Lambda Rules
These rules identify Lambda functions not configured to use the cost-optimal Graviton2 architecture.
| Rule ID | Scan Type | Name |
|---|---|---|
| CLDBRN-AWS-LAMBDA-1 | Discovery and IaC | Lambda Function Not Using Cost-Optimal Architecture |
CLDBRN-AWS-LAMBDA-1
Lambda Function Not Using Cost-Optimal Architecture
Scan type: Discovery and IaC
What it checks
Flags Lambda functions not configured to run on the arm64 (Graviton2) architecture. Lambda on arm64 is approximately 20% cheaper per GB-second than the equivalent x86_64 configuration, and Graviton2 often executes functions faster, compounding the savings.
Why it matters
Lambda pricing is based on the number of requests and GB-seconds of compute. For functions that run frequently or with significant memory allocation, the 20% price reduction from arm64 adds up quickly. A function running 10 million invocations per month at 512 MB for 500ms costs roughly $8.35 on x86_64 vs $6.68 on arm64 — the saving grows proportionally with scale.
What triggers a finding
The function's architectures list does not include arm64.
How to remediate
Set the function architecture to arm64. Most Lambda runtimes support arm64 natively (Node.js, Python, Java, Go, .NET). Custom runtimes need to provide an arm64-compatible binary.
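```bash
# Architecture is set together with the deployment package, which must be
# built for arm64. function.zip is a placeholder path.
aws lambda update-function-code \
  --function-name my-function \
  --architectures arm64 \
  --zip-file fileb://function.zip
```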
After changing the architecture, test the function to confirm it behaves correctly. Graviton2 uses a different CPU architecture — if you have native binaries compiled for x86, you need to recompile them for arm64.
IaC resources checked
| IaC Tool | Resource Type |
|---|---|
| Terraform | aws_lambda_function |
| CloudFormation | AWS::Lambda::Function |
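The trigger condition applied to both resource types in the table, as an added example and not the scanner's own implementation. It assumes the Terraform input is the `planned_values` section of `terraform show -json` output and the CloudFormation template is already parsed into a dict; the function names and the choice to skip unresolved intrinsics are hypothetical.

```python
RULE_ID = "CLDBRN-AWS-LAMBDA-1"

def missing_arm64(architectures):
    """True when the architectures list does not include arm64."""
    if isinstance(architectures, dict):
        # Unresolved CloudFormation intrinsic (e.g. Ref); this sketch skips it.
        return False
    # Lambda defaults to x86_64, so an absent or empty list is a finding too.
    return "arm64" not in (architectures or [])

def tf_resources(module):
    """Yield resources from a Terraform module and all of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from tf_resources(child)

def scan_terraform_plan(plan):
    """Scan the planned_values section of `terraform show -json` output."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return [(RULE_ID, r["address"]) for r in tf_resources(root)
            if r.get("type") == "aws_lambda_function"
            and missing_arm64(r.get("values", {}).get("architectures"))]

def scan_cloudformation(template):
    """Scan a CloudFormation template already parsed into a dict."""
    return [(RULE_ID, name) for name, r in template.get("Resources", {}).items()
            if r.get("Type") == "AWS::Lambda::Function"
            and missing_arm64(r.get("Properties", {}).get("Architectures"))]

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_lambda_function.api", "type": "aws_lambda_function",
         "values": {"architectures": ["x86_64"]}},
        {"address": "aws_lambda_function.worker", "type": "aws_lambda_function",
         "values": {"architectures": ["arm64"]}}],
    "child_modules": [{"resources": [
        {"address": "module.etl.aws_lambda_function.load",
         "type": "aws_lambda_function", "values": {}}]}]}}}
SAMPLE_TEMPLATE = {"Resources": {
    "Resizer": {"Type": "AWS::Lambda::Function",
                "Properties": {"Runtime": "python3.12"}},
    "Notifier": {"Type": "AWS::Lambda::Function",
                 "Properties": {"Architectures": ["arm64"]}},
    "Bucket": {"Type": "AWS::S3::Bucket"}}}

if __name__ == "__main__":
    for rule, resource in (scan_terraform_plan(SAMPLE_PLAN)
                           + scan_cloudformation(SAMPLE_TEMPLATE)):
        print(rule, resource)
```

Functions that omit the architecture setting entirely are reported, because they deploy as x86_64 by default.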
See Also
- CLI discover command — scan live Lambda functions
- CLI scan command — scan IaC templates for Lambda issues
- SDK Reference — run scans programmatically