Description:
Lambda is a compute service that lets you run code without provisioning or managing servers. Lambda runs your function only when needed and scales automatically, from a few requests per day to thousands per second.
Rationale:
When security updates are no longer available for a component of a runtime, Lambda deprecates the runtime.
Impact:
By keeping Lambda functions on the latest supported language runtime versions, we avoid running code on runtimes that no longer receive security patches, and we get the latest features at the same time.
Default Value:
By default there is no AWS Config rule configured to check Lambda functions for obsolete runtimes.
Pre-requisites:
Sign in as an admin or IAM user with the required permissions
Note down the Lambda function's configuration as a backup
Remediation:
Test plan:
Sign in to the Amazon Management Console
Navigate to the AWS Config console at https://console.aws.amazon.com/config
Select the Rules from the left menu.
Check whether the rule "lambda-function-settings-check" is already added.
If the rule already exists, check whether the Lambda function is compliant with the rule "lambda-function-settings-check". If it is not compliant, follow the Implementation steps.
If the rule does not exist, follow the steps below.
Click on the Add Rule on the right side.
Select "lambda-function-settings-check" from the list and click on Next.
Scroll down to the bottom and set the runtime parameter to the allowed runtime environment(s). (We recommend choosing the latest runtime.)
In the next window, click Add Rule. The new rule will be added.
Repeat the compliance check above to confirm the function is compliant with the rule; if it is not, follow the Implementation steps.
Using AWS CLI :
To check whether the rule is attached:
aws configservice describe-config-rules --config-rule-names lambda-function-settings-check
To add the rule to AWS Config if it is not attached (the --config-rule argument is a JSON document; the managed rule identifier is LAMBDA_FUNCTION_SETTINGS_CHECK and its runtime parameter is a comma-separated list of allowed runtimes):
aws configservice put-config-rule --config-rule '{"ConfigRuleName":"lambda-function-settings-check","Source":{"Owner":"AWS","SourceIdentifier":"LAMBDA_FUNCTION_SETTINGS_CHECK"},"InputParameters":"{\"runtime\":\"<allowed-runtimes>\"}"}'
Implementation steps:
Sign in to the Amazon Management Console
Navigate to the AWS Lambda at https://console.aws.amazon.com/lambda
Select Functions from the left menu.
Select the Function which is not compliant
Scroll down and click on the Edit option under the Runtime settings.
Select the supported runtime environment from the drop-down list, and click on Save.
You can check the supported runtime environment versions here: Runtime support policy - AWS Lambda (amazon.com)
Now check whether the particular Lambda function is compliant by following the Test plan steps again.
Using AWS CLI :
To see the function's current runtime:
aws lambda get-function-configuration --function-name <function-name>
To change the function's runtime:
aws lambda update-function-configuration --function-name <function-name> --runtime <runtime>
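The two CLI procedures above (building the Config rule in the Test plan, then finding and fixing non-compliant functions in the Implementation steps) can be scripted. The following is an added example, not code from the page or from AWS: it takes a constructed sample in the shape of `aws lambda list-functions` output, compares each function's runtime with an assumed allow-list (ALLOWED_RUNTIMES is a placeholder you would replace with the runtimes your organisation accepts under the AWS runtime support policy), renders the `put-config-rule` document, and generates the `update-function-configuration` commands. It runs offline; no AWS calls are made.

```python
"""Audit Lambda runtimes against an allow-list and emit remediation commands.

Added example (not from the page or AWS). The function list below is a
constructed sample; ALLOWED_RUNTIMES is an assumed policy value.
"""
import json
import re
import shlex

# Assumption: the runtimes the organisation still accepts. Keep this list
# aligned with the current AWS Lambda runtime support policy.
ALLOWED_RUNTIMES = ["python3.12", "nodejs20.x", "java21"]

# Constructed sample in the shape of `aws lambda list-functions` output.
# Container-image functions ("PackageType": "Image") carry no Runtime key.
SAMPLE_LIST_FUNCTIONS = json.dumps({
    "Functions": [
        {"FunctionName": "orders-api", "Runtime": "python3.6"},
        {"FunctionName": "image-resize", "Runtime": "nodejs20.x"},
        {"FunctionName": "legacy-report", "Runtime": "nodejs12.x"},
        {"FunctionName": "go-worker", "Runtime": "go1.x"},
        {"FunctionName": "container-fn", "PackageType": "Image"},
    ]
})


def build_config_rule(allowed):
    """Return the --config-rule document for lambda-function-settings-check.

    InputParameters is a JSON *string* embedded in the document, not a
    nested object; the managed rule's runtime parameter is comma-separated.
    """
    return {
        "ConfigRuleName": "lambda-function-settings-check",
        "Source": {"Owner": "AWS",
                   "SourceIdentifier": "LAMBDA_FUNCTION_SETTINGS_CHECK"},
        "InputParameters": json.dumps({"runtime": ",".join(allowed)}),
    }


def config_rule_cli(allowed):
    """Render the put-config-rule invocation with the document shell-quoted."""
    doc = json.dumps(build_config_rule(allowed))
    return f"aws configservice put-config-rule --config-rule {shlex.quote(doc)}"


def runtime_family(runtime):
    """Language family of a runtime id: python3.6 -> python, nodejs12.x -> nodejs."""
    m = re.match(r"[a-z]+", runtime)
    return m.group(0) if m else runtime


def find_noncompliant(list_functions_json, allowed):
    """Return (name, runtime) for every zip-based function not on the allow-list."""
    allowed_set = set(allowed)
    data = json.loads(list_functions_json)
    return [
        (f["FunctionName"], f["Runtime"])
        for f in data["Functions"]
        if "Runtime" in f and f["Runtime"] not in allowed_set
    ]


def plan_remediation(noncompliant, allowed):
    """Map each non-compliant function to the allowed runtime of the same language.

    A value of None means no allowed runtime shares the language family
    (for example go1.x), so the function needs a manual migration rather
    than a runtime switch.
    """
    by_family = {}
    for rt in allowed:
        by_family.setdefault(runtime_family(rt), rt)
    return {name: by_family.get(runtime_family(rt)) for name, rt in noncompliant}


def remediation_commands(plan):
    """Render update-function-configuration commands for the automatable cases."""
    return [
        "aws lambda update-function-configuration "
        f"--function-name {shlex.quote(name)} --runtime {shlex.quote(target)}"
        for name, target in plan.items() if target is not None
    ]


if __name__ == "__main__":
    print(config_rule_cli(ALLOWED_RUNTIMES))
    bad = find_noncompliant(SAMPLE_LIST_FUNCTIONS, ALLOWED_RUNTIMES)
    plan = plan_remediation(bad, ALLOWED_RUNTIMES)
    for name, target in plan.items():
        print(f"{name}: {'-> ' + target if target else 'manual migration needed'}")
    for cmd in remediation_commands(plan):
        print(cmd)
```

With real data, feed the script the output of `aws lambda list-functions` (paginated, so use `--max-items`/`--starting-token` or the paginator) instead of the constructed sample, and review the generated commands before running them: switching a runtime without testing the code can break the function, which is why the page asks for a configuration backup first.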
Backout Plan:
Sign in to the Amazon Management Console
Navigate to the AWS Lambda at https://console.aws.amazon.com/lambda
Click on Functions from the left menu.
Select the Function that you want to modify.
Scroll down and select the Edit option for the runtime.
Select the old runtime environment from the drop-down list, and click on Save.
Using AWS CLI :
aws lambda update-function-configuration --function-name <function-name> --runtime <old-runtime>
References:
Modifying the runtime environment - AWS Lambda (amazon.com)
Runtime support policy - AWS Lambda (amazon.com)