AWS Security ChangesHomeSearch

AWS inspector documentation change

Service: inspector · 2025-08-28 · Documentation low

File: inspector/latest/user/scanning-lambda.md

Summary

Clarified Lambda scanning types, added note about unsupported encryption with customer managed keys, and reorganized CloudTrail channel documentation

Security assessment

The change adds documentation about a security-related limitation (unsupported encryption with customer managed keys) but does not address a specific vulnerability. The note informs users about security controls (encryption) that are incompatible with the service.

Diff

diff --git a/inspector/latest/user/scanning-lambda.md b/inspector/latest/user/scanning-lambda.md
index 3684093eb..3b2ab24d9 100644
--- a//inspector/latest/user/scanning-lambda.md
+++ b//inspector/latest/user/scanning-lambda.md
@@ -13 +13 @@ Amazon Inspector support for AWS Lambda functions and layers provides continuous
-This is the default Lambda scan type. Lambda standard scanning scans application dependencies within a Lambda function and layers for [package vulnerabilities](./findings-types.html#findings-types-package). 
+This scan type is the default Lambda scan type. It scans application dependencies in Lambda functions and layers for [package vulnerabilities](./findings-types.html#findings-types-package). 
@@ -17 +17 @@ This is the default Lambda scan type. Lambda standard scanning scans application
-This scan type scans the custom application code in your Lambda function and layers for [code vulnerabilities](./findings-types.html#findings-types-code). You can either activate Lambda standard scanning or activate Lambda standard scanning with Lambda code scanning.. 
+This scan type scans custom application code in your Lambda functions and layers for [code vulnerabilities](./findings-types.html#findings-types-code). You can activate Lambda standard scanning or Lambda standard scanning with Lambda code scanning. 
@@ -19 +19 @@ This scan type scans the custom application code in your Lambda function and lay
-When you activate Lambda function scanning, Amazon Inspector creates the following [AWS CloudTrail service-linked channels](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-service-linked-channels.html) in your account: `cloudtrail:CreateServiceLinkedChannel` and `cloudtrail:DeleteServiceLinkedChannel`. Amazon Inspector manages these channels and uses them to monitor your CloudTrail events for scans. These channels allow you to see CloudTrail events in your account as if you had a trail in CloudTrail. We recommend you create your own trail in CloudTrail to manage events for your account. 
+If you want to activate Lambda code scanning, you must activate Lambda standard scanning first. For more information, see [Activating a scan type](https://docs.aws.amazon.com/inspector/latest/user/activate-scans.html). 
@@ -21 +21,5 @@ When you activate Lambda function scanning, Amazon Inspector creates the followi
-For information about how to activate Lambda function scanning, see [Activating a scan type](https://docs.aws.amazon.com/inspector/latest/user/activate-scans.html). This section provides information about Lambda function scanning. 
+When you activate Lambda function scanning, Amazon Inspector creates the following service-linked channels in your account: `cloudtrail:CreateServiceLinkedChannel` and `cloudtrail:DeleteServiceLinkedChannel`. Amazon Inspector manages these channels and uses them to monitor CloudTrail events for scans. The channels allow you to view CloudTrail events in your account as if you had a trail in CloudTrail. We recommend creating your own trail in CloudTrail to manage events in your account. For information about how to view these channels, see [Viewing service-linked channels](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-service-linked-channels.html) in the _AWS CloudTrail User Guide_. 
+
+###### Note
+
+Amazon Inspector does not support scanning [Lambda functions encrypted with customer managed keys](https://docs.aws.amazon.com/lambda/latest/dg/security-encryption-at-rest.html). This applies to Lambda standard scanning and Lambda code scanning.