Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Enable and Configure Provisioned Concurrency

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Provisioned Concurrency performance feature is enabled for your Amazon Lambda functions in order to help your functions to scale without fluctuations in latency. Provisioned concurrency runs continuously and has a separate pricing plan for concurrency and execution duration.

This rule can help you work with the AWS Well-Architected Framework.

Performance
efficiency

When you are using Lambda functions for your serverless application, you are not provisioning hardware or networks, runtimes and operating systems, but you are able to enable and configure features such as provisioned concurrency which can directly affect your application's performance. Functions configured with provisioned concurrency can execute with consistent start-up latency, making them ideal for building interactive web and mobile back-ends, latency sensitive microservices, and synchronously invoked APIs.

Audit

To determine if your Amazon Lambda functions are configured to use provisioned concurrency, perform the following actions:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

  3. In the left navigation panel, under AWS Lambda, choose Functions.

  4. Click on the name (link) of the function that you want to examine.

  5. Select the Configuration tab and choose Concurrency from the left menu.

  6. In the Concurrency section, check the Provisioned concurrency configurations list for provisioned concurrency configurations created for the function's alias or version. Provisioned concurrency can be applied to a specific function version or alias. You can have different configurations for each version of a function. If there are no configurations available in the Provisioned concurrency configurations list, the selected**Amazon Lambda function is not configured to use provisioned concurrency for its versions and/or aliases.

  7. Repeat steps no. 4 – 6 for each Lambda function available within the current AWS region.

  8. Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

  1. Run list-functions command (OSX/Linux/UNIX) to list the names of all the Amazon Lambda functions available in the selected AWS region:

    aws lambda list-functions
  --region us-east-1
  --output table
  --query 'Functions[*].FunctionName'

  2. The command output should return a table with the requested function name(s):

    --------------------------
|      ListFunctions     |
+------------------------+
|  cc-export-user-data   |
|  cc-get-s3-log-data    |
|  cc-process-app-queue  |
+------------------------+

  3. Run list-aliasescommand (OSX/Linux/UNIX) to list the aliases of the Amazon Lambda function that you want to examine. If you want to list your function versions, run the list-versions-by-function command instead. Provisioned concurrency can be enabled for a specific function version or alias (i.e. a pointer to a specific version). You can have different settings for each version/alias of a function:

    aws lambda list-aliases
  --region us-east-1
  --function-name cc-export-user-data
  --output table
  --query 'Aliases[*].Name'

  4. The command output should return a table with the requested function aliases:

    --------------------
|    ListAliases   |
+------------------+
|  cc-live-export  |
|  cc-post-export  |
+------------------+

  5. Run get-provisioned-concurrency-config command (OSX/Linux/UNIX) using the Amazon Lambda function alias that you want to examine as the value for the --qualifier command parameter, to describe the provisioned concurrency configuration for the selected function alias:

    aws lambda get-provisioned-concurrency-config
  --region us-east-1
  --function-name cc-export-user-data
  --qualifier cc-live-export

  6. The command output should return the requested configuration information, otherwise it should return an error message:

    An error occurred (ProvisionedConcurrencyConfigNotFoundException) when calling the GetProvisionedConcurrencyConfig operation: No Provisioned Concurrency Config found for this function.

    If theget-provisioned-concurrency-config command output returns the ProvisionedConcurrencyConfigNotFoundException error, as shown in the example above, the selected function alias is not configured to use provisioned concurrency.

  7. Repeat step no. 5 and 6 to verify the provisioned concurrency configuration for each function qualifier (alias or version), created for the selected Lambda function.

  8. Repeat steps no. 3 – 7 for each Lambda function available in the selected AWS region.

  9. Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the Audit process for other regions.

