Conversation

@Gunjan-Katre-Comprinno
Here's your test description in the required format for the TestInspectorLambdaStandardScanEnabled class:


Context

This change adds a unit test for the inspector_lambda_standard_scan_enabled check, which ensures that Amazon Inspector2 Lambda function scanning is enabled. This contributes to broader AWS Lambda security coverage by detecting unscanned and potentially vulnerable Lambda functions.
Fixes potential coverage gap in tests for Lambda resource scanning under Inspector2.


Description

The TestInspectorLambdaStandardScanEnabled test class validates the behavior of the check in various states returned by the batch_get_account_status API. Covered scenarios include:

  • Lambda scanning is ENABLED → check passes.
  • Lambda scanning is DISABLED → check fails.
  • Lambda scanning is SUSPENDED → check fails.
  • Lambda scanning is TRANSITIONING → check returns unknown status.
  • API call to Inspector2 fails → check returns unknown status with appropriate error summary.

The AWS clients (inspector2 and sts) are mocked using unittest.mock, and no live AWS calls are made.


Checklist


License

I confirm that my contribution is made under the terms of the Apache 2.0 license.

report = self.check.execute(self.mock_session)

assert report.status == CheckStatus.UNKNOWN
assert any(r.summary is not None and "error checking" in r.summary.lower() for r in report.resource_ids_status)
Contributor

⚠️ Suggestions for Improvement

⚠️ 1. Handle Missing lambda Key in resourceState

Right now, the test assumes the "lambda" key will always be present inside resourceState. But in real-world APIs, if scanning has never been initialized, this key could be missing altogether.

Suggested additional test:

def test_lambda_resource_key_missing(self):
    self.mock_inspector_client.batch_get_account_status.return_value = {
        "accounts": [{"resourceState": {}}]  # no 'lambda' key
    }
    report = self.check.execute(self.mock_session)

    assert report.status == CheckStatus.UNKNOWN
    assert any("transitional" in r.summary.lower() or "unknown" in r.status.name.lower()
               for r in report.resource_ids_status)


⚠️ 2. Test for AWS ClientError Specifically

Just like in iam_password_policy_lowercase, include a test for when AWS throws a structured ClientError, not just a generic exception.

Suggested additional test:

from botocore.exceptions import ClientError

def test_lambda_scan_client_error(self):
    self.mock_inspector_client.batch_get_account_status.side_effect = ClientError(
        error_response={"Error": {"Code": "AccessDenied", "Message": "Access Denied"}},
        operation_name="BatchGetAccountStatus",
    )

    report = self.check.execute(self.mock_session)

    assert report.status == CheckStatus.UNKNOWN
    assert any("access denied" in r.summary.lower() for r in report.resource_ids_status)


⚠️ 3. Consider Showing Account ID in Summary

Since you're already extracting the account_id, including it in the summary string would help improve visibility in multi-account dashboards or CSV exports.

Minor UX improvement:

summary = f"Inspector Lambda standard scan is enabled for account {account_id}."
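
The check logic this PR tests, with the three review points folded in (missing lambda key, a structured ClientError, account id in the summary), as an added example written for this page and not the project's own code. CheckStatus, ScanResult, evaluate_account, run_check, mock_client and the account id 111122223333 are assumed names and constructed values; the block also covers an empty accounts list, which the page does not discuss.

```python
from dataclasses import dataclass
from enum import Enum
from unittest.mock import Mock

try:  # use real botocore when installed; otherwise a stand-in with the same .response shape
    from botocore.exceptions import ClientError
except ImportError:
    class ClientError(Exception):  # constructed stand-in mirroring botocore's ClientError
        def __init__(self, error_response, operation_name):
            super().__init__(f"An error occurred ({operation_name})")
            self.response = error_response

class CheckStatus(Enum):  # assumed stand-in for the project's CheckStatus enum
    PASSED = "passed"
    FAILED = "failed"
    UNKNOWN = "unknown"

@dataclass
class ScanResult:  # assumed stand-in for one entry of report.resource_ids_status
    status: CheckStatus
    summary: str

def evaluate_account(account: dict) -> ScanResult:
    """Classify one response['accounts'] entry; a missing 'lambda' key counts as transitional."""
    acct = account.get("accountId", "unknown")
    status = (account.get("resourceState", {}).get("lambda") or {}).get("status")
    if status == "ENABLED":
        return ScanResult(CheckStatus.PASSED, f"Inspector Lambda standard scan is enabled for account {acct}.")
    if status in ("DISABLED", "SUSPENDED"):
        return ScanResult(CheckStatus.FAILED, f"Inspector Lambda standard scan is {status.lower()} for account {acct}.")
    return ScanResult(CheckStatus.UNKNOWN,
                      f"Inspector Lambda scan state is transitional or unreported ({status}) for account {acct}.")

def run_check(inspector_client, account_id: str) -> ScanResult:
    """Call Inspector2 and fold any failure into UNKNOWN while keeping the AWS error message."""
    try:
        resp = inspector_client.batch_get_account_status(accountIds=[account_id])
    except Exception as exc:  # ClientError exposes .response; anything else falls back to str(exc)
        detail = getattr(exc, "response", {}).get("Error", {}).get("Message") or str(exc)
        return ScanResult(CheckStatus.UNKNOWN,
                          f"Error checking Inspector Lambda scan for account {account_id}: {detail}")
    # An empty accounts list (account not enrolled) falls through to UNKNOWN in evaluate_account.
    accounts = resp.get("accounts") or [{"accountId": account_id}]
    return evaluate_account(accounts[0])

def mock_client(response=None, error=None) -> Mock:
    """Constructed inspector2 client built with unittest.mock; no live AWS call is made."""
    client = Mock()
    client.batch_get_account_status.configure_mock(return_value=response, side_effect=error)
    return client
```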
