turbot/steampipe-mod-aws-compliance

Control: 3 Amazon Inspector Lambda code scanning should be enabled

Description

This control checks whether Amazon Inspector Lambda code scanning is enabled. For a standalone account, the control fails if Amazon Inspector Lambda code scanning is disabled in the account. In a multi-account environment, the control fails if the delegated Amazon Inspector administrator account and all member accounts don't have Lambda code scanning enabled.

In a multi-account environment, the control generates findings in only the delegated Amazon Inspector administrator account. Only the delegated administrator can enable or disable the Lambda code scanning feature for the member accounts in the organization. Amazon Inspector member accounts can't modify this configuration from their accounts. This control generates FAILED findings if the delegated administrator has a suspended member account that doesn't have Amazon Inspector Lambda code scanning enabled. To receive a PASSED finding, the delegated administrator must disassociate these suspended accounts in Amazon Inspector.

Amazon Inspector Lambda code scanning scans the custom application code within an AWS Lambda function for code vulnerabilities based on AWS security best practices. Lambda code scanning can detect injection flaws, data leaks, weak cryptography, or missing encryption in your code. This feature is available in specific AWS Regions only. You can activate Lambda code scanning together with Lambda standard scanning (see [Inspector.4] Amazon Inspector Lambda standard scanning should be enabled).

Remediation

To enable Amazon Inspector Lambda code scanning, see Activating scans in the Amazon Inspector User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_inspector_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_inspector_3 --share

SQL

This control uses a named query:

select
  'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,
  case
    when r.steampipe_available = false then 'skip'
    when lambda_code_auto_enable then 'ok'
    when c.account_id is not null and (not lambda_code_auto_enable or lambda_code_auto_enable is null) then 'alarm'
    else 'alarm'
  end as status,
  case
    when r.steampipe_available = false then r.region || ' is not available in the current connection configuration.'
    when lambda_code_auto_enable then 'AWS Inspector Lambda code scanning enabled for region ' || c.region || ' (' || c.account_id || ').'
    when c.account_id is not null and (not lambda_code_auto_enable or lambda_code_auto_enable is null) then 'AWS Inspector Lambda code scanning disabled for region ' || r.region || ' (' || r.account_id || ').'
    else 'AWS Inspector deactivated for region ' || r.region || ' (' || r.account_id || ').'
  end as reason,
  r.region,
  r.account_id
from
  aws_region as r
  left join aws_inspector2_organization_configuration as c on r.account_id = c.account_id and r.region = c.region;
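As an added illustration (not part of the mod's own code), the same CASE logic in Python over constructed rows standing in for the two joined tables, which makes the three distinct outcomes visible: a true flag passes, a false or NULL flag on an existing configuration row means scanning is disabled, and the absence of any row (the left join's NULL side) means Inspector itself is deactivated in that region.

```python
from typing import Optional

# Constructed sample rows standing in for aws_region and
# aws_inspector2_organization_configuration (one account, five regions).
REGIONS = [
    {"partition": "aws", "region": "us-east-1", "account_id": "111111111111", "steampipe_available": True},
    {"partition": "aws", "region": "eu-west-1", "account_id": "111111111111", "steampipe_available": True},
    {"partition": "aws", "region": "ap-south-1", "account_id": "111111111111", "steampipe_available": True},
    {"partition": "aws", "region": "sa-east-1", "account_id": "111111111111", "steampipe_available": True},
    {"partition": "aws", "region": "me-south-1", "account_id": "111111111111", "steampipe_available": False},
]
ORG_CONFIG = {
    # (account_id, region) -> lambda_code_auto_enable; None models a SQL NULL.
    ("111111111111", "us-east-1"): True,
    ("111111111111", "eu-west-1"): False,
    ("111111111111", "ap-south-1"): None,
    # sa-east-1 has no row at all: Inspector is not activated there.
}


def evaluate_region(r: dict, config: dict) -> dict:
    """Reproduce the control's CASE expressions for one aws_region row."""
    key = (r["account_id"], r["region"])
    joined = key in config                      # c.account_id is not null
    auto_enable: Optional[bool] = config.get(key)
    where = f"{r['region']} ({r['account_id']})"
    if not r["steampipe_available"]:
        status, reason = "skip", f"{r['region']} is not available in the current connection configuration."
    elif auto_enable:                           # only a true flag reaches 'ok'; NULL falls through
        status, reason = "ok", f"AWS Inspector Lambda code scanning enabled for region {where}."
    elif joined:                                # row exists but the flag is false or NULL
        status, reason = "alarm", f"AWS Inspector Lambda code scanning disabled for region {where}."
    else:                                       # no organization-configuration row for this region
        status, reason = "alarm", f"AWS Inspector deactivated for region {where}."
    return {
        "resource": f"arn:{r['partition']}::{r['region']}:{r['account_id']}",
        "status": status,
        "reason": reason,
    }


def evaluate_all(regions=REGIONS, config=ORG_CONFIG) -> list:
    """Evaluate every region row, mirroring the left join in the control query."""
    return [evaluate_region(r, config) for r in regions]


if __name__ == "__main__":
    for row in evaluate_all():
        print(f"{row['status']:5} {row['reason']}")
```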

Tags