Lambda Function Using Supported Runtime
Overview
This check identifies AWS Lambda functions running on obsolete or deprecated runtimes. AWS periodically deprecates older runtimes (like python3.8, nodejs14.x, go1.x, and ruby2.7) and stops providing security patches for them.
Keeping your Lambda functions on supported runtimes ensures you receive security updates and can continue to deploy changes without interruption.
Risk
Running Lambda functions on deprecated runtimes creates two main problems:
-
Security vulnerabilities: Deprecated runtimes no longer receive security patches. Known vulnerabilities (CVEs) in the runtime or its libraries remain unpatched, potentially exposing your code and data.
-
Operational disruptions: AWS eventually blocks creating or updating functions on deprecated runtimes. This can break your CI/CD pipelines and prevent you from deploying fixes.
Remediation Steps
Prerequisites
- Access to the AWS Console with permission to modify Lambda functions
- Knowledge of which functions need updating (from your Prowler scan results)
Optional: AWS CLI setup
If you prefer using the command line, ensure you have:
- AWS CLI installed and configured
- IAM permissions for
lambda:UpdateFunctionConfiguration
AWS Console Method
-
Open the AWS Lambda Console
-
Click on the function name that needs updating
-
Scroll down to Runtime settings and click Edit
-
In the Runtime dropdown, select a supported runtime version:
- For Python:
python3.12orpython3.13 - For Node.js:
nodejs20.xornodejs22.x - For Java:
java21orjava17 - For Ruby:
ruby3.3orruby3.2 - For Go: Use
provided.al2023with a custom runtime - For .NET:
dotnet8
- For Python:
-
Click Save
-
Test your function to ensure it works correctly with the new runtime
Important: Before upgrading, review your code for any runtime-specific changes. Some upgrades may require code modifications due to language version differences.
AWS CLI (optional)
Update a Lambda function's runtime using the AWS CLI:
aws lambda update-function-configuration \
--function-name <your-function-name> \
--runtime python3.12 \
--region us-east-1
Replace <your-function-name> with your actual function name and python3.12 with your target supported runtime.
Example for Node.js:
aws lambda update-function-configuration \
--function-name my-api-handler \
--runtime nodejs20.x \
--region us-east-1
Batch update multiple functions:
# List functions with deprecated runtimes
aws lambda list-functions \
--region us-east-1 \
--query "Functions[?Runtime=='python3.8'].FunctionName" \
--output text
# Update each function (replace python3.8 functions with python3.12)
for func in $(aws lambda list-functions --region us-east-1 \
--query "Functions[?Runtime=='python3.8'].FunctionName" --output text); do
echo "Updating $func..."
aws lambda update-function-configuration \
--function-name "$func" \
--runtime python3.12 \
--region us-east-1
done
CloudFormation (optional)
Update the Runtime property in your CloudFormation template to use a supported runtime.
Before (deprecated):
Resources:
MyLambdaFunction:
Type: AWS::Lambda::Function
Properties:
FunctionName: my-function
Runtime: python3.8 # Deprecated
Handler: index.handler
Role: !GetAtt LambdaExecutionRole.Arn
Code:
S3Bucket: my-deployment-bucket
S3Key: my-function.zip
After (supported):
Resources:
MyLambdaFunction:
Type: AWS::Lambda::Function
Properties:
FunctionName: my-function
Runtime: python3.12 # Supported LTS runtime
Handler: index.handler
Role: !GetAtt LambdaExecutionRole.Arn
Code:
S3Bucket: my-deployment-bucket
S3Key: my-function.zip
Complete example with execution role:
AWSTemplateFormatVersion: '2010-09-09'
Description: Lambda function with supported runtime
Resources:
LambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
RoleName: lambda-execution-role
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
MyLambdaFunction:
Type: AWS::Lambda::Function
Properties:
FunctionName: my-secure-function
Description: Lambda function using supported runtime
Runtime: python3.12
Handler: index.handler
Role: !GetAtt LambdaExecutionRole.Arn
Timeout: 30
MemorySize: 256
Code:
S3Bucket: !Sub 'deployment-bucket-${AWS::AccountId}'
S3Key: functions/my-function.zip
Outputs:
FunctionArn:
Description: Lambda function ARN
Value: !GetAtt MyLambdaFunction.Arn
Deploy the updated template:
aws cloudformation update-stack \
--stack-name my-lambda-stack \
--template-body file://template.yaml \
--capabilities CAPABILITY_NAMED_IAM \
--region us-east-1
Terraform (optional)
Update the runtime argument in your Terraform configuration to use a supported runtime.
Before (deprecated):
resource "aws_lambda_function" "example" {
function_name = "my-function"
runtime = "python3.8" # Deprecated
handler = "index.handler"
role = aws_iam_role.lambda_exec.arn
filename = "function.zip"
source_code_hash = filebase64sha256("function.zip")
}
After (supported):
resource "aws_lambda_function" "example" {
function_name = "my-function"
runtime = "python3.12" # Supported LTS runtime
handler = "index.handler"
role = aws_iam_role.lambda_exec.arn
filename = "function.zip"
source_code_hash = filebase64sha256("function.zip")
}
Complete example with IAM role:
# IAM role for Lambda execution
resource "aws_iam_role" "lambda_exec" {
name = "lambda-execution-role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "lambda.amazonaws.com"
}
}
]
})
}
# Attach basic execution policy
resource "aws_iam_role_policy_attachment" "lambda_basic" {
role = aws_iam_role.lambda_exec.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}
# Lambda function with supported runtime
resource "aws_lambda_function" "example" {
function_name = "my-secure-function"
description = "Lambda function using supported runtime"
runtime = "python3.12"
handler = "index.handler"
role = aws_iam_role.lambda_exec.arn
filename = "function.zip"
source_code_hash = filebase64sha256("function.zip")
timeout = 30
memory_size = 256
tags = {
Environment = "production"
ManagedBy = "terraform"
}
}
Apply the changes:
terraform plan
terraform apply
Verification
After updating the runtime, verify the change was successful:
-
In the AWS Console, open your Lambda function and confirm the Runtime shows the new version
-
Run a test invocation to ensure the function works correctly
-
Re-run the Prowler check to confirm the finding is resolved:
Verification commands
Check the current runtime via CLI:
aws lambda get-function-configuration \
--function-name <your-function-name> \
--region us-east-1 \
--query "Runtime" \
--output text
Run Prowler to verify remediation:
prowler aws --check awslambda_function_using_supported_runtimes \
--region us-east-1
Additional Resources
- AWS Lambda Runtimes Documentation
- AWS Lambda Runtime Deprecation Policy
- AWS Lambda Runtime Updates
- Prowler Check Documentation
Notes
-
Test before upgrading: Runtime upgrades may introduce breaking changes due to language version differences. Always test your function thoroughly after upgrading.
-
Check dependencies: Ensure your function's dependencies (Lambda layers, third-party libraries) are compatible with the new runtime version.
-
Container images: If your function uses a container image instead of a .zip deployment, update the base image to use a supported runtime.
-
Gradual rollout: For critical functions, consider deploying to a test alias first, then gradually shifting traffic using weighted aliases.
-
Supported runtime list: AWS maintains a current list of supported runtimes. Check the Lambda runtimes page for the latest supported versions.
-
AL2023 recommendation: For custom runtimes or Go functions, AWS recommends using
provided.al2023(Amazon Linux 2023) as it provides the latest security patches.