On June 13th 2023, Amazon Inspector announces the general availability of Code Scans for AWS Lambda function. Since November 28th 2022, AWS has announced Amazon Inspector support for AWS Lambda functions.
This repository has been updated to cover Lambda code scanning activation at scale: multi-accounts and multi-regions. Lambda code scanning is a sub-feature of Lambda scanning.
For Amazon Inspector2 to run CVE assessment, SSM Agent needs to be installed and enabled on the EC2 as per the documentation. By SSM Agent enabled, ensure that AWS Systems Manager is deployed and can communicate with your EC2 instances having the adequate instance profile.
- If you have questions regarding Amazon Inspector2, please reach out to the product team by opening a ticket.
- If you have questions regarding the script, you can contact the script author.
This script will help to deploy Amazon Inspector2 (released the 29th november 2021) across an AWS Organizations in multiple regions. The script uses Amazon Inspector2 AWS CLI commands to loop on accounts and in the specified regions.
Below the prerequites in order to successfully run the script to deploy Amazon Inspector2.
Using this script, it is assumed you have met the prerequites in the Amazon Inspector2 official documentation.
Launch AWS CloudShell as outlined in this page.
Download the code by executing on CloudShell:
git clone https://github.com/aws-samples/inspector2-enablement-with-cli.git
The below versions at the minimum expected to use Amazon Inspector2 CLI reference:
Note : The script works with CLI version 1 and CLI version 2. The script checks AWS CLI version when running.
WARNING: If you are not using CloudShell but your computer terminal with AWS CLI installed, you must set a default region in your ~/.aws/config.
jqwill likely be already installed in CloudShell.
jq is used in the script, so please checke if it is already installed (Run jq --version) or install jq.
The script has been tested with :
- bash version :
version 4.2.46(2)-release - zsh version :
zsh 5.8.1 (x86_64-apple-darwin21.0).
AWS Organizations is mandatory. The delegation of Amazon Inspector2 Delegated Administrator (DA) can only be done from the managment account.
From the Organization management account, designate a Delegated Administrator for Amazon Inspector2.
The effective management of Amazon Inspector2 will be done from the DA account. Unlike AWS Organizations, Amazon Inspector is a Regional service. This means that a delegated administrator must be designated in each Region and must add and enable scans for members in each AWS Region for which you would like to manage Amazon Inspector.
You must have permission to designate an Amazon Inspector delegated administrator. Add this statement to the end of an IAM policy to grant these permissions.
Attach the AmazonInspector2FullAccess managed policy to your IAM identities to grant full access to Amazon Inspector2 for its management.
Below are the default variables in the script :
$default_auto_enable_conf: Configure the scanning type to enable for new accounts that are associated to the DA. You must always set the value for all scanning types. By default in the script, the value is set :auto_enable_conf="ec2=true,ecr=true,lambda=true,lambdaCode=true"$default_rsstype: Inspector2 scanning type to enable. The default value is set to"EC2 ECR LAMBDA LAMBDA_CODE".
Below are the variables in the param_inspector2.json that you will need to update according to your Organization:
inspector2_da.id: AWS Account id you want to designate as Delegated Admin for Amazon Inspector2scanning_type.selected: Inspector2 scanning type to enable. Possible values are "ECR" | "EC2" | "LAMBDA | LAMBDA_CODE" (use upper case)auto_enable.conf: Configure the scanning type to enable for new accounts that are associated to the DA. You must always set the value for both ec2 and ecr, at an least with one of them being true. Example :auto_enable.conf="ec2=true,ecr=false"regions.enablement: The list of AWS regions where you want to enable/disable Amazon Inspector2. Example in the parameters file. If not specified in the file nor found as exported variable, then the script will use the current region.
If you do not want to update the values in the param_inspector2.json, you can export the values that match your environment:
export INSPECTOR2_DA="DA_ACCOUNTID"export INSPECTOR2_REGIONS="eu-west-1 us-east-1 eu-central-1"At the end of the script execution, unset the variables exported by doing:unset INSPECTOR2_DAunset INSPECTOR2_REGIONS.
The script runs locally using AWS CLI and works also on CloudShell. If you have designated an account different than the organization management account as "Delegated Administrator" for Amazon Inspector2, you will need to :
- run the script in the organization management account : As per the security principle, only this account can designate another account as admin
- run the script (the same one) in the Delegated Administrator account to manage Amazon Inspector2 : enable/disable, configure auto-enable, associate/disassociate members...
If you have designated the organization management account as the Delegated Administrator for Amazon Inspector2, then run all the steps solely in that account.
- If you run the script with no parameters you will see the list of options.
./inspector2_enablement_with_awscli.sh
Use -hor --help to see the commands options.
-
The list of actions that can be performed with the script require
-aor--action. It is a mandatory option. -
-a get_status: Check the enablement status of Amazon Inspector per regions and per scan type. When run from the delegated admin (DA) account, return the status of all the AWS Organizations. If run from an account different than the DA, than return the status only for that account. -
-a delegate_admin [-da ACCOUNTID]: Designate one account as DA on regions specified.-da ACCOUNTID: indicate the account that should be set as DA. If-dais not used, then the script will search for a value in the parameters file, if empty, will check to see if a value has been exported forINSPECTOR2_DA.
