Compliance High severity

AWS Security Hub · Inspector

Inspector.4: Lambda is not fully covered by Inspector

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Inspector.4 check?

Inspector.4 fails when Amazon Inspector Lambda code scanning is not enabled in the account and region. This is a separate scope from dependency scanning — it inspects your own function source for injected secrets and insecure code patterns.

Why does Inspector.4 matter?

Dependency scanning catches vulnerable libraries, but it does not look at the code you wrote. Lambda code scanning analyses your function source for hardcoded credentials, injection flaws and other insecure patterns — the mistakes that ship secrets straight into production. Leaving it dark means your own code is the one part of the serverless stack nothing is checking.

How do I fix Inspector.4?

  1. Enable the Lambda code scanning scope with aws inspector2 enable --resource-types LAMBDA_CODE, run from the Organization's Inspector delegated administrator account.
  2. Verify the scope is active per region with aws inspector2 batch-get-account-status.
  3. Review code findings in Security Hub and remove hardcoded secrets or fix the flagged patterns, rotating any exposed credentials.
  4. Turn on auto-enable so new accounts and regions inherit the coverage.
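The four steps above, carried through as one script. This is an added example written for this page, not Emnode's remediation script: it assumes the AWS CLI v2 is on PATH with credentials for the account being checked (the delegated administrator when --org is passed), queries batch-get-account-status in every region, reports regions where the lambdaCode scope is anything other than ENABLED, enables the scope there, and optionally sets the organization auto-enable flag. The account id 111122223333 and the per-region responses in SAMPLE_STATUS are constructed sample data so the decision logic can be exercised offline.

```python
#!/usr/bin/env python3
"""Check and repair Amazon Inspector Lambda code-scanning coverage in every region.

Hypothetical helper for the Inspector.4 fix; not the page's own script. Assumes AWS CLI v2
with credentials for the account being checked. SAMPLE_STATUS is constructed test data.
"""
import json
import subprocess
import sys

ACCOUNT = "111122223333"  # constructed sample account id, not a real account

# Constructed responses shaped like `aws inspector2 batch-get-account-status`, one per region.
SAMPLE_STATUS = {
    "us-east-1": {"accounts": [{"accountId": ACCOUNT, "state": {"status": "ENABLED"},
                                "resourceState": {"lambda": {"status": "ENABLED"},
                                                  "lambdaCode": {"status": "DISABLED"}}}]},
    "eu-west-1": {"accounts": [{"accountId": ACCOUNT, "state": {"status": "ENABLED"},
                                "resourceState": {"lambda": {"status": "ENABLED"},
                                                  "lambdaCode": {"status": "ENABLED"}}}]},
    "ap-south-1": {"accounts": [{"accountId": ACCOUNT, "state": {"status": "ENABLED"},
                                 "resourceState": {"lambda": {"status": "ENABLED"},
                                                   "lambdaCode": {"status": "ENABLING"}}}]},
    "sa-east-1": {"accounts": []},  # Inspector was never activated in this region
}


def lambda_code_status(status_response, account_id):
    """Return the lambdaCode status for one account; DISABLED when the account is absent."""
    for acct in status_response.get("accounts", []):
        if acct.get("accountId") == account_id:
            return (acct.get("resourceState", {}).get("lambdaCode", {})
                    .get("status", "DISABLED"))
    return "DISABLED"


def coverage_gaps(per_region, account_id):
    """Map every region whose Lambda code scanning is not ENABLED to the status found.

    ENABLING is reported as a gap as well: the control only passes once the scope is fully
    active, so a region stuck mid-activation still needs attention.
    """
    gaps = {}
    for region, resp in per_region.items():
        status = lambda_code_status(resp, account_id)
        if status != "ENABLED":
            gaps[region] = status
    return gaps


def aws(*args, region=None):
    """Run one AWS CLI command and parse its JSON output."""
    cmd = ["aws", *args, "--output", "json"]
    if region:
        cmd += ["--region", region]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def collect_status(account_id, regions):
    """Query batch-get-account-status per region (step 2); skip regions where the API fails."""
    per_region = {}
    for region in regions:
        try:
            per_region[region] = aws("inspector2", "batch-get-account-status",
                                     "--account-ids", account_id, region=region)
        except subprocess.CalledProcessError as err:
            # Inspector is not offered in every region; report and leave the region out.
            print(f"{region}: status query failed: {err.stderr.strip()}", file=sys.stderr)
    return per_region


def main(org_auto_enable=False):
    account_id = aws("sts", "get-caller-identity")["Account"]
    regions = [r["RegionName"] for r in aws("ec2", "describe-regions")["Regions"]]
    gaps = coverage_gaps(collect_status(account_id, regions), account_id)
    for region, status in gaps.items():
        print(f"{region}: lambdaCode is {status}, enabling")
        # Step 1. Code scanning depends on Lambda standard scanning, so both scopes are requested.
        aws("inspector2", "enable", "--resource-types", "LAMBDA", "LAMBDA_CODE",
            "--account-ids", account_id, region=region)
    if org_auto_enable:
        # Step 4: new member accounts inherit the scope (delegated administrator only).
        for region in regions:
            aws("inspector2", "update-organization-configuration",
                "--auto-enable", "lambda=true,lambdaCode=true", region=region)
    print("regions needing Lambda code scanning:", gaps or "none")


if __name__ == "__main__":
    main(org_auto_enable="--org" in sys.argv)
```

Run it once without arguments to see and close the gaps for the current account, then from the delegated administrator with --org so the organization configuration carries the scope forward. Step 3 (reviewing the CODE_VULNERABILITY findings in Security Hub and rotating any exposed credentials) remains a manual review step and is not automated here.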

Remediation script · bash

# Enable the GuardDuty base detector in every Region (run from the delegated admin account).
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  existing=$(aws guardduty list-detectors --region "$region" --query 'DetectorIds[0]' --output text)
  if [ "$existing" = "None" ]; then
    aws guardduty create-detector --enable \
      --finding-publishing-frequency FIFTEEN_MINUTES --region "$region"
    echo "$region: GuardDuty detector created"
  fi
done

# Turn on Inspector EC2/ECR/Lambda scanning plus Lambda code scanning (the scope Inspector.4 checks) for this account and Region.
aws inspector2 enable --resource-types EC2 ECR LAMBDA LAMBDA_CODE

# Enable Macie (free bucket inventory clears Macie.1; discovery jobs are scoped separately by risk).
aws macie2 enable-macie --status ENABLED --finding-publishing-frequency FIFTEEN_MINUTES

Full walkthrough (console steps, edge cases and verification) in the lesson Enable threat detection and vulnerability scanning.
