Overview
AWS deprecates a Lambda runtime when the language version or underlying operating system stops receiving community and vendor security updates. Functions left on a deprecated runtime keep running, but the runtime no longer receives security patches or AWS support, so the function accumulates unpatched vulnerability risk; AWS later blocks creating new functions on that runtime and, after a further period, blocks updating existing ones.
Treat deprecated runtimes as a software supply-chain and operational resilience issue: upgrade the runtime, validate dependencies, publish a new version, and shift traffic through aliases so rollback remains possible.
Remediation guidance
Remediation
Upgrade the affected Lambda function to a supported runtime after validating application and dependency compatibility. Prefer moving to the newest supported LTS/runtime family for the language rather than the next-oldest supported version.
AWS CLI
Update the function runtime. Replace {{manual.targetRuntime}} with the approved runtime, for example nodejs22.x, python3.13, java21, dotnet8, or another runtime supported by AWS for your deployment package type. This applies only to functions with the Zip package type: functions deployed as container images carry no Runtime setting, so for those rebuild the image on a supported base image and push it with update-function-code instead.
aws lambda update-function-configuration \
--region {{asset.region}} \
--function-name {{asset.name}} \
--runtime {{manual.targetRuntime}}
Wait for the update to complete before publishing or shifting traffic:
aws lambda wait function-updated \
--region {{asset.region}} \
--function-name {{asset.name}}
Validate the runtime now in use:
aws lambda get-function-configuration \
--region {{asset.region}} \
--function-name {{asset.name}} \
--query '{FunctionName:FunctionName,Runtime:Runtime,LastUpdateStatus:LastUpdateStatus}'
Rollout guidance
- Test the function with the new runtime in a staging account or with a canary alias before production traffic shift.
- Rebuild native dependencies and layers for the target runtime and architecture.
- Publish a new version and shift traffic gradually with aliases when the function is customer-facing or high-impact. Weighted alias routing only works when the alias targets a published version rather than $LATEST, and publish the version only after the runtime update has reached LastUpdateStatus Successful so the snapshot contains the new runtime.
- Remove deprecated runtime references from IaC modules so new deployments cannot reintroduce the issue.
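The steps above (update, wait, verify, publish, shift) as one script, added here as an example and not code from AWS or from the tool that stores this control. It takes a boto3 Lambda client as a parameter so the logic can be exercised against a fake client; the function name orders-api, alias name live, region and target runtime in the main block are hypothetical. It refuses image-packaged functions (no Runtime setting to change) and refuses to split traffic on an alias still pointing at $LATEST, which the Lambda API would reject anyway.

```python
"""Runtime upgrade with a rollback-friendly rollout for a Zip-packaged Lambda function.

Added example for this page, not AWS or tool code. The boto3 client is injected
so the functions can be tested with a fake; names and runtimes are hypothetical.
"""
from __future__ import annotations

from typing import Any


def upgrade_runtime(client: Any, function_name: str, target_runtime: str) -> dict:
    """Switch the runtime, wait for the update to settle, and return the verified config.

    Raises ValueError for container-image functions (they carry no Runtime setting;
    rebuild the image on a supported base instead) and RuntimeError when the
    post-update configuration does not show the target runtime as Successful.
    """
    current = client.get_function_configuration(FunctionName=function_name)
    if current.get("PackageType") == "Image":
        raise ValueError(f"{function_name} is image-based; the runtime setting does not apply")
    if current.get("Runtime") == target_runtime:
        return current  # already on the target runtime, nothing to change

    client.update_function_configuration(FunctionName=function_name, Runtime=target_runtime)
    # Same polling as `aws lambda wait function-updated`: blocks until LastUpdateStatus settles.
    client.get_waiter("function_updated").wait(FunctionName=function_name)

    updated = client.get_function_configuration(FunctionName=function_name)
    if updated.get("Runtime") != target_runtime or updated.get("LastUpdateStatus") != "Successful":
        raise RuntimeError(
            f"{function_name}: runtime={updated.get('Runtime')} "
            f"status={updated.get('LastUpdateStatus')} "
            f"reason={updated.get('LastUpdateStatusReason')}"
        )
    return updated


def canary_shift(client: Any, function_name: str, alias: str, weight: float) -> dict:
    """Publish an immutable version and route `weight` of the alias traffic to it.

    The alias keeps its current stable version as the primary target, so rollback is
    just clearing AdditionalVersionWeights (see promote()). Alias routing requires
    the alias to target a numbered version, never $LATEST.
    """
    if not 0.0 < weight < 1.0:
        raise ValueError("canary weight must be strictly between 0 and 1")
    stable = client.get_alias(FunctionName=function_name, Name=alias)["FunctionVersion"]
    if stable == "$LATEST":
        raise ValueError(f"alias {alias} points at $LATEST; pin it to a published version first")
    # publish_version snapshots $LATEST, which now carries the upgraded runtime.
    new_version = client.publish_version(FunctionName=function_name)["Version"]
    return client.update_alias(
        FunctionName=function_name,
        Name=alias,
        FunctionVersion=stable,
        RoutingConfig={"AdditionalVersionWeights": {new_version: weight}},
    )


def promote(client: Any, function_name: str, alias: str, version: str) -> dict:
    """Finish (or, with the old version, roll back) the rollout: single target, no split."""
    return client.update_alias(
        FunctionName=function_name,
        Name=alias,
        FunctionVersion=version,
        RoutingConfig={"AdditionalVersionWeights": {}},  # empty map clears the weighted split
    )


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS

    lam = boto3.client("lambda", region_name="us-east-1")  # hypothetical region
    cfg = upgrade_runtime(lam, "orders-api", "python3.13")  # hypothetical function and target
    print("now on", cfg["Runtime"])
    resp = canary_shift(lam, "orders-api", "live", 0.1)  # 10% canary on the hypothetical alias
    print("canary split:", resp["RoutingConfig"])
```

Run the canary until your error-rate and latency signals are clean, then call promote() with the new version number; calling it with the previous stable version instead is the rollback.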
References
- https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html
- https://docs.aws.amazon.com/cli/latest/reference/lambda/update-function-configuration.html
Service-wide remediation
Use AWS Health notifications, Trusted Advisor deprecated runtime checks, CI/CD policy checks, and IaC module defaults to prevent deprecated runtimes from being deployed. Track runtime end-of-support dates as part of vulnerability management.
Query logic
These are the stored checks tied to this control.
AWS Lambda functions with deprecated runtimes
Connectors
Covered asset types
Expected check: eq [] (the control passes when the query below returns no functions)
{
functions(
where: {
cloudProvider: { eq: "aws" }
runtime_IN: [
"dotnet6"
"dotnetcore3.1"
"dotnetcore2.1"
"dotnetcore2.0"
"dotnetcore1.0"
"go1.x"
"java8"
"nodejs18.x"
"nodejs16.x"
"nodejs14.x"
"nodejs12.x"
"nodejs10.x"
"nodejs8.10"
"nodejs6.10"
"nodejs4.3"
"nodejs4.3-edge"
"python3.9"
"python3.8"
"python3.7"
"python3.6"
"python2.7"
"ruby2.7"
"ruby2.5"
"provided"
]
}
) {
...AssetFragment
}
}
AWS
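The same check run offline over the output of aws lambda list-functions, added here as an example and not the tool's own query engine. The runtime set is the one in the stored query above and, like the runtime_IN filter, it matches exactly: "provided" is the Amazon Linux 1 custom runtime, while provided.al2 and provided.al2023 are not in the set, and image-packaged functions have no Runtime field and so are never matched. The sample function list is constructed, and the per-family upgrade targets are this example's own assumption, not an AWS recommendation.

```python
"""Offline version of the stored check: flag Lambda functions on deprecated runtimes.

Added example, not the tool's query engine. Input is the `Functions` array from
`aws lambda list-functions --output json` (or boto3 list_functions); the sample
below is constructed and the target mapping is an assumption.
"""
from __future__ import annotations

import json

# Identical to the runtime_IN list in the stored query. Matching is exact, so
# "provided" flags only the Amazon Linux 1 custom runtime, not provided.al2/al2023.
DEPRECATED_RUNTIMES = frozenset({
    "dotnet6", "dotnetcore3.1", "dotnetcore2.1", "dotnetcore2.0", "dotnetcore1.0",
    "go1.x", "java8",
    "nodejs18.x", "nodejs16.x", "nodejs14.x", "nodejs12.x", "nodejs10.x",
    "nodejs8.10", "nodejs6.10", "nodejs4.3", "nodejs4.3-edge",
    "python3.9", "python3.8", "python3.7", "python3.6", "python2.7",
    "ruby2.7", "ruby2.5",
    "provided",
})

# Hypothetical per-family targets (assumption; substitute the runtimes your org approves).
# First matching prefix wins, so "dotnetcore3.1" maps through the "dotnet" entry.
TARGET_BY_PREFIX = (
    ("nodejs", "nodejs22.x"),
    ("python", "python3.13"),
    ("java", "java21"),
    ("dotnet", "dotnet8"),
    ("ruby", "ruby3.3"),
    ("go1.x", "provided.al2023"),    # Go moved to the custom runtime: rebuild as `bootstrap`
    ("provided", "provided.al2023"),
)

# Constructed sample, shaped like the `Functions` array of list-functions.
SAMPLE_LIST_FUNCTIONS = json.loads("""
{"Functions": [
  {"FunctionName": "orders-api",         "Runtime": "python3.9",       "PackageType": "Zip"},
  {"FunctionName": "image-resizer",      "Runtime": "nodejs18.x",      "PackageType": "Zip"},
  {"FunctionName": "billing-worker",     "Runtime": "provided.al2023", "PackageType": "Zip"},
  {"FunctionName": "legacy-go-exporter", "Runtime": "go1.x",           "PackageType": "Zip"},
  {"FunctionName": "ml-scorer",                                        "PackageType": "Image"},
  {"FunctionName": "auth-hook",          "Runtime": "java21",          "PackageType": "Zip"}
]}
""")


def suggest_target(runtime: str) -> str | None:
    """Return the assumed upgrade target for a runtime, or None if no family matches."""
    for prefix, target in TARGET_BY_PREFIX:
        if runtime.startswith(prefix):
            return target
    return None


def find_deprecated(functions: list[dict]) -> list[tuple[str, str, str | None]]:
    """Return (FunctionName, Runtime, suggested target) for every flagged function.

    Image-packaged functions carry no Runtime key and are skipped, exactly as the
    runtime_IN filter never matches them; audit their base images separately.
    """
    findings = []
    for fn in functions:
        runtime = fn.get("Runtime")
        if runtime in DEPRECATED_RUNTIMES:
            findings.append((fn["FunctionName"], runtime, suggest_target(runtime)))
    return findings


def remediation_commands(region: str, findings: list[tuple[str, str, str | None]]) -> list[str]:
    """Render the update-function-configuration call from the page for each finding."""
    return [
        f"aws lambda update-function-configuration --region {region} "
        f"--function-name {name} --runtime {target}"
        for name, _runtime, target in findings
        if target is not None
    ]


if __name__ == "__main__":
    found = find_deprecated(SAMPLE_LIST_FUNCTIONS["Functions"])
    for name, runtime, target in found:
        print(f"{name}: {runtime} -> {target}")
    print("\n".join(remediation_commands("us-east-1", found)))  # hypothetical region
```

Point it at real output with aws lambda list-functions --region <region> --output json, feed the Functions array to find_deprecated(), and keep DEPRECATED_RUNTIMES in step with the stored query as AWS announces further deprecations.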