DEV Community

Cover image for Amazon Inspector can now scan AWS Lambda Functions
Jones Zachariah Noel for AWS Heroes

Posted on

Amazon Inspector can now scan AWS Lambda Functions

Amazon Inspector, a service focused on automated vulnerability scanner that continuously scans AWS workloads for vulnerabilities is now supporting scanning for AWS Lambda functions.

Amazon Inspector supports scanning of AWS Lambda functions and Lambda layers with Java, NodeJS and Python runtimes.

Need for vulnerability checks

Often times, we have code which depends on many packages from installed via different package managers which are prone to security leaks. Although, updating to new version could resolve it, you might have dependencies which are still prone to vulnerabilities. The best way to address is a regular scanning of your codebase to ensure there aren't serious issues.

Serverless specific, until now we had to depend on a third party tool to scan but now it's possible with Amazon Inspector

Enabling Inspector

First off, you would have to enable Inspector for your AWS Account.
Enabling Inspector for your account

Your first scan

Once enabled, you will need a few minutes for Amazon Inspector to scan across your resources across Amazon EC2 instances, Amazon ECR images and now AWS Lambda functions and Lambda layers.

After Amazon Inspector has scanned you can view the report on Inspector dashboard.
Amazon Inspector dashboard of all vulnerabilities

[Fun Fact] As you can see, I don't have a single EC2 instance running on this AWS Account.

Scanned findings

Inspector found that 9 of my Lambda functions had a vulnerabilities with critical, high and medium levels.
Inspector findings by Lambda functions

If you click on one of the functions, you can find the summary for vulnerabilities in that specific AWS Lambda function or the vulnerability because of using an AWS Lambda layer.

Summary for a Lambda function

Findings for a Lambda function

Let's dive into the finding

One of the vulnerability is with Axios NPM package.
Vulnerability with Axios

This also gives details about axios package and the affected with fixed version.
Affected packages

Inspector provides you the complete details of the vulnerability along with the link to National Vulnerability Database (NVD) report.
Vulnerability details

Along the details, you can also find how to fix it with the available remedy.
Remedy to fix the vulnerability
In this case, it's updating axios version.

Another way to understand the severity of the vulnerability, the score from National Vulnerability Database (NVD) and Inspector is available.
Inspector score

Pricing

Amazon Inspector is available as part of free trial for 15 days.
For Lambda scans alone, there is monthly based on average number of Lambda functions scanned per month and price is prorated based on total Inspector coverage hours for the month.

More details on Amazon Inspector Pricing.

Action time!

Now it's time to scan your Lambda functions and layers with Amazon Inspector.
Time for scans now

Top comments (5)

Collapse
 
rosswilliams profile image
rosswilliams

Scanning is done by inspecting package.json and package-lock.json or yarn.lock files. It does not scan the actual code.

If you bundle your code then inspector will not be able to detect vulnerabilities unless you ship your lock file in your asset bundle.

Collapse
 
zachjonesnoel profile image
Jones Zachariah Noel

Yep! It's with the package.json or package-lock.json which has the dependencies is what is scanned.

Collapse
 
eoinsha profile image
Eoin Shanaghy

This is a great summary! Many thanks for putting it together!

Collapse
 
zachjonesnoel profile image
Jones Zachariah Noel

Thanks Eoin! 🙌🙌 I'm amused with how Amazon Inspector scans for vulnerability.

Collapse
 
jeremybrooks profile image
Jeremy

Great article, but I am struggling to find any AWS documentation which calls out Inspector specifically using the package.json or lock files. Whilst it completely makes sense, do you have any URLs to share for this, I am interested in reading more about the details?