypt",
        "RetireGrant",
        "DescribeKey"
      ]
    },
    "StringEquals": {
      "kms:ViaService": [
        "codeguru-security.Region.amazonaws.com"
      ]
    }
  }
},
{
  "Sid": "allow Amazon Inspector and CodeGuru Security to use your AWS KMS key",
  "Effect": "Allow",
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:RetireGrant",
    "kms:DescribeKey",
    "kms:GenerateDataKeyWithoutPlaintext"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": [
        "inspector2.Region.amazonaws.com",
        "codeguru-security.Region.amazonaws.com"
      ]
    }
  }
}

Note

When you add the statement, ensure that the syntax is valid. Policies use JSON format. This means that you need to add a comma before or after the statement, depending on where you add the statement to the policy. If you add the statement as the last statement, add a comma after the closing brace for the preceding statement. If you add it as the first statement or between two existing statements, add a comma after the closing brace for the statement.
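An added example, not from the Amazon Inspector documentation: it renders the two statements above for a given Region, appends them to an existing policy document (so the comma placement the note describes is handled by the JSON serializer), and then checks that every KMS action the page lists is allowed and that each KMS Allow statement is pinned to that Region through kms:ViaService. The Region, the sample existing policy, and the function names are constructed for this example.

```python
import json

# Constructed sample inputs for this added example (not from the Amazon Inspector docs).
REGION = "us-east-1"
EXISTING_POLICY = {"Version": "2012-10-17",
                   "Statement": {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}}
# KMS actions the page lists as required for code-snippet encryption.
REQUIRED_KMS_ACTIONS = {"kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
                        "kms:GenerateDataKeyWithoutPlaintext", "kms:RetireGrant"}
GRANT_OPS = ["GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "Encrypt",
             "Decrypt", "RetireGrant", "DescribeKey"]

def render_statements(region):
    """The page's two statements with the Region placeholder filled in."""
    codeguru = f"codeguru-security.{region}.amazonaws.com"
    inspector = f"inspector2.{region}.amazonaws.com"
    return [
        {"Sid": "allow CodeGuru Security to request a grant for a AWS KMS key",
         "Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "*",
         "Condition": {"ForAllValues:StringEquals": {"kms:GrantOperations": GRANT_OPS},
                       "StringEquals": {"kms:ViaService": [codeguru]}}},
        {"Sid": "allow Amazon Inspector and CodeGuru Security to use your AWS KMS key",
         "Effect": "Allow", "Resource": "*",
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:RetireGrant", "kms:DescribeKey",
                    "kms:GenerateDataKeyWithoutPlaintext"],
         "Condition": {"StringEquals": {"kms:ViaService": [inspector, codeguru]}}},
    ]

def build_policy(existing, region):
    """Append the statements to a deep copy of an existing policy; json handles the commas."""
    policy = json.loads(json.dumps(existing))
    stmts = policy.get("Statement", [])
    policy["Statement"] = ([stmts] if isinstance(stmts, dict) else stmts) + render_statements(region)
    return policy

def check_policy(policy, region):
    """Return problems; [] means all required KMS actions are allowed and pinned to region."""
    problems, allowed = [], set()
    for s in policy["Statement"]:
        acts = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        kms = [a.lower() for a in acts if a.lower().startswith("kms:")]  # IAM action names are case-insensitive
        if s.get("Effect") != "Allow" or not kms:
            continue
        via = s.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService", [])
        via = via if isinstance(via, list) else [via]
        if not via or not all(v.endswith(f".{region}.amazonaws.com") for v in via):
            problems.append(f"{s.get('Sid')}: kms:ViaService is not pinned to {region}")
        allowed.update(kms)
    missing = sorted(a for a in REQUIRED_KMS_ACTIONS if a.lower() not in allowed)
    return problems + (["missing actions: " + ", ".join(missing)] if missing else [])
```

Print `json.dumps(build_policy(EXISTING_POLICY, REGION), indent=2)` to get a document you can paste into the console; a statement without a kms:ViaService condition, or one written for another Region, shows up in the returned problem list.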

Configuring encryption with a customer managed key

To configure encryption for your account using a customer managed key, you must be an Amazon Inspector administrator with the permissions outlined in Permissions for code encryption with a customer managed key. Additionally, you will need an AWS KMS key in the same AWS Region as your findings, or a multi-Region key. You can use an existing symmetric key in your account or create a symmetric customer managed key by using the AWS Management Console or the AWS KMS APIs. For more information, see Creating symmetric encryption AWS KMS keys in the AWS KMS user guide.

Using the Amazon Inspector API to configure encryption

To set a key for encryption, use the UpdateEncryptionKey operation of the Amazon Inspector API while signed in as an Amazon Inspector administrator. In the API request, use the kmsKeyId field to specify the ARN of the AWS KMS key you want to use. For scanType enter CODE and for resourceType enter AWS_LAMBDA_FUNCTION.

You can use the GetEncryptionKey API to check which AWS KMS key Amazon Inspector is using for encryption.

Note

If you attempt to use GetEncryptionKey when you haven't set a customer managed key, the operation returns a ResourceNotFoundException error, which means that an AWS owned key is being used for encryption.

If you delete the key or change its policy to deny access to Amazon Inspector or CodeGuru, you will be unable to access your code vulnerability findings and Lambda code scanning will fail for your account.

You can use ResetEncryptionKey to resume using an AWS owned key to encrypt code extracted as part of your Amazon Inspector findings.
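An added example, not from the Amazon Inspector documentation, wrapping the three operations above: it sends the scanType and resourceType values the page specifies, treats ResourceNotFoundException from GetEncryptionKey as "AWS owned key in use", and confirms after UpdateEncryptionKey that the service reports the key. The functions take the client as a parameter; in a real run that is boto3.client("inspector2") (boto3's inspector2 client exposes get_encryption_key, update_encryption_key and reset_encryption_key with these parameter names), and FakeInspector2 is a constructed stand-in so the block runs offline. The key ARN and account ID are constructed.

```python
from types import SimpleNamespace

# Parameter values the page gives for Lambda code scanning.
CODE_SCAN = {"scanType": "CODE", "resourceType": "AWS_LAMBDA_FUNCTION"}

def current_key(client):
    """Return the customer managed key ARN in use, or None when an AWS owned key is in use
    (GetEncryptionKey raises ResourceNotFoundException in that case)."""
    try:
        return client.get_encryption_key(**CODE_SCAN)["kmsKeyId"]
    except client.exceptions.ResourceNotFoundException:
        return None

def set_key(client, key_arn):
    """Configure a customer managed key and confirm the service now reports it."""
    parts = key_arn.split(":")
    if len(parts) < 6 or parts[0] != "arn" or parts[2] != "kms":  # kmsKeyId must be the key ARN
        raise ValueError(f"not a KMS key ARN: {key_arn}")
    client.update_encryption_key(kmsKeyId=key_arn, **CODE_SCAN)
    if current_key(client) != key_arn:
        raise RuntimeError("UpdateEncryptionKey did not take effect")
    return key_arn

def reset_key(client):
    """Return to the AWS owned key; afterwards current_key() reports None."""
    client.reset_encryption_key(**CODE_SCAN)
    return current_key(client)

class FakeInspector2:
    """Constructed offline stand-in for boto3.client("inspector2") with the same call shapes."""
    exceptions = SimpleNamespace(
        ResourceNotFoundException=type("ResourceNotFoundException", (Exception,), {}))

    def __init__(self):
        self._key = None  # None models "no customer managed key configured"

    def get_encryption_key(self, scanType, resourceType):
        if self._key is None:
            raise self.exceptions.ResourceNotFoundException("no customer managed key configured")
        return {"kmsKeyId": self._key}

    def update_encryption_key(self, kmsKeyId, scanType, resourceType):
        self._key = kmsKeyId

    def reset_encryption_key(self, scanType, resourceType):
        self._key = None

if __name__ == "__main__":
    import boto3  # real run: requires Amazon Inspector administrator credentials
    print(current_key(boto3.client("inspector2")))
```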