Amazon Inspector introduces support for AWS Lambda Code Scans (June 2023)
With vulnerability risks and security concerns growing, AWS has extended Amazon Inspector to perform code scans for AWS Lambda functions, adding a layer of security by detecting and reporting injection flaws, data leaks, weak cryptography, missing encryption and other deviations from AWS security best practices.
Let’s look at each component involved here:
Amazon Inspector
It is a vulnerability management service that continuously scans AWS workloads for software and code vulnerabilities, and for unintended network exposure, across an AWS Organization.
The major workloads supported were EC2 instances and containers; support for Lambda functions was added starting June 2023.
AWS Lambda Functions
It is a compute service that lets users run code without provisioning or managing the underlying infrastructure. Lambda runs the deployed code in a highly available environment and takes care of the administrative work around servers, the operating system, capacity and scaling.
Amazon Inspector’s Workload Discovery
Once Amazon Inspector is enabled, the “Discover” part of the service automatically discovers the AWS workloads for which scanning is supported.
Amazon Inspector's Lambda Code Scanning
Once the Lambda function workloads are discovered, they are continuously scanned against the vulnerability database and near-real-time findings are generated.
Currently a limited set of programming languages is supported; the list can be found on the page below.
Amazon Inspector’s Lambda scans are of two types:
- Amazon Inspector Lambda standard scanning: scanning is limited to application dependencies and layers, which are checked for package vulnerabilities
- Amazon Inspector Lambda code scanning: custom code and layers are scanned for code vulnerabilities
How to enable Lambda Scanning
Step 1:
Log in to your AWS administrator account and select the region in which you want to enable Lambda scans.
Step 2:
Navigate to Settings → Account Management
Step 3:
On the Account Management page, select all accounts for which Lambda scanning needs to be enabled and click Activate.
Step 4:
Select Lambda standard scanning, or Lambda standard scanning + Lambda code scanning.
Step 5:
Repeat these steps for any other region in which Lambda scans need to be enabled.
You are now all set: all eligible Lambda functions will be discovered and continuously scanned with the selected scan type.
Excluding Certain Lambda Functions from Being Scanned
At times we have proprietary or confidential code that we do not want scanned, or legacy code for which we have decided to ignore issues until it is rewritten.
For such Lambda functions there is a very simple configuration step to skip them from the scans: add a tag to the Lambda function with the values below.
Key: InspectorCodeExclusion
Value: LambdaCodeScanning
Scan Results and Action on findings
For all scanned resources, findings are aggregated in the Amazon Inspector console and routed to Security Hub as well. All findings carry contextualized risk scores based on CVE information together with environmental factors such as network reachability and exploitability.
Irrelevant findings, accepted risks and false positives can be suppressed using suppression rules.
Findings can be pushed through Amazon EventBridge to trigger automated workflows such as remediation, disabling a service, generating tickets or sending notifications.
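As an added example (not code from the original post or from AWS), the following Python module shows the EventBridge side of that automation: a rule pattern that matches only Lambda code-scan findings, and a triage function that turns an active high-severity finding into a ticket-ready summary while ignoring closed, low-severity or package findings. The event field names are assumed to follow the Inspector2 finding event schema (verify them against events in your own account), and the function name, ARNs and file location in the sample event are constructed.

```python
"""Triage Amazon Inspector Lambda code-scan findings delivered via EventBridge."""
from typing import Optional

# EventBridge rule pattern that matches only Lambda code-scan findings (assumed
# field names follow the Inspector2 finding event; verify against your account).
EVENT_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {"type": ["CODE_VULNERABILITY"],
               "resources": {"type": ["AWS_LAMBDA_FUNCTION"]}},
}
ACTIONABLE = {"CRITICAL", "HIGH"}  # severities worth opening a ticket for

def summarize_finding(event: dict) -> Optional[dict]:
    """Return a ticket-ready summary for an active, actionable Lambda code finding,
    or None when the event should be ignored (closed, low severity, package
    finding, or not a Lambda resource). Usable as the Lambda handler body."""
    d = event.get("detail", {})
    if d.get("type") != "CODE_VULNERABILITY" or d.get("status") != "ACTIVE":
        return None
    if d.get("severity") not in ACTIONABLE:
        return None
    fns = [r["id"] for r in d.get("resources", []) if r.get("type") == "AWS_LAMBDA_FUNCTION"]
    if not fns:
        return None
    code = d.get("codeVulnerabilityDetails", {})
    path = code.get("filePath", {})
    return {
        "function": fns[0],
        "severity": d["severity"],
        "title": d.get("title", ""),
        "location": f"{path.get('fileName', '?')}:{path.get('startLine', '?')}-{path.get('endLine', '?')}",
        "cwes": code.get("cwes", []),
        "finding_arn": d.get("findingArn", ""),
    }

# Constructed sample event (not a real finding) so the module runs offline.
SAMPLE_EVENT = {"source": "aws.inspector2", "detail-type": "Inspector2 Finding", "detail": {
    "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/EXAMPLE",
    "type": "CODE_VULNERABILITY", "status": "ACTIVE", "severity": "HIGH",
    "title": "CWE-89 - SQL injection",
    "resources": [{"type": "AWS_LAMBDA_FUNCTION",
                   "id": "arn:aws:lambda:us-east-1:111122223333:function:orders-api"}],
    "codeVulnerabilityDetails": {"filePath": {"fileName": "app.py", "startLine": 42, "endLine": 44},
                                 "cwes": ["CWE-89"]}}}

if __name__ == "__main__":
    print(summarize_finding(SAMPLE_EVENT))
```

Deploy `summarize_finding` as the EventBridge target and replace the final print with your ticketing or notification call; findings suppressed in Inspector are not delivered as active events, so suppression rules and this filter complement each other.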
Conclusion:
This is a very useful capability that enhances vulnerability detection and mitigation for Lambda functions, helping teams build highly secure and robust applications that are continuously kept up to date against new risks and attacks.