diff --git a/README.md b/README.md index edb10d6..b25d75c 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,11 @@ Terraform module to create an AWS Lambda function. -IMPORTANT: We do not pin modules to versions in our examples. We highly recommend that in your code you pin the version to the exact version you are using so that your infrastructure remains stable. +> [!TIP] +> We do not pin modules to versions in our examples. We highly recommend that in your code you pin the version to the exact version you are using so that your infrastructure remains stable. + +> [!IMPORTANT] +> Exactly one of `var.filename`, `var.image_config.uri`, or `var.s3_bucket` must be specified when using the module. ## Requirements @@ -58,14 +62,16 @@ IMPORTANT: We do not pin modules to versions in our examples. We highly recommen | [execution\_role\_custom](#input\_execution\_role\_custom) | Optional existing IAM role for Lambda execution. Overrides the role configured in the execution\_role variable. |
object({| `null` | no | | [filename](#input\_filename) | The path to the function's deployment package within the local filesystem | `string` | `null` | no | | [handler](#input\_handler) | The function entrypoint in your code | `string` | `"main.handler"` | no | +| [image\_config](#input\_image\_config) | Container image configuration values. The ECR image URI must be a private ECR URI. |
arn = string
})
object({| `null` | no | | [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN of the KMS key used to encrypt the cloudwatch log group and environment variables | `string` | `null` | no | | [layers](#input\_layers) | List of Lambda layer ARNs to be used by the Lambda function | `list(string)` | `[]` | no | | [log\_retention](#input\_log\_retention) | Number of days to retain log events in the specified log group | `number` | `365` | no | | [memory\_size](#input\_memory\_size) | The memory size of the lambda | `number` | `null` | no | +| [package\_type](#input\_package\_type) | The Lambda deployment package type. | `string` | `"Zip"` | no | | [publish](#input\_publish) | Whether to publish creation/change as new lambda function version | `bool` | `false` | no | | [reserved\_concurrency](#input\_reserved\_concurrency) | The amount of reserved concurrent executions for this lambda function | `number` | `null` | no | | [retries](#input\_retries) | Maximum number of retries for the Lambda invocation | `number` | `null` | no | -| [runtime](#input\_runtime) | The function runtime to use | `string` | `"python3.10"` | no | +| [runtime](#input\_runtime) | The function runtime to use | `string` | `"python3.13"` | no | | [s3\_bucket](#input\_s3\_bucket) | The S3 bucket location containing the function's deployment package | `string` | `null` | no | | [s3\_key](#input\_s3\_key) | The S3 key of an object containing the function's deployment package | `string` | `null` | no | | [s3\_object\_version](#input\_s3\_object\_version) | The object version containing the function's deployment package | `string` | `null` | no | diff --git a/UPGRADING.md b/UPGRADING.md index b601ba0..bb5af23 100644 --- a/UPGRADING.md +++ b/UPGRADING.md 
@@ -23,6 +23,9 @@ The following variables have been removed:
 * `create_policy`. This variable is not deemed necessary anymore, creating the policy is controlled by providing an `execution_role.policy`.
+The following variable defaults have been modified:
+
+* `runtime` → default: `python3.13` (previous: `python3.10`).
 ## Upgrading to v1.0.0
diff --git a/main.tf b/main.tf
index c24f508..976d7f0 100644
--- a/main.tf
+++ b/main.tf
@@ -5,6 +5,7 @@ locals {
 ephemeral_storage = var.ephemeral_storage_size != null ? { create : true } : {}
 execution_type = var.subnet_ids == null ? "Basic" : "VPCAccess"
 filename = var.filename != null ? var.filename : data.archive_file.dummy.output_path
+ image_config = var.image_config != null ? { create : true } : {}
 source_code_hash = var.source_code_hash != null ? var.source_code_hash : var.filename != null ? filebase64sha256(var.filename) : null
 tracing_config = var.tracing_config_mode != null ? { create : true } : {}
 vpc_config = var.subnet_ids != null ? { create : true } : {}
@@ -134,16 +135,18 @@ resource "aws_lambda_function" "default" {
 architectures = [var.architecture]
 code_signing_config_arn = var.code_signing_config_arn
 description = var.description
- filename = var.s3_bucket == null ? local.filename : null
+ filename = var.s3_bucket == null && var.image_config == null ? local.filename : null
 function_name = var.name
- handler = var.handler
+ handler = var.package_type == "Zip" ? var.handler : null
+ image_uri = var.image_config != null ? var.image_config.uri : null
 kms_key_arn = var.environment != null ? var.kms_key_arn : null
 layers = var.layers
 memory_size = var.memory_size
+ package_type = var.package_type
 publish = var.publish
 reserved_concurrent_executions = var.reserved_concurrency
 role = var.execution_role_custom != null ? var.execution_role_custom.arn : module.lambda_role[0].arn
- runtime = var.runtime
+ runtime = var.package_type == "Zip" ? var.runtime : null
 s3_bucket = var.s3_bucket
 s3_key = var.s3_key
 s3_object_version = var.s3_object_version
@@ -167,6 +170,24 @@ resource "aws_lambda_function" "default" {
 }
 }
+ dynamic "ephemeral_storage" {
+ for_each = local.ephemeral_storage
+
+ content {
+ size = var.ephemeral_storage_size
+ }
+ }
+
+ dynamic "image_config" {
+ for_each = local.image_config
+
+ content {
+ command = var.image_config.command
+ entry_point = var.image_config.entry_point
+ working_directory = var.image_config.working_directory
+ }
+ }
+
 dynamic "tracing_config" {
 for_each = local.tracing_config
@@ -183,12 +204,4 @@ resource "aws_lambda_function" "default" {
 security_group_ids = length(var.security_group_ids) > 0 ? var.security_group_ids : [aws_security_group.default[0].id]
 }
 }
-
- dynamic "ephemeral_storage" {
- for_each = local.ephemeral_storage
-
- content {
- size = var.ephemeral_storage_size
- }
- }
 }
diff --git a/variables.tf b/variables.tf
index 7f75d22..935533b 100644
--- a/variables.tf
+++ b/variables.tf
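Review bot: Nothing in the resource ties `package_type` to `image_config`: with `package_type = "Image"` and `image_config = null` the function gets `image_uri = null`, `handler`/`runtime` = null and `filename = local.filename` (which falls back to the dummy archive), while `package_type = "Zip"` plus an `image_config` sets `image_uri` alongside `runtime`/`handler`; both combinations only fail at apply time, and the "exactly one of `filename`, `image_config.uri`, `s3_bucket`" rule the README now states is not enforced anywhere visible in this diff. A `lifecycle` precondition on the resource would reject these at plan time; because `local.filename` has a dummy-archive fallback the code actually supports "at most one", so I would phrase the check that way and align the README. The `aws_lambda_function` block begins before this hunk and its closing brace is in the last hunk of this file, so the precondition belongs next to the existing dynamic blocks (or inside an existing `lifecycle` block, if one is present outside the hunk).
```hcl
  # … unchanged: arguments and dynamic blocks …

  lifecycle {
    precondition {
      condition     = (var.package_type == "Image") == (var.image_config != null)
      error_message = "package_type = \"Image\" requires image_config, and image_config requires package_type = \"Image\"."
    }

    precondition {
      condition     = length([for v in [var.filename, try(var.image_config.uri, null), var.s3_bucket] : v if v != null]) <= 1
      error_message = "At most one of filename, image_config.uri and s3_bucket may be set."
    }
  }
```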
@@ -105,6 +105,22 @@ variable "handler" {
 description = "The function entrypoint in your code"
 }
+variable "image_config" {
+ type = object({
+ command = optional(list(string), [])
+ entry_point = optional(list(string), [])
+ uri = optional(string)
+ working_directory = optional(string)
+ })
+ default = null
+ description = "Container image configuration values. The ECR image URI must be a private ECR URI."
+
+ validation {
+ condition = var.image_config == null || can(regex("^[0-9]{12}.dkr.ecr.[a-zA-Z0-9-]+.amazonaws.com/.+$", var.image_config.uri))
+ error_message = "The \"uri\" be a valid private ECR URI."
+ }
+}
+
 variable "kms_key_arn" {
 type = string
 default = null
@@ -134,6 +150,17 @@ variable "name" {
 description = "The name of the lambda"
 }
+variable "package_type" {
+ type = string
+ default = "Zip"
+ description = "The Lambda deployment package type."
+
+ validation {
+ condition = contains(["Image", "Zip"], var.package_type)
+ error_message = "Allowed values are \"Image\" or \"Zip\"."
+ }
+}
+
 variable "publish" {
 type = bool
 default = false
@@ -154,7 +181,7 @@ variable "retries" {
 variable "runtime" {
 type = string
- default = "python3.10"
+ default = "python3.13"
 description = "The function runtime to use"
 }
@@ -176,12 +203,6 @@ variable "s3_object_version" {
 description = "The object version containing the function's deployment package"
 }
-variable "security_group_ids" {
- type = list(string)
- default = []
- description = "The security group(s) for running the Lambda within the VPC. If not specified a minimal default SG will be created"
-}
-
 variable "security_group_egress_rules" {
 type = list(object({
 cidr_ipv4 = optional(string)
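Review bot: The `image_config` validation regex `^[0-9]{12}.dkr.ecr.[a-zA-Z0-9-]+.amazonaws.com/.+$` leaves every dot unescaped, so each `.` matches any character and the "private ECR host" check is looser than the description promises (a host such as `123456789012.dkr.ecr.us-east-1.amazonawsXcom/app` passes); escaping them makes the host literal: `condition = var.image_config == null || can(regex("^[0-9]{12}\\.dkr\\.ecr\\.[a-zA-Z0-9-]+\\.amazonaws\\.com/.+$", var.image_config.uri))`. The error message is also missing a word: `error_message = "The \"uri\" must be a valid private ECR URI."`. Since `uri` is declared `optional(string)` but `regex` runs on it unconditionally inside `can()`, an `image_config` without `uri` is rejected by this validation, which the description should say, e.g. `description = "Container image configuration values. uri is required and must be a private ECR image URI."`. The trailing `/.+$` also accepts a mutable tag; noting in the description that pinning by digest (`@sha256:…`) prevents the deployed code from changing without a plan diff would help callers, even if it is not enforced.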
@@ -202,6 +223,12 @@ variable "security_group_egress_rules" {
 }
 }
+variable "security_group_ids" {
+ type = list(string)
+ default = []
+ description = "The security group(s) for running the Lambda within the VPC. If not specified a minimal default SG will be created"
+}
+
 variable "security_group_name_prefix" {
 type = string
 default = null
@@ -236,4 +263,9 @@ variable "tracing_config_mode" {
 type = string
 default = null
 description = "The lambda's AWS X-Ray tracing configuration"
+
+ validation {
+ condition = var.tracing_config_mode == null || var.tracing_config_mode == "Active" || var.tracing_config_mode == "PassThrough"
+ error_message = "If provided, allowed values are \"Active\" or \"PassThrough\"."
+ }
 }
command = optional(list(string), [])
entry_point = optional(list(string), [])
uri = optional(string)
working_directory = optional(string)
})