Scanning AWS Lambda functions with Amazon Inspector
Amazon Inspector Lambda code scanning is in preview release. Your use of the Lambda code scanning feature is subject to Section 2 of the AWS Service Terms.
Amazon Inspector support for AWS Lambda functions provides continuous, automated security vulnerability assessments for Lambda functions and layers. Amazon Inspector offers two types of scanning for Lambda. These scan types look for different types of vulnerabilities.
- Amazon Inspector Lambda standard scanning: This is the default Lambda scan type. Lambda standard scanning scans the application dependencies within a Lambda function and its layers for package vulnerabilities. For more information, see Lambda standard scanning.
- Amazon Inspector Lambda code scanning: This scan type scans the custom application code in your functions and layers for code vulnerabilities. You can either activate Lambda standard scanning alone, or activate Lambda standard scanning together with Lambda code scanning. For more information, see Amazon Inspector Lambda code scanning.
When you activate Lambda scanning, Amazon Inspector creates AWS CloudTrail service-linked channels in your account using the following CloudTrail actions:
- cloudtrail:CreateServiceLinkedChannel
- cloudtrail:DeleteServiceLinkedChannel
Amazon Inspector manages these channels and uses them to monitor your CloudTrail events for scans. For more information about service-linked channels, see Viewing service-linked channels for CloudTrail by using the AWS CLI.
Note
The service-linked channels created by Amazon Inspector let you see CloudTrail events in your account as if you had a CloudTrail trail; however, we recommend that you create your own CloudTrail trail to manage events for your account.
You can review findings generated by scans on the Amazon Inspector console at https://console.aws.amazon.com/inspector/
Scan behaviors for Lambda function scanning
Upon activation, Amazon Inspector scans all Lambda functions invoked or updated in the last 90 days in your account. Amazon Inspector initiates vulnerability scans of Lambda functions in the following situations:
- As soon as Amazon Inspector discovers an existing Lambda function.
- When you deploy a new Lambda function to the Lambda service.
- When you update the application code or dependencies of an existing Lambda function or its layers.
- Whenever Amazon Inspector adds a new common vulnerabilities and exposures (CVE) item to its database, and that CVE is relevant to your function.
Amazon Inspector monitors each Lambda function throughout its lifetime until it's either deleted or excluded from scanning.
You can check when a Lambda function was last checked for vulnerabilities from the Lambda functions tab on the Account management page, or by using the ListCoverage API. Amazon Inspector updates the Last scanned at field in response to the following events:
- When Amazon Inspector completes an initial scan of a Lambda function.
- When a Lambda function is updated.
- When Amazon Inspector re-scans a Lambda function because a new CVE item impacting that function was added to the Amazon Inspector database.
Supported runtimes and eligible functions
For a list of runtimes Amazon Inspector supports for Lambda scanning, see Supported programming languages: AWS Lambda function scanning.
In addition to having a supported runtime, a Lambda function needs to meet the following criteria to be eligible for Amazon Inspector scans:
- The function has been invoked or updated in the last 90 days.
- The function is marked $LATEST.
- The function isn't excluded from scans by tags.
Note
Lambda functions that haven't been invoked or modified in the last 90 days are automatically excluded from scans. Amazon Inspector will resume scanning an automatically excluded function if it is invoked again or if changes are made to the Lambda function code.
Amazon Inspector Lambda standard scanning
Amazon Inspector Lambda standard scanning identifies software vulnerabilities in the application package dependencies used in your Lambda function code and layers. For example, if your Lambda function uses a version of the python-jwt package with a known vulnerability, Lambda standard scanning will generate a finding for that function.
If Amazon Inspector detects a vulnerability in your Lambda function application package dependencies, Amazon Inspector produces a detailed Package Vulnerability type finding.
Activating Lambda standard scanning
When you activate Lambda standard scanning, Amazon Inspector scans all eligible functions in an account. For information about excluding functions, see Excluding functions from Lambda standard scanning.
To complete this procedure for a multi-account environment, follow these steps while signed in as the Amazon Inspector delegated administrator.
- Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.
- Using the AWS Region selector in the upper-right corner of the page, select the Region where you want to activate Lambda standard scanning.
- In the navigation pane, choose Settings, and then choose Account management.
- On the Account management page, select the accounts for which you would like to activate Lambda standard scanning.
- Choose Activate and select AWS Lambda standard scanning.
- (Recommended) Repeat these steps in each AWS Region for which you want to activate Lambda standard scanning.
Excluding functions from Lambda standard scanning
You can tag certain functions to exclude them from Amazon Inspector Lambda standard scans. Excluding functions from scans can help prevent unactionable alerts.
To exclude a Lambda function from Lambda standard scanning, tag the function with the following key-value pair:
- Key: InspectorExclusion
- Value: LambdaStandardScanning
To exclude a function from Lambda standard scanning
- Log in to the Lambda console at https://console.aws.amazon.com/lambda/.
- Select Functions.
- From the functions table, select the name of a function that you would like to exclude from Amazon Inspector Lambda standard scanning.
- Select Configuration and choose Tags from the menu.
- Select Manage tags, and then Add new tag.
- In the Key field, enter InspectorExclusion, then, in the Value field, enter LambdaStandardScanning.
- Select Save to add the tag and exclude your function from Amazon Inspector Lambda standard scanning.
For more information about adding tags in Lambda, see Using tags on Lambda functions.
Deactivating Lambda standard scanning
You can deactivate Lambda standard scanning at any time. Deactivating all scan types for an account deactivates Amazon Inspector for that account in that AWS Region. For more information, see Deactivating Amazon Inspector.
Note
Deactivating Amazon Inspector Lambda standard scanning will also deactivate Amazon Inspector Lambda code scanning.
To deactivate Lambda standard scanning
To complete this procedure for a multi-account environment, follow these steps while signed in as the Amazon Inspector delegated administrator. Member accounts can't deactivate scans.
- Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.
- Using the AWS Region selector in the upper-right corner of the page, select the Region where you want to deactivate scans.
- In the navigation pane, choose Settings, and then choose Account management.
- Choose the Accounts tab to show the scanning status of an account.
- Select the check box of each account for which you want to deactivate scans.
- Choose Actions, and, from the Deactivate options, select AWS Lambda standard scanning.
Amazon Inspector Lambda code scanning
Important
Code scanning captures code snippets from Lambda functions to highlight detected vulnerabilities. These snippets may show hardcoded credentials or other sensitive materials in plaintext.
Amazon Inspector Lambda code scanning scans the custom application code within a Lambda function for code vulnerabilities based on AWS security best practices. Lambda code scanning can detect injection flaws, data leaks, weak cryptography, or missing encryption in your code. For information about the available Regions, see Region-specific feature availability.
Lambda standard scanning is a feature that evaluates the application package dependencies used in a function for common vulnerabilities and exposures (CVE). You can activate Lambda code scanning together with Lambda standard scanning.
Amazon Inspector evaluates your Lambda function application code using automated reasoning and machine learning that analyze your application code for overall security compliance. It identifies policy violations and vulnerabilities based on internal detectors developed in collaboration with Amazon CodeGuru. For a list of possible detections, see the CodeGuru Detector Library.
If Amazon Inspector detects a vulnerability in your Lambda function application code, Amazon Inspector produces a detailed Code Vulnerability type finding. This finding type includes the issue's exact location in the code, a code snippet showing the issue, and an actionable recommendation to remediate the vulnerability.
Activating Lambda code scanning
When you activate Lambda code scanning, Amazon Inspector scans all eligible functions in an account. For information about excluding functions, see Excluding functions from Lambda code scanning.
To complete this procedure for a multi-account environment, follow these steps while signed in as the Amazon Inspector delegated administrator.
- Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.
- Using the AWS Region selector in the upper-right corner of the page, select the Region where you want to activate Lambda code scanning.
- In the navigation pane, choose Settings, and then choose Account management.
- On the Account management page, select the accounts for which you would like to activate Lambda code scanning.
- Choose Activate and select Lambda standard scanning + Lambda code scanning.
- (Recommended) Repeat these steps in each AWS Region for which you want to activate Lambda code scanning.
Excluding functions from Lambda code scanning
You can tag certain functions to exclude them from Amazon Inspector Lambda code scans. Excluding functions from scans can help prevent unactionable alerts.
To exclude a Lambda function from Amazon Inspector Lambda code scans, tag the function with the following key-value pair:
- Key: InspectorCodeExclusion
- Value: LambdaCodeScanning
To exclude a function from Lambda code scanning
- Log in to the Lambda console at https://console.aws.amazon.com/lambda/.
- Select Functions.
- From the functions table, select the name of a function that you would like to exclude from Amazon Inspector Lambda code scanning.
- Select Configuration and choose Tags from the menu.
- Select Manage tags, and then Add new tag.
- In the Key field, enter InspectorCodeExclusion, then, in the Value field, enter LambdaCodeScanning.
- Select Save to add the tag and exclude your function from Amazon Inspector Lambda code scanning.
For more information about adding tags in Lambda, see Using tags on Lambda functions.
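The eligibility criteria under "Supported runtimes and eligible functions" and the two exclusion tags documented above combine into a small decision rule. The following added example (not AWS's or Amazon Inspector's own code) applies that rule to a constructed inventory so you can spot functions that have silently dropped out of coverage; the last-invocation timestamp is an assumed field you must source yourself (for instance from CloudWatch metrics), since it is not a Lambda API attribute.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Exclusion tag pairs documented on this page, one per scan type.
STANDARD_EXCLUSION = ("InspectorExclusion", "LambdaStandardScanning")
CODE_EXCLUSION = ("InspectorCodeExclusion", "LambdaCodeScanning")
ACTIVITY_WINDOW = timedelta(days=90)  # invoked or updated within 90 days
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current" time


@dataclass
class LambdaFunction:
    name: str
    version: str            # Amazon Inspector scans only the $LATEST version
    last_invoked: datetime  # assumed field: source it from your own telemetry
    last_modified: datetime
    tags: dict = field(default_factory=dict)


def scan_coverage(fn: LambdaFunction, now: datetime, code_scanning_on: bool) -> dict:
    """Apply the page's eligibility rules; say which scan types cover fn and why not."""
    reasons = []
    active = max(fn.last_invoked, fn.last_modified) >= now - ACTIVITY_WINDOW
    if not active:
        reasons.append("not invoked or updated in the last 90 days")
    if fn.version != "$LATEST":
        reasons.append("only $LATEST is scanned")
    eligible = active and fn.version == "$LATEST"
    std_excluded = fn.tags.get(STANDARD_EXCLUSION[0]) == STANDARD_EXCLUSION[1]
    code_excluded = fn.tags.get(CODE_EXCLUSION[0]) == CODE_EXCLUSION[1]
    if std_excluded: reasons.append("tagged %s=%s" % STANDARD_EXCLUSION)
    if code_excluded: reasons.append("tagged %s=%s" % CODE_EXCLUSION)
    # The page documents the two tags separately, so each gates only its own scan type.
    return {"standard": eligible and not std_excluded,
            "code": eligible and code_scanning_on and not code_excluded,
            "reasons": reasons}


def sample_inventory():
    """Constructed sample functions, one per eligibility outcome."""
    day = timedelta(days=1)
    return [
        LambdaFunction("api-handler", "$LATEST", NOW - 3 * day, NOW - 40 * day),
        LambdaFunction("nightly-report", "$LATEST", NOW - 120 * day, NOW - 200 * day),
        LambdaFunction("legacy-etl", "$LATEST", NOW - day, NOW - day,
                       {"InspectorExclusion": "LambdaStandardScanning"}),
        LambdaFunction("pinned-v3", "3", NOW - day, NOW - day),
    ]


if __name__ == "__main__":
    for fn in sample_inventory():
        print(fn.name, scan_coverage(fn, NOW, code_scanning_on=True))
```

Feed it your real inventory and alert on any function whose "standard" result is False but that is still in production, since such a function receives no package vulnerability findings at all.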
Deactivating Lambda code scanning
You can deactivate Lambda code scanning at any time. Deactivating all scan types for an account deactivates Amazon Inspector for that account in that AWS Region. For more information, see Deactivating Amazon Inspector.
To deactivate Lambda code scanning
To complete this procedure for a multi-account environment, follow these steps while signed in as the Amazon Inspector delegated administrator. Member accounts can't deactivate scans.
- Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.
- Using the AWS Region selector in the upper-right corner of the page, select the Region where you want to deactivate scans.
- In the navigation pane, choose Settings, and then choose Account management.
- Choose the Accounts tab to show the scanning status of an account.
- Select the check box of each account for which you want to deactivate scans.
- Choose Actions, and, from the Deactivate options, select Amazon Inspector Lambda code scanning.