Ensure Lambda functions are not using deprecated runtimes
Lambda runtimes for .zip file archives are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When security updates are no longer available for a component of a runtime, Lambda deprecates the runtime. Functions that stay on a deprecated runtime keep running, but they no longer receive security patches or technical support, and Lambda eventually blocks creating and then updating functions that use it. Do not use an already deprecated runtime for Lambda functions.
Risk Level: High
Cloud Entity: AWS Lambda
CloudGuard Rule ID: D9.AWS.VLN.08
Covered by Spectral: No
Category: Compute
GSL LOGIC
Lambda should not have environment in($Lambda_Deprecated_Runtime)
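The GSL rule above is evaluated by CloudGuard. To run the same check yourself, the following is an added example written for this page (it is not CloudGuard's or AWS's code). It reads the JSON that `aws lambda list-functions` prints, flags every function whose runtime is in a deprecated list, and builds the `update-function-configuration` command from the remediation section for each one. Assumptions: the deprecated runtime set is a snapshot that you must keep in sync with the AWS runtimes page (reference 1); the upgrade map, region, and function names in the sample are made up. It also reports the case a runtime-based check cannot see: container-image functions carry no `Runtime` field because the language runtime lives inside the image, so they are listed as unchecked rather than silently passing.

```python
"""Flag Lambda functions on deprecated runtimes.

Input is the JSON produced by `aws lambda list-functions` (the CLI paginates
for you). Added example for this page; it is not CloudGuard or AWS code.
"""
import json
import sys

# Assumed snapshot of deprecated runtime identifiers. Lambda deprecates more
# runtimes over time, so keep this set in sync with the AWS runtimes page.
DEPRECATED_RUNTIMES = frozenset({
    "python2.7", "python3.6", "python3.7",
    "nodejs10.x", "nodejs12.x", "nodejs14.x",
    "ruby2.5", "dotnetcore2.1", "go1.x",
})


def classify(function_config, deprecated=DEPRECATED_RUNTIMES):
    """Return 'deprecated', 'ok' or 'unchecked' for one function configuration.

    Container-image functions (PackageType == "Image") have no Runtime field:
    the runtime is baked into the image, so this check cannot judge it and
    reports the function as unchecked instead of passing it.
    """
    runtime = function_config.get("Runtime")
    if function_config.get("PackageType") == "Image" or runtime is None:
        return "unchecked"
    return "deprecated" if runtime in deprecated else "ok"


def find_deprecated(list_functions_output, deprecated=DEPRECATED_RUNTIMES):
    """Group function names by classification, sorted for stable output."""
    groups = {"deprecated": [], "ok": [], "unchecked": []}
    for fn in list_functions_output.get("Functions", []):
        groups[classify(fn, deprecated)].append(fn["FunctionName"])
    return {k: sorted(v) for k, v in groups.items()}


def remediation_commands(list_functions_output, upgrade_map, region,
                         deprecated=DEPRECATED_RUNTIMES):
    """Build one `aws lambda update-function-configuration` command per
    deprecated function whose runtime has a replacement in upgrade_map.

    upgrade_map (assumed, caller-supplied) maps old runtime -> new runtime,
    e.g. {"python3.6": "python3.12"}. Functions whose runtime has no mapping
    are returned separately so nothing is moved to a runtime for a different
    language by accident.
    """
    commands, unmapped = [], []
    for fn in list_functions_output.get("Functions", []):
        if classify(fn, deprecated) != "deprecated":
            continue
        new_runtime = upgrade_map.get(fn["Runtime"])
        if new_runtime is None:
            unmapped.append(fn["FunctionName"])
            continue
        commands.append(
            "aws lambda update-function-configuration "
            f"--region {region} --function-name {fn['FunctionName']} "
            f"--runtime {new_runtime}"
        )
    return commands, unmapped


# Constructed sample in the shape of `aws lambda list-functions` output
# (only the fields this script uses; names and runtimes are made up).
SAMPLE_LIST_FUNCTIONS = {
    "Functions": [
        {"FunctionName": "orders-api", "Runtime": "python3.6", "PackageType": "Zip"},
        {"FunctionName": "report-gen", "Runtime": "python3.12", "PackageType": "Zip"},
        {"FunctionName": "img-resize", "PackageType": "Image"},
        {"FunctionName": "legacy-hook", "Runtime": "nodejs12.x", "PackageType": "Zip"},
        {"FunctionName": "old-ruby", "Runtime": "ruby2.5", "PackageType": "Zip"},
    ]
}

if __name__ == "__main__":
    # Piped input is real CLI output; an interactive run uses the sample.
    data = SAMPLE_LIST_FUNCTIONS if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(find_deprecated(data), indent=2))
```

Usage: `aws lambda list-functions --region us-east-1 | python check_runtimes.py`. `list-functions` is regional, so run it once per region you use. Review the "unchecked" list by hand: an image-based function can be just as out of date as a zip function, and the only way to know is to inspect the base image it was built from.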
REMEDIATION
From Portal:
It is recommended to update Lambda functions to a supported runtime so that you continue to receive security patches and remain eligible for technical support. Use the following steps to update the Lambda function runtime version.
- Open the Functions page of the Lambda console.
- Choose the function to update and choose the Code tab.
- Scroll down to the Runtime settings section, which is under the code editor.
- Choose Edit.
  a. For Runtime, select the runtime identifier.
  b. For Handler, specify the file name and handler for your function.
  c. For Architecture, choose the instruction set architecture to use for your function.
- Choose Save.
Note: Changing the runtime changes only the function configuration, not the deployed code. If you move to a newer version of the same language, check that the function code and its dependencies are compatible with the new version. If you switch to a different language runtime or a different architecture, you must provide new function code that is compatible with that runtime and architecture.
From TF:
```hcl
resource "aws_lambda_function" "example" {
  function_name = "lambda_function_name"
  s3_bucket     = "s3_bucket_name"
  s3_key        = "s3_key"
  role          = "aws_iam_role_arn"
  handler       = "lambda_handler"
  memory_size   = 1024
  timeout       = 45

  # Use the 'runtime' argument to move the function to a supported runtime
  runtime = "supported_runtime_version"
}
```
From Command Line:
Run the following command to upgrade the runtime of a Lambda function. It updates only the runtime setting; the function code is not redeployed, so confirm the code is compatible with the new runtime before and after the change.
```shell
aws lambda update-function-configuration --region REGION_NAME --function-name LAMBDA_FUNCTION_NAME \
    --runtime RUNTIME_VERSION_NAME
```
References:
1. https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html
2. https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-zip.html
3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function
4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html
## AWS Lambda
AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running.
With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.
## Compliance Frameworks
- AWS CloudGuard Best Practices
- CloudGuard AWS All Rules Ruleset