MEDIUM Lambda

Lambda deprecated runtime

Check ID: aws-lambda-002

AWS-LAMBDA-002 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks for Lambda functions using deprecated or end-of-life runtimes that no longer receive security patches.

Why it matters

Deprecated Lambda runtimes like Python 3.7, Node.js 14, and Java 8 (Amazon Linux 1) no longer receive security patches from AWS or the upstream language maintainers. Known vulnerabilities in these runtimes - such as Python 3.7 CVE-2023-24329 (URL parsing bypass) or Node.js 14 CVE-2023-44487 (HTTP/2 Rapid Reset) - remain permanently exploitable. AWS stops publishing security patches approximately 30 days after a runtime reaches end-of-life and eventually blocks function creation on deprecated runtimes. Existing functions continue to run but accumulate unpatched vulnerabilities. Upgrading runtime versions also provides performance improvements - Python 3.12 is 15-20% faster than Python 3.8 in typical Lambda workloads.

Common causes

Deprecated runtimes persist because Lambda functions deployed years ago continue running without updates as long as they work. Teams avoid runtime upgrades due to fear of breaking changes in language versions, especially for functions without test suites. Organizations without automated dependency scanning or Lambda inventory management lose track of which functions use which runtimes across dozens of accounts and regions.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.

Remediation: AWS CLI

aws lambda update-function-configuration --function-name FUNCTION_NAME --runtime python3.12 --region REGION
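The inventory problem described under "Common causes" and the two steps above (detect, then run the AWS CLI remediation) can be scripted against the output of `aws lambda list-functions`. The script below is an added illustration, not cloud-audit's own code: it takes the `Functions` list from that API (a constructed sample is embedded so it runs offline), flags the runtime identifiers named on this page (`python3.7`, `nodejs14.x`, `java8`), skips container-image functions that carry no `Runtime` key, and prints the `update-function-configuration` command from the Remediation section. The deprecated set and the upgrade targets other than `python3.12` are assumptions to be maintained from AWS's runtime deprecation schedule.

```python
"""Flag Lambda functions on deprecated runtimes and emit the remediation command.

Input is the "Functions" list returned by `aws lambda list-functions`; a constructed
sample is embedded below so the script runs without AWS credentials.
"""
from __future__ import annotations

# Deprecated runtime identifiers named on this page. Assumption: this set is a
# starting point only and must be refreshed from AWS's deprecation schedule.
DEPRECATED_RUNTIMES = {"python3.7", "nodejs14.x", "java8"}

# Suggested upgrade targets. python3.12 comes from the page; the other two are
# assumptions chosen for illustration (current supported runtime identifiers).
UPGRADE_TARGET = {"python3.7": "python3.12", "nodejs14.x": "nodejs20.x", "java8": "java21"}

# Constructed sample mimicking `aws lambda list-functions` output for one region.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "orders-api", "Runtime": "python3.7", "PackageType": "Zip"},
    {"FunctionName": "image-resizer", "Runtime": "nodejs14.x", "PackageType": "Zip"},
    {"FunctionName": "report-gen", "Runtime": "python3.12", "PackageType": "Zip"},
    # Container-image functions have no Runtime key; the runtime lives in the image.
    {"FunctionName": "ml-scorer", "PackageType": "Image"},
]


def find_deprecated(functions: list[dict], region: str) -> list[dict]:
    """Return one finding per function whose runtime is in DEPRECATED_RUNTIMES."""
    findings = []
    for fn in functions:
        runtime = fn.get("Runtime")
        if runtime is None:
            # PackageType "Image": this check does not apply; audit the base image separately.
            continue
        if runtime in DEPRECATED_RUNTIMES:
            findings.append({
                "function": fn["FunctionName"],
                "region": region,
                "runtime": runtime,
                "target": UPGRADE_TARGET.get(runtime),
            })
    return findings


def remediation_command(finding: dict) -> str:
    """Build the AWS CLI command from the Remediation section for one finding."""
    return (
        "aws lambda update-function-configuration "
        f"--function-name {finding['function']} "
        f"--runtime {finding['target']} --region {finding['region']}"
    )


def collect_live(region: str) -> list[dict]:
    """Fetch the real function list with boto3 (not used in the offline sample run)."""
    import boto3  # imported lazily so the offline run has no dependency on it

    client = boto3.client("lambda", region_name=region)
    functions: list[dict] = []
    for page in client.get_paginator("list_functions").paginate():
        functions.extend(page["Functions"])
    return functions


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in collect_live(region)
    # and loop over regions to build a real multi-region inventory.
    for f in find_deprecated(SAMPLE_FUNCTIONS, "us-east-1"):
        print(f"{f['function']}: {f['runtime']} is deprecated")
        print("  " + remediation_command(f))
```

Running the generated command changes only the runtime identifier; functions without a test suite should still be exercised in a staging alias before the new configuration is promoted, since language-version changes are the breaking-change risk the page mentions.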

Remediation: Terraform

resource "aws_lambda_function" "fn" {
  # function_name, role, handler and package arguments are unchanged; only the runtime moves
  runtime = "python3.12" # replaces a deprecated identifier such as "python3.7"
}

This check is part of cloud-audit - install with pip install cloud-audit