EOLkits audit report

Account: acme-prod (redacted)

Inputs: 3 Terraform files, 1 SAM template, 2 Dockerfiles

Report SHA-256: 3f9a…c1e2 — verifiable at /verify/<sha>

Findings: 2 critical · 3 high · 1 medium

Findings — scored by severity × blast-radius

Finding	Severity	Blast radius	Cited source
EC2 launch template pinned to an Amazon Linux 2 AMI (EOL 2026-06-30)	Critical	14 instances across 2 ASGs	AWS AL2 EOL notice
`yum` / `amazon-linux-extras` in user-data — removed on AL2023	Critical	Boot-time failure on every new instance	AL2023 release notes
Lambda `python3.9` runtime — update blocked 2027-03-03	High	6 functions	Lambda runtime table
`import distutils` — removed in Python 3.12	High	2 functions	Python 3.12 what's-new
`iptables` rules in cloud-init — nftables on AL2023	High	Network setup on 14 instances	AL2023 release notes
`ntpd` — replaced by chronyd on AL2023	Medium	Time sync on 14 instances	AL2023 release notes

Roll-forward roadmap

Now → deadline: rebuild the base AMI on AL2023; swap yum→dnf and drop amazon-linux-extras in user-data.
Same change: migrate iptables→nftables and ntpd→chronyd (bundle with the AMI rebuild).
Next: fix the two distutils imports and move the 6 Lambdas to python3.12 before the 2027 block dates.

Cost of not fixing

Leave the AL2 instances past 2026-06-30 and they stop receiving security patches while new launches fail at boot. Exposure for this account: ~14 production instances unpatched plus blocked autoscaling — hours of incident time at the worst possible moment.

Get this report for your own stack — from $299 →

Or run the free scan first →