Amazon Inspector controls - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Inspector controls

These controls are related to Amazon Inspector resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see Availability of controls by Region.

[Inspector.1] Amazon Inspector EC2 scanning should be enabled

Category: Detect > Detection services

Severity: High

Resource type: AWS::::Account

Amazon Config rule: inspector-ec2-scan-enabled

Schedule type: Periodic

Parameters: None

This control checks whether Amazon Inspector EC2 scanning is enabled. The control fails if Amazon Inspector EC2 scanning isn't enabled.

Note

In a multi-account environment, this control only evaluates the delegated Amazon Inspector administrator account. Only the delegated administrator can enable or disable the EC2 scanning feature for the member accounts in the organization. Amazon Inspector member accounts can't modify this configuration from their accounts.

Amazon Inspector EC2 scanning extracts metadata from your Amazon Elastic Compute Cloud (Amazon EC2) instances, and then compares this metadata against rules collected from security advisories to produce findings. Amazon Inspector scans instances for package vulnerabilities and network reachability issues. For information about supported operating systems, including which operating systems can be scanned without an SSM agent, see Supported operating systems: Amazon EC2 scanning.

Remediation

To enable Amazon Inspector EC2 scanning, see Activating scans in the Amazon Inspector User Guide.

[Inspector.2] Amazon Inspector ECR scanning should be enabled

Category: Detect > Detection services

Severity: High

Resource type: AWS::::Account

Amazon Config rule: inspector-ecr-scan-enabled

Schedule type: Periodic

Parameters: None

This control checks whether Amazon Inspector ECR scanning is enabled. The control fails if Amazon Inspector ECR scanning isn't enabled.

Note

In a multi-account environment, this control only evaluates the delegated Amazon Inspector administrator account. Only the delegated administrator can enable or disable the ECR scanning feature for the member accounts in the organization. Amazon Inspector member accounts can't modify this configuration from their accounts.

Amazon Inspector scans container images stored in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities to generate package vulnerability findings. When you activate Amazon Inspector scans for Amazon ECR, you set Amazon Inspector as your preferred scanning service for your private registry. This replaces basic scanning, which is provided at no charge by Amazon ECR, with enhanced scanning, which is provided and billed through Amazon Inspector. Enhanced scanning gives you the benefit of vulnerability scanning for both operating system and programming language packages at the registry level. You can review findings discovered using enhanced scanning at the image level, for each layer of the image, on the Amazon ECR console. Additionally, you can review and work with these findings in other services not available for basic scanning findings, including Amazon Security Hub and Amazon EventBridge.

Remediation

To enable Amazon Inspector ECR scanning, see Activating scans in the Amazon Inspector User Guide.

[Inspector.3] Amazon Inspector Lambda code scanning should be enabled

Category: Detect > Detection services

Severity: High

Resource type: AWS::::Account

Amazon Config rule: inspector-lambda-code-scan-enabled

Schedule type: Periodic

Parameters: None

This control checks whether Amazon Inspector Lambda code scanning is enabled. The control fails if Amazon Inspector Lambda code scanning isn't enabled.

Note

In a multi-account environment, this control only evaluates the delegated Amazon Inspector administrator account. Only the delegated administrator can enable or disable the Lambda code scanning feature for the member accounts in the organization. Amazon Inspector member accounts can't modify this configuration from their accounts.

Amazon Inspector Lambda code scanning scans the custom application code within an Amazon Lambda function for code vulnerabilities based on Amazon security best practices. Lambda code scanning can detect injection flaws, data leaks, weak cryptography, or missing encryption in your code. This feature is available in specific Amazon Web Services Regions only. You can activate Lambda code scanning together with Lambda standard scanning (see [Inspector.4] Amazon Inspector Lambda standard scanning should be enabled).

Remediation

To enable Amazon Inspector Lambda code scanning, see Activating scans in the Amazon Inspector User Guide.

[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled

Category: Detect > Detection services

Severity: High

Resource type: AWS::::Account

Amazon Config rule: inspector-lambda-standard-scan-enabled

Schedule type: Periodic

Parameters: None

This control checks whether Amazon Inspector Lambda standard scanning is enabled. The control fails if Amazon Inspector Lambda standard scanning isn't enabled.

Note

In a multi-account environment, this control only evaluates the delegated Amazon Inspector administrator account. Only the delegated administrator can enable or disable the Lambda standard scanning feature for the member accounts in the organization. Amazon Inspector member accounts can't modify this configuration from their accounts.

Amazon Inspector Lambda standard scanning identifies software vulnerabilities in the application package dependencies you add to your Amazon Lambda function code and layers. If Amazon Inspector detects a vulnerability in your Lambda function application package dependencies, Amazon Inspector produces a detailed Package Vulnerability type finding. You can activate Lambda code scanning together with Lambda standard scanning (see [Inspector.3] Amazon Inspector Lambda code scanning should be enabled).

Remediation

To enable Amazon Inspector Lambda standard scanning, see Activating scans in the Amazon Inspector User Guide.
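All four controls on this page (Inspector.1 through Inspector.4) reduce to reading one account's scanning status and treating anything other than ENABLED as a failure. The following script is an added example, not code from the AWS documentation: it evaluates the four controls from an Inspector2 BatchGetAccountStatus response, where the resourceState key names (ec2, ecr, lambda, lambdaCode) are assumed from that API and the sample response and account id are constructed.

```python
# Added example (not AWS documentation code): evaluate Security Hub controls
# Inspector.1-4 from an Inspector2 BatchGetAccountStatus response. The
# resourceState keys (ec2, ecr, lambda, lambdaCode) are assumed from that API;
# the sample response and account id below are constructed.

# Security Hub control id -> key in the BatchGetAccountStatus resourceState map
CONTROLS: dict[str, str] = {
    "Inspector.1": "ec2",         # EC2 scanning
    "Inspector.2": "ecr",         # ECR scanning
    "Inspector.3": "lambdaCode",  # Lambda code scanning
    "Inspector.4": "lambda",      # Lambda standard scanning
}

# Constructed sample: ECR scanning off, Lambda code scanning still activating.
SAMPLE_RESPONSE = {
    "accounts": [{
        "accountId": "111111111111",  # constructed placeholder account id
        "state": {"status": "ENABLED"},
        "resourceState": {
            "ec2": {"status": "ENABLED"},
            "ecr": {"status": "DISABLED"},
            "lambda": {"status": "ENABLED"},
            "lambdaCode": {"status": "ENABLING"},
        },
    }],
    "failedAccounts": [],
}


def evaluate(response: dict, account_id: str) -> dict[str, str]:
    """Map each control to 'PASSED' or 'FAILED' for one account.

    Only an exact ENABLED status passes: ENABLING, DISABLING, SUSPENDED and
    DISABLED all count as "isn't enabled", matching the control wording.
    """
    for acct in response.get("accounts", []):
        if acct.get("accountId") != account_id:
            continue
        states = acct.get("resourceState", {})
        return {c: "PASSED" if states.get(k, {}).get("status") == "ENABLED" else "FAILED"
                for c, k in CONTROLS.items()}
    raise KeyError(f"account {account_id} missing from response")


def live_response(account_id: str, region: str) -> dict:
    """Fetch the real status; run this as the delegated Inspector administrator."""
    import boto3  # imported here so the offline evaluation needs no AWS SDK
    client = boto3.client("inspector2", region_name=region)
    return client.batch_get_account_status(accountIds=[account_id])
```

Because member accounts cannot change these settings, run the live check from the delegated administrator account, which is also the only account the controls evaluate.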