Amazon Inspector for Lambda standard and code scanning

Arijita Mitra

Posted on November 21, 2023

Amazon Inspector, as the name suggests, is a vulnerability management service which scans AWS workloads continuously for software vulnerabilities and unwanted network exposures.

It automatically discovers and scans running EC2 instances, container images in Amazon ECR, and AWS Lambda functions.

It creates a finding when it encounters a vulnerability or network configuration issue.

What is a finding?

  • Describes a vulnerability
  • Identifies the affected resources
  • Provides a rating for the vulnerability
  • Provides guidance for remediation

Key Features of Amazon Inspector

  • Centrally manages multiple Amazon Inspector accounts
  • Regional service
  • Continuously scans for software vulnerabilities and network exposures
  • Assesses the risk accurately and provides a risk score
  • The findings can be customized and downloaded in JSON or CSV format
  • When Amazon Inspector is activated for the first time in any region, it creates a service-linked role globally for the account, AWSServiceRoleForAmazonInspector2. This role will include the trust policies and permissions required for the scanning.
  • Amazon Inspector can be accessed from the AWS Management Console, AWS CLI, AWS SDKs and the Amazon Inspector REST API

This is the page we will see when we first go to Amazon Inspector activation:

Image description

After we activate the Inspector in any region, we see the following dashboard:

Image description

Scanning AWS Lambda functions with Amazon Inspector

Amazon Inspector for Lambda scanning was released for use by AWS in November 2022. It is a fairly new service, and has proved to be a useful one too!

When Lambda scanning is activated, Amazon Inspector creates AWS CloudTrail service-linked channels in the account -

cloudtrail:CreateServiceLinkedChannel, cloudtrail:DeleteServiceLinkedChannel

Amazon Inspector itself manages these channels and uses them for monitoring the CloudTrail events for scans.

The Lambda functions need to meet a few criteria to be eligible for scans -

  • Must have been created or updated in the last 90 days
  • Are not excluded from scans by tags
  • Are marked $LATEST
  • Have a supported runtime

It offers two types of scanning for Lambda -

  1. Amazon Inspector Lambda Standard Scanning
  2. Amazon Inspector Lambda Code Scanning

From the Account Management page, we need to activate the type of scanning we require -

Image description

Image description

So, let’s chalk down the key differences between Standard scanning and Code scanning:

Image description

Currently Lambda code scanning is available for these regions as it is in preview stage -

Image description

Once activated for Lambda scanning, the Inspector will be actively scanning the Lambdas for vulnerabilities in the packages, and in the code (for code scanning).

For the Lambdas which do not support the scans, the reasons will be displayed like this -

Image description

To exclude a Lambda function from standard scanning, we have to tag the function with the following key and value -

Key : InspectorExclusion

Value : LambdaStandardScanning

To exclude a Lambda function from code scanning, we have to tag the function with the following key and value -

Key : InspectorCodeExclusion

Value : LambdaCodeScanning
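
The eligibility criteria and exclusion tags above, turned into a coverage check; this is an added example, not code from the original post. The inventory, the function names and the SUPPORTED_RUNTIMES set are constructed assumptions, and each exclusion tag is evaluated independently, as the article describes them.

```python
from datetime import datetime, timedelta, timezone

# Exclusion tag (key, value) per scan type, as given in the article.
EXCLUSION_TAGS = {
    "standard": ("InspectorExclusion", "LambdaStandardScanning"),
    "code": ("InspectorCodeExclusion", "LambdaCodeScanning"),
}
# Assumption: sample runtime list; the article shows the real one only as an image.
SUPPORTED_RUNTIMES = {"python3.9", "nodejs18.x"}

def scan_gaps(fn, now, runtimes=SUPPORTED_RUNTIMES):
    """Return {scan_type: [reasons the function is not scanned]}; [] means covered."""
    common = []
    if now - fn["last_modified"] > timedelta(days=90):
        common.append("not created or updated in the last 90 days")
    if fn["version"] != "$LATEST":
        common.append("version is not $LATEST")
    if fn["runtime"] not in runtimes:
        common.append("unsupported runtime " + fn["runtime"])
    gaps = {}
    for scan_type, (key, value) in EXCLUSION_TAGS.items():
        tagged = fn["tags"].get(key) == value  # tag keys and values are case-sensitive
        gaps[scan_type] = common + (["excluded by tag " + key] if tagged else [])
    return gaps

def coverage_report(inventory, now):
    """Map function name -> gaps, keeping only functions with at least one gap."""
    report = {}
    for fn in inventory:
        gaps = scan_gaps(fn, now)
        if any(gaps.values()):
            report[fn["name"]] = gaps
    return report

# Constructed inventory (hypothetical names), one record per function.
NOW = datetime(2023, 11, 21, tzinfo=timezone.utc)
INVENTORY = [
    {"name": "orders-api", "runtime": "python3.9", "version": "$LATEST",
     "last_modified": datetime(2023, 10, 30, tzinfo=timezone.utc), "tags": {}},
    {"name": "legacy-report", "runtime": "python3.9", "version": "$LATEST",
     "last_modified": datetime(2023, 5, 1, tzinfo=timezone.utc), "tags": {}},
    {"name": "build-helper", "runtime": "nodejs18.x", "version": "$LATEST",
     "last_modified": datetime(2023, 11, 2, tzinfo=timezone.utc),
     "tags": {"InspectorExclusion": "LambdaStandardScanning"}},
]

if __name__ == "__main__":
    for name, gaps in coverage_report(INVENTORY, NOW).items():
        print(name, gaps)
```

Reviewing this report periodically shows which functions have dropped out of scanning and whether each exclusion tag is still intended.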

Understanding findings in Amazon Inspector

Amazon Inspector stores the findings and they are displayed in the Findings dashboard.

Findings are one of the following types:

Active

The finding is identified by Amazon Inspector and has not been remediated. Active findings are subject to suppression rules.

Suppressed

The finding meets one or more criteria of one or more suppression rules. Suppressed findings are hidden from most views, except for the Suppressed findings list.

Closed

After a vulnerability is remediated, Amazon Inspector automatically detects it and changes the state of the finding to closed. Closed findings are deleted after 30 days if there are no other changes.

For each finding, the file includes details such as the Amazon Resource Name (ARN) of the affected resource, the date and time when the finding was created, the associated Common Vulnerabilities and Exposures (CVE) ID, and the finding’s severity, status, and Amazon Inspector and CVSS scores.

Here, one of my Lambda functions has been scanned and the scanning shows that it is in critical state due to hardcoded credentials in the code. Amazon Inspector will locate the part of the code where the issue lies and also provide a remediation for it.

Disclaimer: Code scanning captures code snippets from the Lambda functions to highlight the detected vulnerabilities. These may show hardcoded credentials or other sensitive information in plain text.

Exporting the findings to S3 Bucket

We can export the findings into an S3 bucket and also download in JSON or CSV format. The steps to be followed are described below:

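Create a bucket, and edit the bucket policy. Add this policy, replacing DOC-EXAMPLE-BUCKET, 111122223333 and Region with your bucket name, your AWS account ID and the Region in which you use Amazon Inspector: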

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allow-inspector",
      "Effect": "Allow",
      "Principal": {
        "Service": "inspector2.amazonaws.com"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:AbortMultipartUpload"
      ],
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:inspector2:Region:111122223333:report/*"
        }
      }
    }
  ]
}

Create a symmetric encryption KMS key and then update its key policy. Add this statement, again replacing 111122223333 and Region with your own account ID and Region:

{
  "Sid": "Allow Amazon Inspector to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": "inspector2.amazonaws.com"
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:SourceAccount": "111122223333"
    },
    "ArnLike": {
      "aws:SourceArn": "arn:aws:inspector2:Region:111122223333:report/*"
    }
  }
}

Then, go to All Findings, and filter for the findings that you would like to export. Fill in the required fields and then click on Export.

Thus, we can see that the object Inspector-findings now has the JSON report of the finding from Amazon Inspector.
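
An added example (not from the original post or from AWS) that lints the bucket and key policies used in the export steps above: it checks that every grant to inspector2.amazonaws.com keeps both source conditions, which limit the service principal to reports created by your own account, and that no template placeholder was left in. The account ID and bucket name are constructed values.

```python
import json

SERVICE = "inspector2.amazonaws.com"
# Template values from the article's policies that must not survive into a real policy.
PLACEHOLDERS = ("DOC-EXAMPLE-BUCKET", "111122223333", ":Region:")

def check_statement(stmt, account_id):
    """Problems in one statement that grants access to the Inspector service principal."""
    principal = stmt.get("Principal")
    services = principal.get("Service", []) if isinstance(principal, dict) else []
    if SERVICE not in (services if isinstance(services, list) else [services]):
        return []  # not an Inspector grant, nothing to check here
    problems = []
    cond = stmt.get("Condition", {})
    if cond.get("StringEquals", {}).get("aws:SourceAccount") != account_id:
        problems.append("aws:SourceAccount missing or not this account")
    arn = str(cond.get("ArnLike", {}).get("aws:SourceArn", ""))
    if not (arn.startswith("arn:aws:inspector2:")
            and arn.endswith(":" + account_id + ":report/*")):
        problems.append("aws:SourceArn missing or not scoped to this account's reports")
    text = json.dumps(stmt)
    problems += ["placeholder left in policy: " + p for p in PLACEHOLDERS if p in text]
    return problems

def check_policy(doc, account_id):
    """Accept a full policy document or a single statement (like the key policy one)."""
    statements = doc.get("Statement", [doc])
    if isinstance(statements, dict):
        statements = [statements]
    return [p for s in statements for p in check_statement(s, account_id)]

def bucket_statement(bucket, account, region, conditions=True):
    """Build the article's bucket policy statement with the given values filled in."""
    stmt = {"Sid": "allow-inspector", "Effect": "Allow",
            "Principal": {"Service": SERVICE},
            "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:AbortMultipartUpload"],
            "Resource": "arn:aws:s3:::" + bucket + "/*"}
    if conditions:
        stmt["Condition"] = {
            "StringEquals": {"aws:SourceAccount": account},
            "ArnLike": {"aws:SourceArn":
                        "arn:aws:inspector2:" + region + ":" + account + ":report/*"}}
    return stmt

# Constructed values: a hypothetical account ID and bucket name.
ACCOUNT = "123456789012"
GOOD = {"Version": "2012-10-17",
        "Statement": [bucket_statement("example-findings-bucket", ACCOUNT, "us-east-1")]}
TEMPLATE = bucket_statement("DOC-EXAMPLE-BUCKET", "111122223333", "Region")
OPEN = bucket_statement("example-findings-bucket", ACCOUNT, "us-east-1", conditions=False)
```

`check_policy(GOOD, ACCOUNT)` returns an empty list, while the unedited template and the statement without a Condition block are both reported.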

Pricing

When we activate an Amazon Inspector scan type, we are automatically enrolled for a 15-day free trial for that scan type. After that, the price is calculated by the total Amazon Inspector coverage hours for the scanned functions within a month. The number of hours means the duration from when the function was discovered by Amazon Inspector until the function was deleted or excluded from scanning.

With Amazon Inspector, we pay only for what we use, with no minimum fees and no upfront commitments!

Thus, we can see that using AWS Inspector helps us to have a secure cloud architecture and this service serves the purpose very efficiently indeed.

Happy learning!
