
Amazon SAP-C02: AWS Lambda CVE and Code Scanning using Inspector, GuardDuty and Tagging

Learn how to implement automated CVE and code scanning for AWS Lambda functions and layers using Amazon Inspector, GuardDuty, and resource tagging.


Question

A company has several AWS Lambda functions written in Python. The functions are deployed with the .zip package deployment type. The functions use a Lambda layer that contains common libraries and packages in a .zip file. The Lambda .zip packages and Lambda layer .zip file are stored in an Amazon S3 bucket.

The company must implement automatic scanning of the Lambda functions and the Lambda layer to identify CVEs. A subset of the Lambda functions must receive automated code scans to detect potential data leaks and other vulnerabilities. The code scans must occur only for selected Lambda functions, not all the Lambda functions.

Which combination of actions will meet these requirements? (Choose three.)

A. Activate Amazon Inspector. Start automated CVE scans.
B. Activate Lambda standard scanning and Lambda code scanning in Amazon Inspector.
C. Enable Amazon GuardDuty. Enable the Lambda Protection feature in GuardDuty.
D. Enable scanning in the Monitor settings of the Lambda functions that need code scans.
E. Tag Lambda functions that do not need code scans. In the tag, include a key of InspectorCodeExclusion and a value of LambdaCodeScanning.
F. Use Amazon Inspector to scan the S3 bucket that contains the Lambda .zip packages and the Lambda layer .zip file for code scans.

Answer

A. Activate Amazon Inspector. Start automated CVE scans.
B. Activate Lambda standard scanning and Lambda code scanning in Amazon Inspector.
E. Tag Lambda functions that do not need code scans. In the tag, include a key of InspectorCodeExclusion and a value of LambdaCodeScanning.

Explanation

To meet the requirements for automatic scanning of Lambda functions and layers for CVEs, as well as code scanning a subset of functions for data leaks and other vulnerabilities, you should take the following actions:

A. Activate Amazon Inspector. Start automated CVE scans.
Amazon Inspector can automatically scan Lambda functions, layers, and deployment packages stored in S3 for common vulnerabilities and exposures (CVEs). Activating Inspector and starting scans will address the CVE scanning requirement.

B. Activate Lambda standard scanning and Lambda code scanning in Amazon Inspector.
Within Inspector, enable the standard scanning option for Lambda to detect CVEs. Also enable the code scanning option which will perform deeper scans on functions to identify potential data leaks, hard-coded secrets, and other code-level issues. This will fulfill the code scanning requirement.

E. Tag Lambda functions that do not need code scans. In the tag, include a key of InspectorCodeExclusion and a value of LambdaCodeScanning.
To limit code scanning to only a subset of Lambda functions, add a resource tag to the functions you want to exclude. Inspector will skip code scanning for any function that carries the specified “InspectorCodeExclusion” tag key with the “LambdaCodeScanning” value. CVE (standard) scanning will still be performed on all functions.
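As an added example (not from the original page or from AWS), the following Python models the scan scope that results from options A, B and E: standard scanning for every function, code scanning for every function except those carrying the exclusion tag with the exact value. The boto3 clients, the function inventory and the account id are assumptions supplied by the caller; boto3 is not imported, so the module itself runs offline.

```python
"""Added example, not from the original page: decide which Lambda functions
Inspector will code-scan given the exclusion tag, and apply that setup.
Assumptions (not on the page): functions are dicts with 'arn' and 'tags';
the boto3 Inspector2 and Lambda clients are created by the caller; LAMBDA and
LAMBDA_CODE are the Inspector2 resource-type names for standard/code scanning."""

# Exclusion tag named on the page: key AND value must match exactly.
EXCLUSION_KEY = "InspectorCodeExclusion"
EXCLUSION_VALUE = "LambdaCodeScanning"


def is_code_scan_excluded(tags):
    """True only when the exclusion tag is present with the exact value.
    The key with some other value does NOT exclude the function."""
    return tags.get(EXCLUSION_KEY) == EXCLUSION_VALUE


def plan_scans(functions):
    """Map each function ARN to the Inspector scan types that apply.
    Standard (CVE) scanning always runs; code scanning is skipped only
    for functions carrying the exclusion tag."""
    plan = {}
    for fn in functions:
        scans = ["standard"]
        if not is_code_scan_excluded(fn.get("tags", {})):
            scans.append("code")
        plan[fn["arn"]] = scans
    return plan


def enable_inspector_lambda_scanning(inspector2_client, account_ids):
    """Activate both Lambda standard scanning and Lambda code scanning
    via the Inspector2 Enable API (options A and B on the page)."""
    return inspector2_client.enable(accountIds=account_ids,
                                    resourceTypes=["LAMBDA", "LAMBDA_CODE"])


def exclude_from_code_scan(lambda_client, function_arn):
    """Tag one function so Inspector skips code scanning it (option E)."""
    return lambda_client.tag_resource(Resource=function_arn,
                                      Tags={EXCLUSION_KEY: EXCLUSION_VALUE})


# Constructed sample inventory (placeholder account id and function names).
SAMPLE_FUNCTIONS = [
    {"arn": "arn:aws:lambda:us-east-1:111111111111:function:orders-api",
     "tags": {}},
    {"arn": "arn:aws:lambda:us-east-1:111111111111:function:nightly-report",
     "tags": {EXCLUSION_KEY: EXCLUSION_VALUE}},
    {"arn": "arn:aws:lambda:us-east-1:111111111111:function:legacy-etl",
     "tags": {EXCLUSION_KEY: "yes"}},  # wrong value, so still code-scanned
]
```

Note that a function tagged with the right key but a different value (the `legacy-etl` entry) is still code-scanned, which is a common mistake when the exclusion is applied by hand.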

The other options are incorrect because:

  • GuardDuty and its Lambda Protection feature focus on monitoring for suspicious activity and configuration issues, not CVE/code scanning (C)
  • There is no “Monitor settings” option in Lambda to enable scanning (D)
  • Inspector scans the Lambda deployment packages directly, not by scanning the S3 bucket they are stored in (F)

In summary, using Amazon Inspector’s Lambda CVE and code scanning capabilities, along with resource tags to control the scope of code scans, allows you to automatically scan all Lambda functions and layers for vulnerabilities while limiting the deeper code analysis to only the desired subset of functions.
