Control: [Inspector.4] Amazon Inspector Lambda standard scanning should be enabled
Description
This control checks whether Amazon Inspector Lambda standard scanning is enabled. For a standalone account, the control fails if Amazon Inspector Lambda standard scanning is disabled in the account. In a multi-account environment, the control fails if the delegated Amazon Inspector administrator account and all member accounts don't have Lambda standard scanning enabled.
In a multi-account environment, the control generates findings in only the delegated Amazon Inspector administrator account. Only the delegated administrator can enable or disable the Lambda standard scanning feature for the member accounts in the organization. Amazon Inspector member accounts can't modify this configuration from their accounts. This control generates FAILED findings if the delegated administrator has a suspended member account that doesn't have Amazon Inspector Lambda standard scanning enabled. To receive a PASSED finding, the delegated administrator must disassociate these suspended accounts in Amazon Inspector.
Amazon Inspector Lambda standard scanning identifies software vulnerabilities in the application package dependencies you add to your AWS Lambda function code and layers. If Amazon Inspector detects a vulnerability in your Lambda function application package dependencies, Amazon Inspector produces a detailed Package Vulnerability type finding. You can activate Lambda code scanning together with Lambda standard scanning (see [Inspector.3] Amazon Inspector Lambda code scanning should be enabled).
Remediation
To enable Amazon Inspector Lambda standard scanning, see Activating scans in the Amazon Inspector User Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_inspector_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_inspector_4 --share
SQL
This control uses a named query:
select
  'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,
  c.account_id,
  lambda_auto_enable,
  case
    when r.steampipe_available = false then 'skip'
    when lambda_auto_enable then 'ok'
    when c.account_id is not null and (not lambda_auto_enable or lambda_auto_enable is null) then 'alarm'
    else 'alarm'
  end as status,
  case
    when r.steampipe_available = false then r.region || ' is not available in the current connection configuration.'
    when lambda_auto_enable then 'AWS Inspector Lambda scanning enabled for region ' || c.region || '(' || c.account_id || ').'
    when c.account_id is not null and (not lambda_auto_enable or lambda_auto_enable is null) then 'AWS Inspector Lambda scanning disabled for region ' || r.region || '(' || r.account_id || ').'
    else 'AWS Inspector deactivated for region ' || r.region || '(' || r.account_id || ').'
  end as reason,
  r.region,
  r.account_id
from
  aws_region as r
  left join aws_inspector2_organization_configuration as c
    on r.account_id = c.account_id
    and r.region = c.region;
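The query above distinguishes three non-passing situations that look alike in the console: a region the connection cannot reach (skip), an organization configuration row whose lambda_auto_enable is false or NULL (alarm, "disabled"), and no configuration row at all because Inspector has never been activated there (alarm, "deactivated"). The following Python is an added example, not part of the Powerpipe mod, that replays that left join and case logic over constructed in-memory rows so the branches can be checked without a live Steampipe connection. The row shapes, the account id 111111111111 and the region mix are all constructed for illustration; they mirror only the columns the named query actually reads.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RegionRow:
    """Subset of aws_region columns used by the control (constructed shape)."""
    partition: str
    region: str
    account_id: str
    steampipe_available: bool


@dataclass
class OrgConfigRow:
    """Subset of aws_inspector2_organization_configuration columns (constructed shape)."""
    account_id: str
    region: str
    lambda_auto_enable: Optional[bool]  # the source column may be NULL


def evaluate(regions: List[RegionRow], configs: List[OrgConfigRow]) -> List[Dict[str, str]]:
    """Replicate the control's LEFT JOIN + CASE: one result per aws_region row.

    A missing OrgConfigRow plays the role of an unmatched left join (all c.*
    columns NULL), which is what separates 'deactivated' from 'disabled'.
    """
    by_key: Dict[Tuple[str, str], OrgConfigRow] = {
        (c.account_id, c.region): c for c in configs
    }
    results = []
    for r in regions:
        c = by_key.get((r.account_id, r.region))
        enabled = c.lambda_auto_enable if c is not None else None
        resource = f"arn:{r.partition}::{r.region}:{r.account_id}"
        if not r.steampipe_available:
            # Region not in the connection config: nothing to assess.
            status = "skip"
            reason = f"{r.region} is not available in the current connection configuration."
        elif enabled:
            status = "ok"
            reason = f"AWS Inspector Lambda scanning enabled for region {c.region}({c.account_id})."
        elif c is not None:
            # Config row exists but lambda_auto_enable is false or NULL (SQL: not x or x is null).
            status = "alarm"
            reason = f"AWS Inspector Lambda scanning disabled for region {r.region}({r.account_id})."
        else:
            # No config row at all: Inspector itself is not activated in this region.
            status = "alarm"
            reason = f"AWS Inspector deactivated for region {r.region}({r.account_id})."
        results.append({"resource": resource, "status": status, "reason": reason})
    return results


# Constructed sample data exercising every branch of the CASE expression.
SAMPLE_REGIONS = [
    RegionRow("aws", "us-east-1", "111111111111", True),   # enabled -> ok
    RegionRow("aws", "us-west-2", "111111111111", True),   # explicitly false -> alarm (disabled)
    RegionRow("aws", "eu-west-1", "111111111111", True),   # NULL flag -> alarm (disabled)
    RegionRow("aws", "eu-central-1", "111111111111", True),  # no config row -> alarm (deactivated)
    RegionRow("aws", "ap-south-1", "111111111111", False),  # unreachable region -> skip
]
SAMPLE_CONFIGS = [
    OrgConfigRow("111111111111", "us-east-1", True),
    OrgConfigRow("111111111111", "us-west-2", False),
    OrgConfigRow("111111111111", "eu-west-1", None),
]


def run_sample() -> List[Dict[str, str]]:
    """Evaluate the constructed dataset; returns the per-region result rows."""
    return evaluate(SAMPLE_REGIONS, SAMPLE_CONFIGS)


def summarize(results: List[Dict[str, str]]) -> Dict[str, int]:
    """Count results by status, the way a control summary line would."""
    counts: Dict[str, int] = {}
    for row in results:
        counts[row["status"]] = counts.get(row["status"], 0) + 1
    return counts


if __name__ == "__main__":
    for row in run_sample():
        print(f"{row['status']:5}  {row['resource']}  {row['reason']}")
    print(summarize(run_sample()))
```

Note that the reason text, like the query, says "disabled" only when an organization configuration row exists; the NULL case is reported identically to an explicit false. The multi-account behaviour described above (a suspended member account without Lambda standard scanning turning the delegated administrator's result to FAILED) is a property of how Amazon Inspector reports the configuration, not something this query models separately.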