<h1>How to scan your AWS Lambda functions with Amazon Inspector</h1>
<p>Amazon Inspector is a vulnerability management and application security service that helps improve the security of your workloads. It automatically scans applications for vulnerabilities and provides you with a detailed list of security findings, prioritized by their severity level, as well as remediation instructions. In this blog post, we’ll introduce new features from Amazon Inspector that can help you improve the security posture of your AWS Lambda functions.</p>
<p>At <a href="https://aws.amazon.com/blogs/aws/amazon-inspector-now-scans-aws-lambda-functions-for-vulnerabilities/" target="_blank" rel="noopener">re:Invent 2022</a>, Amazon Inspector announced the ability to perform automated security scans of the application package dependencies and associated layers in your Lambda functions. This adds to the existing ability to scan <a href="https://aws.amazon.com/ec2/" target="_blank" rel="noopener">Amazon Elastic Compute Cloud (Amazon EC2)</a> instances and container images in the <a href="https://aws.amazon.com/ecr/" target="_blank" rel="noopener">Amazon Elastic Container Registry (Amazon ECR)</a>. The list of operating systems and programming languages that are supported for scanning is available in the <a href="https://docs.aws.amazon.com/inspector/latest/user/supported.html" target="_blank" rel="noopener">Amazon Inspector documentation</a>. On February 28, 2023, Amazon Inspector also announced a new feature, in public preview, to scan your application code in Lambda functions for vulnerabilities. This new feature uses the <a href="https://docs.aws.amazon.com/codeguru/detector-library/" target="_blank" rel="noopener">Detector Library</a> from <a href="https://aws.amazon.com/codeguru/" target="_blank" rel="noopener">Amazon CodeGuru</a> to scan your Lambda code. For more details on how the service scans your code, see the <a href="https://docs.aws.amazon.com/inspector/latest/user/enable-disable-scanning-lambda.html" target="_blank" rel="noopener">Amazon Inspector documentation</a>.</p>
<p>Security is the top priority at AWS. For Lambda, our serverless compute offering, we released a <a href="https://docs.aws.amazon.com/pdfs/whitepapers/latest/security-overview-aws-lambda/security-overview-aws-lambda.pdf" target="_blank" rel="noopener">whitepaper</a> that goes into more detail about the security underpinnings of the service. It is important to highlight some differences in the model between infrastructure services such as Amazon EC2 and serverless options such as Lambda. Given the serverless nature of Lambda, besides the infrastructure, AWS also manages the <a href="https://github.com/firecracker-microvm/firecracker" target="_blank" rel="noopener">Firecracker microVM</a> software patches, the execution environment, and runtimes. Meanwhile, customers are responsible for using <a href="https://aws.amazon.com/iam/" target="_blank" rel="noopener">AWS Identity and Access Management (IAM)</a> to create roles and permissions for their Lambda functions and for securing their code that is used with Lambda.</p>
<h2>Activate Amazon Inspector</h2>
<p>Let’s go over the steps for activating Amazon Inspector.</p>
<p>First, if you’re an existing Amazon Inspector customer, you can enable the new Lambda features from the Amazon Inspector console. </p>
<h4>To enable Lambda scanning from the Amazon Inspector console</h4>
<ol>
<li>Sign in to one of your AWS accounts.</li>
<li>Navigate to the <a href="https://console.aws.amazon.com/inspector/v2/home" target="_blank" rel="noopener">Amazon Inspector console</a>.</li>
<li>In the left navigation pane, expand the <strong>Settings</strong> section, and choose <strong>Account Management</strong>.</li>
<li>On the <strong>Accounts</strong> tab, choose <strong>Activate</strong>, and then select one of two options:
<ul>
<li><strong>Lambda standard scanning</strong> — With this option enabled, Amazon Inspector only scans for package dependencies in your Lambda functions and associated layers.</li>
<li><strong>Lambda standard scanning and Lambda code scanning</strong> — With this option enabled, Amazon Inspector scans for package dependencies and also scans your proprietary application code in Lambda for code vulnerabilities. The code scanning feature is only available in certain <a href="https://docs.aws.amazon.com/inspector/latest/user/inspector_regions.html#ins-regional-feature-availability" target="_blank" rel="noopener">AWS Regions</a>.</li>
</ul> </li>
</ol>
<p>You can also activate Amazon Inspector in a multi-account environment by <a href="https://docs.aws.amazon.com/inspector/latest/user/enable-disable-scanning-lambda.html" target="_blank" rel="noopener">enabling it from the Amazon Inspector delegated administrator account</a>.</p>
<p>If you’re a new Amazon Inspector customer, we encourage you to try the service by enabling the <a href="https://aws.amazon.com/inspector/pricing/" target="_blank" rel="noopener">15-day free trial</a>, which includes both Lambda function standard scanning and, if available in your Region, code scanning. Figure 1 shows how the <strong>Account Management</strong> section of the Amazon Inspector console looks after you enable both features for Lambda. You can also exclude Lambda functions from being scanned by using AWS tags, as explained in the <a href="https://docs.aws.amazon.com/inspector/latest/user/scanning-lambda.html" target="_blank" rel="noopener">Amazon Inspector documentation</a>.</p>
<blockquote>
<p><strong>Note</strong>: The <strong>Export CSV</strong> button in Figure 1 will be displayed only when you are logged in as the designated Inspector <a href="https://docs.aws.amazon.com/inspector/latest/user/designating-admin.html" target="_blank" rel="noopener">delegated administrator</a> in the Region.</p>
</blockquote>
<div id="attachment_29328" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-29328" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img1-1024x405-1.png" alt="Figure 1: Amazon Inspector account management area" width="760" class="size-large wp-image-29328">
<p id="caption-attachment-29328" class="wp-caption-text">Figure 1: Amazon Inspector account management area</p>
</div>
<p>Let’s see these features in action.</p>
<h4>To view security findings in the console</h4>
<ul>
<li>In the Amazon Inspector console, on the <strong>Findings</strong> menu, choose <strong>By Lambda function</strong> to display the security scan results that were performed on Lambda functions.</li>
</ul>
<p>You won’t see a Lambda function in the findings if Amazon Inspector detected no potential vulnerabilities in it. Amazon Inspector discovers eligible Lambda functions in near real time when a function is deployed to Lambda and automatically scans the function code and dependencies. For more details on how Lambda functions are scanned, see the <a href="https://docs.aws.amazon.com/inspector/latest/user/scanning-lambda.html" target="_blank" rel="noopener">Amazon Inspector documentation</a>.</p>
<h2>Package vulnerability findings examples</h2>
<p>As an example, we will walk through a simple Node.js 12 application. Figure 2 shows a sample Lambda function for which Amazon Inspector generated findings.</p>
<div id="attachment_29329" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-29329" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img2-1024x453-1.png" alt="Figure 2: Lambda function finding summary" width="760" class="size-large wp-image-29329">
<p id="caption-attachment-29329" class="wp-caption-text">Figure 2: Lambda function finding summary</p>
</div>
<p>Amazon Inspector found three findings marked with a severity rating of <strong>High</strong> or <strong>Medium</strong>, shown in Figure 3. Amazon Inspector detects software vulnerabilities in Lambda functions and categorizes them as type <strong>Package Vulnerability</strong> (a vulnerable package in Lambda functions or associated layers) or <strong>Code Vulnerability</strong> (a vulnerability in custom code written by a developer; this does not include third-party dependencies, because those are covered under package vulnerabilities). The three findings in Figure 3 are of type Package Vulnerability, and when you choose the Common Vulnerabilities and Exposures (CVE) title, you can find more details about the vulnerability and its status.</p>
<div id="attachment_29330" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-29330" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img3-1024x475-1.png" alt="Figure 3: Amazon Inspector findings for a sample Lambda function" width="760" class="size-large wp-image-29330">
<p id="caption-attachment-29330" class="wp-caption-text">Figure 3: Amazon Inspector findings for a sample Lambda function</p>
</div>
<p>Each Lambda function can have up to five <a href="https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html" target="_blank" rel="noopener">layers</a> (at the time of this writing). A <em>layer</em> is a .zip file archive that can contain additional code or data. Amazon Inspector will also scan the functions’ available layers, and the findings from these scans will be available on the <strong>Layers</strong> tab, as shown in Figure 4.</p>
<div id="attachment_29331" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-29331" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img4-1024x230-1.png" alt="Figure 4: Amazon Inspector findings for Lambda Layers" width="760" class="size-large wp-image-29331">
<p id="caption-attachment-29331" class="wp-caption-text">Figure 4: Amazon Inspector findings for Lambda Layers</p>
</div>
<p>Amazon Inspector sources the data for its vulnerability intelligence database from more than 50 data feeds to generate its CVE findings. Let’s dive deeper into one finding from the sample application: the CVE-2021-43138 finding for the async package, shown in Figure 5. The description of the CVE gives a high-level overview of the vulnerability, along with a CVE score that indicates its severity.</p>
<div id="attachment_29332" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-29332" loading="lazy" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img5.png" alt="Figure 5: CVE-2021-43138 finding details" width="697" height="733" class="size-full wp-image-29332">
<p id="caption-attachment-29332" class="wp-caption-text">Figure 5: CVE-2021-43138 finding details</p>
</div>
<p>The Amazon Inspector score assigned to the vulnerability will be affected by details such as whether an exploit is available. Amazon Inspector also uses the network reachability of the function as one of its score parameters. This helps you triage your findings appropriately to focus on the functions that could be most vulnerable.</p>
<p>Amazon Inspector will also provide you with remediation instructions for the vulnerable package, if available. In Figure 6, the recommendation to address this particular finding is to upgrade the async package to 3.2.2 to mitigate the vulnerability.</p>
<div id="attachment_29333" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-29333" loading="lazy" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img6.png" alt="Figure 6: Remediation instructions for the sample application finding" width="704" height="806" class="size-full wp-image-29333">
<p id="caption-attachment-29333" class="wp-caption-text">Figure 6: Remediation instructions for the sample application finding</p>
</div>
<h2>Code vulnerability findings examples</h2>
<p>Now let’s look at the new code scanning feature of Amazon Inspector. With this release, Amazon Inspector reviews the security and quality of the code written in your Lambda functions. To do this, the service uses the <a href="https://docs.aws.amazon.com/codeguru/detector-library/" target="_blank" rel="noopener">Amazon CodeGuru Detector Library</a>, which is trained on data from millions of code reviews, to generate findings. Amazon Inspector scans the Lambda function code to detect security flaws like cross-site scripting, injection flaws, data leaks, log injection, OS command injection, and other risk categories in the <a href="https://owasp.org/Top10/" target="_blank" rel="noopener">OWASP Top 10</a> and <a href="https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html" target="_blank" rel="noopener">CWE Top 25</a>. When you enable code scanning, you can focus on building your application while also following current security recommendations. At the time of this writing, Amazon Inspector supports scanning Java, Node.js, Python, and Go Lambda runtimes. For a full list of supported programming language runtimes, see the <a href="https://docs.aws.amazon.com/inspector/latest/user/supported.html#supported-programming-languages-lambda" target="_blank" rel="noopener">Amazon Inspector documentation</a>.</p>
<p>As a demonstration of the Amazon Inspector code scanning feature, let’s take the simple Python Lambda function shown following, which accidentally overrides the <a href="https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html" target="_blank" rel="noopener">Lambda reserved environment variables</a> and also has an open-to-all socket connection.</p>
<div class="hide-language">
<pre class="unlimited-height-code"><code class="lang-python">import os
import json
import socket

def lambda_handler(event, context):
    # Scenario 1: override a reserved Lambda environment variable.
    # Flagged by the lambda-override-reserved detector.
    os.environ['_HANDLER'] = 'hello'

    # Scenario 2: bind a socket without an IP address, which listens
    # on all interfaces. Flagged by the insecure-socket-bind detector.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(('', 0))

    return {
        'statusCode': 200,
        'body': json.dumps("Inspector Code Scanning", default=str)
    }</code></pre>
</div>
<p>Overriding reserved environment variables might lead to unexpected behavior or failure of the Lambda function. You can learn more about this vulnerability by reviewing the <a href="https://docs.aws.amazon.com/codeguru/detector-library/python/lambda-override-reserved/" target="_blank" rel="noopener">Detector Library documentation</a>. Similarly, binding a socket without an IP address binds it to all network interfaces, so the function code could potentially be reached from any address, including public IPv4 addresses. External dependencies in your code might also reuse the insecure socket. To learn more about insecure socket binds, see the <a href="https://docs.aws.amazon.com/codeguru/detector-library/python/insecure-socket-bind/" target="_blank" rel="noopener">Detector Library documentation</a>.</p>
<p>As shown in Figure 7, Amazon Inspector automatically detects these vulnerabilities and tags them as <strong>Code Vulnerability</strong>, which indicates that the vulnerability is in the code of the function itself, and not in one of its dependencies. You can see more details for these new finding types under the <strong>By Lambda function</strong> section of the Amazon Inspector console. You can filter the results based on the function name to see the active vulnerabilities. For this particular function, Amazon Inspector found two vulnerabilities.</p>
<div id="attachment_29334" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-29334" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img7-1024x430-1.png" alt="Figure 7: Code Vulnerability sample findings" width="760" class="size-large wp-image-29334">
<p id="caption-attachment-29334" class="wp-caption-text">Figure 7: Code Vulnerability sample findings</p>
</div>
<p>Similar to other finding types, Amazon Inspector tagged the vulnerability based on its severity level, which can help you to triage findings. Let’s focus on the <strong>High</strong> severity vulnerability in Figure 8 to learn how you can remediate the issue. Selecting the finding reveals additional details, like the name of the detector, the vulnerability location, and remediation details.</p>
<div id="attachment_29335" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-29335" loading="lazy" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img8-665x1024-1.png" alt="Figure 8: Code Vulnerability finding details" width="665" height="1024" class="size-large wp-image-29335">
<p id="caption-attachment-29335" class="wp-caption-text">Figure 8: Code Vulnerability finding details</p>
</div>
<p>Now let’s see how you can remediate these vulnerabilities according to the suggested remediation. The code is attempting to change the function handler. AWS recommends that you don’t try to override reserved Lambda environment variables, because this can lead to unexpected results. For this case, we recommend that you delete line 8 (the line that assigns <code>os.environ['_HANDLER']</code>) from the sample code shown here and instead update the Lambda function handler name by using the runtime settings configuration in the Lambda console, as shown in Figure 9.</p>
<h4>To change the Lambda function handler</h4>
<ol>
<li>In the Lambda console, search for and then select your Lambda function.</li>
<li>Scroll down to the <strong>Runtime settings</strong> area and choose <strong>Edit</strong>.</li>
<li>Under <strong>Edit runtime settings</strong>, update the handler name, and then choose <strong>Save</strong>.
<div id="attachment_29336" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-29336" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img9-1024x130-1.png" alt="Figure 9: Lambda function runtime settings" width="720" class="size-large wp-image-29336">
<p id="caption-attachment-29336" class="wp-caption-text">Figure 9: Lambda function runtime settings</p>
</div> </li>
</ol>
<p>To address the second finding, we also updated the function by passing an IP address when binding to a socket, according to the recommendations that were included in the finding. Amazon Inspector will automatically detect the changes that are made to fix the issues, and change the status of the finding to closed, as shown in Figure 10. By changing the findings filter to <strong>Show all</strong>, you can see active and closed findings.</p>
<div id="attachment_29337" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-29337" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img10-1024x209-1.png" alt="Figure 10: Findings summary after remediation" width="760" class="size-large wp-image-29337">
<p id="caption-attachment-29337" class="wp-caption-text">Figure 10: Findings summary after remediation</p>
</div>
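<p>The remediated handler below is an added illustration, not code from the post: it keeps the handler name out of the environment (refusing a constructed subset of the reserved variable names from the Lambda developer guide, with <code>_HANDLER</code> from the sample), binds the socket to an explicit loopback address, and includes a helper, <code>bound_address</code>, that reports the address the kernel actually binds for <code>''</code> versus an explicit address so the reason for the finding is visible.</p>

```python
import json
import os
import socket

# Subset of Lambda reserved environment variable names from the Lambda
# developer guide (constructed list for this example, not exhaustive).
RESERVED_ENV = frozenset({
    "_HANDLER", "AWS_REGION", "AWS_EXECUTION_ENV", "AWS_LAMBDA_FUNCTION_NAME",
    "AWS_LAMBDA_FUNCTION_VERSION", "AWS_LAMBDA_RUNTIME_API", "LAMBDA_TASK_ROOT",
})


def set_env(name, value):
    """Set an environment variable, refusing reserved Lambda keys.

    Handler changes belong in the function's runtime settings, not in code.
    """
    if name in RESERVED_ENV:
        raise ValueError(f"{name} is a reserved Lambda environment variable")
    os.environ[name] = value


def bound_address(host):
    """Return the address the kernel binds for `host` on an ephemeral port.

    '' maps to INADDR_ANY (0.0.0.0, every interface); '127.0.0.1' stays
    on loopback. This is the difference the insecure-socket-bind detector
    reports.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, 0))
        return s.getsockname()[0]
    finally:
        s.close()


def lambda_handler(event, context):
    """Remediated sample handler: no reserved-variable override, and the
    socket is bound to an explicit loopback address instead of ''."""
    set_env("APP_MODE", "inspector-demo")  # non-reserved key, allowed
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("127.0.0.1", 0))
        addr, port = s.getsockname()
    finally:
        s.close()
    return {
        "statusCode": 200,
        "body": json.dumps({"bound_to": addr, "port": port}, default=str),
    }
```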
<p>You can create more complex workflows by using the Amazon Inspector integration with <a href="https://aws.amazon.com/eventbridge/" target="_blank" rel="noopener">Amazon EventBridge</a> to manually or automatically respond to findings by creating various playbooks to respond to unique events. These findings will also be routed to <a href="https://aws.amazon.com/security-hub/" target="_blank" rel="noopener">AWS Security Hub</a> for a centralized view of your Amazon Inspector findings in your AWS accounts and Regions.</p>
<h2>Pricing</h2>
<p>Pricing for Lambda standard scanning is available on the <a href="https://aws.amazon.com/inspector/pricing/" target="_blank" rel="noopener">Amazon Inspector pricing page</a>. During the public preview, the code scanning feature will be available at no additional cost.</p>
<h2>Conclusion</h2>
<p>In this blog post, we introduced two new Amazon Inspector features that scan your Lambda function application package dependencies, as well as your application code, for security vulnerabilities. With these new features, you can strengthen your security posture by scanning for code security vulnerabilities such as injection flaws, data leaks, and unsanitized input, according to current AWS security recommendations. We encourage you to test Lambda function scanning in your own environment by enabling the free trial for Amazon Inspector and following the steps in the <a href="https://docs.aws.amazon.com/inspector/latest/user/scanning-lambda.html" target="_blank" rel="noopener">Amazon Inspector documentation</a>.</p>
<p>If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the <a href="https://s12d.com/rePost" rel="noopener" target="_blank">Security, Identity, & Compliance re:Post</a> or <a href="https://console.aws.amazon.com/support/home" rel="noopener" target="_blank">contact AWS Support</a>.</p>