Handling EOL Security Alerts
When you onboard your AWS account (master payer or child) into the nOps platform, a CloudFormation (CF) stack is deployed in your AWS Console.
This stack creates several resources, including a Lambda function named NopsCallback
, which uses a specific Python runtime version.
Over time, this runtime may reach EOL (End of Life) — meaning it no longer receives updates or security patches from AWS. As a result, it can trigger security alerts flagged by tools like AWS Security Hub, third-party scanners, or internal audits.
Recommended Solutions to Address the EOL Lambda
You can resolve this EOL Lambda security issue using either of the two approaches below:
Option 1: Delete the NopsCallback
Lambda Function
The
NopsCallback
Lambda is not used by the platform post-onboarding and can be safely removed.
Steps to Remove the Lambda
-
Log in to the AWS Console
-
Go to CloudFormation and select the stack you ran during onboarding
-
Navigate to the Resources tab
-
Look for a resource with Logical ID:
NopsCallback
-
Click the Physical ID link of this resource
- On the Lambda function page, click Actions → Delete
Note: There is no operational dependency on this Lambda after onboarding is complete.
If you manually delete this Lambda and later decide to delete the entire CloudFormation stack, AWS will:
- Show a warning that one or more resources (like
NopsCallback
) no longer exist. - Still proceed with the deletion of all remaining stack resources.
- Mark the stack as
DELETE_COMPLETE
once finished.
So, manually deleting
NopsCallback
does not block or interfere with future stack deletion.
AWS simply skips the missing resource and deletes the rest.
Option 2: Update the CF Stack with the Latest Template
This method updates the entire CloudFormation stack to the latest version, which includes a new Lambda runtime and other improvements.
Steps to Update the Stack
-
Log in to the AWS Console
-
Go to CloudFormation and select the stack used during onboarding
-
Click on Update in the top-right corner
-
Choose "Replace existing template"
-
In the next step, choose one of the following:
- Upload a template file
- Specify an Amazon S3 URL
-
Click Next
-
On the Parameters page:
- Review existing values
- Modify only if needed, otherwise leave them as it is
-
Continue clicking Next, then Update Stack to proceed
This ensures you're running the latest stack with updated runtime and secured resources.