Lambda functions should have concurrent execution limit configured

Every AWS account has a regional Lambda concurrency limit (default 1,000). A single function without a reserved concurrency limit can consume the entire pool during a traffic spike or retry storm, causing throttling across all other functions in the account. This is a common cause of cascading failures in serverless architectures.

Setting reserved_concurrent_executions on each function acts as both a ceiling and a guarantee. It caps the function's maximum parallel invocations and reserves that capacity exclusively, preventing noisy-neighbor problems between workloads sharing the same account.

Retrofit consideration

Setting reserved concurrency too low on existing high-traffic functions will immediately throttle invocations. Profile each function's peak concurrency using CloudWatch Lambda ConcurrentExecutions metrics before applying limits.

Implementation

Choose the approach that matches how you manage Terraform.

Compliance.tfOpen source moduleTerraform resources

Use the compliance.tf module to enforce this control by default. See get started with compliance.tf.

SOC 2HIPAA Omnibus Rule 2013NIST SP 800-53 Rev 5FedRAMP Moderate Baseline Rev 4NIST SP 800-171 Rev 2FFIEC Cybersecurity Assessment ToolRBI IT Framework for NBFCsFedRAMP Low Baseline Rev 4NIST Cybersecurity Framework v1.1

module "lambda" {
  source  = "soc2.compliance.tf/terraform-aws-modules/lambda/aws"
  version = ">=8.0.0"

  create_package         = false
  function_name          = "abc123"
  handler                = "index.lambda_handler"
  local_existing_package = "lambda_function.zip"
  runtime                = "python3.12"
}

module "lambda" {
  source  = "hipaa.compliance.tf/terraform-aws-modules/lambda/aws"
  version = ">=8.0.0"

  create_package         = false
  function_name          = "abc123"
  handler                = "index.lambda_handler"
  local_existing_package = "lambda_function.zip"
  runtime                = "python3.12"
}

module "lambda" {
  source  = "nist80053.compliance.tf/terraform-aws-modules/lambda/aws"
  version = ">=8.0.0"

  create_package         = false
  function_name          = "abc123"
  handler                = "index.lambda_handler"
  local_existing_package = "lambda_function.zip"
  runtime                = "python3.12"
}

module "lambda" {
  source  = "fedrampmoderate.compliance.tf/terraform-aws-modules/lambda/aws"
  version = ">=8.0.0"

  create_package         = false
  function_name          = "abc123"
  handler                = "index.lambda_handler"
  local_existing_package = "lambda_function.zip"
  runtime                = "python3.12"
}

module "lambda" {
  source  = "nist800171.compliance.tf/terraform-aws-modules/lambda/aws"
  version = ">=8.0.0"

  create_package         = false
  function_name          = "abc123"
  handler                = "index.lambda_handler"
  local_existing_package = "lambda_function.zip"
  runtime                = "python3.12"
}

module "lambda" {
  source  = "ffiec.compliance.tf/terraform-aws-modules/lambda/aws"
  version = ">=8.0.0"

  create_package         = false
  function_name          = "abc123"
  handler                = "index.lambda_handler"
  local_existing_package = "lambda_function.zip"
  runtime                = "python3.12"
}

module "lambda" {
  source  = "rbiitfnbfc.compliance.tf/terraform-aws-modules/lambda/aws"
  version = ">=8.0.0"

  create_package         = false
  function_name          = "abc123"
  handler                = "index.lambda_handler"
  local_existing_package = "lambda_function.zip"
  runtime                = "python3.12"
}

module "lambda" {
  source  = "fedramplow.compliance.tf/terraform-aws-modules/lambda/aws"
  version = ">=8.0.0"

  create_package         = false
  function_name          = "abc123"
  handler                = "index.lambda_handler"
  local_existing_package = "lambda_function.zip"
  runtime                = "python3.12"
}

module "lambda" {
  source  = "nistcsfv11.compliance.tf/terraform-aws-modules/lambda/aws"
  version = ">=8.0.0"

  create_package         = false
  function_name          = "abc123"
  handler                = "index.lambda_handler"
  local_existing_package = "lambda_function.zip"
  runtime                = "python3.12"
}