Remediation / Resolution

To enable and configure provisioned concurrency for your existing Amazon Lambda functions, perform the following actions:

Using AWS CloudFormation

  1. CloudFormation template (JSON):

    {
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"FunctionExecutionRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"RoleName": "LambdaExecutionRole",
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Principal": {
								"Service": [
									"lambda.amazonaws.com"
								]
							},
							"Action": [
								"sts:AssumeRole"
							]
						}
					]
				},
				"Path": "/",
				"Policies": [
					{
						"PolicyName": "AWSLambdaBasicExecutionRole",
						"PolicyDocument": {
							"Version": "2012-10-17",
							"Statement": [
								{
									"Effect": "Allow",
									"Action": [
										"logs:CreateLogGroup",
										"logs:CreateLogStream",
										"logs:PutLogEvents",
										"ec2:DescribeNetworkInterfaces",
										"ec2:CreateNetworkInterface",
										"ec2:DeleteNetworkInterface",
										"ec2:DescribeInstances",
										"ec2:AttachNetworkInterface"
									],
									"Resource": "*"
								}
							]
						}
					}
				]
			}
		},
		"LambdaFunction": {
			"Type": "AWS::Lambda::Function",
			"Properties": {
				"FunctionName": "cc-app-worker-function",
				"Handler": "lambda_function.lambda_handler",
				"Role": {
					"Fn::GetAtt": [
						"FunctionExecutionRole",
						"Arn"
					]
				},
				"Code": {
					"S3Bucket": "cc-lambda-functions",
					"S3Key": "worker.zip"
				},
				"Runtime": "python3.9",
				"MemorySize": 1024,
				"Timeout": 45,
				"VpcConfig": {
					"SecurityGroupIds": [
						"sg-0abcd1234abcd1234"
					],
					"SubnetIds": [
						"subnet-abcd1234",
						"subnet-1234abcd"
					]
				}
			}
		},
		"LambdaVersion": {
			"Type": "AWS::Lambda::Version",
			"Properties": {
				"FunctionName": {
					"Ref": "LambdaFunction"
				},
				"Description": "v1"
			}
		},
		"LambdaAlias": {
			"Type": "AWS::Lambda::Alias",
			"Properties": {
				"FunctionName": {
					"Ref": "LambdaFunction"
				},
				"FunctionVersion": {
					"Fn::GetAtt": [
						"LambdaVersion",
						"Version"
					]
				},
				"Name": "cc-app-worker",
				"ProvisionedConcurrencyConfig": {
					"ProvisionedConcurrentExecutions": 300
				}
			}
		}
	}
}

  2. CloudFormation template (YAML):

    AWSTemplateFormatVersion: '2010-09-09'
	Resources:
	FunctionExecutionRole:
		Type: AWS::IAM::Role
		Properties:
		RoleName: LambdaExecutionRole
		AssumeRolePolicyDocument:
			Version: '2012-10-17'
			Statement:
			- Effect: Allow
				Principal:
				Service:
					- lambda.amazonaws.com
				Action:
				- sts:AssumeRole
		Path: /
		Policies:
			- PolicyName: AWSLambdaBasicExecutionRole
			PolicyDocument:
				Version: '2012-10-17'
				Statement:
				- Effect: Allow
					Action:
					- logs:CreateLogGroup
					- logs:CreateLogStream
					- logs:PutLogEvents
					- ec2:DescribeNetworkInterfaces
					- ec2:CreateNetworkInterface
					- ec2:DeleteNetworkInterface
					- ec2:DescribeInstances
					- ec2:AttachNetworkInterface
					Resource: '*'
	LambdaFunction:
		Type: AWS::Lambda::Function
		Properties:
		FunctionName: cc-app-worker-function
		Handler: lambda_function.lambda_handler
		Role: !GetAtt 'FunctionExecutionRole.Arn'
		Code:
			S3Bucket: cc-lambda-functions
			S3Key: worker.zip
		Runtime: python3.9
		MemorySize: 1024
		Timeout: 45
		VpcConfig:
			SecurityGroupIds:
			- sg-0abcd1234abcd1234
			SubnetIds:
			- subnet-abcd1234
			- subnet-1234abcd
	LambdaVersion:
		Type: AWS::Lambda::Version
		Properties:
		FunctionName: !Ref 'LambdaFunction'
		Description: v1
	LambdaAlias:
		Type: AWS::Lambda::Alias
		Properties:
		FunctionName: !Ref 'LambdaFunction'
		FunctionVersion: !GetAtt 'LambdaVersion.Version'
		Name: cc-app-worker
		ProvisionedConcurrencyConfig:
			ProvisionedConcurrentExecutions: 300

Using Terraform (AWS Provider)

