Control: Amazon Inspector Lambda standard scanning should be enabled
Description
This control checks whether Amazon Inspector Lambda standard scanning is enabled. For a standalone account, the control fails if Amazon Inspector Lambda standard scanning is disabled in the account. In a multi-account environment, the control fails if the delegated Amazon Inspector administrator account and all member accounts don't have Lambda standard scanning enabled.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.inspector_lambda_scanning_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.inspector_lambda_scanning_enabled --share
SQL
This control uses a named query:
select
  'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,
  c.account_id,
  lambda_auto_enable,
  case
    when r.steampipe_available = false then 'skip'
    when lambda_auto_enable then 'ok'
    when c.account_id is not null and (not lambda_auto_enable or lambda_auto_enable is null) then 'alarm'
    else 'alarm'
  end status,
  case
    when r.steampipe_available = false then r.region || ' is not available in the current connection configuration.'
    when lambda_auto_enable then 'AWS Inspector Lambda scanning enabled for region ' || c.region || '(' || c.account_id || ').'
    when c.account_id is not null and (not lambda_auto_enable or lambda_auto_enable is null) then 'AWS Inspector Lambda scanning disabled for region ' || r.region || '(' || r.account_id || ').'
    else 'AWS Inspector deactivated for region ' || r.region || '(' || r.account_id || ').'
  end as reason,
  r.region,
  r.account_id
from
  aws_region as r
  left join aws_inspector2_organization_configuration as c on r.account_id = c.account_id and r.region = c.region;
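The query's outcome depends on three distinct situations: an organization-configuration row with lambda_auto_enable true (ok), a row present but with the flag false or NULL (alarm, "disabled"), and no row at all because Inspector is not activated in that region (alarm, "deactivated"), plus a skip for regions the connection cannot reach. The following added example, which is not part of the aws_compliance mod, replays that LEFT JOIN and CASE logic in Python over constructed rows (the account id and region set are made up) so the four outcomes can be seen side by side:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the two Steampipe tables the control joins.
@dataclass
class RegionRow:                 # one aws_region row per region and account
    partition: str
    region: str
    account_id: str
    steampipe_available: bool = True

@dataclass
class OrgConfigRow:              # one aws_inspector2_organization_configuration row
    region: str
    account_id: str
    lambda_auto_enable: Optional[bool]   # None mirrors SQL NULL

def evaluate_control(regions, org_configs):
    """Return {resource_arn: (status, reason)} using the control's CASE rules."""
    by_key = {(c.account_id, c.region): c for c in org_configs}
    results = {}
    for r in regions:
        resource = f"arn:{r.partition}::{r.region}:{r.account_id}"
        c = by_key.get((r.account_id, r.region))   # None == LEFT JOIN found no match
        if not r.steampipe_available:
            status, reason = "skip", f"{r.region} is not available in the current connection configuration."
        elif c is not None and c.lambda_auto_enable:   # NULL is falsy in SQL as in Python
            status, reason = "ok", f"AWS Inspector Lambda scanning enabled for region {c.region}({c.account_id})."
        elif c is not None:                            # row exists, flag false or NULL
            status, reason = "alarm", f"AWS Inspector Lambda scanning disabled for region {r.region}({r.account_id})."
        else:                                          # no org config row: Inspector deactivated
            status, reason = "alarm", f"AWS Inspector deactivated for region {r.region}({r.account_id})."
        results[resource] = (status, reason)
    return results

# Constructed sample data: one account, four regions covering every branch.
SAMPLE_REGIONS = [
    RegionRow("aws", "us-east-1", "111111111111"),
    RegionRow("aws", "eu-west-1", "111111111111"),
    RegionRow("aws", "ap-south-1", "111111111111"),
    RegionRow("aws", "me-south-1", "111111111111", steampipe_available=False),
]
SAMPLE_ORG_CONFIGS = [
    OrgConfigRow("us-east-1", "111111111111", True),   # scanning enabled
    OrgConfigRow("eu-west-1", "111111111111", None),   # row present, flag NULL
]

if __name__ == "__main__":
    for arn, (status, reason) in evaluate_control(SAMPLE_REGIONS, SAMPLE_ORG_CONFIGS).items():
        print(f"{status:5s} {arn}: {reason}")
```

Because the final else branch also yields alarm, a region with no configuration row fails the control just like one where the flag is explicitly off; only the reason text tells the two apart.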