
πŸ›‘οΈ AWS Inspector Lambda Standard Scanning is not enabled🟒

  • Contextual name: 🛡️ Inspector Lambda Standard Scanning is not enabled 🟢
  • ID: /ce/ca/aws/inspector/lambda-standard-scanning
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Description

This policy identifies AWS accounts where Amazon Inspector Lambda Standard Scanning is not enabled.

Amazon Inspector provides automated vulnerability management for AWS Lambda functions. Standard scanning covers application package dependencies: third-party libraries and packages bundled in the function's deployment package or supplied through attached Lambda layers. It does not analyze the function's own application code; that is the separate Lambda code scanning type, which is outside the scope of this policy.

Rationale​

Enabling Amazon Inspector Lambda Standard Scanning provides the following benefits:

  1. Dependency Analysis: Scans software packages (such as npm, pip, and Maven dependencies) for known Common Vulnerabilities and Exposures (CVEs).
  2. Lambda Layer Coverage: Evaluates AWS Lambda layers associated with functions to identify vulnerable components.
  3. Continuous Monitoring: Automatically re-scans functions when code changes occur or when new vulnerabilities are added to the Inspector vulnerability database.
  4. Contextual Risk Prioritization: Ranks findings based on environmental and configuration context within the serverless runtime.


Remediation

Enable Amazon Inspector Lambda Standard Scanning

If you are the delegated administrator for an AWS Organization, you can centrally enable Amazon Inspector scan types across multiple accounts and Regions using the AWS CLI and automation scripts. For additional guidance, refer to the inspector2-enablement-with-cli repository on GitHub.

From Console

To activate Amazon Inspector Lambda Standard Scanning:

  1. Open the Amazon Inspector console: https://console.aws.amazon.com/inspector/v2/home

  2. Use the AWS Region selector in the upper-right corner to select the Region where your Lambda functions are deployed.

  3. In the navigation pane, choose Account management.

  4. Select the account(s) for which you want to enable a scan type.

  5. Choose Activate, then select Lambda Standard Scanning.

  6. Repeat these steps in each AWS Region that hosts Lambda functions to ensure full coverage across your environment.
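The console procedure above, as an added example that is not part of the original page, Cloudaware's policy logic, or the AWS sample repository: a Python script using boto3 that walks every Inspector Region, reports accounts whose Lambda standard scanning status is not ENABLED (the condition this policy flags), and, when run with --fix, calls inspector2 enable with resourceTypes=["LAMBDA"] so that only this scan type is changed. The account IDs, the sample status response, and the helper names (lambda_scanning_gaps, enable_lambda_scanning) are constructed for illustration; batch_get_account_status, enable, and get_available_regions are real boto3/inspector2 calls.

```python
"""Check and enable Amazon Inspector Lambda standard scanning in every Region.

Added example, not Cloudaware's policy logic or AWS sample code. Assumes the
caller holds inspector2:BatchGetAccountStatus and inspector2:Enable and, for
member accounts, is the Inspector delegated administrator.
"""
from __future__ import annotations

import sys
from typing import Iterable

# Constructed sample that mimics inspector2.batch_get_account_status() output.
# Only resourceState.lambda.status matters for this policy; the other scan
# types are included so the shape is realistic.
SAMPLE_STATUS = {
    "accounts": [
        {"accountId": "111111111111",
         "resourceState": {"ec2": {"status": "ENABLED"},
                           "ecr": {"status": "ENABLED"},
                           "lambda": {"status": "ENABLED"},
                           "lambdaCode": {"status": "DISABLED"}},
         "state": {"status": "ENABLED"}},
        {"accountId": "222222222222",
         "resourceState": {"ec2": {"status": "ENABLED"},
                           "ecr": {"status": "DISABLED"},
                           "lambda": {"status": "DISABLED"},
                           "lambdaCode": {"status": "DISABLED"}},
         "state": {"status": "ENABLED"}},
        {"accountId": "333333333333",
         "resourceState": {"ec2": {"status": "DISABLED"},
                           "ecr": {"status": "DISABLED"},
                           "lambda": {"status": "SUSPENDED"},
                           "lambdaCode": {"status": "DISABLED"}},
         "state": {"status": "SUSPENDED"}},
    ],
    "failedAccounts": [],
}


def lambda_scanning_gaps(status_response: dict) -> list[str]:
    """Return account IDs whose Lambda standard scanning status is not ENABLED.

    ENABLING counts as a gap as well: a compliance report should not treat an
    in-progress activation as done, and re-requesting enable() is idempotent.
    """
    gaps = []
    for account in status_response.get("accounts", []):
        lambda_state = account.get("resourceState", {}).get("lambda", {})
        if lambda_state.get("status") != "ENABLED":
            gaps.append(account["accountId"])
    return sorted(gaps)


def enable_lambda_scanning(client, account_ids: Iterable[str]) -> dict:
    """Request Lambda standard scanning (resource type LAMBDA) for accounts.

    EC2, ECR and LAMBDA_CODE settings are left untouched. Returns the enable()
    response; its failedAccounts list carries per-account errors (for example
    a suspended account).
    """
    ids = list(account_ids)
    if not ids:
        return {"accounts": [], "failedAccounts": []}
    return client.enable(resourceTypes=["LAMBDA"], accountIds=ids)


def main(account_ids: list[str], dry_run: bool = True) -> int:
    """Walk every Inspector Region; print gaps and optionally fix them."""
    import boto3  # imported here so the pure helpers stay importable offline
    from botocore.exceptions import ClientError, EndpointConnectionError

    session = boto3.session.Session()
    # Without explicit IDs, batch_get_account_status reports the caller's account.
    kwargs = {"accountIds": account_ids} if account_ids else {}
    total_gaps = 0
    for region in session.get_available_regions("inspector2"):
        client = session.client("inspector2", region_name=region)
        try:
            status = client.batch_get_account_status(**kwargs)
        except (ClientError, EndpointConnectionError) as exc:
            print(f"{region}: skipped ({exc})")  # e.g. opt-in Region not enabled
            continue
        gaps = lambda_scanning_gaps(status)
        total_gaps += len(gaps)
        print(f"{region}: Lambda standard scanning missing in {gaps or 'no accounts'}")
        if gaps and not dry_run:
            result = enable_lambda_scanning(client, gaps)
            for failed in result.get("failedAccounts", []):
                print(f"  {failed['accountId']}: {failed.get('errorMessage')}")
    return total_gaps


if __name__ == "__main__":
    # Usage: python inspector_lambda_scan.py [ACCOUNT_ID ...] [--fix]
    ids = [a for a in sys.argv[1:] if a != "--fix"]
    sys.exit(1 if main(ids, dry_run="--fix" not in sys.argv) else 0)
```

Run it without --fix first: the non-zero exit code doubles as a check you can wire into a pipeline. Enabling only the LAMBDA resource type matters in organizations where other scan types are deliberately left off, because a blanket enable() with every resource type would silently change them too.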

policy.yaml

Linked Framework Sections

| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Inspector.4] Amazon Inspector Lambda standard scanning should be enabled | | | 1 | | no data |
| 💼 Cloudaware Framework → 💼 Threat Protection | | | 48 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking to newly discovered security vulnerabilities. | | | 2 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws. | | | 5 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.2 Buffer overflows. | | | 5 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.3 Insecure cryptographic storage. | | | 5 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.4 Insecure communications. | | | 5 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.5 Improper error handling. | | | 5 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.6 All “high risk” vulnerabilities identified in the vulnerability identification process. | | | 5 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.7 Cross-site scripting (XSS). | | | 5 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.8 Improper access control. | | | 5 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.9 Cross-site request forgery (CSRF). | | | 5 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 6.5.10 Broken authentication and session management. | | | 5 | | no data |
| 💼 PCI DSS v4.0.1 → 💼 6.2.4 Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software. | | | 5 | | no data |
| 💼 PCI DSS v4.0.1 → 💼 6.3.1 Security vulnerabilities are identified and managed. | | | 2 | | no data |
| 💼 PCI DSS v4.0 → 💼 6.2.4 Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software. | | | 5 | | no data |
| 💼 PCI DSS v4.0 → 💼 6.3.1 Security vulnerabilities are identified and managed. | | | 2 | | no data |