Amazon Inspector Lambda code scanning should be enabled
Description
This control checks whether Amazon Inspector Lambda code scanning is enabled. For a standalone account, the control fails if Amazon Inspector Lambda code scanning is disabled in the account. In a multi-account environment, the control fails if the delegated Amazon Inspector administrator account and all member accounts don't have Lambda code scanning enabled. In a multi-account environment, the control generates findings in only the delegated Amazon Inspector administrator account. Only the delegated administrator can enable or disable the Lambda code scanning feature for the member accounts in the organization. Amazon Inspector member accounts can't modify this configuration from their accounts. This control generates FAILED findings if the delegated administrator has a suspended member account that doesn't have Amazon Inspector Lambda code scanning enabled. To receive a PASSED finding, the delegated administrator must disassociate these suspended accounts in Amazon Inspector.
Remediation
To remediate a FAILED finding for this control, enable Lambda code scanning in Amazon Inspector. In a multi-account environment this must be done from the delegated Amazon Inspector administrator account, which is the only account that can enable the feature for members.
Steps
- Navigate to the Amazon Inspector console
- Go to 'Settings' in the left navigation
- Select 'Lambda' under 'Scanning'
- Enable 'Lambda code scanning'
- Configure scanning settings as needed
- Save the configuration
- Verify Lambda code scanning is active
- For multi-account environments, ensure all member accounts have Lambda code scanning enabled
- Disassociate any suspended accounts if needed
- Set up monitoring and alerting for scan results
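The steps above are console steps. The following is an added example, not AWS's own code, that applies the same control logic programmatically: it evaluates a `BatchGetAccountStatus`-shaped response for the delegated administrator plus its members, separates accounts that need Lambda code scanning enabled from suspended members that should be disassociated, and builds the matching AWS CLI remediation commands. The response field names (`accounts[].resourceState.lambdaCode.status`, `accounts[].state.status`) follow the Inspector API shape as assumed here; the sample response and the 12-digit account IDs are constructed placeholders. The live `fetch_status` helper uses boto3 only when called and is not required to run the evaluation.

```python
"""Check and remediate the Inspector "Lambda code scanning enabled" control.

Added example, not AWS's own code. The response shape below is assumed from
the Amazon Inspector BatchGetAccountStatus API; sample data is constructed.
"""
from typing import Dict, List

LAMBDA_CODE_KEY = "lambdaCode"

# Constructed sample: one delegated admin and three members (placeholder IDs).
ADMIN_ACCOUNT_ID = "111111111111"
SAMPLE_STATUS_RESPONSE = {
    "accounts": [
        {"accountId": "111111111111", "state": {"status": "ENABLED"},
         "resourceState": {LAMBDA_CODE_KEY: {"status": "ENABLED"}}},
        {"accountId": "222222222222", "state": {"status": "ENABLED"},
         "resourceState": {LAMBDA_CODE_KEY: {"status": "DISABLED"}}},
        {"accountId": "333333333333", "state": {"status": "ENABLED"},
         "resourceState": {LAMBDA_CODE_KEY: {"status": "ENABLED"}}},
        # Suspended member with code scanning off: the control keeps failing
        # until the delegated admin disassociates it.
        {"accountId": "444444444444", "state": {"status": "SUSPENDED"},
         "resourceState": {LAMBDA_CODE_KEY: {"status": "DISABLED"}}},
    ],
    "failedAccounts": [],
}


def lambda_code_status(account: Dict) -> str:
    """Lambda code scanning status for one account entry; missing means DISABLED."""
    return (account.get("resourceState", {})
                   .get(LAMBDA_CODE_KEY, {})
                   .get("status", "DISABLED"))


def evaluate(status_response: Dict, admin_account_id: str) -> Dict:
    """Mirror the control: PASSED only if the delegated admin and every listed
    member have Lambda code scanning ENABLED. Non-enabled suspended members are
    reported for disassociation; every other non-enabled account is reported
    for enablement."""
    to_enable: List[str] = []
    to_disassociate: List[str] = []
    for acct in status_response.get("accounts", []):
        if lambda_code_status(acct) == "ENABLED":
            continue
        account_id = acct["accountId"]
        suspended = acct.get("state", {}).get("status") == "SUSPENDED"
        if suspended and account_id != admin_account_id:
            to_disassociate.append(account_id)
        else:
            to_enable.append(account_id)
    passed = not to_enable and not to_disassociate
    return {"result": "PASSED" if passed else "FAILED",
            "enable": to_enable, "disassociate": to_disassociate}


def remediation_commands(evaluation: Dict) -> List[str]:
    """AWS CLI commands for the remediation steps, to be run as the delegated admin.
    LAMBDA is requested alongside LAMBDA_CODE because code scanning builds on
    Lambda standard scanning; enabling an already-enabled type is a no-op."""
    cmds: List[str] = []
    if evaluation["enable"]:
        cmds.append("aws inspector2 enable --resource-types LAMBDA LAMBDA_CODE "
                    "--account-ids " + " ".join(evaluation["enable"]))
    for account_id in evaluation["disassociate"]:
        cmds.append(f"aws inspector2 disassociate-member --account-id {account_id}")
    return cmds


def fetch_status(admin_account_id: str) -> Dict:
    """Live lookup from the delegated admin account (requires boto3 and credentials):
    list associated members, then get every account's Inspector status."""
    import boto3  # imported lazily so the evaluation logic runs without it
    client = boto3.client("inspector2")
    members = client.list_members(onlyAssociated=True).get("members", [])
    ids = [admin_account_id] + [m["accountId"] for m in members]
    return client.batch_get_account_status(accountIds=ids)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    report = evaluate(SAMPLE_STATUS_RESPONSE, ADMIN_ACCOUNT_ID)
    print("Control result:", report["result"])
    for cmd in remediation_commands(report):
        print("  ", cmd)
```

Run against the sample the script reports FAILED, proposes one `enable` command covering account 222222222222 and one `disassociate-member` command for the suspended account 444444444444; replace `SAMPLE_STATUS_RESPONSE` with `fetch_status(ADMIN_ACCOUNT_ID)` to evaluate a real organization. The same evaluation applies to a standalone account: pass a response containing only that account.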