Controlling Lambda runtime update permissions for high-compliance applications - Amazon Lambda
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Controlling Lambda runtime update permissions for high-compliance applications

To meet patching requirements, Lambda customers typically rely on automatic runtime updates. If your application is subject to strict patching freshness requirements, you may want to limit use of earlier runtime versions. You can restrict Lambda's runtime management controls by using Amazon Identity and Access Management (IAM) to deny users in your Amazon account access to the PutRuntimeManagementConfig API operation. This operation is used to choose the runtime update mode for a function. Denying access to this operation causes all functions to default to the Auto mode. You can apply this restriction across your organization by using a service control policies (SCP). If you must roll back a function to an earlier runtime version, you can grant a policy exception on a case-by-case basis.