Amazon Inspector, AWS's automated vulnerability management service that continuously scans AWS workloads for known software vulnerabilities, now supports scanning AWS Lambda functions.
Amazon Inspector can scan both AWS Lambda functions and Lambda layers that use the Java, Node.js and Python runtimes.
Need for vulnerability checks
Our code usually depends on many packages installed through different package managers, and any of those packages can carry a known vulnerability. Updating to a newer version resolves most of them, but you may still have transitive dependencies that remain vulnerable. The best way to stay on top of this is to scan your codebase regularly so that serious issues are caught before they are exploited.
For serverless workloads specifically, until now we had to rely on a third-party tool for this kind of scanning; now it is possible with Amazon Inspector.
Enabling Inspector
First, enable Amazon Inspector for your AWS account. Lambda scanning is activated as its own resource type, alongside EC2 and ECR, so check that it is switched on for the account you want to cover.
Your first scan
Once enabled, allow Amazon Inspector a few minutes to scan your resources: Amazon EC2 instances, Amazon ECR images and now AWS Lambda functions and Lambda layers.
After the scan completes you can view the findings on the Inspector dashboard.
[Fun Fact] As you can see, I don't have a single EC2 instance running on this AWS Account.
Scanned findings
Inspector found that 9 of my Lambda functions had vulnerabilities at critical, high and medium severity.
If you click on one of the functions, you get a summary of the vulnerabilities in that specific AWS Lambda function, including those introduced by an AWS Lambda layer the function uses.
Let's dive into the finding
One of the vulnerabilities is in the axios npm package.
The finding gives details about the axios package, including the affected version and the version in which the issue is fixed.
Inspector provides the complete details of the vulnerability along with a link to the National Vulnerability Database (NVD) entry.
Alongside the details, you can also see how to fix it with the available remediation.
In this case, the remediation is to update the axios version.
To help judge how serious a finding is, both the NVD score and Inspector's own score are shown.
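The dashboard view above is fine for a handful of functions, but once findings accumulate you want them as data: which function, which package, which version actually clears every CVE against that package, and whether the vulnerable copy came from a layer rather than the function's own bundle. The script below is an added example and is not code from the original post or from AWS. It pages through the inspector2 ListFindings API with the Lambda-only filter and then reduces findings to a remediation table. The field names follow the ListFindings response shape (severity, inspectorScore, resources[].details.awsLambdaFunction, packageVulnerabilityDetails.vulnerablePackages[] with fixedInVersion and sourceLambdaLayerArn), but the sample findings, function names, package versions and CVE-0000-* identifiers are constructed placeholders so the script runs offline; the naive version ordering helper is also an assumption, not something Inspector provides.

```python
from collections import Counter

# Added example, not from the original post or AWS. The boto3 client is
# injected so the summarising logic can run without boto3 installed.

LAMBDA_FILTER = {
    "resourceType": [{"comparison": "EQUALS", "value": "AWS_LAMBDA_FUNCTION"}],
    "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}],
}

SEVERITY_RANK = {s: i for i, s in enumerate(
    ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNTRIAGED"])}


def fetch_lambda_findings(client):
    """Page through inspector2 list_findings for active Lambda findings.
    client is boto3.client("inspector2"); nextToken drives pagination."""
    token = None
    while True:
        kwargs = {"filterCriteria": LAMBDA_FILTER, "maxResults": 100}
        if token:
            kwargs["nextToken"] = token
        page = client.list_findings(**kwargs)
        yield from page.get("findings", [])
        token = page.get("nextToken")
        if not token:
            return


def _version_key(v):
    """Naive dotted-version ordering (assumption, not an Inspector field)."""
    return tuple(int(x) if x.isdigit() else 0 for x in v.split("."))


def severity_counts(findings):
    """Per-function count of findings by severity, Lambda resources only."""
    counts = {}
    for f in findings:
        for res in f.get("resources", []):
            if res.get("type") == "AWS_LAMBDA_FUNCTION":
                fn = res["details"]["awsLambdaFunction"]["functionName"]
                counts.setdefault(fn, Counter())[f["severity"]] += 1
    return counts


def remediation_table(findings):
    """One row per (function, package): the installed version, the highest
    fixedInVersion across all CVEs for that package (lower fixes would leave
    some CVEs open), the worst severity, and the layer ARN if the vulnerable
    copy was shipped in a layer. fixed_in stays None when no fix is known."""
    rows = {}
    for f in findings:
        pv = f.get("packageVulnerabilityDetails") or {}
        for res in f.get("resources", []):
            if res.get("type") != "AWS_LAMBDA_FUNCTION":
                continue  # EC2 / ECR findings are out of scope here
            fn = res["details"]["awsLambdaFunction"]["functionName"]
            for p in pv.get("vulnerablePackages", []):
                row = rows.setdefault((fn, p["name"]), {
                    "function": fn, "package": p["name"],
                    "installed": p.get("version"), "fixed_in": None,
                    "via_layer": p.get("sourceLambdaLayerArn"),
                    "cves": [], "worst": "UNTRIAGED"})
                row["cves"].append(pv.get("vulnerabilityId"))
                fixed = p.get("fixedInVersion")
                if fixed and (row["fixed_in"] is None
                              or _version_key(fixed) > _version_key(row["fixed_in"])):
                    row["fixed_in"] = fixed
                if SEVERITY_RANK.get(f["severity"], 99) < SEVERITY_RANK[row["worst"]]:
                    row["worst"] = f["severity"]
    return sorted(rows.values(),
                  key=lambda r: (SEVERITY_RANK[r["worst"]], r["function"]))


def _finding(fn, cve, severity, score, pkg, version, fixed=None, layer_arn=None):
    """Constructed finding in the ListFindings shape (placeholder values)."""
    vp = {"name": pkg, "version": version, "packageManager": "NPM",
          "filePath": "package-lock.json"}
    if fixed:
        vp["fixedInVersion"] = fixed
    if layer_arn:
        vp["sourceLambdaLayerArn"] = layer_arn
    return {
        "findingArn": f"arn:aws:inspector2:us-east-1:123456789012:finding/{cve}-{fn}",
        "severity": severity, "inspectorScore": score, "status": "ACTIVE",
        "resources": [{"type": "AWS_LAMBDA_FUNCTION",
                       "id": f"arn:aws:lambda:us-east-1:123456789012:function:{fn}",
                       "details": {"awsLambdaFunction": {"functionName": fn}}}],
        "packageVulnerabilityDetails": {
            "vulnerabilityId": cve, "source": "NVD",
            "sourceUrl": f"https://nvd.nist.gov/vuln/detail/{cve}",
            "vulnerablePackages": [vp]},
        "remediation": {"recommendation": {
            "text": f"Update {pkg} to {fixed}" if fixed else "No fix available"}},
    }


# Constructed sample: two CVEs against the same axios copy with different fix
# versions, plus a package with no fix that arrived via a layer.
LAYER_ARN = "arn:aws:lambda:us-east-1:123456789012:layer:shared-deps:3"
SAMPLE_FINDINGS = [
    _finding("api-handler", "CVE-0000-0001", "HIGH", 7.5, "axios", "0.0.1", fixed="0.0.5"),
    _finding("api-handler", "CVE-0000-0002", "CRITICAL", 9.8, "axios", "0.0.1", fixed="0.0.3"),
    _finding("report-worker", "CVE-0000-0003", "MEDIUM", 5.3, "example-lib", "1.0.0",
             layer_arn=LAYER_ARN),
]

if __name__ == "__main__":
    # Replace SAMPLE_FINDINGS with fetch_lambda_findings(boto3.client("inspector2"))
    for fn, c in severity_counts(SAMPLE_FINDINGS).items():
        print(fn, dict(c))
    for r in remediation_table(SAMPLE_FINDINGS):
        where = f"layer {r['via_layer']}" if r["via_layer"] else "function bundle"
        print(f"{r['worst']:9} {r['function']}: {r['package']} {r['installed']} -> "
              f"{r['fixed_in'] or 'no fix'} ({', '.join(r['cves'])}; {where})")
```

The "highest fixedInVersion" rule matters in practice: bumping axios to the version that closes the critical CVE alone would still leave the high one open, and a layer-sourced package has to be fixed in the layer and the function re-deployed against the new layer version, not patched in the function's own package.json.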
Pricing
Amazon Inspector comes with a 15-day free trial.
For Lambda scanning alone, billing is monthly and based on the average number of Lambda functions scanned per month, prorated by the number of hours Inspector coverage was active during the month.
More details are on the Amazon Inspector pricing page.
Action time!
Now it's time to scan your Lambda functions and layers with Amazon Inspector.
Top comments (5)
Scanning is done by inspecting package.json and package-lock.json or yarn.lock files. It does not scan the actual code.
If you bundle your code, then Inspector will not be able to detect vulnerabilities unless you ship your lock file in your asset bundle.
Yep! It's the package.json or package-lock.json, which has the dependencies, that is scanned.
This is a great summary! Many thanks for putting it together!
Thanks Eoin! 🙌🙌 I'm amused with how Amazon Inspector scans for vulnerability.
Great article, but I am struggling to find any AWS documentation which calls out Inspector specifically using the package.json or lock files. Whilst it completely makes sense, do you have any URLs to share for this? I am interested in reading more about the details.