Compliance · Medium severity

AWS Security Hub · Lambda

Lambda.2: Lambdas run on deprecated, unpatched runtimes

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Lambda.2 check?

Lambda.2 fails when a function runs on a runtime AWS has deprecated — an older Node.js, Python or other version that is past its supported window.

Why does Lambda.2 matter?

AWS deprecates runtimes in three 60-day phases, published more than a year ahead, but teams routinely find out in the last window — after functions have already stopped being updateable. At that point the only path is delete-and-recreate, which loses the function ARN, breaks every invoker referencing it, and forces IAM policy rewrites. A 30-minute upgrade becomes a two-day migration because nobody read the deprecation notice.

How do I fix Lambda.2?

  1. List all functions by runtime to find those on deprecated or soon-to-be-deprecated versions.
  2. Bump each function to a supported runtime, testing for the breaking changes that come with minor bumps (Node's `fetch`, Python's `ssl`).
  3. For functions pinned by a custom runtime layer to an old Amazon Linux base, rebuild the layer on a current base.
  4. Track the published deprecation schedule and upgrade well before a runtime stops being updateable.

Remediation script · bash

# Enable auto minor version upgrade on every RDS instance that has it disabled.
for id in $(aws rds describe-db-instances \
    --query 'DBInstances[?AutoMinorVersionUpgrade==`false`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$id" \
    --auto-minor-version-upgrade --no-apply-immediately
done

# Move a deprecated Lambda function to a supported runtime.
aws lambda update-function-configuration --function-name auth-token-issuer \
  --runtime nodejs20.x

# Upgrade an out-of-support EKS control plane one minor version at a time (then catch up node groups).
aws eks update-cluster-version --name prod-payments --kubernetes-version 1.29
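Steps 1 and 2 of the fix above, as an added example that is not the page's or Emnode's own remediation script: it reads the tab-separated output of `aws lambda list-functions`, flags functions on deprecated runtimes, and prints the matching `update-function-configuration` commands for review rather than running them. The deprecated-runtime list, the runtime-to-target mapping and the sample function list are assumptions constructed for illustration.

```shell
#!/usr/bin/env sh
# Added example (not the page's remediation script): audit Lambda functions by runtime,
# flag the ones on deprecated runtimes, and print the upgrade commands for review.
# The deprecated list and target mapping are illustrative assumptions, not AWS's official
# schedule; check the published deprecation dates before relying on them.
DEPRECATED_RUNTIMES="nodejs14.x nodejs16.x python3.7 python3.8"

# Runtime a deprecated function should move to; exits 1 when there is no mapping.
target_runtime() {
  case "$1" in
    nodejs14.x|nodejs16.x) echo nodejs20.x ;;
    python3.7|python3.8)   echo python3.12 ;;
    *) return 1 ;;
  esac
}

# Reads "FunctionName<TAB>Runtime" lines, the shape produced by
#   aws lambda list-functions --query 'Functions[].[FunctionName,Runtime]' --output text
# and prints the functions whose runtime is deprecated. Container-image functions report
# "None" as runtime and fall through. Exits 1 if anything was flagged, so a CI job can fail.
flag_deprecated() {
  found=0
  while IFS="$(printf '\t')" read -r name runtime; do
    [ -n "$name" ] || continue
    case " $DEPRECATED_RUNTIMES " in
      *" $runtime "*) printf '%s\t%s\n' "$name" "$runtime"; found=1 ;;
    esac
  done
  return "$found"
}

# Turns flagged lines into one update-function-configuration command per function.
# Nothing is executed here: the output is a plan to review, then run after testing.
plan_upgrades() {
  while IFS="$(printf '\t')" read -r name runtime; do
    [ -n "$name" ] || continue
    if target="$(target_runtime "$runtime")"; then
      printf 'aws lambda update-function-configuration --function-name %s --runtime %s\n' \
        "$name" "$target"
    else
      printf '# %s: no mapping for %s, pick a target runtime manually\n' "$name" "$runtime"
    fi
  done
}

# Constructed sample standing in for the live CLI output; replace the printf with the
# aws lambda list-functions command above to run against a real account.
SAMPLE_FUNCTIONS="$(printf 'auth-token-issuer\tnodejs14.x\nimage-resizer\tpython3.12\nreport-builder\tpython3.7\nthumbnailer\tNone\nwebhook-router\tnodejs20.x')"
printf '%s\n' "$SAMPLE_FUNCTIONS" | flag_deprecated | plan_upgrades
```

Test each planned command in a staging account before applying it, since a runtime bump can carry the breaking changes the steps above mention.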

Full walkthrough (console steps, edge cases and verification) in the lesson Keep software and engines patched.

Part of the learning path Build in resilience
  • Lambda.1 A Lambda resource policy allows public invocation
  • Lambda.3 Lambda functions should be in a VPC
  • Lambda.5 VPC Lambda functions should span multiple AZs