AWS inspector medium security documentation change
Summary
Updated code vulnerability documentation with Lambda scanning details, added encryption information for code snippets, and clarified delegated administrator access limitations
Security assessment
Added explicit details about encryption of code snippets (AWS owned keys vs customer managed keys) and access control limitations for delegated administrators. These changes address data protection and access control aspects, which are security concerns.
Diff
diff --git a/inspector/latest/user/findings-types.md b/inspector/latest/user/findings-types.md index 336c11a30..f026d648a 100644 --- a//inspector/latest/user/findings-types.md +++ b//inspector/latest/user/findings-types.md @@ -30 +30 @@ Amazon Inspector can generate package vulnerability findings for EC2 instances, -Code vulnerability findings identify lines in your code that attackers could exploit. Code vulnerabilities include injection flaws, data leaks, weak cryptography, or missing encryption in your code. +Code vulnerability findings help identify lines of code that can be exploited. Code vulnerabilities include missing encryption, data leaks, injection flaws, and weak cryptography. Amazon Inspector generates code vulnerability findings through [Lambda function scanning](https://docs.aws.amazon.com/inspector/latest/user/scanning-lambda.html) and its [Code Security](https://docs.aws.amazon.com/inspector/latest/user/code-security-assessments.html) feature. @@ -32 +32 @@ Code vulnerability findings identify lines in your code that attackers could exp -Amazon Inspector evaluates your Lambda function application code using automated reasoning and machine learning that analyzes your application code for overall security compliance. It identifies policy violations and vulnerabilities based on internal detectors developed in collaboration with Amazon CodeGuru. For a list of possible detections, see [CodeGuru Detector Library](https://docs.aws.amazon.com/codeguru/detector-library/). +Amazon Inspector evaluates Lambda function application code using automated reasoning and machine learning to analyzes application code for overall security compliance. It identifies policy violations and vulnerabilities based on internal detectors developed in collaboration with Amazon CodeGuru. For a list of possible detections, see [CodeGuru Detector Library](https://docs.aws.amazon.com/codeguru/detector-library/). @@ -34 +34 @@ Amazon Inspector evaluates your Lambda function application code using automated -###### Important +Code scanning captures snippets of code to highlight detected vulnerabilities. For example, a code snippet might show hardcoded credentials or other sensitive materials in plaintext. CodeGuru stores code snippets associated with code vulnerabilities. By default, your code is encrypted with an [AWS owned key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk). However, you can create a customer managed key to encrypt your code if you want more control over this information. For more information, see [Encryption at rest for code in your findings](./encryption-rest.html#encryption-code-snippets). @@ -36 +36 @@ Amazon Inspector evaluates your Lambda function application code using automated -Amazon Inspector code scanning captures code snippets to highlight detected vulnerabilities. These snippets may show hardcoded credentials or other sensitive materials in plaintext. +###### Note @@ -38,3 +38 @@ Amazon Inspector code scanning captures code snippets to highlight detected vuln -Amazon Inspector can generate **code vulnerability** findings for Lambda functions if you enable [Amazon Inspector Lambda code scanning](https://docs.aws.amazon.com/inspector/latest/user/scanning_resources_lambda_code.html). - -Code snippets detected in connection with a code vulnerability are stored by the CodeGuru service. By default an [AWS owned key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) controlled by CodeGuru is used to encrypt your code, however, you can use your own customer managed key for encryption through the Amazon Inspector API. For more information see [Encryption at rest for code in your findings](./encryption-rest.html#encryption-code-snippets). +The delegated administrator for an organization cannot view code snippets that belong to member accounts.