Description:

Lambda is a compute service that lets you run code without provisioning or managing servers. Lambda runs your function only when needed and scales automatically, from a few requests per day to thousands per second.


Rationale:

When security updates are no longer available for a component of a runtime, Lambda deprecates the runtime. Functions left on a deprecated runtime keep running, but no longer receive security patches for that runtime.


Impact:

Keeping Lambda functions on current, supported language runtimes closes the security gaps left by unpatched runtime components and, at the same time, gives access to the latest language features.


Default Value:

By default, no AWS Config rule is configured to check Lambda functions for obsolete runtimes.


Pre-requisites:

Sign in as an admin or as an IAM user with the required permissions.

Note down the Lambda function's configuration as a backup.

Remediation:

Test plan: 

  1. Sign in to the AWS Management Console.

  2. Navigate to the AWS Config console at https://console.aws.amazon.com/config

  3. Select Rules from the left menu.

  4. Check whether the rule "lambda-function-settings-check" has already been added.

  5. If the rule already exists, check whether the Lambda function is compliant with the rule "lambda-function-settings-check". If it is not compliant, follow the Implementation steps.

  6. If the rule does not exist, follow the steps below:

    1. Click Add Rule on the right side.

    2. Select "lambda-function-settings-check" from the list and click Next.

    3. Scroll down to the bottom and add the runtime environment (we recommend choosing the latest supported runtime).

    4. In the next window, click Add Rule. The new rule will be added.

  7. Repeat step 5 to check whether the rule reports the function as compliant; if not, follow the Implementation steps.

Using AWS CLI : 

  1. To check whether the rule is attached:

    aws configservice describe-config-rules --config-rule-names lambda-function-settings-check

  2. To add the rule to AWS Config if it is not attached (the --config-rule argument takes the rule definition as JSON; the allowed runtimes go into the rule's "runtime" parameter as a comma-separated list):

    aws configservice put-config-rule --config-rule '{
        "ConfigRuleName": "lambda-function-settings-check",
        "Source": {"Owner": "AWS", "SourceIdentifier": "LAMBDA_FUNCTION_SETTINGS_CHECK"},
        "InputParameters": "{\"runtime\":\"<value>\"}"
    }'

Implementation steps:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Lambda at https://console.aws.amazon.com/lambda

  3. Select Functions from the left menu.

  4. Select the function that is not compliant.

  5. Scroll down and click Edit under Runtime settings.

  6. Select a supported runtime environment from the drop-down list and click Save.
    You can check the supported runtime versions here: Runtime support policy - AWS Lambda (amazon.com)

  7. Now check whether the particular Lambda function is compliant by following the Test plan (audit) steps again.

Using AWS CLI : 

  1. To check the function's current runtime:

    aws lambda get-function-configuration \
        --function-name <value>

  2. To set a supported runtime on the function:

    aws lambda update-function-configuration \
        --function-name my-function \
        --runtime <value>
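The two CLI steps above (finding functions on unsupported runtimes, then building the Config rule used in the Test plan) can be scripted. The following is an added example, not part of the original benchmark text: it runs offline against a constructed sample of `aws lambda list-functions` output (no real account data) and assumes a caller-supplied list of allowed runtimes; the JSON shape it emits is the one `aws configservice put-config-rule --config-rule` accepts for the managed rule LAMBDA_FUNCTION_SETTINGS_CHECK.

```python
import json

# Constructed sample of `aws lambda list-functions` output (not real account data).
SAMPLE_LIST_FUNCTIONS = json.dumps({
    "Functions": [
        {"FunctionName": "orders-api", "Runtime": "python3.12"},
        {"FunctionName": "legacy-report", "Runtime": "python3.6"},
        {"FunctionName": "image-resize", "Runtime": "nodejs12.x"},
        {"FunctionName": "edge-proxy", "PackageType": "Image"},  # container image: no Runtime field
    ]
})


def noncompliant_functions(list_functions_json, allowed_runtimes):
    """Return the names of functions whose Runtime is not in allowed_runtimes.

    Functions deployed as container images carry no Runtime field; they are
    skipped here because their base image has to be tracked separately.
    """
    allowed = set(allowed_runtimes)
    data = json.loads(list_functions_json)
    return sorted(
        f["FunctionName"] for f in data.get("Functions", [])
        if "Runtime" in f and f["Runtime"] not in allowed
    )


def config_rule_definition(allowed_runtimes):
    """Build the JSON passed to `aws configservice put-config-rule --config-rule`.

    The managed rule's `runtime` parameter is a comma-separated list inside a
    JSON-encoded string, which is why InputParameters is itself a dumped string.
    """
    rule = {
        "ConfigRuleName": "lambda-function-settings-check",
        "Source": {"Owner": "AWS", "SourceIdentifier": "LAMBDA_FUNCTION_SETTINGS_CHECK"},
        "InputParameters": json.dumps({"runtime": ",".join(allowed_runtimes)}),
    }
    return json.dumps(rule)


if __name__ == "__main__":
    allowed = ["python3.12", "nodejs20.x"]  # assumed allow-list; pick current supported runtimes
    print("Non-compliant:", noncompliant_functions(SAMPLE_LIST_FUNCTIONS, allowed))
    print("aws configservice put-config-rule --config-rule", repr(config_rule_definition(allowed)))
```

On a real account, feed the script the output of `aws lambda list-functions` (paginate with --starting-token if the account has many functions) instead of the embedded sample.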


Backout Plan:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Lambda at https://console.aws.amazon.com/lambda

  3. Click Functions in the left menu.

  4. Select the function that you want to modify.

  5. Scroll down and click Edit under Runtime settings.

  6. Select the old runtime environment from the drop-down list and click Save.

Using AWS CLI :

    aws lambda update-function-configuration \
        --function-name my-function \
        --runtime <value>


References:

Modifying the runtime environment - AWS Lambda (amazon.com)

Runtime support policy - AWS Lambda (amazon.com)