Ensure Lambda functions are not using deprecated runtimes

Lambda runtimes for .zip file archives are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When security updates are no longer available for a component of a runtime, Lambda deprecates the runtime. Do not use an already deprecated runtime for Lambda functions.

AWS Lambda Deprecated Runtime

Risk Level: High
Cloud Entity: AWS Lambda
CloudGuard Rule ID: D9.AWS.VLN.08
Covered by Spectral: No
Category: Compute

GSL Logic

Lambda should not have environment in($Lambda_Deprecated_Runtime)

Remediation

From AWS Portal

It is recommended to update Lambda functions to a supported runtime so that you continue to receive security patches and remain eligible for technical support. Use the following steps to update the Lambda function runtime version.

  1. Open the Functions page of the Lambda console.
  2. Choose the function to update and choose the Code tab.
  3. Scroll down to the Runtime settings section, which is under the code editor.
  4. Choose Edit.
    a. For Runtime, select the runtime identifier.
    b. For Handler, specify the file name and handler for your function.
    c. For Architecture, choose the instruction set architecture to use for your function.
  5. Choose Save.

Note: If you update the function configuration to use a new runtime, you may need to update the function code to be compatible with the new runtime. If you update the function configuration to use a different runtime, you must provide new function code that is compatible with the runtime and architecture.

From Terraform

resource "aws_lambda_function" "example" {
  function_name    = "lambda_function_name"
  s3_bucket        = "s3_bucket_name"
  s3_key           = "s3_key"
  role             = "aws_iam_role_arn"
  handler          = "lambda_handler"
  memory_size      = 1024
  timeout          = 45

  # Use 'runtime' parameter to upgrade the runtime version
  runtime          = "supported_runtime_version"
}

From Command Line

Run the following command to upgrade the runtime environment for the Lambda function:

aws lambda update-function-configuration \
  --region REGION_NAME \
  --function-name LAMBDA_FUNCTION_NAME \
  --runtime RUNTIME_VERSION_NAME
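The following script is an added example, not part of this rule page or of CloudGuard's own tooling. It applies the GSL check above (Lambda should not have environment in($Lambda_Deprecated_Runtime)) to the JSON shape returned by `aws lambda list-functions`, using a constructed sample instead of a live API call, and then builds the `update-function-configuration` command from the remediation section for each finding. The deprecated-runtime set and the upgrade targets are assumptions chosen for illustration; the authoritative list is the runtimes page in reference 1 and changes over time.

```python
"""Flag Lambda functions on deprecated runtimes and emit remediation commands.

Added example for the CloudGuard rule D9.AWS.VLN.08; it is not the rule's own
implementation. The input shape matches `aws lambda list-functions`, but the
sample below is constructed so the script runs offline.
"""
import json

# Assumed deprecated-runtime set for illustration only. Refresh it from the
# "Deprecated runtimes" table in the AWS Lambda runtimes documentation before
# relying on this check, since AWS adds entries over time.
DEPRECATED_RUNTIMES = {
    "python2.7", "python3.6", "python3.7",
    "nodejs10.x", "nodejs12.x", "nodejs14.x",
    "ruby2.5", "ruby2.7",
    "dotnetcore2.1", "dotnetcore3.1",
    "go1.x",
}

# Assumed upgrade target per language family (illustrative choices, not from the page).
UPGRADE_TARGET = {
    "python": "python3.12",
    "nodejs": "nodejs20.x",
    "ruby": "ruby3.3",
    "dotnet": "dotnet8",
    "go": "provided.al2023",
}

# Constructed sample in the shape of `aws lambda list-functions` output.
SAMPLE_LIST_FUNCTIONS = json.dumps({
    "Functions": [
        {"FunctionName": "orders-api", "Runtime": "python3.7",
         "Handler": "app.handler", "PackageType": "Zip"},
        {"FunctionName": "image-resizer", "Runtime": "nodejs18.x",
         "Handler": "index.handler", "PackageType": "Zip"},
        {"FunctionName": "legacy-report", "Runtime": "nodejs12.x",
         "Handler": "report.handler", "PackageType": "Zip"},
        # Container-image functions carry no Runtime key at all.
        {"FunctionName": "container-worker", "PackageType": "Image"},
    ]
})


def language_family(runtime):
    """Map a runtime identifier such as 'python3.7' to its language family, or None."""
    for family in UPGRADE_TARGET:
        if runtime.startswith(family):
            return family
    return None


def find_deprecated(list_functions_json, deprecated=DEPRECATED_RUNTIMES):
    """Return (function_name, runtime) for each .zip function on a deprecated runtime.

    Functions without a Runtime key (container images) are skipped: their
    runtime lives inside the image, so this rule does not apply to them.
    """
    data = json.loads(list_functions_json)
    findings = []
    for fn in data.get("Functions", []):
        runtime = fn.get("Runtime")
        if runtime and runtime in deprecated:
            findings.append((fn["FunctionName"], runtime))
    return findings


def remediation_commands(findings, region="us-east-1"):
    """Build the CLI command from the remediation section for each finding."""
    cmds = []
    for name, runtime in findings:
        target = UPGRADE_TARGET.get(language_family(runtime))
        if target is None:
            cmds.append(f"# {name}: runtime {runtime} has no mapped target; choose one manually")
            continue
        cmds.append(
            "aws lambda update-function-configuration "
            f"--region {region} --function-name {name} --runtime {target}"
        )
    return cmds


if __name__ == "__main__":
    found = find_deprecated(SAMPLE_LIST_FUNCTIONS)
    for name, runtime in found:
        print(f"DEPRECATED {name}: {runtime}")
    print("\n".join(remediation_commands(found)))
```

The generated commands only change the runtime setting; as the note above says, the function code itself may still need changes to work on the new runtime, so treat the output as a worklist to review and test rather than a script to run blindly.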

References

  1. https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html
  2. https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-zip.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html

About AWS Lambda

AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running.

With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • CloudGuard AWS All Rules Ruleset