To fully automate that check with Custodian, my first thought would be adding an aws.account filter that looks at the Trusted Advisor check you mentioned. If you don't want to use Trusted Advisor in the first place, doing it the way you're doing here seems like the next best option.
(As far as I can tell, other ways of having more dynamic policies would require Custodian to crawl AWS docs or hardcode runtime status/deprecation timelines... which feels like a recipe for trouble)
Hi AJ, could you please advise which filter to use under aws.account? "service-limit" doesn't do the trick, as this particular check comes under the security category in Trusted Advisor.
I think directly looking at the runtimes, per the policy running against lambda, is correct, and then updating the policy periodically. This list doesn't change that often (like 1-2 times a year, if that). Alternatively, scrape the AWS docs for deprecated runtimes into a JSON data file your policy can use, or ask your TAM for a machine-readable list or a Lambda API call / attribute re deprecation.
Describe the feature
Hi All,
Currently, the only way to check for deprecated Lambda runtimes in our AWS account using an API call is a Trusted Advisor check (Business or Enterprise edition). Otherwise we have to check manually on the console or on this documentation page https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html
A policy like the one below can be written, but it would require the runtimes to be updated manually from time to time:
```yaml
policies:
  - name: lambda-deprecated-runtimes   # policies wrapper and name added; the snippet as posted omitted them
    resource: aws.lambda
    description: "Lambda-Deprecated-Runtimes"
    filters:
      - type: value                    # explicit filter type; the posted snippet omitted it
        key: Runtime
        op: in
        value: [python3.9, python2.7, dotnetcore2.1, ruby2.5, nodejs10.x, nodejs8.10, nodejs4.3, nodejs6.10, dotnetcore1.0, dotnetcore2.0, nodejs4.3-edge, nodejs]
```
It would be helpful if this check could be fully automated using Cloud Custodian.
Extra information or context
No response
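As an added example of the data-file approach suggested in the comments (not Cloud Custodian's own code, and not from anyone in this thread): a script that reads a deprecated-runtimes JSON, flags functions whose runtime is already deprecated or pending deprecation, and emits the equivalent Custodian value filter so the hand-maintained list above can be generated instead of edited. The JSON contents, the dates and the function records are constructed placeholders, not the authoritative AWS schedule.

```python
import json
from datetime import date

# Constructed data file (runtime -> deprecation date). The dates are placeholders,
# not the authoritative AWS schedule; this is the file the comment above suggests
# keeping current, by scraping the docs or from a TAM-supplied list.
DEPRECATED_RUNTIMES_JSON = """{
  "python2.7": "2021-07-15",
  "nodejs10.x": "2021-07-30",
  "dotnetcore2.1": "2022-01-05",
  "ruby2.5": "2021-07-30",
  "python3.6": "2030-01-01"
}"""

# Constructed stand-ins for the records boto3's lambda list_functions would return.
# "image-fn" has no Runtime key, as container-image functions do not.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "legacy-etl", "Runtime": "python2.7"},
    {"FunctionName": "api-handler", "Runtime": "python3.11"},
    {"FunctionName": "image-fn", "PackageType": "Image"},
    {"FunctionName": "soon-old", "Runtime": "python3.6"},
]

TODAY = date(2024, 1, 1)  # fixed so the run is reproducible; use date.today() live

def load_deprecations(text):
    """Parse the data file into {runtime: deprecation date}."""
    return {rt: date.fromisoformat(d) for rt, d in json.loads(text).items()}

def classify(functions, deprecations, today=TODAY):
    """Split functions into already-deprecated and pending-deprecation runtimes."""
    result = {"deprecated": [], "pending": []}
    for fn in functions:
        runtime = fn.get("Runtime")
        if runtime is None or runtime not in deprecations:
            continue
        bucket = "deprecated" if deprecations[runtime] <= today else "pending"
        result[bucket].append(fn["FunctionName"])
    return result

def custodian_filter(deprecations, today=TODAY):
    """Emit the c7n value filter equivalent to the hand-maintained list above."""
    runtimes = sorted(rt for rt, d in deprecations.items() if d <= today)
    return {"type": "value", "key": "Runtime", "op": "in", "value": runtimes}

if __name__ == "__main__":
    deps = load_deprecations(DEPRECATED_RUNTIMES_JSON)
    print(json.dumps(classify(SAMPLE_FUNCTIONS, deps), indent=2))
    print(json.dumps(custodian_filter(deps), indent=2))
```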