Amazon Inspector is the dedicated AWS vulnerability management service designed to scan workloads. It provides two key features that directly address the requirements. First, Amazon Inspector enhanced scanning for Amazon ECR automatically scans container images for both operating system and programming language package vulnerabilities. Second, Amazon Inspector Lambda code scanning specifically analyzes the custom application code within Lambda functions to identify code security vulnerabilities, such as injection flaws or data leaks. This combination provides comprehensive vulnerability coverage for both the container images and the Lambda function code as requested.

A. Amazon GuardDuty is a threat detection service, not a vulnerability scanner. It does not perform static scanning of ECR images or Lambda code for vulnerabilities.

B. GuardDuty's Runtime Monitoring and Lambda Protection features detect threats and anomalies during execution, not by scanning the code or container images for pre-existing vulnerabilities at rest.

D. AWS Security Hub is a security posture management service that aggregates findings from other services like Amazon Inspector. It does not perform the scanning itself.

1. Amazon Inspector User Guide - Scanning Lambda functions with Amazon Inspector: "Amazon Inspector scans your AWS Lambda functions and Lambda layers for application package vulnerabilities... In addition to scanning for package vulnerabilities, Amazon Inspector also scans your Lambda functions for code vulnerabilities. Amazon Inspector Lambda code scanning scans the custom application code within your Lambda functions and layers for code vulnerabilities based on detectors from Amazon CodeGuru Detector Library and security best practices."

2. Amazon Inspector User Guide - Scanning Amazon ECR container images with Amazon Inspector: "Amazon Inspector integrates with Amazon ECR to scan container images for vulnerabilities... Enhanced scanning provides both operating system and programming language package vulnerability scanning for your container images."

3. Amazon GuardDuty User Guide - GuardDuty Lambda Protection: "GuardDuty Lambda Protection is a feature in Amazon GuardDuty that monitors the AWS Lambda function executions in your AWS account for potential security threats." (This confirms its focus is on runtime threat detection, not static vulnerability scanning).

4. AWS Security Hub User Guide - What is AWS Security Hub?: "Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues." (This confirms its role as an aggregator of findings, not a scanner).