

# Deploying Lambda functions as .zip file archives
<a name="configuration-function-zip"></a>

When you create a Lambda function, you package your function code into a deployment package. Lambda supports two types of deployment packages: container images and .zip file archives. The workflow to create a function depends on the deployment package type. To configure a function defined as a container image, see [Create a Lambda function using a container image](images-create.md).

You can use the Lambda console and the Lambda API to create a function defined with a .zip file archive. You can also upload an updated .zip file to change the function code. 

**Note**  
You cannot change the [deployment package type](https://docs.aws.amazon.com/lambda/latest/api/API_CreateFunction.html#lambda-CreateFunction-request-PackageType) (.zip or container image) for an existing function. For example, you cannot convert a container image function to use a .zip file archive. You must create a new function.

**Topics**
+ [Creating the function](#configuration-function-create)
+ [Using the console code editor](#configuration-functions-console-update)
+ [Updating function code](#configuration-function-update)
+ [Changing the runtime](#configuration-function-runtime)
+ [Changing the architecture](#configuration-function-arch)
+ [Using the Lambda API](#configuration-function-api)
+ [Downloading your function code](#configuration-function-download)
+ [CloudFormation](#configuration-function-cloudformation)
+ [Encrypting Lambda .zip deployment packages](encrypt-zip-package.md)

## Creating the function
<a name="configuration-function-create"></a>

When you create a function defined with a .zip file archive, you choose a code template, the language version, and the execution role for the function. You add your function code after Lambda creates the function.

**To create the function**

1. Open the [Functions page](https://console.aws.amazon.com/lambda/home#/functions) of the Lambda console.

1. Choose **Create function**.

1. Choose **Author from scratch** or **Use a blueprint** to create your function. 

1. Under **Basic information**, do the following:

   1. For **Function name**, enter the function name. Function names are limited to 64 characters in length.

   1. For **Runtime**, choose the language version to use for your function.

   1. (Optional) For **Architecture**, choose the instruction set architecture to use for your function. The default architecture is `x86_64`. When you build the deployment package for your function, make sure that it is compatible with this [instruction set architecture](foundation-arch.md).

1. (Optional) Under **Permissions**, expand **Change default execution role**. You can create a new **Execution role** or use an existing role.

1. (Optional) Expand **Advanced settings**. You can choose a **Code signing configuration** for the function. You can also configure an Amazon VPC for the function to access.

1. Choose **Create function**.

Lambda creates the new function. You can now use the console to add the function code and configure other function parameters and features. For code deployment instructions, see the handler page for the runtime your function uses. 

------
#### [ Node.js ]

[Deploy Node.js Lambda functions with .zip file archives](nodejs-package.md) 

------
#### [ Python ]

 [Working with .zip file archives for Python Lambda functions](python-package.md) 

------
#### [ Ruby ]

 [Deploy Ruby Lambda functions with .zip file archives](ruby-package.md) 

------
#### [ Java ]

 [Deploy Java Lambda functions with .zip or JAR file archives](java-package.md) 

------
#### [ Go ]

 [Deploy Go Lambda functions with .zip file archives](golang-package.md) 

------
#### [ C# ]

 [Build and deploy C# Lambda functions with .zip file archives](csharp-package.md) 

------
#### [ PowerShell ]

 [Deploy PowerShell Lambda functions with .zip file archives](powershell-package.md) 

------

## Using the console code editor
<a name="configuration-functions-console-update"></a>

The console creates a Lambda function with a single source file. For scripting languages, you can edit this file and add more files using the built-in code editor. To save your changes, choose **Save**. Then, to run your code, choose **Test**.

When you save your function code, the Lambda console creates a .zip file archive deployment package. When you develop your function code outside of the console (using an IDE) you need to [create a deployment package](nodejs-package.md) to upload your code to the Lambda function.

## Updating function code
<a name="configuration-function-update"></a>

For scripting languages (Node.js, Python, and Ruby), you can edit your function code in the embedded code editor. If the code is larger than 3 MB, or if you need to add libraries, or for languages that the editor doesn't support (Java, Go, C#), you must upload your function code as a .zip archive. If the .zip file archive is smaller than 50 MB, you can upload the .zip file archive from your local machine. If the file is larger than 50 MB, upload the file to the function from an Amazon S3 bucket.

**To upload function code as a .zip archive**

1. Open the [Functions page](https://console.aws.amazon.com/lambda/home#/functions) of the Lambda console.

1. Choose the function to update and choose the **Code** tab.

1. Under **Code source**, choose **Upload from**.

1. Choose **.zip file**, and then choose **Upload**. 

   1. In the file chooser, select the new image version, choose **Open**, and then choose **Save**.

1. (Alternative to step 4) Choose **Amazon S3 location**.

   1. In the text box, enter the S3 link URL of the .zip file archive, then choose **Save**.

## Changing the runtime
<a name="configuration-function-runtime"></a>

If you update the function configuration to use a new runtime, you may need to update the function code to be compatible with the new runtime. If you update the function configuration to use a different runtime, you **must** provide new function code that is compatible with the runtime and architecture. For instructions on how to create a deployment package for the function code, see the handler page for the runtime that the function uses.

The Node.js 20, Python 3.12, Java 21, .NET 8, Ruby 3.3, and later base images are based on the Amazon Linux 2023 minimal container image. Earlier base images use Amazon Linux 2. AL2023 provides several advantages over Amazon Linux 2, including a smaller deployment footprint and updated versions of libraries such as `glibc`. For more information, see [Introducing the Amazon Linux 2023 runtime for AWS Lambda](https://aws.amazon.com/blogs/compute/introducing-the-amazon-linux-2023-runtime-for-aws-lambda/) on the AWS Compute Blog.

**To change the runtime**

1. Open the [Functions page](https://console.aws.amazon.com/lambda/home#/functions) of the Lambda console.

1. Choose the function to update and choose the **Code** tab.

1. Scroll down to the **Runtime settings** section, which is under the code editor.

1. Choose **Edit**.

   1. For **Runtime**, select the runtime identifier.

   1. For **Handler**, specify file name and handler for your function.

   1. For **Architecture**, choose the instruction set architecture to use for your function.

1. Choose **Save**.

## Changing the architecture
<a name="configuration-function-arch"></a>

Before you can change the instruction set architecture, you need to ensure that your function's code is compatible with the target architecture. 

If you use Node.js, Python, or Ruby and you edit your function code in the embedded editor, the existing code may run without modification.

However, if you provide your function code using a .zip file archive deployment package, you must prepare a new .zip file archive that is compiled and built correctly for the target runtime and instruction-set architecture. For instructions, see the handler page for your function runtime.

**To change the instruction set architecture**

1. Open the [Functions page](https://console.aws.amazon.com/lambda/home#/functions) of the Lambda console.

1. Choose the function to update and choose the **Code** tab.

1. Under **Runtime settings**, choose **Edit**.

1. For **Architecture**, choose the instruction set architecture to use for your function.

1. Choose **Save**.

## Using the Lambda API
<a name="configuration-function-api"></a>

To create and configure a function that uses a .zip file archive, use the following API operations: 
+ [CreateFunction](https://docs.aws.amazon.com/lambda/latest/api/API_CreateFunction.html)
+ [UpdateFunctionCode](https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionCode.html)
+ [UpdateFunctionConfiguration](https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionConfiguration.html)

## Downloading your function code
<a name="configuration-function-download"></a>

You can download the current unpublished (`$LATEST`) version of your function code .zip via the Lambda console. To do this, first ensure that you have the following IAM permissions:
+ `iam:GetPolicy`
+ `iam:GetPolicyVersion`
+ `iam:GetRole`
+ `iam:GetRolePolicy`
+ `iam:ListAttachedRolePolicies`
+ `iam:ListRolePolicies`
+ `iam:ListRoles`

**To download the function code .zip**

1. Open the [Functions page](https://console.aws.amazon.com/lambda/home#/functions) of the Lambda console.

1. Choose the function you want to download the function code .zip for.

1. In the **Function overview**, choose the **Download** button, then choose **Download function code .zip**.

   1. Alternatively, choose **Download AWS SAM file** to generate and download a SAM template based on your function's configuration. You can also choose **Download both** to download both the .zip and the SAM template.

## CloudFormation
<a name="configuration-function-cloudformation"></a>

You can use CloudFormation to create a Lambda function that uses a .zip file archive. In your CloudFormation template, the `AWS::Lambda::Function` resource specifies the Lambda function. For descriptions of the properties in the `AWS::Lambda::Function` resource, see [AWS::Lambda::Function](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html) in the *AWS CloudFormation User Guide*.

In the `AWS::Lambda::Function` resource, set the following properties to create a function defined as a .zip file archive:
+ AWS::Lambda::Function
  + PackageType – Set to `Zip`.
  + Code – Enter the Amazon S3 bucket name and .zip file name in the `S3Bucket` and `S3Key` fields. For Node.js or Python, you can provide inline source code of your Lambda function.
  + Runtime – Set the runtime value.
  + Architecture – Set the architecture value to `arm64` to use the AWS Graviton2 processor. By default, the architecture value is `x86_64`.

# Encrypting Lambda .zip deployment packages
<a name="encrypt-zip-package"></a>

Lambda always provides server-side encryption at rest for .zip deployment packages and function configuration details with an AWS KMS key. By default, Lambda uses an [AWS owned key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk). If this default behavior suits your workflow, you don't need to set up anything else. AWS doesn't charge you to use this key.

If you prefer, you can provide an AWS KMS customer managed key instead. You might do this to have control over rotation of the KMS key or to meet the requirements of your organization for managing KMS keys. When you use a customer managed key, only users in your account with access to the KMS key can view or manage the function's code or configuration.

Customer managed keys incur standard AWS KMS charges. For more information, see [AWS Key Management Service pricing](https://aws.amazon.com/kms/pricing/).

## Create a customer managed key
<a name="create-key"></a>

You can create a symmetric customer managed key by using the AWS Management Console or the AWS KMS APIs.

**To create a symmetric customer managed key**

Follow the steps for [Creating symmetric encryption KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the *AWS Key Management Service Developer Guide*.

### Permissions
<a name="enable-zip-permissions"></a>

**Key policy**

[Key policies](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. For more information, see [How to change a key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html#key-policy-modifying-how-to) in the *AWS Key Management Service Developer Guide*.

When you use a customer managed key to encrypt a .zip deployment package, Lambda doesn't add a [grant](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) to the key. Instead, your AWS KMS key policy must allow Lambda to call the following AWS KMS API operations on your behalf:
+ [kms:GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html)
+ [kms:Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html)

The following example key policy allows all Lambda functions in account 111122223333 to call the required AWS KMS operations for the specified customer managed key:

**Example AWS KMS key policy**    

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id",
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:lambda:FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:*"
                }
            }
        }
    ]
}
```

For more information about [troubleshooting key access](https://docs.aws.amazon.com/kms/latest/developerguide/policy-evaluation.html#example-no-iam), see the *AWS Key Management Service Developer Guide*.
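One way to check a key policy against the requirements above before attaching it to the key. This is an added example, not AWS code: the names `audit_lambda_key_policy` and `make_policy` are hypothetical, and the sample policies are constructed from the example policy on this page.

```python
import json

REQUIRED_ACTIONS = {"kms:GenerateDataKey", "kms:Decrypt"}
LAMBDA_SERVICE = "lambda.amazonaws.com"
CONTEXT_KEY = "kms:encryptioncontext:aws:lambda:functionarn"  # compared lowercased


def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _context_patterns(statement):
    """Collect FunctionArn encryption-context patterns from StringEquals/StringLike."""
    patterns = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringLike"):
            continue
        for key, value in keys.items():
            if key.lower() == CONTEXT_KEY:
                patterns.extend(_as_list(value))
    return patterns


def audit_lambda_key_policy(policy_json, account_id):
    """Return findings for a key policy; an empty list means it passes."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    granted, findings = set(), []
    for index, stmt in enumerate(statements):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or LAMBDA_SERVICE not in services:
            continue  # only statements that grant access to the Lambda service
        actions = set(_as_list(stmt.get("Action")))  # exact-case match, as on this page
        granted |= REQUIRED_ACTIONS if "kms:*" in actions else actions & REQUIRED_ACTIONS
        patterns = _context_patterns(stmt)
        if not patterns:
            findings.append(f"statement {index}: no FunctionArn encryption-context condition")
        for pattern in patterns:
            # arn:aws:lambda:<region>:<account>:function:<name>
            fields = pattern.split(":")
            if len(fields) < 6 or fields[4] != account_id or fields[5] != "function":
                findings.append(f"statement {index}: condition not scoped to account: {pattern}")
    for action in sorted(REQUIRED_ACTIONS - granted):
        findings.append(f"missing action for {LAMBDA_SERVICE}: {action}")
    return findings


def make_policy(actions, condition=None):
    """Build a constructed sample policy shaped like the example on this page."""
    statement = {
        "Effect": "Allow",
        "Principal": {"Service": LAMBDA_SERVICE},
        "Action": actions,
        "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id",
    }
    if condition:
        statement["Condition"] = {"StringLike": {
            "kms:EncryptionContext:aws:lambda:FunctionArn": condition}}
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})


if __name__ == "__main__":
    scoped = "arn:aws:lambda:us-east-1:111122223333:function:*"
    both = ["kms:GenerateDataKey", "kms:Decrypt"]
    print(audit_lambda_key_policy(make_policy(both, scoped), "111122223333"))
    print(audit_lambda_key_policy(make_policy(["kms:Decrypt"]), "111122223333"))
```
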

**Principal permissions**

When you use a customer managed key to encrypt a .zip deployment package, only [principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html) with access to that key can access the .zip deployment package. For example, principals who don't have access to the customer managed key can't download the .zip package using the presigned S3 URL that's included in the [GetFunction](https://docs.aws.amazon.com/lambda/latest/api/API_GetFunction.html) response. An `AccessDeniedException` is returned in the `Code` section of the response.

**Example AWS KMS AccessDeniedException**  

```
{
    "Code": {
        "RepositoryType": "S3",
        "Error": {
            "ErrorCode": "AccessDeniedException",
            "Message": "KMS access is denied. Check your KMS permissions. KMS Exception: AccessDeniedException KMS Message: User: arn:aws:sts::111122223333:assumed-role/LambdaTestRole/session is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:us-east-1:111122223333:key/key-id with an explicit deny in a resource-based policy"
        },
        "SourceKMSKeyArn": "arn:aws:kms:us-east-1:111122223333:key/key-id"
    },
	...
```

For more information about permissions for AWS KMS keys, see [Authentication and access control for AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/control-access.html).
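A triage helper for the response shown above, as an added example that is not AWS code. The function name `parse_kms_denial` is hypothetical, the regular expression follows only the message wording in this page's example, and the second sample response (including its `Location` URL) is constructed.

```python
import re

# Matches the message wording shown in the example on this page. A message
# with different wording is returned with only the raw text filled in.
DENIAL_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+)"
    r" on resource: (?P<resource>\S+)(?P<tail>.*)$"
)


def parse_kms_denial(get_function_response):
    """Return details of a KMS denial in a GetFunction response, or None."""
    code = get_function_response.get("Code", {})
    error = code.get("Error")
    if not error or error.get("ErrorCode") != "AccessDeniedException":
        return None
    message = error.get("Message", "")
    result = {
        "source_key": code.get("SourceKMSKeyArn"),
        "message": message,
        "principal": None,
        "role_name": None,
        "action": None,
        "resource": None,
        "explicit_deny": None,
    }
    match = DENIAL_RE.search(message)
    if match:
        principal = match.group("principal")
        result.update(
            principal=principal,
            action=match.group("action"),
            resource=match.group("resource"),
            # An explicit deny points at a Deny statement; otherwise look
            # for a missing Allow on the key.
            explicit_deny="explicit deny" in match.group("tail"),
        )
        # Assumed-role ARNs look like ...:assumed-role/<role>/<session>
        parts = principal.split("/")
        if ":assumed-role/" in principal and len(parts) >= 2:
            result["role_name"] = parts[1]
    return result


# Sample responses: the first repeats the example on this page, the second
# is a constructed response for a caller that does have access to the key.
DENIED = {"Code": {
    "RepositoryType": "S3",
    "Error": {
        "ErrorCode": "AccessDeniedException",
        "Message": "KMS access is denied. Check your KMS permissions. "
                   "KMS Exception: AccessDeniedException KMS Message: User: "
                   "arn:aws:sts::111122223333:assumed-role/LambdaTestRole/session "
                   "is not authorized to perform: kms:Decrypt on resource: "
                   "arn:aws:kms:us-east-1:111122223333:key/key-id with an "
                   "explicit deny in a resource-based policy",
    },
    "SourceKMSKeyArn": "arn:aws:kms:us-east-1:111122223333:key/key-id",
}}
ALLOWED = {"Code": {
    "RepositoryType": "S3",
    "Location": "https://example.invalid/presigned-url",
    "SourceKMSKeyArn": "arn:aws:kms:us-east-1:111122223333:key/key-id",
}}

if __name__ == "__main__":
    print(parse_kms_denial(DENIED))
    print(parse_kms_denial(ALLOWED))
```
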

## Using a customer managed key for your .zip deployment package
<a name="enable-zip-custom-encryption"></a>

Use the following API parameters to configure customer managed keys for .zip deployment packages:
+ [SourceKMSKeyArn](https://docs.aws.amazon.com/lambda/latest/api/API_FunctionCode.html#lambda-Type-FunctionCode-SourceKMSKeyArn): Encrypts the source .zip deployment package (the file that you upload).
+ [KMSKeyArn](https://docs.aws.amazon.com/lambda/latest/api/API_CreateFunction.html#lambda-CreateFunction-request-KMSKeyArn): Encrypts [environment variables](configuration-envvars-encryption.md) and [Lambda SnapStart](snapstart.md) snapshots.

When `SourceKMSKeyArn` and `KMSKeyArn` are both specified, Lambda uses the `KMSKeyArn` key to encrypt the unzipped version of the package that Lambda uses to invoke the function. When `SourceKMSKeyArn` is specified but `KMSKeyArn` is not, Lambda uses an [AWS managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) to encrypt the unzipped version of the package.

------
#### [ Lambda console ]

**To add customer managed key encryption when you create a function**

1. Open the [Functions page](https://console.aws.amazon.com/lambda/home#/functions) of the Lambda console.

1. Choose **Create function**.

1. Choose **Author from scratch** or **Container image**. 

1. Under **Basic information**, do the following:

   1. For **Function name**, enter the function name.

   1. For **Runtime**, choose the language version to use for your function.

1. Expand **Advanced settings**, and then select **Enable encryption with an AWS KMS customer managed key**.

1. Choose a customer managed key.

1. Choose **Create function**.

To remove customer managed key encryption, or to use a different key, you must upload the .zip deployment package again.

**To add customer managed key encryption to an existing function**

1. Open the [Functions page](https://console.aws.amazon.com/lambda/home#/functions) of the Lambda console.

1. Choose the name of a function.

1. In the **Code source** pane, choose **Upload from**.

1. Choose **.zip file** or **Amazon S3 location**.  
![\[\]](http://docs.aws.amazon.com/lambda/latest/dg/images/upload-zip.png)

1. Upload the file or enter the Amazon S3 location.

1. Choose **Enable encryption with an AWS KMS customer managed key**.

1. Choose a customer managed key.

1. Choose **Save**.

------
#### [ AWS CLI ]

**To add customer managed key encryption when you create a function**

In the following [create-function](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/create-function.html) example:
+ `--code`: Specifies the local path to the .zip deployment package (`ZipFile`) and the customer managed key to encrypt it (`SourceKMSKeyArn`).
+ `--kms-key-arn`: Specifies the customer managed key to encrypt the environment variables and the unzipped version of the deployment package.

```
aws lambda create-function \
  --function-name myFunction \
  --runtime nodejs24.x \
  --handler index.handler \
  --role arn:aws:iam::111122223333:role/service-role/my-lambda-role \
  --code ZipFile=fileb://myFunction.zip,SourceKMSKeyArn=arn:aws:kms:us-east-1:111122223333:key/key-id \
  --kms-key-arn arn:aws:kms:us-east-1:111122223333:key/key2-id
```

In the following [create-function](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/create-function.html) example:
+ `--code`: Specifies the location of the .zip file in an Amazon S3 bucket (`S3Bucket`, `S3Key`, `S3ObjectVersion`) and the customer managed key to encrypt it (`SourceKMSKeyArn`).
+ `--kms-key-arn`: Specifies the customer managed key to encrypt the environment variables and the unzipped version of the deployment package.

```
aws lambda create-function \
  --function-name myFunction \
  --runtime nodejs24.x --handler index.handler \
  --role arn:aws:iam::111122223333:role/service-role/my-lambda-role \
  --code S3Bucket=amzn-s3-demo-bucket,S3Key=myFileName.zip,S3ObjectVersion=myObjectVersion,SourceKMSKeyArn=arn:aws:kms:us-east-1:111122223333:key/key-id \
  --kms-key-arn arn:aws:kms:us-east-1:111122223333:key/key2-id
```

**To add customer managed key encryption to an existing function**

In the following [update-function-code](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-code.html) example:
+ `--zip-file`: Specifies the local path to the .zip deployment package.
+ `--source-kms-key-arn`: Specifies the customer managed key to encrypt the zipped version of the deployment package. Lambda uses an AWS owned key to encrypt the unzipped package for function invocations. If you want to use a customer managed key to encrypt the unzipped version of the package, run the [update-function-configuration](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html) command with the `--kms-key-arn` option.

```
aws lambda update-function-code \
  --function-name myFunction \
  --zip-file fileb://myFunction.zip \
  --source-kms-key-arn arn:aws:kms:us-east-1:111122223333:key/key-id
```

In the following [update-function-code](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-code.html) example:
+ `--s3-bucket`: Specifies the location of the .zip file in an Amazon S3 bucket.
+ `--s3-key`: Specifies the Amazon S3 key of the deployment package.
+ `--s3-object-version`: For versioned objects, the version of the deployment package object to use.
+ `--source-kms-key-arn`: Specifies the customer managed key to encrypt the zipped version of the deployment package. Lambda uses an AWS owned key to encrypt the unzipped package for function invocations. If you want to use a customer managed key to encrypt the unzipped version of the package, run the [update-function-configuration](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html) command with the `--kms-key-arn` option.

```
aws lambda update-function-code \
  --function-name myFunction \
  --s3-bucket amzn-s3-demo-bucket \
  --s3-key myFileName.zip \
  --s3-object-version myObjectVersion \
  --source-kms-key-arn arn:aws:kms:us-east-1:111122223333:key/key-id
```

**To remove customer managed key encryption from an existing function**

In the following [update-function-code](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-code.html) example, `--zip-file` specifies the local path to the .zip deployment package. When you run this command without the `--source-kms-key-arn` option, Lambda uses an AWS owned key to encrypt the zipped version of the deployment package.

```
aws lambda update-function-code \
  --function-name myFunction \
  --zip-file fileb://myFunction.zip
```

------