Amazon Inspector is a vulnerability management service that continuously scans AWS workloads. A specific feature, Amazon Inspector Lambda scanning, is designed to identify software vulnerabilities in Lambda functions and associated layers. It performs two types of scans: one for vulnerabilities in application package dependencies (e.g., libraries) and another for code vulnerabilities within the function's custom code, directly addressing the requirement to scan for code vulnerabilities. This is an automated, continuous process once enabled.

A. Use Amazon Macie.

Macie is a data security service for discovering and protecting sensitive data (like PII) stored in Amazon S3, not for scanning Lambda function code for vulnerabilities.

C. Use GuardDuty and Security Hub.

GuardDuty is a threat detection service, and Security Hub aggregates security findings. Neither service performs static code analysis or scans Lambda functions for code vulnerabilities.

D. Use GuardDuty Lambda Protection.

This GuardDuty feature detects runtime threats and anomalous behavior in Lambda functions, such as malicious invocations, but it does not scan the function's code for vulnerabilities.

1. AWS Documentation: Amazon Inspector User Guide. "Scanning AWS Lambda functions with Amazon Inspector." This section states, "When you activate Lambda scanning, Amazon Inspector automatically discovers all of your Lambda functions... and immediately starts scanning them for vulnerabilities... Amazon Inspector scans Lambda functions for two types of vulnerabilities: Package vulnerabilities... [and] Code vulnerabilities."

2. AWS Documentation: Amazon Inspector User Guide. "Amazon Inspector scans for code vulnerabilities." This page details how Inspector uses automated reasoning and machine learning to detect code vulnerabilities in Lambda functions, covering categories like injection flaws and data leaks.

3. AWS Documentation: Amazon Macie User Guide. "What is Amazon Macie?" The first sentence clarifies its purpose: "Amazon Macie is a data security service that discovers sensitive data by using machine learning and pattern matching."

4. AWS Documentation: Amazon GuardDuty User Guide. "Lambda Protection in GuardDuty." This document explains, "GuardDuty Lambda Protection is a feature in Amazon GuardDuty that monitors AWS CloudTrail management events and VPC Flow Logs to detect threats against your Lambda functions." This confirms its focus is on runtime threat detection, not static code scanning.