Inspector Suppressor | Autobat Industries

Inspector Lambda Code Scanning Cost Control

Amazon Inspector is a powerful tool for analysing Lambda functions for security vulnerabilities. However, running scans every day quickly becomes expensive in a learning environment.

Problem: Constantly Scanning

Inspector will scan your Lambda functions often↗:

As soon as Amazon Inspector discovers an existing Lambda function.
When you deploy a new Lambda function to the Lambda service.
When you deploy an update to the application code or dependencies of an existing Lambda function or its layers.
Whenever Amazon Inspector adds a new common vulnerabilities and exposures (CVE) item to its database, and that CVE is relevant to your function.

This is fantastic for enterprise environments, but it can quickly become a large proportion of a lab's cost.

ChatGPT: Why should I scan my Lambda code for vulnerabilities regularly if the code hasn’t changed?

Even if your Lambda function’s code hasn’t changed, the security landscape around it has.

Here’s why regular scans still matter:

New vulnerabilities in libraries
Your Lambda might use dependencies (e.g., via node_modules, layers, or container images). These libraries can be updated externally with new CVEs—even if your own code is untouched.
Environment changes
AWS might change runtime environments, permissions, or integrations. A new risk can emerge from the surrounding infrastructure or IAM config.
Threat intelligence evolves
Tools like Amazon Inspector continuously update their scanning logic and CVE databases. A scan today might catch something that was undetectable last week.
Compliance and auditability
Even in a lab, it's valuable to practice what you’d do in production: show that scans are being performed consistently, even on “unchanged” code.

That said, daily scans may be overkill for learning environments. That's why we use scheduled tagging to get monthly snapshots—balancing security awareness with cost efficiency.

Solution: Scheduled Exclusion Tags

To balance between security insight and cost control, I built a simple tagging scheduler using EventBridge↗ and Lambda:

1st of the month: Remove Inspector Code Scan↗ and Standard Scan↗ exclusion tags from all functions in the account
3rd of the month: Add Inspector scan exclusion tags to all Lambda functions in the account

You can control whether any function is excluded from this process, and you can set your own schedules if you want to run it weekly.

Code Summary

Node.js code is available here↗.

The core Lambda function does the following:

Initialises an AWS Lambda client (uses SSO if running locally).
Gets all Lambda functions in the account.
For each function:
1. Skips if it has a suppression opt-out tag (InspectorSuppressorExclusion).
2. Adds or removes tags based on scanning instructions in the EventBridge event.
Logs the result (updated, skipped, or errored).

CloudFormation Resources

CloudFormation is available here↗.

Lambda Function
- Runs the tagging logic.
- Node.js 22.x, with X-Ray tracing.
EventBridge Rules
- enable-scanning: 1st of each month at 5 am
- disable-scanning: 3rd of each month at 5 am
IAM Role
- Grants Lambda permission to list, tag, and untag Lambda functions.
CloudWatch Log Group
- Custom log group with a 7-day retention policy.