Runtime maintenance in Lambda - Security Overview of AWS Lambda

Runtime maintenance in Lambda

Lambda provides support for these runtimes by continuously scanning for and deploying compatible updates and security patches, and by performing other runtime maintenance activities. This enables you to focus on just the maintenance and security of any code included in your function and layer. The Lambda team uses Amazon Inspector to discover known security issues, as well as other custom security issue notification mechanisms and pre-disclosure lists, to ensure that our runtime languages and execution environment remain patched. If any new patches or updates are identified, Lambda tests and deploys the runtime updates without any involvement from customers. For more information about Lambda's compliance program, refer to the Lambda and compliance section of this document.

Typically, no action is required to pick up the latest patches for supported Lambda runtimes, but sometimes action might be required to test patches before they are deployed (for example, known incompatible runtime patches). If any action is required by customers, Lambda will contact them through the Personal AWS Health Dashboard, through the AWS account's email, or through other means.

You can use other programming languages in Lambda by implementing a custom runtime. For custom runtimes, maintenance of the runtime becomes the customer's responsibility, including making sure that the custom runtime includes the latest security patches. For more information, refer to Custom AWS Lambda runtimes in the AWS Lambda Developer Guide.

When upstream runtime language maintainers mark their language End-of-Life (EOL), Lambda honors this by no longer supporting the runtime language version. When runtime versions are marked as deprecated in Lambda, Lambda stops supporting the creation of new functions and updates to existing functions that were authored in the deprecated runtime. To alert you to upcoming runtime deprecations, Lambda notifies customers of the deprecation date and what they can expect.

Lambda does not provide security updates, technical support, or hotfixes for deprecated runtimes, and reserves the right to disable invocations of functions configured to run on a deprecated runtime at any time. If you want to continue to run deprecated or unsupported runtime versions, you can create your own custom AWS Lambda runtime. For details on when runtimes are deprecated, refer to our runtime deprecation policy.
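
The split in patching responsibility described above (managed runtimes, custom runtimes, deprecated runtimes) can be checked per account. The following is an added example, not code from AWS or this document: it classifies the JSON output of `aws lambda list-functions`. The function names, the sample JSON, the category labels, and the sample deprecated set are constructed; take the current deprecated identifiers from the runtime deprecation policy.

```python
import json

# Runtime identifiers Lambda uses for custom (OS-only) runtimes.
CUSTOM_RUNTIMES = {"provided", "provided.al2", "provided.al2023"}

def classify(cfg, deprecated):
    """Return the maintenance category for one function configuration."""
    runtime = cfg.get("Runtime")
    if runtime is None:
        # No Runtime field (for example, container image packages):
        # the page does not cover this case, so flag it for manual review.
        return "needs-review"
    if runtime in CUSTOM_RUNTIMES:
        return "customer-patched"   # custom runtime: customer applies patches
    if runtime in deprecated:
        return "deprecated"         # no security updates or hotfixes
    return "lambda-patched"         # managed runtime: Lambda applies patches

def audit(list_functions_json, deprecated):
    """Group function names by category from `aws lambda list-functions` JSON."""
    report = {}
    for cfg in json.loads(list_functions_json).get("Functions", []):
        category = classify(cfg, deprecated)
        report.setdefault(category, []).append(cfg["FunctionName"])
    return report

# Constructed sample input, shaped like `aws lambda list-functions` output.
SAMPLE = json.dumps({"Functions": [
    {"FunctionName": "orders-api", "Runtime": "python3.12", "PackageType": "Zip"},
    {"FunctionName": "legacy-report", "Runtime": "python2.7", "PackageType": "Zip"},
    {"FunctionName": "rust-worker", "Runtime": "provided.al2", "PackageType": "Zip"},
    {"FunctionName": "img-resizer", "PackageType": "Image"},
    {"FunctionName": "billing", "Runtime": "nodejs20.x", "PackageType": "Zip"},
]})

# Sample deprecated identifiers (assumption: supply the current list yourself).
SAMPLE_DEPRECATED = {"python2.7", "nodejs8.10"}

if __name__ == "__main__":
    for category, names in sorted(audit(SAMPLE, SAMPLE_DEPRECATED).items()):
        print(f"{category}: {', '.join(names)}")
```

Functions reported as `customer-patched` or `deprecated` are the ones that receive no runtime patches from Lambda and belong in your own patch-tracking process.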