Added automatic lambda code scan to Inspector (#179)

* Added automatic lambda code scan to Inspector

* Fixed indentation

* Fixed linting

* Fixed more linting issues

Author: arya23065

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2023-10-10](#2023-10-10)
 - [2023-09-22](#2023-09-22)
 - [2023-08-07](#2023-08-07)
 - [2023-07-07](#2023-07-07)
@@ -44,6 +45,9 @@
 All notable changes to this project will be documented in this file.
 
 ---
+## 2023-10-10
+
+- Updated [Inspector](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/inspector/inspector_org) solution to enable automatic lambda code scan.
 
 ## 2023-09-22
 

aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml

@@ -194,7 +194,7 @@ resources:
 
       # Inspector Solution
       - parameter_key: pScanComponents
-        parameter_value: 'EC2, ECR, LAMBDA'
+        parameter_value: 'EC2, ECR, LAMBDA, LAMBDA_CODE'
       - parameter_key: pEcrRescanDuration
         parameter_value: 'LIFETIME'
 

aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml

@@ -226,7 +226,7 @@ Metadata:
         default: SRA Staging S3 Bucket Stack Name
 
       pScanComponents:
-        default: Comma separated list of scan components (EC2, ECR, LAMBDA)
+        default: Comma separated list of scan components (EC2, ECR, LAMBDA, LAMBDA_CODE)
       pEcrRescanDuration:
         default: ECR Rescan Duration
       pDeployInspectorSolution:
@@ -522,8 +522,8 @@ Parameters:
     Type: String
 
   pScanComponents:
-    AllowedValues: [EC2, ECR, LAMBDA]
-    Default: EC2, ECR, LAMBDA
+    AllowedValues: [EC2, ECR, LAMBDA, LAMBDA_CODE]
+    Default: EC2, ECR, LAMBDA, LAMBDA_CODE
     Description: Lambda Function Logging Level
     Type: CommaDelimitedList
   pEcrRescanDuration:

aws_sra_examples/quick_setup/customizations_for_aws_control_tower/manifest-v2.yaml

@@ -185,7 +185,7 @@ resources:
       - parameter_key: pDeployInspectorSolution
         parameter_value: 'Yes'
       - parameter_key: pScanComponents
-        parameter_value: 'EC2, ECR, LAMBDA'
+        parameter_value: 'EC2, ECR, LAMBDA, LAMBDA_CODE'
       - parameter_key: pEcrRescanDuration
         parameter_value: 'LIFETIME'
 

aws_sra_examples/quick_setup/templates/sra-quick-setup-ssm.yaml

@@ -358,7 +358,7 @@ Metadata:
       pSRAStagingS3BucketName:
         default: SRA Staging S3 Bucket Name
       pScanComponents:
-        default: Comma separated list of scan components (EC2, ECR, LAMBDA)
+        default: Comma separated list of scan components (EC2, ECR, LAMBDA, LAMBDA_CODE)
       pSecurityContactAction:
         default: Security Alternate Contact Action
       pSecurityEmail:
@@ -929,8 +929,8 @@ Parameters:
       name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
     Type: AWS::SSM::Parameter::Value<String>
   pScanComponents:
-    AllowedValues: [EC2, ECR, LAMBDA]
-    Default: EC2, ECR, LAMBDA
+    AllowedValues: [EC2, ECR, LAMBDA, LAMBDA_CODE]
+    Default: EC2, ECR, LAMBDA, LAMBDA_CODE
     Description: Lambda Function Logging Level
     Type: CommaDelimitedList
   pSecurityContactAction:

aws_sra_examples/solutions/inspector/inspector_org/README.md

@@ -85,7 +85,7 @@ The Inspector Organization solution will automate enabling Amazon Inspector by d
 #### 1.10 Inspector<!-- omit in toc -->
 
 - The Inspector delegated administrator is registered within organizations in the `management account` using the Inspector APIs within each provided region.
-- EC2, ECR, and Lambda function scanning is set to be auto-enabled for all associated member accounts (newly associated and newly created accounts)
+- EC2, ECR, Lambda standard and Lambda code scanning is set to be auto-enabled for all associated member accounts (newly associated and newly created accounts)
 
 #### 1.11 Lambda Layer<!-- omit in toc -->
 
@@ -112,7 +112,7 @@ populated from the `SecurityAccountId` parameter within the `AWSControlTowerBP-B
 #### 2.3 Inspector (Delegated admin)<!-- omit in toc -->
 
 - Inspector is enabled in the delegated admin account within each provided region.
-- EC2, ECR, and Lambda function scanning is enabled.
+- EC2, ECR, Lambda standard and Lambda code scanning is enabled.
 
 ---
 
@@ -129,7 +129,7 @@ populated from the `SecurityAccountId` parameter within the `AWSControlTowerBP-B
 #### 3.3 Inspector (Members)<!-- omit in toc -->
 
 - Inspector is enabled from the delegated administrator account.
-- EC2, ECR, and Lambda function scanning is enabled.
+- EC2, ECR, Lambda standard and Lambda code scanning is enabled.
 
