
πŸ›‘οΈ AWS Inspector Lambda Code Scanning is not enabled🟒

  • Contextual name: πŸ›‘οΈ Inspector Lambda Code Scanning is not enabled🟒
  • ID: /ce/ca/aws/inspector/lambda-code-scanning
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description

This policy identifies AWS accounts where Amazon Inspector Lambda Code Scanning is not enabled.

Amazon Inspector provides two scanning modes for AWS Lambda functions: Standard Scanning, which analyzes function dependencies, and Code Scanning, which performs static analysis on custom application code. This policy ensures that the Lambda Code Scanning capability is enabled to detect vulnerabilities within function source code.

Rationale

Enabling Amazon Inspector Lambda Code Scanning provides the following benefits:

  1. Static Application Security Testing (SAST): Automatically analyzes Python, Java, and Node.js function code to identify security vulnerabilities.
  2. Detection of Insecure Coding Patterns: Identifies common weaknesses such as improper input validation, cross-site scripting (XSS), and path injection.
  3. Hardcoded Secret Detection: Detects embedded sensitive information, including API keys, tokens, and database credentials.
  4. Shift-Left Security: Continuously evaluates deployed code, enabling early identification of newly introduced risks or vulnerabilities as scanning rules evolve.


Remediation

Enable Amazon Inspector Lambda Code Scanning

If you are the delegated administrator for an AWS Organization, you can centrally enable Amazon Inspector scan types across multiple accounts and Regions using the AWS CLI and automation scripts. For additional guidance, refer to the inspector2-enablement-with-cli repository on GitHub.

From Console

To activate Amazon Inspector Lambda Code Scanning:

  1. Open the Amazon Inspector console: https://console.aws.amazon.com/inspector/v2/home

  2. Using the AWS Region selector in the upper-right corner, select the Region where your Lambda functions are deployed.

  3. In the navigation pane, choose Account management.

  4. Select the account(s) for which you want to enable a scan type.

  5. Choose Activate, then select AWS Lambda Standard scanning + AWS Lambda Code scanning.

  6. Repeat these steps in each AWS Region that hosts Lambda functions to ensure comprehensive coverage.
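The same check and remediation through the Inspector2 API, as an added example that is not the page's policy.yaml or AWS's own code: it assumes boto3 credentials for the delegated administrator in the target Region, and the status response it evaluates is a constructed sample, not real AWS output.

```python
"""Check and remediate Inspector Lambda code scanning via the Inspector2 API."""


# Inspector reports a status per scan type; only ENABLED satisfies the policy.
COMPLIANT = {"ENABLED"}
IN_PROGRESS = {"ENABLING"}  # activation pending: re-check later, do not re-enable


def noncompliant_accounts(status_response: dict) -> list[str]:
    """Return account IDs whose lambdaCode scan status is not ENABLED.

    `status_response` has the shape returned by inspector2 BatchGetAccountStatus.
    A missing lambdaCode key means the scan type was never activated; accounts
    Inspector could not query (failedAccounts) are flagged too, since their
    state is unknown.
    """
    flagged = set()
    for acct in status_response.get("accounts", []):
        state = acct.get("resourceState", {}).get("lambdaCode", {})
        status = state.get("status", "DISABLED")
        if status not in COMPLIANT and status not in IN_PROGRESS:
            flagged.add(acct["accountId"])
    for failed in status_response.get("failedAccounts", []):
        flagged.add(failed["accountId"])
    return sorted(flagged)


def enable_lambda_code_scanning(account_ids: list[str], region: str) -> dict:
    """Activate Lambda standard + code scanning; code scanning depends on standard."""
    import boto3  # imported here so the pure check above runs without boto3

    client = boto3.client("inspector2", region_name=region)
    # Same pair the console offers: "AWS Lambda Standard scanning + AWS Lambda Code scanning".
    return client.enable(accountIds=account_ids, resourceTypes=["LAMBDA", "LAMBDA_CODE"])


# Constructed sample response (not real AWS output) covering the cases above.
SAMPLE_STATUS = {
    "accounts": [
        {"accountId": "111111111111", "resourceState": {"lambdaCode": {"status": "ENABLED"}}},
        {"accountId": "222222222222", "resourceState": {"lambdaCode": {"status": "DISABLED"}}},
        {"accountId": "333333333333", "resourceState": {"lambda": {"status": "ENABLED"}}},
        {"accountId": "444444444444", "resourceState": {"lambdaCode": {"status": "ENABLING"}}},
    ],
    "failedAccounts": [{"accountId": "555555555555", "errorCode": "ACCESS_DENIED"}],
}

if __name__ == "__main__":
    for account in noncompliant_accounts(SAMPLE_STATUS):
        print(f"Lambda code scanning not enabled: {account}")
```

Run the check per Region, since Inspector activation is Regional; enable_lambda_code_scanning only needs to be called for the accounts the check returns.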

Linked Framework Sections

| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Inspector.3] Amazon Inspector Lambda code scanning should be enabled | | | 1 | | no data |
| 💼 Cloudaware Framework → 💼 Threat Protection | | | 48 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking to newly discovered security vulnerabilities. | | | 2 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws. | | | 5 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.2 Buffer overflows. | | | 5 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.3 Insecure cryptographic storage. | | | 5 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.4 Insecure communications. | | | 5 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.5 Improper error handling. | | | 5 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.6 All "high risk" vulnerabilities identified in the vulnerability identification process. | | | 5 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.7 Cross-site scripting (XSS). | | | 5 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.8 Improper access control. | | | 5 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.9 Cross-site request forgery (CSRF). | | | 5 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.10 Broken authentication and session management. | | | 5 | | no data |
| 💼 PCI DSS v4.0.1 → 💼 6.2.4 Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software. | | | 5 | | no data |
| 💼 PCI DSS v4.0.1 → 💼 6.3.1 Security vulnerabilities are identified and managed. | | | 2 | | no data |
| 💼 PCI DSS v4.0 → 💼 6.2.4 Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software. | | | 5 | | no data |
| 💼 PCI DSS v4.0 → 💼 6.3.1 Security vulnerabilities are identified and managed. | | | 2 | | no data |