Overview

Why It’s Important

Security should never be an afterthought, and this is just as true in the world of serverless computing as everywhere else. The “shifting left” of security responsibility is a reality we are seeing with more customers and brings a new set of challenges. Another inescapable reality is that AWS Lambda has become a ubiquitous part of customer environments, whether as core compute or specific integration tasks, making the security of our Lambda functions very important. A couple of new capabilities from AWS are making it easier to identify and address potential security issues at an early stage of development, reducing the risk of security breaches and saving valuable time and resources in the long run.

Simplify Your Stack

Customers building on AWS have long had to combine multiple tools to scan workloads for common vulnerabilities and weaknesses, especially in environments that leverage a mix of EC2 instances, ECS tasks, and Lambda functions. The landscape of SAST and DAST tools is broad and deep, and like many other AWS services, more customers are finding use cases where the managed first-party options get the job done.

AI for Security

The engine under the hood of these new AWS capabilities is the CodeGuru Security service, which uses machine learning trained on millions of code reviews and the CodeGuru Detector Library to detect security policy violations and vulnerabilities.

Transparently using the CodeGuru Security service foundation behind the scenes, Amazon CodeWhisperer scans code in a growing number of languages right in the IDE, and Amazon Inspector has a dramatically increased breadth and depth of scanning capabilities.

Another piece of good news: both are easy to enable.

Let’s Turn Some Things On

Enabling CodeWhisperer security scan

We’re going to use VS Code to show the steps, but it works very similarly in the JetBrains ecosystem.

If you’re already developing for AWS with VS Code, you almost certainly have the AWS toolkit activated, and this is where you can access CodeWhisperer settings and functionality.

With an active file open, navigate to the AWS toolkit and click “Run Security Scan”. If you’re using Java, build your project in VS Code first so CodeWhisperer has access to your build artifacts.

The output of the security scan can be viewed in the “Problems” panel of VS Code.

Be aware that there are file size limitations that vary by programming language, and certain file types are not supported, such as JSON and YAML.

Enabling Amazon Inspector Lambda Code Scanning

Amazon Inspector Lambda code scanning went to General Availability (GA) in June of this year, which means Inspector can now continuously scan Lambda code for security vulnerabilities and code quality issues. Before June, Inspector already had the capability to scan for package vulnerabilities in Lambda dependencies with Amazon Inspector Lambda standard scanning, and extending this capability to the actual functions is a major leap forward.

Amazon Inspector Lambda code scanning is supported for several versions of Java, Node.js, and Python today:

User Authorization

IAM Policies for admin and read-only authorization in Inspector are managed by AWS, which makes life a lot easier. The AmazonInspector2FullAccess policy for admin functionality can be attached to your IAM identities and will allow the creation of the necessary service-linked role the first time Inspector is activated via console, API, or CLI.

Be aware that we’ve seen a customer run up against PowerUserAccess not granting permission to view Inspector findings, although it will for SecurityHub & GuardDuty.

Activate

Inspector is a regional service and needs to be activated in the same region as the Lambda functions. The type of scanning (standard vs. code) is selected in the "account management" menu.

For standalone accounts, this is as easy as clicking through "Get Started" and "Activate Inspector" in the console when you are in the correct region.

For multi-account environments managed through AWS organizations, you'll log in to the management account and designate another account the "delegated administrator". The delegated administrator account can then activate scanning for any member account associated with the Organizations management account. There is a very helpful script and explanation of this piece of the puzzle from the service team posted here.

Scans get initiated by customer actions as well as AWS service updates:

Across container images and Lambda functions, we have two types of scans:

• Customer-initiated scans are triggered when customers add or modify a resource.

• System-initiated scans occur when new code vulnerability detectors are deployed.

Findings

Findings can always be investigated in the console as needed, but the most popular approach we’re seeing is to investigate Inspector findings in Security Hub. This opens up a world of options for integrating into the rest of your security and operations approaches.

One of the most Interesting things we’ve seen down this road is leveraging Amazon Detective for the investigation piece once findings are in SecurityHub, as Danilo outlines very well in this blog post.

Pricing

CodeWhisperer is currently free for individual users.

Inspector charges $0.30 for standard scanning and $0.90 for standard+code scanning per "average number of AWS Lambda functions scanned per month", which basically means quantity of Lambdas prorated against whether they existed all month.

Takeaway

It feels like there is a LOT more to come from AWS regarding the "behind the scenes" addition of AI for security functionality. Integrating these capabilities into other AWS services without requiring a major lift from customers is a great way to keep raising the bar. We have helped several customers take advantage of these new capabilities this summer, so don't hesitate to reach out to bex@buildstr.com for help!