If you use terraform-aws-modules/lambda/aws, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "lambda" {
  source  = "terraform-aws-modules/lambda/aws"
  version = ">=8.0.0"

  create_package         = false
  function_name          = "abc123"
  handler                = "index.lambda_handler"
  local_existing_package = "lambda_function.zip"
  runtime                = "python3.12"
}

Use AWS provider resources directly. See docs for the resources involved: aws_lambda_function.

resource "aws_lambda_function" "this" {
  filename                       = "lambda_function.zip"
  function_name                  = "pofix-abc123"
  handler                        = "index.handler"
  reserved_concurrent_executions = 100
  role                           = "arn:aws:iam::123456789012:role/example-role"
  runtime                        = "python3.12"
  source_code_hash               = "base64encodedhashabcdef1234567890=="
}

What this control checks

The control checks that every aws_lambda_function resource has reserved_concurrent_executions set to a non-negative integer. Omitting the argument leaves the function drawing from the unreserved account pool, failing the check. A value of 0 is valid (it disables the function entirely); any positive integer reserves that many concurrent slots. It passes when every function includes reserved_concurrent_executions with a value of 0 or greater.

Common pitfalls

Setting reserved concurrency to 0 disables the function
A reserved_concurrent_executions value of 0 passes the control check but completely disables the function. All invocations will be throttled immediately. This can be intentional (kill switch) but is dangerous if set by accident.
Over-reserving concurrency starves other functions
The sum of all reserved concurrency values across functions in a region cannot exceed the account limit minus 100 (AWS reserves 100 for unreserved functions). If you reserve too aggressively, aws_lambda_function creation or updates will fail with an InvalidParameterValueException. Plan your concurrency budget before distributing limits.
Provisioned concurrency is not the same as reserved concurrency
The aws_lambda_provisioned_concurrency_config resource pre-warms execution environments but does not satisfy this control. You must still set reserved_concurrent_executions on the aws_lambda_function resource itself. Provisioned concurrency counts against reserved concurrency but does not replace it.
Functions deployed outside Terraform are invisible to plan-time checks
Lambda functions created via SAM, CDK, Serverless Framework, or console deployments bypass Terraform plan enforcement. Pair this control with an AWS Config rule like lambda-concurrency-check to catch functions regardless of deployment method.

Audit evidence

AWS Config evaluation results for lambda-concurrency-check showing all functions compliant, or a CSPM report scanning ReservedConcurrentExecutions across all regions, covers the baseline. Per-function output from aws lambda get-function --function-name <name> showing the Concurrency block with a ReservedConcurrentExecutions value provides function-level detail.

CloudWatch metrics showing per-function ConcurrentExecutions alongside the configured reserved limit demonstrate the limits are sized for actual workload patterns, not just set to satisfy the check.

Framework-specific interpretation

SOC 2: The A1 availability criteria call for capacity management that protects availability commitments. If one function can exhaust the account concurrency pool, system-level availability guarantees are only as strong as that function's traffic patterns, which is exactly the risk reserved concurrency mitigates.

HIPAA Omnibus Rule 2013: Healthcare workloads processing ePHI must stay available under the Security Rule's administrative safeguards. A runaway function that monopolizes account concurrency can degrade or disable other functions handling patient data, which is a straightforward availability failure under 45 CFR 164.306(a)(2).

NIST SP 800-53 Rev 5: SC-5 and SC-6 both apply here. SC-5 covers denial-of-service protection; a single unthrottled function consuming the full account concurrency pool is functionally a self-inflicted DoS. SC-6 requires predictable allocation of compute resources, which reserved_concurrent_executions enforces at the function level.

FedRAMP Moderate Baseline Rev 4: The Moderate baseline maps this to SC-5 (Denial of Service Protection) and SC-6 (Resource Availability). An unreserved Lambda function can exhaust the regional concurrency pool just as an external DoS attack would, making execution limits a direct SC-5 control within the authorization boundary.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

Compliance.tf Control: lambda_function_concurrent_execution_limit_configured
AWS Config Managed Rule: LAMBDA_CONCURRENCY_CHECK
Checkov Check: CKV_AWS_115
Powerpipe Control: aws_compliance.control.lambda_function_concurrent_execution_limit_configured

Last reviewed: 2026-03-09