The control plane covers function permission control and the creation, deletion, modification, and query of function code and configurations. Its main security concern is the secure transmission and storage of data such as function metadata, code, layers, and image caches. This topic describes the control-plane safeguards in Function Compute.
RAM manages user identities and resource access permissions
- Event source triggering: To have an event source invoke a function, you must create a trigger for that event source and grant the trigger permission to invoke the function.
- Cloud service access: Users must be granted permissions before they can access other cloud services, such as OSS, Log Service, and Tablestore.
- RAM user authorization: You can use Resource Access Management (RAM) to grant RAM users different permissions on functions in Function Compute.
- Cross-account authorization: You can use RAM to grant other accounts different permissions on functions in Function Compute.
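Every item above comes down to the RAM policy documents attached to users, roles, and triggers, and the usual failure is a policy that grants far more than the function needs. The following Go program is an added example, not code from the Function Compute documentation or service: it parses two constructed RAM policies, an over-broad one (`fc:*` on `*`) and a scoped one limited to two actions on one function, and reports every wildcard action or resource in an Allow statement. The resource string pattern `acs:fc:<region>:<account-id>:functions/<name>`, the account ID and the function name are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// stringList accepts both the single-string and the array form that RAM
// allows for "Action" and "Resource".
type stringList []string

func (s *stringList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = stringList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = stringList(many)
	return nil
}

type Statement struct {
	Effect   string     `json:"Effect"`
	Action   stringList `json:"Action"`
	Resource stringList `json:"Resource"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// OverBroadPolicy is a constructed example of what "give the user access to
// Function Compute" often turns into: every fc: action on every resource.
const OverBroadPolicy = `{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "fc:*", "Resource": "*"}
  ]
}`

// ScopedPolicy is the constructed least-privilege counterpart: invoke and read
// one function only. The account ID and function name are placeholders.
const ScopedPolicy = `{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["fc:InvokeFunction", "fc:GetFunction"],
      "Resource": ["acs:fc:cn-hangzhou:123456789012:functions/order-webhook"]
    }
  ]
}`

// ReviewPolicy parses a RAM policy document and returns one finding per
// wildcard action or resource in an Allow statement. Deny statements only
// narrow access, so they are skipped.
func ReviewPolicy(doc string) ([]string, error) {
	var p Policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	var findings []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		for _, a := range st.Action {
			if strings.Contains(a, "*") {
				findings = append(findings, fmt.Sprintf("statement %d: wildcard action %q", i, a))
			}
		}
		for _, r := range st.Resource {
			if strings.Contains(r, "*") {
				findings = append(findings, fmt.Sprintf("statement %d: wildcard resource %q", i, r))
			}
		}
	}
	return findings, nil
}

func main() {
	for name, doc := range map[string]string{"over-broad": OverBroadPolicy, "scoped": ScopedPolicy} {
		findings, err := ReviewPolicy(doc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The same check applies to the policy on a trigger's invocation role and to a cross-account grant: both should name the specific function rather than a wildcard, and the review should run before the policy is attached, not after an incident.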
Transmission encryption and storage encryption ensure the security of function metadata
- TLS 1.2 or later is used to encrypt calls to the Function Compute API and communication between internal Function Compute components.
- AES-256 is used to encrypt function metadata at rest. Decrypted metadata is cached for no more than 600 seconds.
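The two properties on the storage side are encryption at rest and a bounded lifetime for decrypted copies. The following Go program is an added example written for this page, not Function Compute's own implementation: a small metadata store that seals each function's metadata with AES-256-GCM (the function name bound as associated data), serves plaintext from a cache only within a 600-second window, and decrypts again once that window has passed. The key, clock, function name and metadata JSON are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// DecryptedCacheTTL mirrors the 600-second bound stated for decrypted metadata.
const DecryptedCacheTTL = 600 * time.Second

type cacheEntry struct {
	plaintext []byte
	expires   time.Time
}

// MetadataStore keeps function metadata encrypted at rest with AES-256-GCM and
// holds a decrypted copy only for DecryptedCacheTTL after each decryption.
type MetadataStore struct {
	aead        cipher.AEAD
	blobs       map[string][]byte // at-rest form: nonce || ciphertext || tag
	cache       map[string]cacheEntry
	now         func() time.Time // injectable clock so expiry can be exercised offline
	Decryptions int              // cache misses that required a decryption
}

func NewMetadataStore(key []byte, now func() time.Time) (*MetadataStore, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &MetadataStore{aead: aead, blobs: map[string][]byte{}, cache: map[string]cacheEntry{}, now: now}, nil
}

// Put encrypts metadata under a fresh random nonce. The function name is bound
// as associated data, so a blob cannot be replayed under another name.
func (s *MetadataStore) Put(name string, metadata []byte) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.blobs[name] = append(nonce, s.aead.Seal(nil, nonce, metadata, []byte(name))...)
	delete(s.cache, name) // never serve stale plaintext after an update
	return nil
}

// Get serves from the cache while the entry is fresh; otherwise it decrypts
// the at-rest blob and starts a new TTL window.
func (s *MetadataStore) Get(name string) ([]byte, error) {
	now := s.now()
	if e, ok := s.cache[name]; ok && now.Before(e.expires) {
		return e.plaintext, nil
	}
	delete(s.cache, name)
	blob, ok := s.blobs[name]
	if !ok {
		return nil, fmt.Errorf("no metadata for %q", name)
	}
	ns := s.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("corrupt blob")
	}
	pt, err := s.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
	if err != nil {
		return nil, fmt.Errorf("decrypt %q: %w", name, err) // tampering or wrong key
	}
	s.Decryptions++
	s.cache[name] = cacheEntry{plaintext: pt, expires: now.Add(DecryptedCacheTTL)}
	return pt, nil
}

func main() {
	clock := time.Unix(1_700_000_000, 0)
	key := make([]byte, 32) // constructed all-zero demo key; use a KMS-managed key in practice
	store, err := NewMetadataStore(key, func() time.Time { return clock })
	if err != nil {
		panic(err)
	}
	store.Put("order-webhook", []byte(`{"runtime":"python3.10","memorySize":512}`)) // constructed metadata
	store.Get("order-webhook") // miss: decrypts
	store.Get("order-webhook") // hit
	clock = clock.Add(DecryptedCacheTTL + time.Second)
	store.Get("order-webhook") // TTL elapsed: decrypts again
	fmt.Println("decryptions across the TTL:", store.Decryptions) // 2
	store.blobs["order-webhook"][len(store.blobs["order-webhook"])-1] ^= 0x01 // flip a tag bit
	clock = clock.Add(DecryptedCacheTTL + time.Second)
	_, err = store.Get("order-webhook")
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The TTL bounds how long a plaintext copy lives in memory after a decryption; an update calls Put, which evicts the cached plaintext immediately so the stale configuration is never served. GCM's authentication tag means a modified at-rest blob fails to decrypt rather than yielding silently corrupted metadata.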
Isolation, access control, and transmission encryption ensure the security of code and layer caches
When a user creates or updates a function, the code is uploaded to Function Compute through Object Storage Service (OSS) or by calling API operations. Function Compute caches the code or layers in OSS under isolated accounts. When a function instance is initialized, Function Compute requests a temporary download address and downloads the code and layers into the execution environment. Virtualization-based isolation ensures that a function instance can access only its own code and the layers configured for it.
Users can download code or layers by calling API operations, using the console, or using tools only after they obtain a temporary download address with valid credentials.
TLS 1.2 or later is used to encrypt the transmission of code or layers in Function Compute.
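From the client side, the controls above translate into three checks before a code or layer archive is trusted: the download address must be a signed, unexpired temporary URL over HTTPS, the connection must not fall below TLS 1.2, and the bytes received should match what was recorded at creation time. The Go program below is an added example, not Function Compute's own download logic: it assumes the OSS signed-URL shape (`OSSAccessKeyId`, `Expires` as a Unix timestamp, `Signature`), and the host, key ID, signature value and archive bytes are constructed placeholders. The SHA-256 comparison is an integrity step added here; the page does not state that Function Compute publishes such a digest.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strconv"
	"time"
)

// NewCodeDownloadClient builds the client used to fetch code and layers from a
// temporary download address; it refuses any TLS version below 1.2.
func NewCodeDownloadClient() *http.Client {
	return &http.Client{
		Timeout: 30 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
		},
	}
}

// ValidateTempURL checks a temporary download address before it is used. It
// assumes the OSS signed-URL query parameters (OSSAccessKeyId, Expires as a
// Unix timestamp, Signature) and returns how long the address stays valid.
func ValidateTempURL(raw string, now time.Time) (time.Duration, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return 0, err
	}
	if u.Scheme != "https" {
		return 0, fmt.Errorf("refusing non-TLS scheme %q", u.Scheme)
	}
	q := u.Query()
	if q.Get("OSSAccessKeyId") == "" || q.Get("Signature") == "" {
		return 0, errors.New("address is not a signed temporary URL")
	}
	secs, err := strconv.ParseInt(q.Get("Expires"), 10, 64)
	if err != nil {
		return 0, fmt.Errorf("bad or missing Expires: %w", err)
	}
	remaining := time.Unix(secs, 0).Sub(now)
	if remaining <= 0 {
		return 0, errors.New("temporary URL has expired")
	}
	return remaining, nil
}

// VerifyArchive compares a downloaded archive against a SHA-256 digest the
// deployer recorded when the function was created (an assumed extra step).
func VerifyArchive(data []byte, expectedHex string) error {
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != expectedHex {
		return errors.New("archive digest mismatch")
	}
	return nil
}

func main() {
	// Constructed sample address; host, key ID and signature are placeholders.
	addr := "https://code-cache.oss-cn-hangzhou.aliyuncs.com/order-webhook.zip?OSSAccessKeyId=LTAIexample&Expires=1700000600&Signature=c2lnbmF0dXJl"
	now := time.Unix(1_700_000_000, 0)
	if remaining, err := ValidateTempURL(addr, now); err == nil {
		fmt.Println("address valid for", remaining)
	}
	if _, err := ValidateTempURL(addr, now.Add(time.Hour)); err != nil {
		fmt.Println("an hour later:", err)
	}
	client := NewCodeDownloadClient()
	_ = client // resp, err := client.Get(addr) would perform the TLS 1.2+ download
	archive := []byte("PK\x03\x04constructed-zip-bytes") // constructed stand-in for a downloaded archive
	sum := sha256.Sum256(archive)
	fmt.Println("digest check passed:", VerifyArchive(archive, hex.EncodeToString(sum[:])) == nil)
}
```

Rejecting an `http://` address outright matters more than it looks: a temporary URL that leaks into logs is only as safe as its short validity window, and an unencrypted fetch would expose both the credential in the query string and the code itself.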
Isolation, access control, and transmission encryption ensure the security of image caches
When a user uploads a container image to Function Compute, the image is cached in Container Registry under an isolated account, and only that account has permission to download the image. When a function instance is initialized, Function Compute downloads the container image over TLS 1.2 or later.