Aqua Security can scan AWS Lambda functions for vulnerabilities.
```shell
# Example: Scanning a Lambda function
aws lambda get-function --function-name my-lambda-function > lambda_config.json
aqua scan artifact --file lambda_config.json --output json
```
These two commands retrieve the configuration of my-lambda-function and then pass it to aqua scan artifact for analysis. Aqua will inspect the function's code, its dependencies, and its runtime environment for known security issues.
The primary benefit of scanning Lambda functions with Aqua is proactive vulnerability management. Lambda functions, like any other piece of code, can inadvertently include libraries with known CVEs, misconfigurations, or insecure code patterns. By integrating Aqua into your CI/CD pipeline or running ad-hoc scans, you can identify and remediate these risks before they are deployed to production, preventing potential breaches or compliance failures.
Aqua analyzes several key areas within a Lambda function:
- Code Dependencies: It scans all installed libraries and packages within the Lambda deployment package for known vulnerabilities. This includes Node.js node_modules, Python site-packages, and any other language-specific dependency management.
- Runtime Environment: Aqua can also assess the security posture of the Lambda runtime itself, identifying if it's using an outdated or insecure version, or if it has inherent configuration weaknesses.
- Infrastructure as Code (IaC): If your Lambda function is defined using IaC tools like AWS CloudFormation or Terraform, Aqua can scan those templates for insecure configurations related to the Lambda function’s permissions, environment variables, or other settings.
- Secrets Detection: Aqua can be configured to scan for hardcoded secrets (API keys, passwords, etc.) within the function’s code or configuration, which is a critical security best practice.
To get started, ensure you have the Aqua Security CLI installed and configured with your Aqua Security platform credentials. You’ll also need to have the AWS CLI installed and configured with appropriate permissions to access your Lambda functions.
The aqua scan artifact command is versatile. When scanning a Lambda function, you typically point it to the function’s deployment package or its configuration details. If you have the deployment package locally (e.g., a .zip file), you can scan it directly:
```shell
aqua scan artifact --file /path/to/your/lambda_deployment.zip --output json
```
If you need to scan a function directly from AWS, you can use the AWS CLI to download the function’s code and then scan it. First, get the function’s code location:
```shell
aws lambda get-function --function-name my-lambda-function --query 'Code.Location' --output text > lambda_code_url.txt
```
Then, download the code:
```shell
wget $(cat lambda_code_url.txt) -O lambda_deployment.zip
```
Finally, scan the downloaded zip file:
```shell
aqua scan artifact --file lambda_deployment.zip --output json
```
Aqua’s output will detail any vulnerabilities found, including CVE IDs, severity levels, and remediation advice. For example, a finding might look like this:
```json
{
  "Vulnerability": "CVE-2023-12345",
  "Severity": "HIGH",
  "Package": "requests",
  "Version": "2.25.0",
  "FixedVersion": "2.28.1",
  "Description": "A buffer overflow vulnerability in the requests library...",
  "Remediation": "Upgrade requests to version 2.28.1 or later."
}
```
This means you need to update the requests library in your Lambda deployment package to at least version 2.28.1.
When configuring your Aqua Security platform, you can define policies that dictate what constitutes an acceptable risk for your Lambda functions. These policies can be based on CVE severity, package age, or specific compliance requirements. If a scan violates these policies, Aqua can alert your team or even block deployments.
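The following script ties together the download-and-scan procedure above, the JSON finding format, and the policy idea from the previous paragraph. It is an added example written for this page, not Aqua Security's or AWS's own code. It assumes the aqua CLI and its JSON output look exactly as the page shows (a list of finding objects with Severity, Package, Version and FixedVersion keys), that the AWS CLI is configured, and it replaces the page's wget step with urllib so everything stays in one language. The sample findings embedded in it are constructed for the demo, not real scan output.

```python
"""Fetch a Lambda deployment package, scan it, and gate a CI job on the result.

Added example (not Aqua's or AWS's code). Assumes the ``aqua scan artifact``
command and finding format shown on the page; the AWS CLI must be configured
for the live path. Run with no arguments to evaluate the constructed sample.
"""
import json
import subprocess
import sys
import urllib.request

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample modelled on the page's example finding; not real scan output.
SAMPLE_FINDINGS = [
    {"Vulnerability": "CVE-2023-12345", "Severity": "HIGH", "Package": "requests",
     "Version": "2.25.0", "FixedVersion": "2.28.1",
     "Remediation": "Upgrade requests to version 2.28.1 or later."},
    {"Vulnerability": "CVE-EXAMPLE-0001", "Severity": "LOW", "Package": "urllib3",
     "Version": "1.26.0", "FixedVersion": "1.26.5"},
    {"Vulnerability": "CVE-EXAMPLE-0002", "Severity": "CRITICAL", "Package": "pyyaml",
     "Version": "5.1", "FixedVersion": ""},  # no fixed version published yet
]


def fetch_deployment_package(function_name, dest="lambda_deployment.zip"):
    """The page's first two steps: resolve Code.Location, then download the
    presigned URL it returns (urllib here instead of the page's wget)."""
    url = subprocess.run(
        ["aws", "lambda", "get-function", "--function-name", function_name,
         "--query", "Code.Location", "--output", "text"],
        check=True, capture_output=True, text=True).stdout.strip()
    urllib.request.urlretrieve(url, dest)
    return dest


def scan_package(path):
    """The page's scan command; assumed to emit a JSON list of findings.
    A single finding object (as in the page's sample) is wrapped into a list."""
    out = subprocess.run(
        ["aqua", "scan", "artifact", "--file", path, "--output", "json"],
        check=True, capture_output=True, text=True).stdout
    findings = json.loads(out)
    return findings if isinstance(findings, list) else [findings]


def evaluate_findings(findings, min_severity="HIGH", allow_unfixed=False):
    """Policy gate: return the findings that violate the policy.

    A finding violates when its severity is at or above ``min_severity``.
    Findings with no FixedVersion can only be excluded by an explicit
    ``allow_unfixed=True`` decision, so nothing is silently accepted."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    violations = []
    for finding in findings:
        rank = SEVERITY_RANK.get(str(finding.get("Severity", "")).upper(), 0)
        if rank < threshold:
            continue
        if not finding.get("FixedVersion") and allow_unfixed:
            continue
        violations.append(finding)
    return violations


def summarize(violations):
    """One line per violation, in the form a CI log should show."""
    lines = []
    for f in violations:
        fix = f.get("FixedVersion") or "no fix available"
        lines.append(f"{f['Severity']:8} {f['Vulnerability']} "
                     f"{f['Package']}=={f['Version']} -> {fix}")
    return lines


def main(argv):
    """--function-name NAME: live fetch+scan; --results FILE: gate a saved
    scan; no arguments: gate the constructed sample. Exit 1 on violations."""
    if len(argv) >= 2 and argv[0] == "--function-name":
        findings = scan_package(fetch_deployment_package(argv[1]))
    elif len(argv) >= 2 and argv[0] == "--results":
        with open(argv[1]) as fh:
            findings = json.load(fh)
    else:
        findings = SAMPLE_FINDINGS
    violations = evaluate_findings(findings)
    for line in summarize(violations):
        print(line)
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

In a pipeline the non-zero exit code is what blocks the deployment; the severity threshold and the allow_unfixed switch are the two knobs a team would map onto the Aqua policies described above, and they are deliberately separate so that "no fix exists yet" is an explicit, reviewable acceptance rather than a silent pass.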
One subtle but powerful aspect of Aqua’s Lambda scanning is its ability to understand the context of the function’s execution environment. It doesn’t just look at the code in isolation; it can infer potential risks based on the Lambda runtime version and associated system packages. For instance, an older, unsupported Lambda runtime might have known operating system-level vulnerabilities that Aqua can flag, even if your application code itself is clean. This holistic view is crucial for securing serverless workloads.
After successfully scanning and remediating vulnerabilities in your Lambda functions, the next common challenge you’ll encounter is managing the lifecycle of these functions and ensuring continuous compliance, often involving integrating these scans into your CI/CD pipeline for automated checks on every code change.