turbot/steampipe-mod-aws-compliance

Control: Amazon Inspector Lambda standard scanning should be enabled

Description

This control checks whether Amazon Inspector Lambda standard scanning is enabled. For a standalone account, the control fails if Amazon Inspector Lambda standard scanning is disabled in the account. In a multi-account environment, the control fails if the delegated Amazon Inspector administrator account and all member accounts don't have Lambda standard scanning enabled.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.inspector_lambda_scanning_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.inspector_lambda_scanning_enabled --share

SQL

This control uses a named query:

select
  'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,
  c.account_id,
  lambda_auto_enable,
  -- skip regions the connection cannot reach; ok only when auto-enable is on
  case
    when r.steampipe_available = false then 'skip'
    when lambda_auto_enable then 'ok'
    when c.account_id is not null and (not lambda_auto_enable or lambda_auto_enable is null) then 'alarm'
    else 'alarm'
  end as status,
  -- a missing organization configuration row means Inspector is deactivated in that region
  case
    when r.steampipe_available = false then r.region || ' is not available in the current connection configuration.'
    when lambda_auto_enable then 'AWS Inspector Lambda scanning enabled for region ' || c.region || '(' || c.account_id || ').'
    when c.account_id is not null and (not lambda_auto_enable or lambda_auto_enable is null) then 'AWS Inspector Lambda scanning disabled for region ' || r.region || '(' || r.account_id || ').'
    else 'AWS Inspector deactivated for region ' || r.region || '(' || r.account_id || ').'
  end as reason,
  r.region,
  r.account_id
from
  aws_region as r
  left join aws_inspector2_organization_configuration as c
    on r.account_id = c.account_id and r.region = c.region;
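As an added example (not part of the mod), the same ok/alarm decision expressed against the raw Inspector2 API responses, extended to the per-member-account check the description mentions. The response field names are assumed from the public DescribeOrganizationConfiguration and BatchGetAccountStatus API shapes, and all values are constructed.

```python
import json

# Constructed samples in the shape of the Inspector2 API responses
# DescribeOrganizationConfiguration and BatchGetAccountStatus (field
# names assumed from the public API; account IDs and values are invented).
ORG_CONFIG = json.loads('''{"autoEnable": {"ec2": true, "ecr": true,
                            "lambda": true, "lambdaCode": false},
                            "maxAccountLimitReached": false}''')
ACCOUNT_STATUS = json.loads('''{"accounts": [
  {"accountId": "111111111111", "resourceState": {"lambda": {"status": "ENABLED"}}},
  {"accountId": "222222222222", "resourceState": {"lambda": {"status": "DISABLED"}}},
  {"accountId": "333333333333", "resourceState": {"lambda": {"status": "ENABLING"}}}
], "failedAccounts": []}''')


def evaluate_lambda_scanning(org_config, account_status, region):
    """Return (status, reason) with the control's semantics: 'ok' only when the
    delegated admin auto-enables Lambda scanning AND every member account in the
    region reports ENABLED; a missing autoEnable block means Inspector is deactivated."""
    auto_enable = org_config.get("autoEnable", {}).get("lambda")
    # Members still ENABLING/DISABLING/SUSPENDED are not protected yet.
    not_enabled = [
        a["accountId"]
        for a in account_status.get("accounts", [])
        if a.get("resourceState", {}).get("lambda", {}).get("status") != "ENABLED"
    ]
    # Accounts the API could not describe are treated as unknown, hence alarm.
    failed = [a.get("accountId") for a in account_status.get("failedAccounts", [])]
    if auto_enable is None:
        return "alarm", f"AWS Inspector deactivated for region {region}."
    if not auto_enable:
        return "alarm", f"AWS Inspector Lambda scanning auto-enable is off for region {region}."
    if not_enabled or failed:
        return "alarm", (f"Lambda scanning not ENABLED in region {region} for accounts: "
                         + ", ".join(not_enabled + failed) + ".")
    return "ok", f"AWS Inspector Lambda scanning enabled for region {region}."


if __name__ == "__main__":
    print(evaluate_lambda_scanning(ORG_CONFIG, ACCOUNT_STATUS, "us-east-1"))
```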

Tags