
Health event for aws-controltower-NotificationForwarder in Python 3.9 going EOL

1

So we are receiving a lot of AWS Health emails that we have Lambdas that use Python 3.9 that will go EOL at the end of the year. But the Lambdas are the aws-controltower-NotificationForwarder Lambda function deployed by Control Tower.

From reading other threads about when this happened with Python 3.6, the same situation occurred, where the version in use wasn't updated before the email was sent out.

So I am just wondering if an update to Control Tower will be deployed before Python 3.9 goes EOL and if we can ignore these emails.

  • Hi Jens, If you've received a health event notification about the aws-controltower-NotificationForwarder Lambda function using Python 3.9 reaching end-of-life, here's what you need to know:

    AWS Control Tower automatically deploys a Lambda function called aws-controltower-NotificationForwarder to every enrolled account. This function:

    • Retrieves AWS Config compliance change notifications from local SNS topics
    • Forwards these notifications to SNS topics in your Audit/Security account
    • Currently runs on Python 3.9 runtime

    Action Required: None

    You can safely disregard the Python 3.9 end-of-life email for this specific function. Here's why:

    • This is an AWS-managed Lambda function (not customer-managed)
    • AWS will automatically upgrade the runtime to Python 3.13 in the coming weeks
    • The upgrade will happen before the December 15, 2025 EOL deadline
    • No customer action is required

    Important Distinction:

    • AWS-managed functions (like NotificationForwarder): Automatically updated by AWS
    • Customer-managed functions: Must be updated by customers before November 2025

    If you have other Lambda functions using Python 3.9 that you created yourself, those will still need to be updated manually.

    This information applies to AWS Control Tower managed Lambda functions only. Always review your own Lambda functions for runtime updates.
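One way to act on the distinction drawn in the comment above, as an added example that is not part of the original thread or AWS's own tooling: split the functions still on `python3.9` into Control Tower managed and customer-managed. It assumes managed functions can be recognised by the `aws-controltower-` name prefix seen in this thread; the sample data is constructed.

```python
"""Triage Lambda functions still on a deprecated runtime (added example)."""

DEPRECATED_RUNTIME = "python3.9"
# Assumption: Control Tower's managed functions are recognised by this name
# prefix, taken from the function name discussed in the thread. A function
# you created yourself with the same prefix would be misclassified.
MANAGED_PREFIX = "aws-controltower-"


def triage(functions, runtime=DEPRECATED_RUNTIME, managed_prefix=MANAGED_PREFIX):
    """Split function configs that use `runtime` into managed vs. customer-owned."""
    report = {"control_tower_managed": [], "customer_managed": []}
    for fn in functions:
        # Container-image functions carry no Runtime key, so use .get().
        if fn.get("Runtime") != runtime:
            continue
        key = ("control_tower_managed"
               if fn["FunctionName"].startswith(managed_prefix)
               else "customer_managed")
        report[key].append(fn["FunctionName"])
    return report


def fetch_functions(region):
    """Return every function configuration in one region (needs boto3 and credentials)."""
    import boto3  # imported lazily so triage() also works offline
    client = boto3.client("lambda", region_name=region)
    functions = []
    for page in client.get_paginator("list_functions").paginate():
        functions.extend(page["Functions"])
    return functions


# Constructed sample in the shape of lambda:ListFunctions output.
SAMPLE = [
    {"FunctionName": "aws-controltower-NotificationForwarder", "Runtime": "python3.9"},
    {"FunctionName": "billing-export", "Runtime": "python3.9"},
    {"FunctionName": "image-resizer", "Runtime": "python3.13"},
    {"FunctionName": "container-job", "PackageType": "Image"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Against a real account, pass `fetch_functions("<region>")` to `triage()` once per region in use; only the `customer_managed` list needs a manual runtime update.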

2 Answers
1

Based on the available information, there appears to be some confusion about Python 3.9 end-of-life dates.

First, regarding your specific concern about the aws-controltower-NotificationForwarder Lambda function: AWS Control Tower has a history of updating their managed Lambda functions before runtime deprecation. For example, in April 2022, AWS Control Tower landing zone version 2.9 updated the notification forwarder Lambda from Python 3.6 to Python 3.9 runtime, addressing the deprecation of Python 3.6 which was planned for July 2022.

Regarding Python 3.9 end-of-life: The upstream end-of-life date for Python 3.9 (as used in Amazon Linux 2023 as the system Python) is actually June 30, 2029, which is quite far in the future. This suggests that the health events you're receiving might be premature or possibly referring to a different timeline specific to AWS Lambda runtimes rather than the general Python language support.

For Lambda functions created and managed by AWS services like Control Tower, these are typically managed automatically by AWS. You generally don't need to manually update these functions as AWS is responsible for maintaining them and ensuring they use supported runtimes.

Based on historical patterns, it's reasonable to expect that AWS will update the Control Tower notification forwarder Lambda to use a newer Python runtime before any actual end-of-life date. You can likely wait for AWS to release an update to address this issue rather than attempting to modify these managed resources yourself, which could lead to unexpected behavior.
Sources
January - December 2022 - AWS Control Tower
System Manager State Manager - AWS Lambda end of support for Python 3.9 | AWS re:Post
Package support statements - Amazon Linux 2023
Do I need to manually manage Lambda functions created by Quick Setup? | AWS re:Post

answered 10 months ago
EXPERT
reviewed 10 months ago
  • I recently got this email from AWS.

    1. Is there any way to debug what went wrong specifically? An access-denied IAM Role foo could not be assumed (or similar) would be very helpful. I don't see any errors in CloudFormation in the management account or child account. I just see the AWSControlTowerBP-BASELINE-CLOUDWATCH StackSet Detailed Status is pending for a number of accounts? And the drift detection says no drift?
    2. I can see that the AWSControlTowerBP-BASELINE-CLOUDWATCH Template in the management account has a Python version of 3.13, whereas the child account templates list python version 3.9
    3. Do I really need to reset my Landing Zone?
    4. What does resetting my Landing Zone do actually?

    Hello,

    AWS Lambda recently announced the deprecation of Python v3.9 planned for December 15, 2025. On September 3, 2025, AWS Control Tower attempted to upgrade the Python version in your environment but was unable to update this account due to a lack of permissions to modify the lambda. You can find details of any affected resources in the 'Affected resources' tab of the Health Dashboard or in the 'affectedEntities' field of EventBridge/API responses.

    To ensure your lambdas are receiving updates, we highly recommend to upgrade them. To upgrade to the latest Python version, you must perform a Reset Landing Zone operation [1] followed by re-registering all of your OUs [2].

    You must be on Landing Zone version 3.1 or above to Reset your Landing Zone in place.

    If you have an

0

I'm hoping we can get some official response here. In 2022, https://repost.aws/en/questions/QU4aAur2AXQNe11ySUoPYOyQ/upgrade-path-for-control-tower-python-3-6-lambdas indicated that support was working to eliminate notifications for Lambda deprecations that AWS controls themselves.

Imagine the total number of wasted labor hours across every AWS customer who utilizes Control Tower investigating the deprecation and remediation, only to eventually discover it's not something within their control to fix.

We are working with the Lambda team to limit any future notifications.

answered 10 months ago
