Introduction
Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. Previously it only supported Amazon EC2 and Amazon ECR (container) scanning. In the end of November 2022 AWS announced Amazon Inspector support for AWS Lambda functions. It's time to look into how it works.
Scanning AWS Lambda functions with Amazon Inspector
Amazon Inspector support for AWS Lambda functions provides unified, continuous, and automated security vulnerability assessments of application package dependencies used in your Lambda function code and layers. In the time of writing it supports 3 runtimes: Java, Python and Node.js. Other runtimes are also planned to be supported in the future.
Amazon Inspector initiates vulnerability scans of Lambda functions in the following situations:
- As soon Amazon Inspector discovers an existing Lambda function.
- When you deploy a new Lambda function to the Lambda service.
- When you update an existing Lambda function.
- When Amazon Inspector adds a new Common Vulnerabilities and Exposures (CVE) item to its database.
- Amazon Inspector monitors each Lambda function throughout its lifetime until it's either deleted or excluded from scanning by a resource tag with the key InspectorExclusion and the value LambdaStandardScanning.
- While Amazon Inspector discovers and scans most Lambda function within minutes, it can take up to an hour to discover and scan all functions. Amazon Inspector re-scans each Lambda function when it is updated and when new CVEs are released.
Activating AWS Lambda function scanning
In the navigation pane of AWS Inspector, expand Settings, and then choose Account management.
In the Account management page, select the accounts for which you would like to activate Lambda function scanning.
Choose Activate to activate Lambda function scanning on those accounts.
Dashboard with results
When working on the AWS Snap Start series I wrote a bunch of Lambda functions in Java, so now I let them scan by AWS Inspector.
This is how the summary looks like
In the "Critical findings" section we see that 9 criticals have been found and below in the "Risk based remediation" section we see the package names with the number of critical and all vulnerabilities.
In the "Environment coverage" section we see, that only 66% (14 of 21) Lambda functions have been scanned. By clicking on the percentage we'll see a more detailed overview of (not) scanning Lambda functions
The reasons for several functions not being scanned is that I used the currently not supported runtime (Custom Runtime with GraaVM native image). One Lambda function was additionally tagged with the tag InspectorExclusion=LambdaStandardScanning to be skipped during the scanning. Generally I found it not very comfortable to define tags on the Lambda function itself to avoid being scanned by AWS Inspector. Much more comfortable solution on my opinion would be to define scanning conditions within the AWS Inspector itself, like: all Lambdas, by CloudFormation stacks or by Tags.
In order to view the concrete detected vulnerabilities we can either go via menu "All findings" or via menu "By Lambda function" and then select the concrete Lambda function like this
We see the last scan time, the number of critical, high and medium vulnerabilities and the concrete title and type of the vulnerability. Let's dive deeper into one of it with the CVE-2021-29425 - commons-io:commons-io. By selecting it, we receive some additional information
The most important information is whether the fix and exploit are already available, the installed version of the package and the version which contains the fix (in case one is available).
If we scroll down, we see some additional information like this
containing remediation action (in this case upgrade the package), vulnerabilities details like the ID in the National Vulnerability Database, AWS Inspector own score (they also take the context into the account like network accessibility) and some other useful details.
After we have deployed the fix for some particular vulnerability, it usually takes between seconds and several minutes for AWS Inspector to update the results in the dashboard and menu.
Amazon Inspector pricing especially for AWS Lambda standard scans can be found here
Conclusions
In this article we looked at the functionality on the Amazon Inspector for AWS Lambda functions, how the scanning functions can be activated. After that we looked into scan results and what information it provides to us to remediate the detected vulnerabilities. Of course there are other tools available in this area like OWASP Dependency-Check or Snyk which are mostly designed to be integrated in CI/CD process. Ideally you need both : scan during the CI/CD and then scan the deployed solution. I won't provide any comparison of those, but would like to mention that I personally found it very comfortable in AWS Inspector to have all scanning results (EC2, ECR and Lambda) in one place and also the fact that AWS Inspector takes the context network accessibility into the account like.
Oldest comments (0)