  1. Terraform configuration file (.tf):

    terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_iam_role" "lambda-execution-role" {
	name = "LambdaExecutionRole"
	path = "/"
	managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]

	assume_role_policy = <<EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Action": "sts:AssumeRole",
				"Principal": {
					"Service": "lambda.amazonaws.com"
				},
				"Effect": "Allow"
			}
		]
	}
	EOF
}

resource "aws_lambda_function" "lambda-function" {
	function_name    = "cc-app-worker-function"
	s3_bucket        = "cc-lambda-functions"
	s3_key           = "worker.zip" 
	role             = aws_iam_role.lambda-execution-role.arn
	handler          = "lambda_function.lambda_handler"
	runtime          = "python3.9"
	memory_size      = 1024
	timeout          = 45   
	vpc_config {
		subnet_ids         = [ "subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234" ]
		security_group_ids = [ "sg-0abcd1234abcd1234" ]
	}
}

resource "aws_lambda_alias" "lambda-function-alias" {
	function_name    = aws_lambda_function.lambda-function.function_name
	function_version = aws_lambda_function.lambda-function.version
	name             = "cc-app-worker"
}

resource "aws_lambda_provisioned_concurrency_config" "lambda-provisioned-concurrency" {
	function_name                     = aws_lambda_alias.lambda-function-alias.function_name
	provisioned_concurrent_executions = 300
	qualifier                         = aws_lambda_alias.lambda-function-alias.name
}

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

  3. In the left navigation panel, under AWS Lambda, choose Functions.

  4. Click on the name of the function that you want to reconfigure.

  5. Select the Configuration tab and choose Concurrency from the left menu.

  6. In the Concurrency section, under Provisioned concurrency configurations, choose Add configuration to create a provisioned concurrency configuration for the function's alias or version.

  7. On the Configure provisioned concurrency page, perform the following operations:

    1. For Qualifier type, choose to configure provisioned concurrency for an alias or a version. Provisioned concurrency can be enabled for a specific function version or alias ($LATEST version can't be used). You can have different settings for each version of a function. It's much easier to apply provisioned concurrency to the correct version of your function using an alias.
    2. Select the alias or version that you want to configure from the Alias/Version dropdown list.
    3. Provide the amount of provisioned concurrency to allocate for the selected function version or alias in the Provisioned concurrency box.
    4. Choose Save to apply the changes. Provisioned concurrency does not become active immediately after you configure it. Amazon Lambda starts allocating provisioned concurrency after a minute or two of preparation. During this time the function remains available and continues to serve traffic.

  8. Repeat step no. 7 to configure provisioned concurrency for other function versions or aliases, created for the selected Lambda function.

  9. Repeat steps no. 4 – 8 to enable provisioned concurrency for each Lambda function available within the current AWS region.

  10. Change the AWS cloud region from the navigation bar and repeat the Remediation process for the other regions.

Using AWS CLI

  1. Run put-provisioned-concurrency-config command (OSX/Linux/UNIX) using the name and the alias or version of the Amazon Lambda function that you want to reconfigure as the identifier parameter, to update the function's alias/version configuration in order to enable provisioned concurrency for the selected resource. Use the--provisioned-concurrent-executionscommand parameter to provide the amount of provisioned concurrency to allocate for the selected function alias/version:

    aws lambda put-provisioned-concurrency-config
  --region us-east-1
  --function-name cc-export-user-data
  --qualifier cc-live-export
  --provisioned-concurrent-executions 300

  2. The output should return the put-provisioned-concurrency-config command request metadata. The provisioned concurrency allocation is now in progress. The execution environment is being prepared to serve concurrent incoming requests. During this time the function remains available and continues to serve traffic:

    {
	"RequestedProvisionedConcurrentExecutions": 300,
	"AllocatedProvisionedConcurrentExecutions": 0,
	"AvailableProvisionedConcurrentExecutions": 0,
	"LastModified": "2021-08-30T10:10:10+0000",
	"Status": "IN_PROGRESS"
}

  3. Repeat steps no. 1 and 2 to configure provisioned concurrency for other function versions or aliases, created for the selected Lambda function.

  4. Repeat steps no. 1 – 3 to enable provisioned concurrency for each Lambda function available in the selected AWS region.

  5. Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the Remediation process for other regions.

References

Publication date Sep 12, 2021

Related Lambda rules