Lambda function runtime outdated

About Lambda Functions

AWS Lambda is an event-driven, serverless platform that lets you run code directly inside standardized runtime environments—without having to provision or configure infrastructure. You don’t have to worry about creating new servers/containers with optimal resource specifications, or managing memory—it’s all done by the platform. As a developer, your only job is to execute your business logic via Lambda functions. 

The best part about Lambda is that it enables your application to scale up or down based on demand.

The main AWS Lambda principles are:

• Vendor-managed platform to initiate code run with predefined triggers
• High resource availability
• Automatic immediate scalability
• Pay-per-use

Developers can trigger logic execution using the Lambda API, based on events generated by other AWS services (e.g., if Lambda receives a “user signup” event from a web application, it can execute the function that inserts user data into a database.  

Lambda executes functions inside runtime environments that support multiple languages and platforms, e.g., Python, Node.js, Go, and Java. The runtime uses configurations that you specify while creating a function.

Cloud Risk Description

An outdated Lambda runtime might lack critical vulnerability patches or bug fixes. And your applications and data are at risk of compromise if the runtime versions of any of your Lambda functions are outdated. Moreover, outdated versions are less likely to contain the latest features or guarantee maximum performance. Ensure that you always use the latest runtime versions of your Lambda functions to access up-to-date features and security fixes.

How Orca Can Help

Orca discovers neglected workloads, i.e., machines running an unpatched or unsupported OS. In this specific example, Orca alerts you to outdated Lambda runtime, as seen in the screenshot above.

Related Cloud Risks

• Unsupported Host OS: Like an outdated Lambda runtime, an unsupported host operating system can also contain unpatched vulnerabilities or bugs. Cybercriminals can exploit these vulnerabilities/bugs to gain exclusive control over the host.
• Lambda Function Environment Variables Expose Secrets: In this risk, the Lambda function exposes sensitive data in the environment variables of the function. If an attacker can list this function (i.e. read its metadata), they may be able to use this information for lateral movement.

Recommended Mitigation Strategies

• 

  Always use the latest runtime versions for all Lambda functions.

• 

  Regularly audit to look for older/outdated runtimes and immediately upgrade them to the latest versions.

• 

  If you use third-party libraries in your Lambda functions, make sure you update them as and when required.

• 

  Encrypt Lambda environment variables that store security-critical data like passwords, encryption keys, and hash salts.

Useful Links

• Lambda runtimes: https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html
• AWS Lambda execution environment: https://docs.aws.amazon.com/lambda/latest/dg/runtimes-context.html
• Runtime deprecation policy: https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html
• AWS Lambda runtime API: https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html
• Invoking Lambda functions: https://docs.aws.amazon.com/lambda/latest/dg/lambda-invocation.html
• Configuring AWS Lambda functions: https://docs.aws.amazon.com/lambda/latest/dg/lambda-functions.html