 ---
 
@@ -171,9 +171,9 @@ In the `management account (home region)`, launch an AWS CloudFormation **Stack*
    1. Verify that the delegated admin account is set for each region
 2. Log into the Audit account and navigate to the Inspector page
    1. Verify the Inspector service is enabled in each region
-   2. Verify the auto-enable ec2, ecr, and lambda scanning for new accounts is ON in each region
-   3. Verify all existing member accounts have inspector ec2, ecr, and lambda scanning enabled in each region
-3. Log into a member account and verify the inspector is enabled and configured to scan ec2, ecr, and lambda functions
+   2. Verify the auto-enable ec2, ecr and lambda standard scanning for new accounts is ON in each region, and lambda code scanning in supported regions
+   3. Verify all existing member accounts have inspector ec2, ecr, and lambda standard scanning enabled in each region, and lambda code scanning in supported regions
+3. Log into a member account and verify the inspector is enabled and configured to scan ec2, ecr, lambda functions and lambda code
 
 #### Solution Update Instructions<!-- omit in toc -->
 
@@ -205,3 +205,4 @@ In the `management account (home region)`, launch an AWS CloudFormation **Stack*
 - [Managing AWS SDKs in Lambda Functions](https://docs.aws.amazon.com/lambda/latest/operatorguide/sdks-functions.html)
 - [Lambda runtimes](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html)
 - [Python Boto3 SDK changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst)
+- [AWS Regions where Lambda code scanning is currently available](https://docs.aws.amazon.com/inspector/latest/user/inspector_regions.html)

aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/manifest-v2.yaml

@@ -30,7 +30,7 @@ resources:
       - parameter_key: pSRASolutionVersion
         parameter_value: 'v1.0'
       - parameter_key: pScanComponents
-        parameter_value: EC2, ECR, LAMBDA
+        parameter_value: EC2, ECR, LAMBDA, LAMBDA_CODE
       - parameter_key: pEcrRescanDuration
         parameter_value: 'LIFETIME'
     deploy_method: stack_set

aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/parameters/sra-inspector-org-main-ssm.json

@@ -37,7 +37,7 @@
   },
   {
     "ParameterKey": "pScanComponents",
-    "ParameterValue": "EC2, ECR, LAMBDA"
+    "ParameterValue": "EC2, ECR, LAMBDA, LAMBDA_CODE"
   },
   {
     "ParameterKey": "pEcrRescanDuration",

aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/parameters/sra-inspector-org-main.json

@@ -53,7 +53,7 @@
   },
   {
     "ParameterKey": "pScanComponents",
-    "ParameterValue": "EC2, ECR, LAMBDA"
+    "ParameterValue": "EC2, ECR, LAMBDA, LAMBDA_CODE"
   },
   {
     "ParameterKey": "pEcrRescanDuration",

aws_sra_examples/solutions/inspector/inspector_org/lambda/src/app.py

@@ -36,7 +36,7 @@
 UNEXPECTED = "Unexpected!"
 SERVICE_NAME = "inspector2.amazonaws.com"
 SNS_PUBLISH_BATCH_MAX = 10
-ALL_INSPECTOR_SCAN_COMPONENTS = ["EC2", "ECR", "LAMBDA"]
+ALL_INSPECTOR_SCAN_COMPONENTS = ["EC2", "ECR", "LAMBDA", "LAMBDA_CODE"]
 
 helper = CfnResource(json_logging=True, log_level=log_level, boto_level="CRITICAL", sleep_on_delete=120)
 
@@ -172,7 +172,9 @@ def get_validated_parameters(event: Dict[str, Any]) -> dict:
     params.update(parameter_pattern_validator("SNS_TOPIC_ARN", os.environ.get("SNS_TOPIC_ARN"), pattern=sns_topic_pattern))
     params.update(
         parameter_pattern_validator(
-            "SCAN_COMPONENTS", os.environ.get("SCAN_COMPONENTS"), pattern=r"(?i)^((ec2|ecr|lambda),?){0,2}(ec2|ecr|lambda){1}$"
+            "SCAN_COMPONENTS",
+            os.environ.get("SCAN_COMPONENTS"),
+            pattern=r"(?i)^((ec2|ecr|lambda|lambda_code),?){0,3}(ec2|ecr|lambda|lambda_code){1}$",
         )
     )
     params.update(parameter_pattern_validator("ECR_SCAN_DURATION", os.environ.get("ECR_SCAN_DURATION"), pattern=r"^(LIFETIME|DAYS_30|DAYS_180){1}$"))
@@ -374,22 +376,17 @@ def setup_inspector_in_region(
         scan_components: list of components to scan
         ecr_scan_duration: ecr scan duration
     """
-    scan_component_dict: AutoEnableTypeDef = {"ec2": False, "ecr": False, "lambda": False}
+    scan_component_dict: AutoEnableTypeDef = {"ec2": False, "ecr": False, "lambda": False, "lambdaCode": False}
     for scan_component in scan_components:
-        if scan_component.lower() == "ec2":
-            scan_component_dict["ec2"] = True
-        elif scan_component.lower() == "ecr":
-            scan_component_dict["ecr"] = True
-        elif scan_component.lower() == "lambda":
-            scan_component_dict["lambda"] = True
+        scan_component_dict[common.snake_to_camel(scan_component)] = True  # type: ignore
+
+    if scan_component_dict["lambdaCode"] and not scan_component_dict["lambda"]:
+        scan_component_dict["lambda"] = True
 
     disabled_components: list = []
-    if scan_component_dict["ec2"] is False:
-        disabled_components.append("ec2")
-    if scan_component_dict["ecr"] is False:
-        disabled_components.append("ecr")
-    if scan_component_dict["lambda"] is False:
-        disabled_components.append("lambda")
+    for scan_component in scan_component_dict:
+        if scan_component_dict[scan_component] is False:  # type: ignore
+            disabled_components.append(scan_component)
 
     LOGGER.info(f"setup_inspector_in_region: scan_components - ({scan_components}) in {region}")
     LOGGER.info(f"setup_inspector_in_region: created scan_component_dict as ({scan_component_dict})")