
Amazon Linux 2 EOL June 30: Migrate Your Lambda Functions Now


Amazon Linux 2 hits end of life in 15 days. On June 30, 2026, AWS stops patching the operating system that runs under six Lambda runtimes — and if you are on any of them, your functions will keep executing, but they will be running on an unpatched OS with no security fixes and no technical support. That sounds manageable until you see what follows: July 31, AWS drops support for provided.al2. August 31, you cannot create new functions on AL2. September 30, you cannot update existing ones. Miss June 30 and you are on a countdown to being locked out of your own functions.

Which Lambda Runtimes Are Affected

Check whether your functions are actually on Amazon Linux 2. These are the Lambda runtimes that run on AL2:

  • python3.10, python3.11
  • java8.al2, java11, java17
  • nodejs18.x
  • provided.al2 (custom runtimes — Go, Rust, Ruby)

If your function uses python3.12, java21, nodejs20.x, nodejs22.x, or provided.al2023, you are already on Amazon Linux 2023 and there is nothing to do. Check your runtime first — you may already be clear.

Find Your Affected Functions Now

Before migrating anything, run an audit. This AWS CLI command lists every function in the current region running on an AL2 runtime:

# List functions in the current region whose runtime runs on Amazon Linux 2
aws lambda list-functions \
  --query "Functions[?Runtime=='python3.10' || Runtime=='python3.11' \
  || Runtime=='java8.al2' || Runtime=='java11' || Runtime=='java17' \
  || Runtime=='nodejs18.x' || Runtime=='provided.al2'] \
  | [*].{Name:FunctionName, Runtime:Runtime}" \
  --output table

Run this in every region where you deploy Lambda. An empty table means you are done in that region. Every row is a function you need to migrate.

Three Gotchas That Cause Production Incidents

For most functions, the runtime upgrade is a single CLI call. But AL2 and AL2023 diverge in three places that consistently break things:

1. Native Binaries Need a Rebuild

AL2023 ships glibc 2.34. AL2 shipped 2.26. That gap matters for anything compiled against system libraries. If your Lambda Layer bundles psycopg2 with C extensions, bcrypt, node-canvas, or any other native addon, those binaries will fail on startup under AL2023. Rebuild them against an AL2023 base image — or switch to pure-Python or pure-JS alternatives where available. The AL2023 migration guide covers which system library versions changed.

2. amazon-linux-extras Is Gone

AL2 had amazon-linux-extras for installing additional packages. AL2023 removes it entirely and uses DNF instead of YUM. If your custom runtime bootstrap script calls amazon-linux-extras install anywhere, it will fail. Replace those calls with dnf install. Package names are mostly the same — the command is what changed.

3. No System Python 2.7

AL2023 does not include Python 2.7 at the OS level. If any bootstrap scripts, shell scripts invoked from Lambda, or custom runtime code calls bare python instead of python3, they will get a command-not-found error. Find them before AL2023 finds them in production.
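The three checks above can be run as a pre-migration scan over an unpacked deployment package or layer. This is an added example, not code from the article; the sample file names are constructed, and the bare-`python` regex is a heuristic assumption that can also match comments.

```shell
#!/usr/bin/env bash
# Added example (not from the article): flag the three AL2 -> AL2023 gotchas
# in an unpacked Lambda deployment package or layer directory.

# Gotcha 1: native code (.so libraries, .node addons) built against AL2's glibc.
find_native() {
  find "$1" -type f \( -name '*.so' -o -name '*.so.*' -o -name '*.node' \) | sort
}

# Gotcha 2: text files that still call amazon-linux-extras (absent on AL2023).
find_extras() {
  grep -rIl 'amazon-linux-extras' "$1" | sort
}

# Gotcha 3: text files invoking bare python/python2 (heuristic: the word must
# stand alone, so python3, python3.12 and python-dateutil do not match).
find_bare_python() {
  grep -rIlE '(^|[^[:alnum:]_.-])python(2[.0-9]*)?([[:space:]]|$)' "$1" | sort
}

# Print one "LABEL path" line per finding; return 1 if anything was found.
scan_package() {
  local dir report
  dir=$1
  report=$(
    find_native "$dir"      | sed 's/^/NATIVE-REBUILD /'
    find_extras "$dir"      | sed 's/^/EXTRAS-CALL /'
    find_bare_python "$dir" | sed 's/^/BARE-PYTHON /'
  )
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Constructed sample package (hypothetical file names) so the scan runs offline.
make_sample() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/python/psycopg2" "$d/bin"
  printf '\177ELF' > "$d/python/psycopg2/_psycopg.so"
  printf '#!/bin/sh\namazon-linux-extras install -y epel\nexec python handler.py\n' > "$d/bootstrap"
  printf '#!/bin/sh\nexec python3 /var/task/app.py\n' > "$d/bin/ok.sh"
  echo "$d"
}

sample=$(make_sample)
scan_package "$sample" || echo "findings above: fix before switching the runtime"
rm -rf "$sample"
```

The non-zero return code lets a CI job block the runtime switch until the package scans clean.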

How to Migrate

Once you have audited for the gotchas above, the actual migration is one command per function. Update the runtime:

aws lambda update-function-configuration \
  --function-name YOUR_FUNCTION_NAME \
  --runtime python3.12

Runtime mapping:

  • python3.10 / python3.11 → python3.12 or python3.13
  • java11 / java17 → java21
  • nodejs18.x → nodejs22.x
  • provided.al2 → provided.al2023
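To apply the audit and the mapping across every region, the script below turns an inventory into a list of update commands that you review before running. It is an added example, not code from the article: the function names are hypothetical, python3.12 is chosen where the table allows two targets, and java8.al2 is flagged for a manual decision because the table gives it no target.

```shell
#!/usr/bin/env bash
# Added example (not from the article): build a reviewable migration plan.

# Map an AL2 runtime to its AL2023 target, following the article's table.
al2023_target() {
  case "$1" in
    python3.10|python3.11) echo python3.12 ;;
    java11|java17)         echo java21 ;;
    nodejs18.x)            echo nodejs22.x ;;
    provided.al2)          echo provided.al2023 ;;
    *) return 1 ;;  # already on AL2023, or no target listed
  esac
}

# Emit "region name runtime" for every function in every enabled region.
# Needs AWS credentials, so the demo at the bottom does not call it.
inventory() {
  for r in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    aws lambda list-functions --region "$r" \
      --query 'Functions[].[FunctionName,Runtime]' --output text |
      sed "s/^/$r /"
  done
}

# Read inventory lines on stdin; print one command per AL2 function.
# Nothing is executed here: the output is a plan to review, then run.
plan_updates() {
  while read -r region name runtime; do
    if target=$(al2023_target "$runtime"); then
      echo "aws lambda update-function-configuration --region $region --function-name $name --runtime $target"
    elif [ "$runtime" = java8.al2 ]; then
      echo "# MANUAL $region $name: java8.al2 has no target in the mapping"
    fi
  done
}

# Constructed inventory lines standing in for real `inventory` output.
plan_updates <<'EOF'
us-east-1 orders-api python3.11
eu-west-1 legacy-batch java8.al2
us-east-1 image-resize provided.al2
us-east-1 new-service nodejs22.x
EOF
```

With credentials configured, `inventory | plan_updates` produces the same kind of plan for a real account.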

If you manage Lambda with Terraform, update the runtime attribute in your aws_lambda_function resource and apply. The AWS blog on AL2023 Lambda support has additional context on what changed under the hood. One bonus: provided.al2023 is under 40 MB versus ~109 MB for provided.al2 — custom runtime cold starts get faster for free.

What to Do If You Cannot Migrate by June 30

If June 30 passes and you are still on AL2 runtimes, your functions will not stop running. AWS is not pulling the switch on July 1. What you lose is patches and support — and what you gain is a compliance problem and a growing attack surface. If you are stuck mid-migration:

  • Prioritize internet-facing functions first — those carry the most exposure
  • Move internal or low-risk functions to the back of the queue
  • Document migration status for your security and compliance teams
  • Hard deadline: get everything off AL2 before August 31, when AWS blocks new function creation on AL2 runtimes

The migration is not complicated for most teams. The risk is ignoring it. The deadline is 15 days out, and the consequences of missing it are not hypothetical — they are on a published schedule.

ByteBot