# Scanning AWS Lambda functions with Amazon Inspector
<a name="scanning-lambda"></a>

 Amazon Inspector support for AWS Lambda functions and layers provides continuous automated security vulnerability assessments. Amazon Inspector offers two types of Lambda function scanning: 

**[Amazon Inspector Lambda standard scanning](https://docs.aws.amazon.com/inspector/latest/user/scanning_resources_lambda.html)**  
 This scan type is the default Lambda scan type. It scans application dependencies in Lambda functions and layers for [package vulnerabilities](findings-types.md#findings-types-package). 

**[Amazon Inspector Lambda code scanning](https://docs.aws.amazon.com/inspector/latest/user/scanning_resources_lambda_code.html)**  
 This scan type scans custom application code in your Lambda functions and layers for [code vulnerabilities](findings-types.md#findings-types-code). You can activate Lambda standard scanning on its own, or Lambda standard scanning together with Lambda code scanning. 

 If you want to activate Lambda code scanning, you must activate Lambda standard scanning first. For more information, see [Activating a scan type](https://docs.aws.amazon.com/inspector/latest/user/activate-scans.html). 

 When you activate Lambda function scanning, Amazon Inspector creates the following service-linked channels in your account: `cloudtrail:CreateServiceLinkedChannel` and `cloudtrail:DeleteServiceLinkedChannel`. Amazon Inspector manages these channels and uses them to monitor CloudTrail events for scans. The channels allow you to view CloudTrail events in your account as if you had a trail in CloudTrail. We recommend creating your own trail in CloudTrail to manage events in your account. For information about how to view these channels, see [Viewing service-linked channels](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-service-linked-channels.html) in the *AWS CloudTrail User Guide*. 

**Note**  
 Amazon Inspector does not support scanning [Lambda functions encrypted with customer managed keys](https://docs.aws.amazon.com/lambda/latest/dg/security-encryption-at-rest.html). This applies to Lambda standard scanning and Lambda code scanning. 

## Scan behaviors for Lambda function scanning
<a name="lambda-scan-behavior"></a>

Upon activation, Amazon Inspector scans all Lambda functions invoked or updated in the last 90 days in your account. Amazon Inspector initiates vulnerability scans of Lambda functions in the following situations:
+ As soon as Amazon Inspector discovers an existing Lambda function.
+ When you deploy a new Lambda function to the Lambda service.
+ When you deploy an update to the application code or dependencies of an existing Lambda function or its layers.
+ Whenever Amazon Inspector adds a new common vulnerabilities and exposures (CVE) item to its database, and that CVE is relevant to your function.

Amazon Inspector monitors each Lambda function throughout its lifetime until it's either deleted or excluded from scanning.

You can check when a Lambda function was last checked for vulnerabilities from the **Lambda functions** tab on the **Account management** page or by using the [ListCoverage](https://docs.aws.amazon.com/inspector/v2/APIReference/API_ListCoverage.html) API. Amazon Inspector updates the **Last scanned at** field for a Lambda function in response to the following events:
+ When Amazon Inspector completes an initial scan of a Lambda function.
+ When a Lambda function is updated.
+ When Amazon Inspector re-scans a Lambda function because a new CVE item impacting that function was added to the Amazon Inspector database.

## Supported runtimes and eligible functions
<a name="supported-functions"></a>

Amazon Inspector supports different runtimes for Lambda standard scanning and Lambda code scanning. For a list of supported runtimes for each scan type, see [Supported runtimes: Amazon Inspector Lambda standard scanning](supported.md#supported-programming-languages-lambda-standard) and [Supported runtimes: Amazon Inspector Lambda code scanning](supported.md#supported-programming-languages-lambda-code).

In addition to having a supported runtime, a Lambda function needs to meet the following criteria to be eligible for Amazon Inspector scans:
+ The function has been invoked or updated in the last 90 days.
+ The function is marked `$LATEST`.
+ The function isn't excluded from scans by tags.

**Note**  
Lambda functions that haven't been invoked or modified in the last 90 days are automatically excluded from scans. Amazon Inspector will resume scanning an automatically excluded function if it is invoked again or if changes are made to the Lambda function code.

# Amazon Inspector Lambda standard scanning
<a name="scanning_resources_lambda"></a>

Amazon Inspector Lambda standard scanning identifies software vulnerabilities in the application package dependencies you add to your Lambda function code and layers. For example, if your Lambda function uses a version of the `python-jwt` package with a known vulnerability, Lambda standard scanning will generate a finding for that function.

If Amazon Inspector detects a vulnerability in your Lambda function application package dependencies, Amazon Inspector produces a detailed **Package Vulnerability** type finding.

For instructions on activating a scan type, see [Activating a scan type](activate-scans.md).

**Note**  
Lambda standard scanning doesn't scan the AWS SDK dependency installed by default in the Lambda runtime environment. Amazon Inspector only scans dependencies uploaded with the function code or inherited from a layer.

**Note**  
Deactivating Amazon Inspector Lambda standard scanning will also deactivate Amazon Inspector Lambda code scanning.

# Excluding functions from Lambda standard scanning
<a name="scanning_resources_lambda_exclude_functions"></a>

 You can tag Lambda functions to exclude them from Amazon Inspector Lambda standard scans. Excluding functions from scans can prevent unactionable alerts. When you tag a function for exclusion, the tag must have the following key-value pair. 
+  Key – `InspectorExclusion` 
+  Value – `LambdaStandardScanning` 

 This topic describes how to tag a function for exclusion from scans. For more information about adding tags in Lambda, see [Using tags on Lambda functions](https://docs.aws.amazon.com/lambda/latest/dg/configuration-tags.html). 

**To exclude a function from scans**

1.  Sign in using your credentials, and then open the Lambda console at [https://console.aws.amazon.com/lambda/](https://console.aws.amazon.com/lambda/). 

1.  From the navigation pane, choose **Functions**. 

1.  Choose the name of the function you want to exclude from Amazon Inspector Lambda standard scans. 

1.  Choose **Configuration**, and then choose **Tags**. 

1.  Choose **Manage tags**, and then **Add new tag**. 

   1. For **Key**, enter `InspectorExclusion`.

   1. For **Value**, enter `LambdaStandardScanning`.

1.  Choose **Save**. 

# Amazon Inspector Lambda code scanning
<a name="scanning_resources_lambda_code"></a>

**Important**  
 This feature captures snippets of Lambda functions to highlight detected vulnerabilities. These snippets can show hardcoded credentials and other sensitive materials. 

 With this feature, Amazon Inspector scans application code in a Lambda function for code vulnerabilities based on AWS security best practices to detect data leaks, injection flaws, missing encryption, and weak cryptography. Amazon Inspector uses automated reasoning and machine learning to evaluate your Lambda function application code. It also uses internal detectors that are developed in collaboration with Amazon Q to identify policy violations and vulnerabilities. 

 Amazon Inspector generates a [code vulnerability](https://docs.aws.amazon.com/inspector/latest/user/findings-types.html#findings-types-code) finding when it detects a vulnerability in your Lambda function application code. This finding type includes a code snippet showing the issue and where you can find the issue in your code. It also suggests how to remediate the issue. The suggestion includes plug-and-play code blocks that you can use to replace vulnerable lines of code. These code fixes are provided in addition to general code remediation guidance for this finding type. 

 Code remediation suggestions are powered by automated reasoning. Some code remediation suggestions might not work as intended. You are responsible for the code remediation suggestions you adopt. Always review code remediation suggestions before adopting them. You might need to edit them to make sure your code performs as intended. For more information, see the [Responsible AI Policy](https://aws.amazon.com/machine-learning/responsible-ai/policy/). 

 If you want to activate Lambda code scanning, you must activate Lambda standard scanning first. For more information, see [Activating a scan type](https://docs.aws.amazon.com/inspector/latest/user/activate-scans.html). For information about which AWS Regions support this feature, see [Region-specific feature availability](inspector_regions.md#ins-regional-feature-availability). 

## Encrypting your code in code vulnerability findings
<a name="lambda-code-encryption"></a>

 Amazon Q stores the code snippets that Lambda code scanning associates with a code vulnerability finding. By default, Amazon Q controls [the AWS owned key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) used to encrypt your code. However, you can use your own customer managed key for encryption through the Amazon Inspector API. For more information, see [Encryption at rest for code in your findings](encryption-rest.md#encryption-code-snippets). 

# Excluding functions from Lambda code scanning
<a name="scanning_resources_lambda_code_exclude_functions"></a>

 You can tag Lambda functions to exclude them from Amazon Inspector Lambda code scans. Excluding functions from scans can prevent unactionable alerts. When you tag a function for exclusion, the tag must have the following key-value pair. 
+  Key – `InspectorCodeExclusion` 
+  Value – `LambdaCodeScanning` 

 This topic describes how to tag a function for exclusion from code scans. For more information about adding tags in Lambda, see [Using tags on Lambda functions](https://docs.aws.amazon.com/lambda/latest/dg/configuration-tags.html). 

**To exclude a function from code scans**

1.  Sign in using your credentials, and then open the Lambda console at [https://console.aws.amazon.com/lambda/](https://console.aws.amazon.com/lambda/). 

1.  From the navigation pane, choose **Functions**. 

1.  Choose the name of the function you want to exclude from Amazon Inspector Lambda code scans. 

1.  Choose **Configuration**, and then choose **Tags**. 

1.  Choose **Manage tags**, and then **Add new tag**. 

   1. For **Key**, enter `InspectorCodeExclusion`.

   1. For **Value**, enter `LambdaCodeScanning`.

1.  Choose **Save**. 
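The eligibility rules (90-day activity window, `$LATEST` only, not excluded by tags) and the two exclusion tag pairs above can be combined into a quick coverage check over a function inventory, so you can spot functions that will silently go unscanned. The following is an added example, not Amazon Inspector code or an AWS API; the inventory records are constructed, their field names are an assumption, and the two exclusion tags are checked independently because the page describes them separately.

```python
from datetime import datetime, timedelta, timezone

# Exclusion tag key-value pairs, exactly as the page specifies them.
STANDARD_EXCLUSION = ("InspectorExclusion", "LambdaStandardScanning")
CODE_EXCLUSION = ("InspectorCodeExclusion", "LambdaCodeScanning")
INACTIVITY_WINDOW = timedelta(days=90)  # functions idle longer are auto-excluded

# Constructed sample inventory. The record shape (name/version/last_activity/tags)
# is an assumption for this example, not the Lambda or Inspector API response format.
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)
SAMPLE_FUNCTIONS = [
    {"name": "api-handler", "version": "$LATEST", "last_activity": "2024-05-01T00:00:00Z", "tags": {}},
    {"name": "nightly-report", "version": "$LATEST", "last_activity": "2024-01-10T00:00:00Z", "tags": {}},
    {"name": "legacy-webhook", "version": "3", "last_activity": "2024-05-02T00:00:00Z", "tags": {}},
    {"name": "demo-fn", "version": "$LATEST", "last_activity": "2024-05-03T00:00:00Z",
     "tags": {"InspectorExclusion": "LambdaStandardScanning"}},
    {"name": "prototype", "version": "$LATEST", "last_activity": "2024-05-04T00:00:00Z",
     "tags": {"InspectorCodeExclusion": "LambdaCodeScanning"}},
]

def has_tag(fn, pair):
    key, value = pair
    return fn["tags"].get(key) == value

def expected_scan_types(fn, now=NOW, standard_on=True, code_on=True):
    """Scan types Inspector should apply to one function, given the account's
    activated scan types and the page's eligibility and exclusion rules."""
    code_on = code_on and standard_on      # code scanning needs standard scanning active
    last = datetime.fromisoformat(fn["last_activity"].replace("Z", "+00:00"))
    if now - last > INACTIVITY_WINDOW:     # idle > 90 days: automatically excluded
        return set()
    if fn["version"] != "$LATEST":         # only the $LATEST version is eligible
        return set()
    scans = set()
    # The page lists the two exclusion tags separately, so they are checked independently.
    if standard_on and not has_tag(fn, STANDARD_EXCLUSION):
        scans.add("standard")
    if code_on and not has_tag(fn, CODE_EXCLUSION):
        scans.add("code")
    return scans

def coverage_report(functions, now=NOW, standard_on=True, code_on=True):
    """Map each function name to a sorted list of scan types expected to cover it;
    an empty list flags a function that will not be scanned (a gap worth reviewing)."""
    return {fn["name"]: sorted(expected_scan_types(fn, now, standard_on, code_on))
            for fn in functions}

if __name__ == "__main__":
    for name, scans in coverage_report(SAMPLE_FUNCTIONS).items():
        print(f"{name:16} {', '.join(scans) or 'NOT SCANNED'}")
```

Compare the report against the **Last scanned at** values from the `ListCoverage` API to confirm that functions you expect to be covered actually are.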