Scanning AWS Lambda functions with Amazon Inspector

Amazon Inspector support for AWS Lambda functions provides continuous, automated security vulnerability assessments for Lambda functions and layers. Amazon Inspector offers two types of scanning for Lambda. These scan types look for different types of vulnerabilities.

Amazon Inspector Lambda standard scanning

This is the default Lambda scan type. Lambda standard scanning scans application dependencies within a Lambda function and its layers for package vulnerabilities. For more information, see Lambda standard scanning.

Amazon Inspector Lambda code scanning

This scan type scans the custom application code in your functions and layers for code vulnerabilities. You can either activate Lambda standard scanning or activate Lambda standard scanning together with Lambda code scanning. For more information, see Amazon Inspector Lambda code scanning.

When you activate Lambda scanning Amazon Inspector creates the following AWS CloudTrail service-linked channels in your account:

  • cloudtrail:CreateServiceLinkedChannel

  • cloudtrail:DeleteServiceLinkedChannel

Amazon Inspector manages these channels and uses them to monitor your CloudTrail events for scans. For more information about service-linked channels, see Viewing service-linked channels for CloudTrail by using the AWS CLI.

Note

The service-linked channels created by Amazon Inspector allow you to see CloudTrail events in your account as if you had a CloudTrail trail. However, we recommend that you create your own CloudTrail trail to manage events for your account.

For instructions on activating Lambda function scans see Activating a scan type.

Scan behaviors for Lambda function scanning

Upon activation, Amazon Inspector scans all Lambda functions invoked or updated in the last 90 days in your account. Amazon Inspector initiates vulnerability scans of Lambda functions in the following situations:

  • As soon as Amazon Inspector discovers an existing Lambda function.

  • When you deploy a new Lambda function to the Lambda service.

  • When you deploy an update to the application code or dependencies of an existing Lambda function or its layers.

  • Whenever Amazon Inspector adds a new common vulnerabilities and exposures (CVE) item to its database, and that CVE is relevant to your function.

Amazon Inspector monitors each Lambda function throughout its lifetime until it's either deleted or excluded from scanning.

You can check when a Lambda function was last scanned for vulnerabilities from the Lambda functions tab on the Account management page, or by using the ListCoverage API. Amazon Inspector updates the Last scanned at field for a Lambda function in response to the following events:

  • When Amazon Inspector completes an initial scan of a Lambda function.

  • When a Lambda function is updated.

  • When Amazon Inspector re-scans a Lambda function because a new CVE item impacting that function was added to the Amazon Inspector database.
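As an added example (not code from the Amazon Inspector documentation), the following script reads ListCoverage results for Lambda functions and sorts them into recently scanned, stale (Last scanned at older than a threshold you choose) and inactive (not being scanned, with the reason Inspector reports). The sample coverage records are constructed; the field names (`coveredResources`, `scanStatus`, `lastScannedAt`, the `AWS_LAMBDA_FUNCTION` resource type) are assumed to follow the inspector2 API, and the live fetch assumes boto3 and valid credentials.

```python
"""Summarise Amazon Inspector coverage for Lambda functions (ListCoverage)."""
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the coveredResources list returned by the
# inspector2 ListCoverage API; names, dates and reasons are made up.
SAMPLE_NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)
SAMPLE_COVERED_RESOURCES = [
    {"resourceId": "arn:aws:lambda:us-east-1:123456789012:function:orders-api",
     "resourceType": "AWS_LAMBDA_FUNCTION",
     "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"},
     "lastScannedAt": datetime(2024, 6, 1, tzinfo=timezone.utc)},
    {"resourceId": "arn:aws:lambda:us-east-1:123456789012:function:nightly-report",
     "resourceType": "AWS_LAMBDA_FUNCTION",
     "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"},
     "lastScannedAt": datetime(2024, 3, 1, tzinfo=timezone.utc)},
    {"resourceId": "arn:aws:lambda:us-east-1:123456789012:function:legacy-cron",
     "resourceType": "AWS_LAMBDA_FUNCTION",
     "scanStatus": {"statusCode": "INACTIVE", "reason": "EXCLUDED_BY_TAG"}},
]


def summarize_coverage(covered, now, stale_after_days=30):
    """Return (scanned, stale, inactive) for the Lambda functions in `covered`.

    scanned  : ACTIVE and lastScannedAt within stale_after_days of `now`
    stale    : ACTIVE but lastScannedAt missing or older than the threshold
    inactive : statusCode other than ACTIVE, mapped to the reported reason
    """
    cutoff = now - timedelta(days=stale_after_days)
    scanned, stale, inactive = [], [], {}
    for res in covered:
        if res.get("resourceType") != "AWS_LAMBDA_FUNCTION":
            continue  # ListCoverage can also return EC2, ECR and CodeRepository rows
        name = res["resourceId"].rsplit(":", 1)[-1]  # function name from the ARN
        status = res.get("scanStatus", {})
        if status.get("statusCode") != "ACTIVE":
            inactive[name] = status.get("reason", "UNKNOWN")
        elif res.get("lastScannedAt") is None or res["lastScannedAt"] < cutoff:
            stale.append(name)
        else:
            scanned.append(name)
    return scanned, stale, inactive


def fetch_lambda_coverage(region="us-east-1"):
    """Pull live coverage with boto3 (imported lazily so the summary runs offline)."""
    import boto3
    client = boto3.client("inspector2", region_name=region)
    lambda_only = {"resourceType": [{"comparison": "EQUALS", "value": "AWS_LAMBDA_FUNCTION"}]}
    covered = []
    for page in client.get_paginator("list_coverage").paginate(filterCriteria=lambda_only):
        covered.extend(page["coveredResources"])
    return covered
```

Feed `fetch_lambda_coverage()` into `summarize_coverage(..., datetime.now(timezone.utc))` to run it against an account; an inactive entry with a reason other than the exclusion tag you set is the one worth investigating.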

Supported runtimes and eligible functions

Amazon Inspector supports different runtimes for Lambda standard scanning and Lambda code scanning. For a list of supported runtimes for each scan type, see Supported runtimes: Amazon Inspector Lambda standard scanning and Supported runtimes: Amazon Inspector Lambda code scanning.

In addition to having a supported runtime, a Lambda function needs to meet the following criteria to be eligible for Amazon Inspector scans:

  • The function has been invoked or updated in the last 90 days.

  • The function is marked $LATEST.

  • The function isn't excluded from scans by tags.

Note

Lambda functions that haven't been invoked or modified in the last 90 days are automatically excluded from scans. Amazon Inspector will resume scanning an automatically excluded function if it is invoked again or if changes are made to the Lambda function code.

Amazon Inspector Lambda standard scanning

Amazon Inspector Lambda standard scanning identifies software vulnerabilities in the application package dependencies you add to your Lambda function code and layers. For example, if your Lambda function uses a version of the python-jwt package with a known vulnerability, Lambda standard scanning will generate a finding for that function.

If Amazon Inspector detects a vulnerability in your Lambda function application package dependencies, Amazon Inspector produces a detailed Package Vulnerability type finding.

For instructions on activating a scan type see Activating a scan type.

Note

Lambda standard scanning doesn't scan the AWS SDK dependency installed by default in the Lambda runtime environment. Amazon Inspector only scans dependencies uploaded with the function code or inherited from a layer.

Note

Deactivating Amazon Inspector Lambda standard scanning will also deactivate Amazon Inspector Lambda code scanning.

Excluding functions from Lambda standard scanning

You can tag certain functions to exclude them from Amazon Inspector Lambda standard scans. Excluding functions from scans can help prevent unactionable alerts.

To exclude a Lambda function from Lambda standard scanning, tag the function with the following key-value pair:

  • Key: InspectorExclusion

  • Value: LambdaStandardScanning

To exclude a function from Lambda standard scanning
  1. Sign in using your credentials, and then open the Lambda console at https://console.aws.amazon.com/lambda/.

  2. Select Functions.

  3. From the functions table, select the name of a function that you would like to exclude from Amazon Inspector Lambda standard scanning.

  4. Select Configuration and choose Tags from the menu.

  5. Select Manage tags, and then Add new tag.

  6. In the Key field, enter InspectorExclusion, then, in the Value field, enter LambdaStandardScanning.

  7. Select Save to add the tag and exclude your function from Amazon Inspector Lambda standard scanning.

For more information about adding tags in Lambda, see Using tags on Lambda functions.

Amazon Inspector Lambda code scanning

Important

This feature also captures snippets of Lambda functions to highlight detected vulnerabilities, and these snippets might show hardcoded credentials or other sensitive materials in plaintext.

Lambda code scanning scans custom application code in a Lambda function for code vulnerabilities that are based on AWS security best practices and can detect the following:

  • Injection flaws

  • Data leaks

  • Weak cryptography

  • Missing encryption in your code

For information about available Regions, see Region-specific feature availability.

Note

You can activate Lambda code scanning together with Lambda standard scanning.

Amazon Inspector uses automated reasoning and machine learning to evaluate your Lambda function application code and internal detectors that are developed in collaboration with Amazon CodeGuru to identify policy violations and vulnerabilities. For a list of possible detections, see the CodeGuru Detector Library.

If Amazon Inspector detects a vulnerability in your Lambda function application code, it produces a Code Vulnerability finding type. This finding type includes a code snippet showing the issue, specifies where this issue is located in the code, and suggests how to remediate the issue. The remediation suggestion includes plug-and-play code blocks that you can use to replace vulnerable lines of code. The suggested code fixes are provided in addition to general code remediation guidance for this finding type.

Code remediation suggestions are powered by automated reasoning and generative artificial intelligence services and might not work as intended. You are responsible for the code remediation suggestions that you adopt. Always review code remediation suggestions before adopting them, as you might need to make edits to ensure that your code performs as intended. For more information, see the Responsible AI Policy.

Encrypting your code in code vulnerability findings

CodeGuru stores code snippets that are detected to be in connection with a code vulnerability finding using Lambda code scanning.

By default, CodeGuru controls the AWS owned key that's used to encrypt your code. However, you can use your own customer managed key for encryption through the Amazon Inspector API. For more information, see Encryption at rest for code in your findings.

Lambda code scanning can be activated with Lambda standard scanning. For instructions on activating a scan type see Activating a scan type.

Excluding functions from Lambda code scanning

To stop receiving alerts that aren't actionable, you can tag Lambda functions that you want to exclude from Lambda code scanning.

When you tag a Lambda function that you want to exclude from Lambda code scanning, use the following key-value pair:

  • Key – InspectorCodeExclusion

  • Value – LambdaCodeScanning

The following procedure describes how to do this in greater detail.

To exclude a function from Lambda code scanning
  1. Sign in using your credentials, and then open the Lambda console at https://console.aws.amazon.com/lambda/.

  2. Select Functions.

  3. From the functions table, select the name of a function that you want to exclude from Amazon Inspector Lambda code scanning.

  4. Choose Configuration, and then choose Tags.

  5. Choose Manage tags, and then choose Add new tag.

  6. In the Key field, enter InspectorCodeExclusion. In the Value field, enter LambdaCodeScanning.

  7. Choose Save to add the tag that excludes your function from Lambda code scanning.

For more information about adding tags in Lambda, see Using tags on Lambda functions in the AWS Lambda Developer Guide.
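The two console procedures above (excluding a function from Lambda standard scanning and from Lambda code scanning) come down to setting one exact key-value tag on the function. The following added example, which is not AWS's code, applies either tag through the Lambda API and audits an account's existing tags for exclusions and for near-miss tags that differ only in case. It assumes Inspector matches the documented key and value exactly (case-sensitively); the function-to-tags sample is constructed, and `set_exclusion` assumes boto3 and credentials.

```python
"""Apply and audit the Amazon Inspector exclusion tags on Lambda functions."""

# Tag pairs exactly as documented for each Lambda scan type.
EXCLUSION_TAGS = {
    "standard": ("InspectorExclusion", "LambdaStandardScanning"),
    "code": ("InspectorCodeExclusion", "LambdaCodeScanning"),
}

# Constructed sample: function name -> tags, in the shape Lambda ListTags returns.
SAMPLE_FUNCTION_TAGS = {
    "orders-api": {"InspectorExclusion": "LambdaStandardScanning"},
    "image-resizer": {"InspectorCodeExclusion": "LambdaCodeScanning", "team": "media"},
    "legacy-cron": {"inspectorexclusion": "LambdaStandardScanning"},  # wrong key case
    "payments": {"env": "prod"},
}


def excluded_scan_types(tags):
    """Scan types this function opts out of (assumes exact, case-sensitive match)."""
    return {scan for scan, (key, value) in EXCLUSION_TAGS.items() if tags.get(key) == value}


def near_miss_tags(tags):
    """Tags that resemble an exclusion tag but will not be honoured as written."""
    misses = []
    for key, value in tags.items():
        if (key, value) in EXCLUSION_TAGS.values():
            continue  # exact pair: honoured, not a near miss
        for exp_key, exp_value in EXCLUSION_TAGS.values():
            if key.lower() == exp_key.lower() or value.lower() == exp_value.lower():
                misses.append((key, value))
                break
    return misses


def audit(function_tags):
    """Map each function name to (excluded scan types, near-miss tags)."""
    return {name: (excluded_scan_types(t), near_miss_tags(t)) for name, t in function_tags.items()}


def set_exclusion(function_arn, scan_type, exclude=True, region="us-east-1"):
    """Add (exclude=True) or remove the documented tag with the Lambda API."""
    import boto3  # imported lazily so the audit helpers run offline
    key, value = EXCLUSION_TAGS[scan_type]
    client = boto3.client("lambda", region_name=region)
    if exclude:
        client.tag_resource(Resource=function_arn, Tags={key: value})
    else:
        client.untag_resource(Resource=function_arn, TagKeys=[key])
```

Removing the tag with `set_exclusion(arn, "standard", exclude=False)` puts the function back in scope once it is invoked or updated again.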