Announcement: Performance Considerations for AWS Rust SDK in Lambda Environments

[landonxjames]

What You Need to Know

We want to make you aware of a recent performance regression when using the AWS Rust SDK in AWS Lambda environments.

Background

The Rust SDK crates use AWS-LC as the default crypto provider for creating TLS connections (via the rustls crate). Starting with AWS-LC v1.60 (aws-lc-rs v1.14.1), the underlying cryptographic library switched to CPU jitter as an entropy source for enhanced security. While this change strengthens the security posture by providing an additional entropy source, it introduces initialization latency that can impact Lambda cold starts.

Impact on Your Lambda Functions

You may observe:

• Additional latency ranging from several milliseconds to ~1 second during Lambda cold starts
• More noticeable impact on smaller Lambda functions or those with frequent cold starts
• Latency occurs once per process initialization, not on subsequent invocations

The performance impact is due to CPU jitter entropy collection running at process startup. This collection process is compiled without optimization (as required by the jitter entropy library specification) and uses SHA3, which has lower CPU performance compared to SHA2 on most processors.

Recommended Mitigation

If your application is sensitive to cold start latency, you can disable CPU jitter entropy by setting a build-time environment variable:

export AWS_LC_SYS_NO_JITTER_ENTROPY=1

Important: This environment variable must be set during the build/compilation phase of your Lambda function, not at runtime.

When disabled, the library continues to use secure traditional entropy sources such as RD_RAND or /dev/urandom.

Security Considerations

CPU jitter entropy provides an additional layer of security by offering a supplementary entropy source. Disabling it reduces the number of entropy sources but does not compromise the overall security of the cryptographic operations, as AWS-LC continues to use proven entropy sources.

We recommend evaluating the trade-off between cold start performance and the additional security layer based on your specific application requirements.

Additional Resources

• Technical details: Large performance regression 1.14.0 -> 1.14.1 aws/aws-lc-rs#899
• Configuration documentation: https://aws.github.io/aws-lc-rs/resources.html#entropy-configuration
• Available since: aws-lc-sys v0.32.3 (October 2025)

If you have questions or need assistance, please reach out through your standard AWS support channels.

[jlizen]

For context, AWS_LC by default disables the cpu jitter for snapstart Java lambdas due to performance impact (and ease of detecting host context).

[jlizen]

Also, here is an aws-lambda-rust-runtime discussion on this: aws/aws-lambda-rust-runtime#1101