
Lambda Runtime Environment Version

Security
Reliability

Risk level: Medium (should be achieved)

Ensure that you always use the latest version of the execution environment for your Amazon Lambda functions in order to adhere to AWS best practices and receive the newest software features, get the latest security patches and bug fixes, and benefit from better performance and reliability. An AWS Lambda runtime (execution) environment is a container built from the configuration settings that you provide when you create your Lambda function. The Amazon Lambda serverless architecture supports several runtime environments, such as Node.js, Edge Node.js, Java, Python and .NET Core (C#), that you can use to execute your functions.

This rule resolution is part of the Cloud Conformity Security Package

When you execute your AWS Lambda functions using the latest version of the implemented runtime environment, you should benefit from new features and enhancements, better security, performance and reliability. For example, upgrading your Node.js runtime environment version from 4.3 to 6.10 will get you all the improvements that come with Node.js ver. 6: new ECMAScript (ES) 6 features, an updated V8 JavaScript engine, 4x faster module loading, a new Buffer API and a lot of security improvements that reduce the risk of bugs and vulnerabilities leaking into JS functions.

Audit

To determine whether any Lambda functions within your AWS account are using an old (deprecated) execution environment, perform the following:

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to the Lambda dashboard at https://console.aws.amazon.com/lambda/.

03 In the navigation panel, under AWS Lambda section, choose Functions.

04 Choose the Lambda function that you want to examine then click on the function name to access its configuration page.

05 Select the Configuration tab to open the settings panel for the selected function.

06 Check the Runtime attribute value, then open the associated dropdown list to verify whether the runtime environment uses the latest version of the software supported by AWS. If the execution environment is not configured to use the latest version of the software (e.g. Node.js), the selected AWS Lambda function is using an old (deprecated) runtime environment, therefore an upgrade is highly recommended.

07 Repeat steps no. 4 - 6 to verify the execution environment version for other Amazon Lambda functions available within the current region.

08 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run list-functions command (OSX/Linux/UNIX) to list the names of all AWS Lambda functions currently available within the selected region:

aws lambda list-functions \
	--region us-east-1 \
	--query 'Functions[*].FunctionName'

02 The command output should return an array with the requested function names:

[
    "MySQSPoller",
    "FetchS3ObjectMetadata"
]

03 Run get-function-configuration command (OSX/Linux/UNIX) using the Lambda function name returned at the previous step and custom query filters to expose the runtime environment details (including its version) used by the selected function:

aws lambda get-function-configuration \
	--region us-east-1 \
	--function-name MySQSPoller \
	--query 'Runtime'

04 The command output should return the requested execution environment details:

"nodejs4.3"

05 Check the latest version of the runtime environment supported by AWS Lambda, listed at this URL. If there is a newer version of the software supported by Amazon, the selected AWS Lambda function is using an old runtime environment, therefore you should upgrade the function configuration in order to benefit from all the improvements delivered with the latest version of the software used.

06 Repeat steps no. 3 - 5 to verify the execution environment version for other Amazon Lambda functions available within the current region.

07 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 6 to perform the entire audit process for other regions.
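
The CLI audit above, scripted as an added example (not Cloud Conformity's or AWS's own code): since list-functions already returns each function's Runtime, one call per region replaces steps 01 to 04, and a version comparison replaces the manual check in step 05. The LATEST_RUNTIMES baseline, the helper function names and the ReportBuilder sample row are assumptions; version ordering relies on sort -V (GNU coreutils or a recent BSD sort).

```shell
# Added example: flag Lambda functions whose runtime is older than a baseline.

# ASSUMPTION: newest identifier per runtime family, space separated. Fill in from
# the AWS supported-runtimes list; nodejs8.10 is this page's remediation target.
LATEST_RUNTIMES="${LATEST_RUNTIMES:-nodejs8.10}"

# "nodejs4.3-edge" -> "nodejs 4.3"; identifiers with no version pass through as-is.
split_runtime() {
    printf '%s\n' "$1" | sed -E 's/^([a-z]+)([0-9]+(\.[0-9x]+)*).*$/\1 \2/'
}

# Print OUTDATED, CURRENT or UNKNOWN (no baseline for that family) for one runtime.
classify_runtime() {
    set -- $(split_runtime "$1")            # $1 = family, $2 = version
    fam=${1:-}; ver=${2:-}
    for latest in $LATEST_RUNTIMES; do
        set -- $(split_runtime "$latest")   # now $1/$2 describe the baseline
        [ "$fam" = "$1" ] && [ -n "$ver" ] || continue
        oldest=$(printf '%s\n%s\n' "$ver" "$2" | sort -V | head -n 1)
        if [ "$ver" != "$2" ] && [ "$oldest" = "$ver" ]; then echo OUTDATED; else echo CURRENT; fi
        return
    done
    echo UNKNOWN
}

# Emit "region function runtime" rows for every function in the given regions.
collect_rows() {
    for region in "$@"; do
        aws lambda list-functions --region "$region" --output text \
            --query 'Functions[*].[FunctionName,Runtime]' |
            awk -v r="$region" '{ print r, $1, $2 }'
    done
}

# Read rows on stdin and print only those that are not CURRENT.
audit_rows() {
    while read -r region fn runtime; do
        status=$(classify_runtime "$runtime")
        [ "$status" = CURRENT ] || echo "$status $region $fn $runtime"
    done
}

# CONSTRUCTED rows standing in for collect_rows output (ReportBuilder is made up).
sample_rows() {
    printf '%s\n' 'us-east-1 MySQSPoller nodejs4.3' \
        'us-east-1 FetchS3ObjectMetadata nodejs8.10' 'eu-west-1 ReportBuilder python2.7'
}

sample_rows | audit_rows    # live audit: collect_rows us-east-1 eu-west-1 | audit_rows
```

Rows reported as UNKNOWN belong to a runtime family with no entry in LATEST_RUNTIMES and still need the manual check from step 05.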

Remediation / Resolution

To upgrade the runtime environment version for your AWS Lambda functions, perform the following actions:

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to the Lambda dashboard at https://console.aws.amazon.com/lambda/.

03 In the navigation panel, under AWS Lambda section, choose Functions.

04 Choose the Lambda function that you want to reconfigure (see Audit section part I to identify the right Lambda resource) then click on the function name.

05 Select the Configuration tab to open the settings panel for the selected function.

06 Select the latest version of the execution environment used by the selected Lambda function from the Runtime dropdown list.

07 Click the Save and Test button in the dashboard top menu to apply the configuration changes.

08 Within the Input test event dialog box, inside the text editor, enter an event to test your function with, or select a predefined event template from the Sample event template dropdown list. After the test event is defined and reviewed, click the Save and test button to upgrade the function runtime environment and initiate the testing process. Once the testing is complete, the execution result of your function will be listed on the console.

09 Repeat steps no. 4 – 8 to upgrade the runtime environment version for other AWS Lambda functions available within the current region.

10 Change the AWS region from the navigation bar and repeat the remediation/resolution process for other regions.

Using AWS CLI

01 Run update-function-configuration command (OSX/Linux/UNIX) using the name of the function that you want to reconfigure (see Audit section part II to identify the right Lambda resource) to upgrade the runtime environment version for the selected Amazon Lambda function. First check the command reference URL for the latest runtime version supported by AWS. The following command example reconfigures a Lambda function named MySQSPoller by upgrading its execution environment to Node.js ver. 8.10:

aws lambda update-function-configuration \
	--region us-east-1 \
	--function-name MySQSPoller \
	--runtime "nodejs8.10"

02 The command output should return the configuration details (metadata) for the reconfigured AWS Lambda function:

{
    "CodeSha256": "at3y6fmlbawiAIZ3Yypw65bah4Sr3TQBiU2BoBGo7g7g9vs=",
    "FunctionName": "MySQSPoller",
    "VpcConfig": {
        "SubnetIds": [],
        "VpcId": "",
        "SecurityGroupIds": []
    },
    "MemorySize": 128,
    "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:MySQSPoller",
    "Version": "$LATEST",
    "Role": "arn:aws:iam::123456789012:role/service-role/LambdaFunctionRole",
    "Timeout": 10,
    "LastModified": "2017-06-14T13:09:46.174+0000",
    "Handler": "index.handler",
    "Runtime": "nodejs8.10",
    "CodeSize": 928,
    "Description": "Periodically polls an AWS SQS queue and asynchronously consumes each message."
}

03 Repeat steps no. 1 and 2 to upgrade the execution environment version for other Amazon Lambda functions available within the current region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 to perform the process for other regions.

References

Publication date Jun 12, 2017