AWS inspector documentation change
Summary
Clarified Lambda scanning types, added note about unsupported encryption with customer managed keys, and reorganized CloudTrail channel documentation
Security assessment
The change adds documentation about a security-related limitation (unsupported encryption with customer managed keys) but does not address a specific vulnerability. The note informs users about security controls (encryption) that are incompatible with the service.
Diff
diff --git a/inspector/latest/user/scanning-lambda.md b/inspector/latest/user/scanning-lambda.md index 3684093eb..3b2ab24d9 100644 --- a//inspector/latest/user/scanning-lambda.md +++ b//inspector/latest/user/scanning-lambda.md @@ -13 +13 @@ Amazon Inspector support for AWS Lambda functions and layers provides continuous -This is the default Lambda scan type. Lambda standard scanning scans application dependencies within a Lambda function and layers for [package vulnerabilities](./findings-types.html#findings-types-package). +This scan type is the default Lambda scan type. It scans application dependencies in Lambda functions and layers for [package vulnerabilities](./findings-types.html#findings-types-package). @@ -17 +17 @@ This is the default Lambda scan type. Lambda standard scanning scans application -This scan type scans the custom application code in your Lambda function and layers for [code vulnerabilities](./findings-types.html#findings-types-code). You can either activate Lambda standard scanning or activate Lambda standard scanning with Lambda code scanning.. +This scan type scans custom application code in your Lambda functions and layers for [code vulnerabilities](./findings-types.html#findings-types-code). You can activate Lambda standard scanning or Lambda standard scanning with Lambda code scanning. @@ -19 +19 @@ This scan type scans the custom application code in your Lambda function and lay -When you activate Lambda function scanning, Amazon Inspector creates the following [AWS CloudTrail service-linked channels](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-service-linked-channels.html) in your account: `cloudtrail:CreateServiceLinkedChannel` and `cloudtrail:DeleteServiceLinkedChannel`. Amazon Inspector manages these channels and uses them to monitor your CloudTrail events for scans. These channels allow you to see CloudTrail events in your account as if you had a trail in CloudTrail. We recommend you create your own trail in CloudTrail to manage events for your account. +If you want to activate Lambda code scanning, you must activate Lambda standard scanning first. For more information, see [Activating a scan type](https://docs.aws.amazon.com/inspector/latest/user/activate-scans.html). @@ -21 +21,5 @@ When you activate Lambda function scanning, Amazon Inspector creates the followi -For information about how to activate Lambda function scanning, see [Activating a scan type](https://docs.aws.amazon.com/inspector/latest/user/activate-scans.html). This section provides information about Lambda function scanning. +When you activate Lambda function scanning, Amazon Inspector creates the following service-linked channels in your account: `cloudtrail:CreateServiceLinkedChannel` and `cloudtrail:DeleteServiceLinkedChannel`. Amazon Inspector manages these channels and uses them to monitor CloudTrail events for scans. The channels allow you to view CloudTrail events in your account as if you had a trail in CloudTrail. We recommend creating your own trail in CloudTrail to manage events in your account. For information about how to view these channels, see [Viewing service-linked channels](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-service-linked-channels.html) in the _AWS CloudTrail User Guide_. + +###### Note + +Amazon Inspector does not support scanning [Lambda functions encrypted with customer managed keys](https://docs.aws.amazon.com/lambda/latest/dg/security-encryption-at-rest.html). This applies to Lambda standard scanning and Lambda code scanning.