Description:

Lambda is a compute service that lets you run code without provisioning or managing servers. Lambda runs your function only when needed and scales automatically, from a few requests per day to thousands per second.


Rationale:

When security updates are no longer available for a component of a runtime, Lambda deprecates the runtime. 


Impact:

Keeping your Lambda functions on the latest supported programming language versions prevents security gaps and, at the same time, gives you the latest features.


Default Value:

There is no rule configured to check the obsolete runtime of Lambda Functions.


Audit: 

  1. Sign in to the Amazon Management Console

  2. Navigate to the AWS Config console at https://console.aws.amazon.com/config

  3. Select the Rules from the Left menu.

  4. Check whether the rule “lambda-function-settings-check” has been added.

  5. If the rule already exists, check whether the Lambda is compliant under the rule “lambda-function-settings-check”. If it is not compliant, follow the Implementation steps.

  6. If the rule does not exist, follow the steps below:

    1. Click on the Add Rule on the right side.

    2. Select “lambda-function-settings-check” from the list and click on Next.

    3. Scroll down to the bottom and add the runtime environment (we recommend choosing the latest runtime).

    4. In the next window, click Add Rule. The new rule will be added.

  7. Repeat step 5 to check whether the rule is compliant. If it is not, follow the Implementation steps.
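
The same runtime check can be run offline against the JSON returned by `aws lambda list-functions`. This is an added example, not part of the original procedure or AWS's own rule code; the allowed runtime list, the sample function names and the status labels are assumptions made for illustration.

```python
import json

# Assumption: the runtimes your organisation accepts, written the same way
# as the comma-separated value entered for the rule's runtime parameter.
# Check it against the Runtime support policy page before use.
ALLOWED_RUNTIMES = "python3.12,nodejs20.x"

# Constructed sample in the shape returned by `aws lambda list-functions`.
SAMPLE_LIST_FUNCTIONS = """
{"Functions": [
  {"FunctionName": "orders-api", "Runtime": "python3.12", "PackageType": "Zip"},
  {"FunctionName": "legacy-report", "Runtime": "python2.7", "PackageType": "Zip"},
  {"FunctionName": "thumbnailer", "Runtime": "nodejs12.x", "PackageType": "Zip"},
  {"FunctionName": "ml-inference", "PackageType": "Image"}
]}
"""

def evaluate_runtimes(list_functions_json, allowed_csv):
    """Return {function name: (status, detail)} for every function."""
    allowed = {r.strip() for r in allowed_csv.split(",") if r.strip()}
    if not allowed:
        raise ValueError("allowed runtime list is empty")
    results = {}
    for fn in json.loads(list_functions_json).get("Functions", []):
        name = fn["FunctionName"]
        runtime = fn.get("Runtime")
        if fn.get("PackageType") == "Image" or runtime is None:
            # Container-image functions carry no Runtime value; their base
            # image has to be reviewed separately.
            results[name] = ("NOT_APPLICABLE", "container image")
        elif runtime in allowed:
            results[name] = ("COMPLIANT", runtime)
        else:
            results[name] = ("NON_COMPLIANT", runtime)
    return results

def non_compliant(results):
    """Sorted names of the functions that need the Implementation steps."""
    return sorted(n for n, (status, _) in results.items()
                  if status == "NON_COMPLIANT")

if __name__ == "__main__":
    report = evaluate_runtimes(SAMPLE_LIST_FUNCTIONS, ALLOWED_RUNTIMES)
    for name, (status, detail) in sorted(report.items()):
        print(f"{status:15} {name:15} {detail}")
```

To use it on a real account, replace the constructed sample with the saved output of `aws lambda list-functions` for each region you operate in.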


Remediation:

Pre-requisites:

Sign in as admin or IAM user with required permissions

Note down the Lambda function’s configurations as backup


Implementation steps:

  1. Sign in to the Amazon Management Console

  2. Navigate to the AWS Lambda console at https://console.aws.amazon.com/lambda

  3. Select Functions from the left menu.

  4. Select the Function which is not compliant

  5. Scroll down and click on Edit option under the Runtime settings.

  6. Select the supported runtime environment from the drop-down list, and click on Save.
    You can check the supported runtime environment versions here: Runtime support policy - AWS Lambda (amazon.com)

  7. Now check whether the particular Lambda is Compliant or not by following the audit steps again.



Backout Plan:

  1. Sign in to the Amazon Management Console

  2. Navigate to the AWS Lambda console at https://console.aws.amazon.com/lambda

  3. Click on Functions from the left menu.

  4. Select the Function that you want to modify.

  5. Scroll down and select Edit option for the runtime.

  6. Select the old runtime environment from the drop-down list, and click on Save.

 

References:

Modifying the runtime environment - AWS Lambda (amazon.com)

Runtime support policy - AWS Lambda (amazon.com)