-
-a activate -t ACCOUNTID|members [-s all]: Activate scan type in regions. The other options are the following:- A target account(s) is mandatory:
-t members | ACCOUNTID. Either specified an ACCOUNTID-t ACCOUNTIDon which scan type will be enabled, or use-t membersto select all the accounts from AWS Organizations except the DA account on which to enable the scan type. - The scan type is specified
-s ec2|ecr|lambda|lambdaCode|all. This is optional, when not specified, then all scans type will be enabled - Example :
./inspector2_enablement_with_awscli.sh -a activate -t members [-s lambda]
- A target account(s) is mandatory:
-
-a associate -t ACCOUNTID|members: associate the specified target account(s) to the DA account -
-a auto_enable [-e "ec2=true,ecr=true,lambda=true,lambdaCode=true"]: configure the automatic activation of Amazon Inspector2 to accounts newly associated to the DA based on the configuration set.
-e "ec2=true,ecr=false,lambda=true,lambdaCode=true": specified the scan type to enable on each newly associated account. This is optional, when not used, the script will read the value in the parameter file. If nothing is set in the parameters file, then the script will applied the default value of$default_auto_enable_conf
-a deactivate -t ACCOUNTID|members [-s all]: deactivate a specified scan for Amazon Inspector2. In order to deactive Amazon Inspector2, all the scan types should be disabled.-a disassociate -t ACCOUNTID|members: Disassociate a target from the DA.-a remove_admin [-da ACCOUNTID]: Remove an an account as DA for Amazon Inspector2.
--dry-run | -r option is available for each command.
Below, examples of script usage with Dry run:
./inspector2_enablement_with_awscli.sh -a get_status -r
./inspector2_enablement_with_awscli.sh -a delegate_admin -da ACCOUNTD_ID --dry-run
./inspector2_enablement_with_awscli.sh -a activate -t ACCOUNTD_ID -s all -r
./inspector2_enablement_with_awscli.sh -a associate -t members --dry-run
./inspector2_enablement_with_awscli.sh -a activate -t members -s all -r
Ensure you have remove the dry-run option when you are running the commands of your choice.
Amazon Inspector2 would be enabled in all accounts, regions with the scan type you configured in the variales.
If your Delegated Administrator (DA) account is different than your organization management account, then after step 1, log into your DA account. If not, continue the next steps in the same account. You will need to execute the steps 2, 3, 4 and 5 in the DA account as shown in the table below. Caution: Wait around 3 minutes after step 3 for the association to be completed. You can check the progress through the console while the script is running.
| N° | Run the script in | Parameters | Description |
|---|---|---|---|
| 1 | Organization management account | -a delegate_admin -da DA_ACCOUNT_ID |
designate DA_ACCOUNT_ID as Inspector2 DA for AWS Organizations |
| 2 | Delegated Administrator account | -a activate -t DA_ACCOUNT_ID -s all |
Activate Inspector2 on the DA account for selected scans: ec2 or ecr or or lambda all = ec2 & ecr & lambda & lambdaCode |
| 3 | Delegated Administrator account | -a associate -t members |
Associate the member accounts to the DA account |
| 4 | Delegated Administrator account | -a activate -t members -s all |
Enable Inspector2 on the member accounts for selected scans |
| 5 | Delegated Administrator account | -a auto_enable -e "ec2=true,ecr=true,lambda=true,lambdaCode=true" |
Configure auto-enablement of Inspector2 on accounts newly associated with the DA |
Wait a few minutes for the Amazon Inspector2 to be enable in all the accounts and regions configured.
In the DA account, execute the script with - a get_status to get Amazon Inspector2 activation status for all accounts associated.
For Amazon Inspector2 deactivation, you will need to follow the steps below.
| N° | Run the script in | Parameters | Description |
|---|---|---|---|
| 6 | Delegated Administrator account | -a deactivate -t members -s all |
Deactivate a type of scan ec2 or ecr. Or deactivate Inspector2 by removing all = ec2 & ecr scans types from members accounts |
| 7 | Delegated Administrator account | -a disassociate -t members |
Disassociate the memebers accounts from the DA account |
| 8 | Delegated Administrator account | -a deactivate -t DA_ACCOUNT_ID -s all |
Deactivate Inspector2 on the DA account |
| 9 | Organization management account | -a remove_admin -da DA_ACCOUNT_ID |
Remove DA account |
Caution: Wait around 3 minutes after step 6 for the association to be completed. You can check the progress through the console while the script is running.
Wait around 5 minutes after step 6 then check the status with -a get_status. Most accounts should now have "DISABLING" or "DISABLED" as status for the scan(s) you deactivated.
Optionally, wait around 5 minutes after step 7 and then check the status with -a get_status. Most accounts should now have "DISASSOCIATED" as status.
Connect into the organization management account for step 9.
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.