Profile Applicability:
- Level 1
Description:
AWS Lambda provides several runtime environments for executing functions. These runtimes are built on specific versions of programming languages, such as Node.js, Python, Java, and .NET. AWS periodically ends support for older runtime versions to keep pace with upstream language support and to maintain security, performance, and compatibility with new features. After a runtime's deprecation date Lambda no longer applies security patches to it or provides technical support for it; existing functions continue to run, but Lambda subsequently blocks creating new functions on that runtime and, later, updating existing ones. It is essential to track the end-of-support (EOS) dates of the runtimes your Lambda functions use and to migrate functions before those dates arrive. Running on an unsupported runtime leaves the function exposed to unpatched vulnerabilities in the language runtime and its bundled libraries, and to compatibility failures with newer AWS features.
Rationale:
Running Lambda functions on unsupported runtime environments introduces several risks:
Security vulnerabilities: Unsupported runtimes no longer receive security updates from AWS, so any vulnerability disclosed in the language runtime or its bundled libraries after the deprecation date remains unpatched and exploitable.
Functionality breaks: As AWS and other services evolve, functions on deprecated runtimes may encounter compatibility issues, and once Lambda blocks updates to the runtime the function's code and configuration can no longer be changed, which can leave a production failure unfixable without a runtime migration.
Non-compliance: Regulatory frameworks such as HIPAA, PCI DSS, and SOC 2 often require supported, patched software components so that applications remain protected from known vulnerabilities.
Key Risks:
Security risks: Unpatched vulnerabilities in unsupported runtimes may expose Lambda functions to exploitation.
Application downtime: If a runtime version becomes unsupported and is not upgraded, it can lead to failures or broken functionality in Lambda functions.
Non-compliance: Compliance with industry standards and regulations may be compromised if unsupported runtimes are used.
Impact:
Pros:
Using supported runtime versions ensures that your Lambda functions continue to receive runtime security patches and remain compatible with new AWS features and services.
Reduces the risk of security vulnerabilities and performance issues.
Helps maintain compliance with relevant security and regulatory standards.
Cons:
Requires periodic monitoring and maintenance of Lambda function runtime versions.
May require code modifications or refactoring if runtime versions need to be updated.
Updating runtime versions could lead to minor disruptions during the upgrade process.
Default Value:
Lambda automatically applies patch and minor updates to the runtime version a function declares, but it does not move a function to a newer major runtime version (for example from one Node.js or Python release line to the next). A function therefore keeps its declared runtime indefinitely and, unless its owner upgrades it, will reach and pass that runtime's end-of-support date. AWS publishes the deprecation date of each runtime in the Lambda runtime support policy; tracking those dates and upgrading in time is the user's responsibility.
Pre-requisites:
Ensure the auditing identity has IAM permissions to list and inspect Lambda functions (lambda:ListFunctions, lambda:GetFunctionConfiguration) and, for remediation, to update them (lambda:UpdateFunctionConfiguration).
Monitor AWS announcements, including AWS Health Dashboard notifications, for end-of-support dates of the runtime versions used in your Lambda functions.
Maintain an internal process for upgrading Lambda runtimes to ensure all functions use supported versions.
Remediation:
Test Plan:
Using AWS Console:
Log in to the AWS Management Console.
Navigate to the Lambda service.
For each Lambda function, open the function and review the "Runtime" value in the "Runtime settings" section (displayed on the function's "Code" tab).
Verify that the runtime version is supported by AWS. Refer to the AWS Lambda Runtime Support Policy for the supported versions and their end-of-support dates.
If the runtime version is deprecated or nearing its end-of-support date, update the function's runtime to a supported version.
Test the Lambda function after the runtime update to ensure it works correctly with the new runtime version.
Repeat this process for all Lambda functions in use.
Using AWS CLI:
Use the following AWS CLI command to check the runtime of a Lambda function:
aws lambda get-function-configuration --function-name <function-name> --query "Runtime"
Review the output to ensure the runtime version is not deprecated.
If the runtime version is outdated, update the Lambda function's runtime using the following command:
aws lambda update-function-configuration --function-name <function-name> --runtime <new-runtime-version>
Verify that the function is working correctly by invoking it after the runtime update.
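The CLI steps above check one function at a time. The script below is an added example, not part of this benchmark or of any AWS tooling; it lists every function and every published version (published versions are immutable and keep the runtime they were created with, so an alias can still be serving a deprecated runtime after $LATEST was upgraded) and classifies each against a deprecation table. The table is an assumption: it must be maintained by hand from the AWS Lambda runtime support policy page, and the dates shown are those published when the example was written, so refresh it before every audit. Container-image functions have no Runtime field and appear as "None"; they fall outside this check.

```shell
#!/bin/sh
# Added audit script (not part of the benchmark or of any AWS tooling): classify every
# Lambda function and published version against a deprecation table and flag those
# already deprecated or reaching end of support within a warning window.
set -eu

# ASSUMPTION: this table is maintained by hand from the AWS Lambda runtime support
# policy page. The dates are those published when this example was written; AWS
# revises them, so refresh the table before every audit. Format: <runtime> <date>.
DEPRECATION_TABLE='
python3.7 2023-12-04
nodejs14.x 2023-12-04
nodejs16.x 2024-06-12
python3.8 2024-10-14
dotnet6 2024-12-20
nodejs18.x 2025-09-01
python3.9 2025-12-15
'

# Print the deprecation date on file for a runtime identifier, or nothing if unlisted.
deprecation_date() {
  printf '%s\n' "$DEPRECATION_TABLE" | awk -v rt="$1" '$1 == rt { print $2 }'
}

# Convert YYYY-MM-DD to days since 1970-01-01 with integer arithmetic only, so the
# script does not depend on GNU- or BSD-specific `date` flags.
days_from_civil() {
  y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
  m=${m#0}; d=${d#0}                        # drop a leading zero so 08 is not read as octal
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi  # shift to a March-based year
  era=$((y / 400)); yoe=$((y - era * 400)); mp=$(((m + 9) % 12))
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# Classify one runtime as DEPRECATED, EOS_SOON (deprecation within $3 days),
# SUPPORTED, or NOT_IN_TABLE (no date on file: confirm against the policy page;
# container-image functions show up here as runtime "None").
runtime_status() {
  rt=$1; today=$2; warn_days=$3
  eos=$(deprecation_date "$rt")
  if [ -z "$eos" ]; then echo NOT_IN_TABLE; return 0; fi
  days_left=$(( $(days_from_civil "$eos") - $(days_from_civil "$today") ))
  if [ "$days_left" -le 0 ]; then echo DEPRECATED
  elif [ "$days_left" -le "$warn_days" ]; then echo EOS_SOON
  else echo SUPPORTED
  fi
}

# Read tab-separated "<FunctionName> <Version> <Runtime>" lines, the shape produced by
# `aws lambda list-functions --function-version ALL --query
#  'Functions[].[FunctionName,Version,Runtime]' --output text`, and print one
# "<STATUS> <FunctionName>:<Version> <Runtime>" line per entry.
audit_functions() {
  today=$1; warn_days=$2
  while IFS="$(printf ' \t')" read -r name version rt; do
    [ -n "$name" ] || continue
    echo "$(runtime_status "$rt" "$today" "$warn_days") $name:$version $rt"
  done
}

case "${1:-}" in
  live)   # ./audit-runtimes.sh live [warn_days]   (live AWS CLI call; needs credentials)
    aws lambda list-functions --function-version ALL \
        --query 'Functions[].[FunctionName,Version,Runtime]' --output text \
      | audit_functions "$(date +%Y-%m-%d)" "${2:-90}" ;;
  stdin)  # ./audit-runtimes.sh stdin [today] [warn_days] < saved-cli-output.txt
    audit_functions "${2:-$(date +%Y-%m-%d)}" "${3:-90}" ;;
esac
```

Run it once per region (the CLI's --region flag or AWS_REGION) and treat every DEPRECATED line as a finding and every EOS_SOON line as remediation work to schedule; NOT_IN_TABLE lines mean the table needs updating, not that the runtime is safe.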
Implementation Plan:
Using AWS Console:
Log in to the AWS Management Console.
Navigate to the Lambda service and select the desired function.
Open the "Runtime settings" section on the function's "Code" tab and note the current "Runtime" value.
Check the AWS Lambda Runtime Support Policy to ensure that the runtime version is still supported.
If the runtime version is no longer supported, update the function's runtime by selecting a newer version from the dropdown list.
Save the changes and deploy the function.
Test the function to confirm that it works correctly with the new runtime.
Using AWS CLI:
Run the following command to retrieve the current runtime of your Lambda function:
aws lambda get-function-configuration --function-name <function-name> --query "Runtime"
If the runtime is deprecated or nearing its end-of-support date, update it to a supported version:
aws lambda update-function-configuration --function-name <function-name> --runtime <new-runtime-version>
The update is applied asynchronously; wait until the LastUpdateStatus reported by get-function-configuration is Successful, then invoke the function with a representative payload and confirm that the response contains no FunctionError and that the function behaves as expected.
Backout Plan:
Using AWS Console:
If issues occur after upgrading the runtime, open the function's "Runtime settings" section, select the previous runtime version from the "Runtime" dropdown list, and save the changes.
Test the Lambda function to ensure it works with the old runtime version.
Be aware that once a runtime has passed its deprecation date Lambda may reject setting a function back to it, so this rollback path is not guaranteed. Publishing a function version before the upgrade and pointing the production alias at it gives a rollback that does not depend on re-selecting the old runtime.
If the older runtime version can no longer be selected, fix the code to work with a supported runtime instead.
Using AWS CLI:
To revert to the previous runtime, run the following command:
aws lambda update-function-configuration --function-name <function-name> --runtime <previous-runtime-version>
Test the Lambda function to ensure that it works with the previous runtime. This command is rejected once Lambda has begun blocking updates to the deprecated runtime; in that case, if a version was published before the upgrade, point the function's alias back at that version instead of changing the runtime of $LATEST.
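The Implementation Plan and Backout Plan above rely on changing the runtime of $LATEST in both directions, which stops working once Lambda blocks updates to the old runtime. The script below is an added example, not part of this benchmark or of any AWS tooling, that does the upgrade behind an alias instead: it publishes the current configuration as a version, moves the alias to it, upgrades $LATEST, waits for the update, smoke-tests it, and promotes the new version only if the invoke returns a 2xx status with no FunctionError. It assumes callers invoke through an existing alias (default name "live") and that the payload argument exercises the handler; both are local conventions, not AWS defaults. Only invoke_succeeded runs offline; the upgrade_runtime flow makes live AWS CLI calls.

```shell
#!/bin/sh
# Added upgrade-and-rollback script (not part of the benchmark or of any AWS tooling):
# upgrade one function's runtime behind an alias, smoke-test it, and leave traffic on
# the previously published version if the test fails.
set -eu

# Decide whether an `aws lambda invoke` call succeeded from the JSON metadata it prints
# to stdout: a 2xx StatusCode and no FunctionError key. FunctionError is present when
# the handler itself raised, even though the invoke API returned 200.
invoke_succeeded() {
  response=$1
  status=$(printf '%s\n' "$response" | sed -n 's/.*"StatusCode": *\([0-9][0-9]*\).*/\1/p')
  case "$status" in 2[0-9][0-9]) ;; *) return 1 ;; esac
  if printf '%s\n' "$response" | grep -q '"FunctionError"'; then return 1; fi
  return 0
}

# Live upgrade flow (needs credentials and the permissions listed under Pre-requisites).
# ASSUMPTIONS: callers invoke the function through the alias named in $3 (default
# "live"), which already exists; $4 is a JSON payload that exercises the handler.
upgrade_runtime() {
  fn=$1; new_runtime=$2; alias_name=${3:-live}; payload=${4:-}
  [ -n "$payload" ] || payload='{}'

  # 1. Freeze the current code and configuration as an immutable version and point
  #    the alias at it; callers keep hitting this version during the upgrade.
  prev_version=$(aws lambda publish-version --function-name "$fn" \
                   --query Version --output text)
  aws lambda update-alias --function-name "$fn" --name "$alias_name" \
      --function-version "$prev_version" >/dev/null

  # 2. Change the runtime on $LATEST and wait for the asynchronous update to finish;
  #    a further update while LastUpdateStatus is InProgress would be rejected.
  aws lambda update-function-configuration --function-name "$fn" \
      --runtime "$new_runtime" >/dev/null
  aws lambda wait function-updated --function-name "$fn"

  # 3. Smoke-test $LATEST. The handler's response body goes to the output file;
  #    the invoke metadata (StatusCode, FunctionError) comes back on stdout.
  response=$(aws lambda invoke --function-name "$fn" --payload "$payload" \
               --cli-binary-format raw-in-base64-out /tmp/smoke-test-output.json)

  if invoke_succeeded "$response"; then
    # 4a. Promote: publish the upgraded configuration and move the alias to it.
    new_version=$(aws lambda publish-version --function-name "$fn" \
                    --query Version --output text)
    aws lambda update-alias --function-name "$fn" --name "$alias_name" \
        --function-version "$new_version" >/dev/null
    echo "OK: $fn alias $alias_name now on version $new_version ($new_runtime)"
  else
    # 4b. Roll back. The alias never moved, so traffic is still on $prev_version.
    #     Also try to restore $LATEST; this step can be rejected once Lambda blocks
    #     updates to the old runtime, which is why the alias is the real safety net.
    prev_runtime=$(aws lambda get-function-configuration --function-name "$fn" \
                     --qualifier "$prev_version" --query Runtime --output text)
    aws lambda update-function-configuration --function-name "$fn" \
        --runtime "$prev_runtime" >/dev/null || true
    echo "FAILED: smoke test on $new_runtime; alias $alias_name stays on version $prev_version" >&2
    cat /tmp/smoke-test-output.json >&2
    return 1
  fi
}

case "${1:-}" in
  upgrade)  # ./upgrade-runtime.sh upgrade <function-name> <new-runtime> [alias] [payload-json]
    shift; upgrade_runtime "$@" ;;
esac
```

The version that the alias falls back to still runs the old runtime, so a rollback only buys time: the function must still be fixed and re-upgraded before Lambda's block dates for that runtime, and the audit should keep reporting the old version until the alias no longer points at it.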
References:
https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html
CIS Controls: