Lambda Using Latest Runtime Environment

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Lambda-001

Ensure that you always use the latest version of the execution environment configured for your Amazon Lambda functions in order to adhere to AWS cloud best practices and receive the newest software features, get the latest security patches and bug fixes, and benefit from better performance and reliability. A Lambda runtime (execution) environment is a container build based on the configuration settings that you provide when you create your Lambda function. Amazon Lambda serverless architecture supports several runtime environments such as Node.js, Edge Node.js, Java, Python and .NET Core (C#) that you can use to run your functions.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

  • Security
  • Reliability
  • Sustainability

When you execute your Lambda functions using the latest version of the implemented runtime environment, you should benefit from new features and enhancements, better security, performance and reliability.


Audit

To determine if there are any Lambda functions that are using an old execution environment within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the function that you want to examine.

05 Select the Code tab to access the function code properties and settings.

06 In the Runtime settings section, check the Runtime attribute value to determine the runtime version used by the selected function. Compare the function runtime with the updated list of Amazon Lambda runtimes supported by AWS. If the function's execution environment is not configured to use the latest version of its runtime, the selected Amazon Lambda function is using an old runtime environment.

07 Repeat steps no. 4 – 6 for each Lambda function available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-functions command (OSX/Linux/UNIX) to list the name of each Amazon Lambda function available in the selected AWS cloud region:

aws lambda list-functions \
  --region us-east-1 \
  --output table \
  --query 'Functions[*].FunctionName'

02 The command output should return a table with the requested function name(s):

----------------------------
|      ListFunctions       |
+--------------------------+
|  cc-app-worker-function  |
|  cc-s3-logging-function  |
+--------------------------+

03 Run get-function-configuration command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to examine as the identifier parameter and custom query filters to describe the runtime information available for the selected function:

aws lambda get-function-configuration \
  --region us-east-1 \
  --function-name cc-app-worker-function \
  --query 'Runtime'

04 The command output should return the requested execution environment information:

"python3.6"

Compare the function runtime returned by the get-function-configuration command output with the updated list of Amazon Lambda runtimes supported by AWS. If the function's execution environment is not configured to use the latest version of its runtime, as shown in the example above, the selected Amazon Lambda function is using an old runtime environment.

05 Repeat steps no. 3 and 4 for each Lambda function available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.
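The same audit as a script, added here as an example and not part of the Conformity page: it walks every function in a region (following pagination, which a single list-functions call does not) and flags runtimes older than the latest one known for their family. The LATEST map, the sample records and the function names are assumptions constructed for this example; keep the map in sync with the AWS list of supported Lambda runtimes.

```python
import re
from typing import Dict, List, Tuple

# Assumed latest runtime per family for this example (not an AWS API value);
# update it from the AWS Lambda runtimes documentation before running an audit.
LATEST = {"python": "python3.11", "nodejs": "nodejs18.x", "java": "java17"}

_RUNTIME_RE = re.compile(r"^([a-z]+)(\d+(?:\.\d+)?)")

def parse_runtime(runtime: str) -> Tuple[str, Tuple[int, ...]]:
    """'python3.6' -> ('python', (3, 6)); 'nodejs18.x' -> ('nodejs', (18,))."""
    m = _RUNTIME_RE.match(runtime)
    if not m:
        return runtime, ()  # e.g. 'provided.al2' carries no comparable version
    family, version = m.group(1), m.group(2)
    return family, tuple(int(p) for p in version.split("."))

def find_outdated(functions, latest=LATEST) -> List[Dict[str, str]]:
    """Return the functions whose runtime is older than the latest for its family."""
    outdated = []
    for fn in functions:
        family, version = parse_runtime(fn.get("Runtime", ""))
        if family not in latest:
            continue  # custom/unknown runtime or container image: not assessed here
        if version < parse_runtime(latest[family])[1]:
            outdated.append({"FunctionName": fn["FunctionName"],
                             "Runtime": fn["Runtime"], "Latest": latest[family]})
    return outdated

def collect_functions(region: str):
    """Fetch FunctionName/Runtime for every function in a region via boto3."""
    import boto3  # imported lazily so the offline sample below needs no AWS access
    paginator = boto3.client("lambda", region_name=region).get_paginator("list_functions")
    return [{"FunctionName": f["FunctionName"], "Runtime": f.get("Runtime", "")}
            for page in paginator.paginate() for f in page["Functions"]]

# Constructed sample mirroring the list-functions output shown in the Audit section.
SAMPLE = [
    {"FunctionName": "cc-app-worker-function", "Runtime": "python3.6"},
    {"FunctionName": "cc-s3-logging-function", "Runtime": "python3.11"},
    {"FunctionName": "cc-image-function", "Runtime": "provided.al2"},
]

if __name__ == "__main__":
    # Replace SAMPLE with collect_functions("us-east-1") to audit a real account.
    for hit in find_outdated(SAMPLE):
        print(f"{hit['FunctionName']}: {hit['Runtime']} -> upgrade to {hit['Latest']}")
```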

Remediation / Resolution

To upgrade the runtime environment version for your existing Amazon Lambda functions, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Upgrade the Runtime Environment Version",
	"Resources": {
		"FunctionExecutionRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"RoleName": "LambdaExecutionRole",
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [{
						"Effect": "Allow",
						"Principal": {
							"Service": [ "lambda.amazonaws.com" ]
						},
						"Action": [ "sts:AssumeRole" ]
					}]
				},
				"Path": "/",
				"Policies": [{
					"PolicyName": "AWSLambdaBasicExecutionRole",
					"PolicyDocument": {
						"Version": "2012-10-17",
						"Statement": [{
							"Effect": "Allow",
							"Action": [
								"logs:CreateLogGroup",
								"logs:CreateLogStream",
								"logs:PutLogEvents"
							],
							"Resource": "*"
						}]
					}
				}]
			}
		},
		"ConsumerFunction": {
			"Type": "AWS::Lambda::Function",
			"Properties": {
				"FunctionName": "cc-app-worker-function",
				"Handler": "lambda_function.lambda_handler",
				"Role": {
					"Fn::GetAtt": [
						"FunctionExecutionRole",
						"Arn"
					]
				},
				"Code": {
					"S3Bucket": "cc-lambda-functions",
					"S3Key": "worker.zip"
				},
				"MemorySize": 1024,
				"Timeout": 45,
				"Runtime": "python3.11"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Upgrade the Runtime Environment Version
Resources:
  FunctionExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: LambdaExecutionRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: AWSLambdaBasicExecutionRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: '*'
  ConsumerFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: cc-app-worker-function
      Handler: lambda_function.lambda_handler
      Role: !GetAtt FunctionExecutionRole.Arn
      Code:
        S3Bucket: cc-lambda-functions
        S3Key: worker.zip
      MemorySize: 1024
      Timeout: 45
      Runtime: python3.11

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_iam_role" "function-execution-role" {
	name = "LambdaExecutionRole"
	path = "/"
	managed_policy_arns = [ "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ]

	# Indented heredoc (<<-EOF) so the closing marker may be indented
	assume_role_policy = <<-EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Action": "sts:AssumeRole",
				"Principal": {
					"Service": "lambda.amazonaws.com"
				},
				"Effect": "Allow"
			}
		]
	}
	EOF
}

resource "aws_lambda_function" "lambda-function" {
	function_name    = "cc-app-worker-function"
	s3_bucket        = "cc-lambda-functions"
	s3_key           = "sqs-consumer.zip"
	role             = aws_iam_role.function-execution-role.arn
	handler          = "lambda_function.lambda_handler"
	memory_size      = 1024
	timeout          = 45

	# Upgrade the Runtime Environment Version
	runtime          = "python3.11"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name of the function that you want to reconfigure.

05 Select the Code tab to access the function code properties and settings.

06 In the Runtime settings section, choose Edit to change the runtime environment settings available for the selected function.

07 On the Edit runtime settings page, select the latest supported version of the runtime environment from the Runtime dropdown list. Choose Save to apply the changes.

08 Select the Code tab and choose Test from the Code source section to test the Lambda function within the new environment. If you need to define a new test event, choose Configure test event and provide an event to test your function with. Once the testing is completed, the execution result of your Lambda function will be listed in the Execution results section.

09 Repeat steps no. 4 – 8 to upgrade the runtime environment for each Amazon Lambda function available within the current AWS region.

10 Change the AWS cloud region from the navigation bar and repeat the Remediation process for the other regions.

Using AWS CLI

01 Run update-function-configuration command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to reconfigure as the identifier parameter, to upgrade the runtime environment for the selected Lambda function. To upgrade the function runtime environment to its latest version, check the updated list of Amazon Lambda runtimes supported by AWS. The following command example upgrades the runtime environment for a Lambda function named cc-app-worker-function from Python 3.6 to Python 3.11:

aws lambda update-function-configuration \
  --region us-east-1 \
  --function-name cc-app-worker-function \
  --runtime "python3.11"

02 The command output should return the metadata available for the reconfigured function:

{
	"FunctionName": "cc-app-worker-function",
	"FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:cc-app-worker-function",
	"Runtime": "python3.11",
	"Role": "arn:aws:iam::123456789012:role/service-role/cc-app-worker-function-role-abcdabcd",
	"Handler": "lambda_function.lambda_handler",
	"CodeSize": 550,
	"Timeout": 45,
	"MemorySize": 1024,
	"LastModified": "2021-08-30T10:00:00.000+0000",
	"Version": "$LATEST",
	"VpcConfig": {
		"SubnetIds": [
			"subnet-abcd1234",
			"subnet-1234abcd"
		],
		"SecurityGroupIds": [
			"sg-01234abcd1234abcd"
		],
		"VpcId": "vpc-abcdabcd"
	},
	"TracingConfig": {
		"Mode": "PassThrough"
	},
	"RevisionId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
	"Layers": [
		{
			"Arn": "arn:aws:lambda:us-east-1:580247275435:layer:LambdaInsightsExtension:12",
			"CodeSize": 4351068
		}
	],
	"State": "Active",
	"LastUpdateStatus": "Successful",
	"PackageType": "Zip"
}

03 Repeat steps no. 1 and 2 to upgrade the runtime environment for each Amazon Lambda function available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.

Publication date Jun 12, 2017