turbot/steampipe-mod-aws-compliance

Control: 2 Lambda functions should use supported runtimes

Description

This control checks that the Lambda function settings for runtimes match the expected values set for the supported runtimes for each language. This control checks for the following runtimes: nodejs20.x, nodejs18.x, nodejs16.x, python3.12, python3.11, python3.10, python3.9, python3.8, ruby3.3, ruby3.2, java21, java17, java11, java8.al2, dotnet8, dotnet6

Lambda runtimes are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When a runtime component is no longer supported for security updates, Lambda deprecates the runtime. Even though you cannot create functions that use the deprecated runtime, the function is still available to process invocation events. Make sure that your Lambda functions are current and do not use out-of-date runtime environments.

Remediation

For more information on supported runtimes and deprecation schedules, see the Runtime support policy section of the AWS Lambda Developer Guide. When you migrate your runtimes to the latest version, follow the syntax and guidance from the publishers of the language.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_lambda_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_lambda_2 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when package_type <> 'Zip' then 'skip'
    when runtime like any ($1) then 'ok'
    when runtime like any ($2) then 'alarm'
    else 'info'
  end as status,
  case
    when package_type <> 'Zip' then title || ' package type is ' || package_type || '.'
    when runtime like any ($1) then title || ' uses latest runtime - ' || runtime || '.'
    when runtime like any ($2) then title || ' uses ' || runtime || ' which is not the latest version.'
    else title || ' uses runtime ' || runtime || ' which is yet to be released.'
  end as reason,
  region,
  account_id
from
  aws_lambda_function;

Params

| Args | Name | Default | Description | Variable |
| --- | --- | --- | --- | --- |
| $1 | lambda_latest_runtimes | ["nodejs20.x","nodejs18.x","nodejs16.x","python3.12","python3.11","python3.10","python3.9","ruby3.3","ruby3.2","java21","java17","java11","java8.al2","dotnet8","dotnet6"] | A list of latest lambda runtimes. | |
| $2 | lambda_deprecated_runtimes | ["java8","go1.x","provided","ruby2.7","nodejs14.x","python3.7","python3.8","dotnetcore3.1","nodejs12.x","python3.6","dotnet5.0","dotnetcore2.1","nodejs10.x","ruby2.5","python2.7","nodejs8.10","nodejs4.3","nodejs4.3-edge","nodejs6.10","dotnetcore1.0","dotnetcore2.0","nodejs"] | A list of deprecated lambda runtimes. | |
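The following is an added example, not part of the mod, that reproduces the query's CASE precedence and the PostgreSQL `LIKE ANY` matching in Python over function records in the shape returned by `aws lambda list-functions`, using the default values of the two params above. It is useful for checking the control's verdicts offline; the sample records are constructed.

```python
import re

# Default parameter values from this control's Params table.
LATEST_RUNTIMES = ["nodejs20.x", "nodejs18.x", "nodejs16.x", "python3.12", "python3.11",
                   "python3.10", "python3.9", "ruby3.3", "ruby3.2", "java21", "java17",
                   "java11", "java8.al2", "dotnet8", "dotnet6"]
DEPRECATED_RUNTIMES = ["java8", "go1.x", "provided", "ruby2.7", "nodejs14.x", "python3.7",
                       "python3.8", "dotnetcore3.1", "nodejs12.x", "python3.6", "dotnet5.0",
                       "dotnetcore2.1", "nodejs10.x", "ruby2.5", "python2.7", "nodejs8.10",
                       "nodejs4.3", "nodejs4.3-edge", "nodejs6.10", "dotnetcore1.0",
                       "dotnetcore2.0", "nodejs"]


def sql_like(value, pattern):
    """PostgreSQL LIKE semantics: '%' matches any run, '_' one character, case-sensitive."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def like_any(value, patterns):
    """Equivalent of `value like any (array)`; a missing runtime (NULL) never matches."""
    return value is not None and any(sql_like(value, p) for p in patterns)


def evaluate(fn, latest=LATEST_RUNTIMES, deprecated=DEPRECATED_RUNTIMES):
    """Apply the control's CASE branches, in order, to one list-functions record.

    Returns (status, reason) exactly as the SQL does: skip / ok / alarm / info.
    """
    title = fn["FunctionName"]
    runtime = fn.get("Runtime")          # absent for container-image functions
    pkg = fn.get("PackageType", "Zip")   # list-functions omits it for older Zip functions
    if pkg != "Zip":
        return "skip", f"{title} package type is {pkg}."
    if like_any(runtime, latest):
        return "ok", f"{title} uses latest runtime - {runtime}."
    if like_any(runtime, deprecated):
        return "alarm", f"{title} uses {runtime} which is not the latest version."
    return "info", f"{title} uses runtime {runtime} which is yet to be released."


# Constructed sample records (hypothetical function names), one per branch.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "orders-api", "Runtime": "nodejs20.x", "PackageType": "Zip"},
    {"FunctionName": "legacy-etl", "Runtime": "python3.8", "PackageType": "Zip"},
    {"FunctionName": "image-worker", "PackageType": "Image"},
    {"FunctionName": "early-adopter", "Runtime": "python3.13", "PackageType": "Zip"},
]


def run(functions=SAMPLE_FUNCTIONS):
    """Return {function name: status} for a list of records."""
    return {fn["FunctionName"]: evaluate(fn)[0] for fn in functions}
```

Note that with these defaults python3.8 appears only in the deprecated list, so a python3.8 function lands in alarm even though the Description above still names it.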

Tags