The company requires two different types of security analysis: vulnerability scanning for CVEs and code-level scanning for sensitive data exposure. Amazon Inspector provides both Lambda Standard Scanning and Lambda Code Scanning. These capabilities allow Inspector to examine Lambda deployment packages and Lambda layers for software vulnerabilities, and also perform static code analysis to detect insecure coding patterns. To meet the requirement that only certain Lambda functions receive deeper code scanning, Inspector allows enabling or disabling code scanning at the individual Lambda function level through the function's Monitor settings. Inspector additionally supports resource exclusion based on tagging, allowing administrators to prevent specific Lambda functions from participating in code scans. Tag-based exclusion satisfies the requirement to scan only a subset of Lambda functions.

Option B is required because enabling both Lambda standard scanning and Lambda code scanning activates the functionality necessary for CVE detection and code security analysis.

Option D is required because enabling scanning at the function level ensures that code scanning runs only for selected Lambda functions.

Option E is required because resource exclusion using tags allows the administrator to exclude non-target Lambda functions from code scanning automatically.

Options A and C do not satisfy the requirement because simply activating Amazon Inspector does not configure per-function scanning behavior, and GuardDuty Lambda Protection does not scan for CVEs or code vulnerabilities. Option F is not valid because Amazon Inspector does not perform scans directly against objects stored in Amazon S3; scanning occurs against the deployed Lambda function versions themselves.