Continuous Vulnerability Scanning for AWS Lambda Functions with Amazon Inspector


In this post, we will explore how to enable Amazon Inspector across one or more AWS accounts and receive alerts when vulnerabilities are detected in AWS Lambda functions. Amazon Inspector is an automated service that manages vulnerabilities by continuously scanning workloads for software weaknesses and unintended network exposure. It can assess various workloads, including Amazon Elastic Compute Cloud (Amazon EC2) instances and container images in Amazon Elastic Container Registry (Amazon ECR). Notably, at re:Invent 2022, support for Lambda functions and Lambda layers was introduced, providing a unified solution for compute environments.

Relying solely on pre-deployment vulnerability scans may not suffice, as vulnerabilities can emerge at any time—such as the widespread Apache Log4j vulnerability. Therefore, it is crucial to monitor and rescan workloads continuously in near real-time as new vulnerabilities are identified or workloads are modified.

Amazon Inspector scans are automatically triggered by updates to Lambda functions or the release of new relevant Common Vulnerabilities and Exposures (CVEs). The service operates without agents, eliminating the need to install libraries or agents in your Lambda functions or layers. When a vulnerability or network misconfiguration is detected, Amazon Inspector generates a finding that describes the issue, identifies the affected resource, assesses its severity, and suggests remediation steps.

Additionally, Amazon Inspector integrates seamlessly with various AWS services, including Amazon EventBridge and AWS Security Hub. With EventBridge, you can create automated workflows to receive notifications for specific vulnerability findings or implement automatic remediation using Lambda or AWS Systems Manager.

In this blog post, you’ll learn how to:

  • Activate Amazon Inspector in a single AWS account and AWS Region.
  • Observe the automated discovery and continuous vulnerability scanning process by deploying a new Lambda function that contains a vulnerable package dependency.
  • Receive near real-time notifications when a specific severity vulnerability is detected in a Lambda function, utilizing EventBridge and Amazon Simple Notification Service (Amazon SNS).
  • Remediate vulnerabilities using the guidance provided in the Amazon Inspector dashboard.
  • Enable Amazon Inspector across multiple accounts or Regions through AWS Organizations.

Solution Architecture

The solution architecture involves several AWS services and their integrations, as illustrated in Figure 1.

Workflow:

  1. Deploy a new Lambda function using the AWS Serverless Application Model (AWS SAM).
  2. Amazon Inspector scans are triggered by new vulnerabilities or updates to existing Lambda functions.
  3. Amazon EventBridge receives events from Amazon Inspector and evaluates them against defined rules.
  4. An EventBridge rule is configured for Amazon Inspector findings, with the target set to an SNS topic for notifications to the system operations team.
  5. The EventBridge rule triggers the SNS topic with event data, sending an email to the subscribers.
  6. The operations team receives an email detailing the vulnerability, recommended package fixes, the Amazon Inspector score for prioritization, and the affected Lambda functions. Using the remediation information from Amazon Inspector, the team can take appropriate actions.

Prerequisites

To follow this demonstration, you should have:

  • An AWS account.
  • A command line interface: AWS CloudShell or the AWS CLI. We suggest CloudShell because it comes with the AWS CLI, the AWS SAM CLI, and Python preinstalled, but a local shell with those tools installed works as well.
  • An AWS Region where Amazon Inspector Lambda code scanning is available.
  • An IAM role with administrator privileges.

The solution includes services such as Amazon Inspector, AWS Lambda, Amazon EventBridge, AWS Identity and Access Management (IAM), Amazon SNS, AWS CloudShell, and AWS Organizations for scaling Amazon Inspector activation across multiple accounts.

Step 1: Activate Amazon Inspector in a Single Account

To activate Amazon Inspector:

  1. Log in to the AWS Management Console.
  2. Open AWS CloudShell. CloudShell inherits the permissions of the signed-in IAM principal, and it comes pre-installed with necessary CLIs and runtimes.
  3. Run the following command in CloudShell to check the activation status of Amazon Inspector:

     aws inspector2 batch-get-account-status

  4. Activate Amazon Inspector for the LAMBDA resource type:

     aws inspector2 enable --resource-types '["LAMBDA"]'

  5. Verify the activation status again:

     aws inspector2 batch-get-account-status

You should see a response indicating that Amazon Inspector is enabled for Lambda resources: the `lambda` entry under `resourceState` for your account reports a status of `ENABLED`.

Step 2: Create an SNS Topic and Subscription for Notifications

Next, set up the SNS topic and subscription to receive notifications for new findings.

  1. Create the SNS topic and subscription using the following commands, replacing <REGION_NAME>, <AWS_ACCOUNTID>, and <email@example.com> with your actual values:

     aws sns create-topic --name amazon-inspector-findings-notifier
     aws sns subscribe --topic-arn arn:aws:sns:<REGION_NAME>:<AWS_ACCOUNTID>:amazon-inspector-findings-notifier --protocol email --notification-endpoint <email@example.com>

  2. Confirm the subscription by opening the confirmation link in the email that Amazon SNS sends to that address.
  3. Verify the subscription status with:

     aws sns list-subscriptions

You should see the details of your subscription, including the email address and ARN. Until the confirmation link has been opened, the subscription ARN shows as PendingConfirmation and no notifications are delivered.

  4. Test the setup by sending a message to your subscribed email:

     aws sns publish --topic-arn "arn:aws:sns:<REGION_NAME>:<AWS_ACCOUNTID>:amazon-inspector-findings-notifier" --message "Test message"
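Steps 3 to 5 of the workflow rely on an EventBridge rule that forwards Amazon Inspector findings to the topic created above. The script below is an added example and is not part of the original post or of any AWS sample; the rule name `inspector-lambda-findings`, the target Id `sns-ops`, the severity list, and the event pattern (written against the `aws.inspector2` / `Inspector2 Finding` event shape) are assumptions, and the topic ARN placeholders are the ones from Step 2.

```shell
#!/bin/sh
# Added example, not from the original post: connect the Amazon Inspector
# findings stream to the SNS topic from Step 2 through an EventBridge rule.
# Assumptions (not from the post): the rule name, the target Id "sns-ops",
# the severity list, and the EventBridge event shape for Inspector findings.
set -eu

RULE_NAME="${RULE_NAME:-inspector-lambda-findings}"   # assumed rule name
SEVERITIES='"CRITICAL", "HIGH"'                       # notify on these only

# Event pattern for the rule: active Inspector findings whose affected
# resource is a Lambda function and whose severity is in SEVERITIES.
inspector_event_pattern() {
  cat <<EOF
{
  "source": ["aws.inspector2"],
  "detail-type": ["Inspector2 Finding"],
  "detail": {
    "status": ["ACTIVE"],
    "severity": [${SEVERITIES}],
    "resources": { "type": ["AWS_LAMBDA_FUNCTION"] }
  }
}
EOF
}

# Topic access policy: EventBridge may publish to the topic, but only from
# the rule created here (scoped with aws:SourceArn), not from any rule in
# any account.
topic_policy() {
  topic_arn="$1"
  region=$(printf '%s' "$topic_arn" | cut -d: -f4)
  account=$(printf '%s' "$topic_arn" | cut -d: -f5)
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowInspectorRuleToPublish",
    "Effect": "Allow",
    "Principal": { "Service": "events.amazonaws.com" },
    "Action": "sns:Publish",
    "Resource": "${topic_arn}",
    "Condition": { "ArnEquals": { "aws:SourceArn": "arn:aws:events:${region}:${account}:rule/${RULE_NAME}" } }
  }]
}
EOF
}

# Target definition with an input transformer, so the email carries the
# severity, Inspector score, title and affected resource instead of the
# raw JSON event.
target_json() {
  topic_arn="$1"
  cat <<EOF
[{
  "Id": "sns-ops",
  "Arn": "${topic_arn}",
  "InputTransformer": {
    "InputPathsMap": {
      "severity": "\$.detail.severity",
      "score": "\$.detail.inspectorScore",
      "title": "\$.detail.title",
      "resource": "\$.detail.resources[0].id"
    },
    "InputTemplate": "\"[Inspector] <severity> (score <score>): <title> -- affected resource: <resource>\""
  }
}]
EOF
}

# Creates the rule, grants publish permission on the topic, and attaches
# the target. Requires the AWS CLI and credentials (e.g. in CloudShell).
create_inspector_rule() {
  topic_arn="$1"
  aws events put-rule --name "$RULE_NAME" --state ENABLED \
    --event-pattern "$(inspector_event_pattern)"
  aws sns set-topic-attributes --topic-arn "$topic_arn" \
    --attribute-name Policy --attribute-value "$(topic_policy "$topic_arn")"
  aws events put-targets --rule "$RULE_NAME" --targets "$(target_json "$topic_arn")"
}

# Usage:
#   TOPIC_ARN=arn:aws:sns:<REGION_NAME>:<AWS_ACCOUNTID>:amazon-inspector-findings-notifier sh wire-rule.sh apply
# Without "apply" the script only prints the rule's event pattern (dry run).
if [ "${1:-}" = "apply" ]; then
  create_inspector_rule "${TOPIC_ARN:?set TOPIC_ARN to the topic ARN from Step 2}"
else
  inspector_event_pattern
fi
```

Two points worth knowing before running it with `apply`: `set-topic-attributes` replaces the topic's whole access policy, so merge the statement into any policy the topic already carries; and the severity filter lives in the event pattern, so lowering the threshold (adding `"MEDIUM"`) is a change to the rule, not to the topic or its subscribers.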



