
Function Compute (2.0): Shared responsibilities

Last Updated: Oct 24, 2023

Function Compute provides various security mechanisms that reduce your security assurance workload. You are responsible for using these mechanisms to secure your workloads based on your business requirements.

Prevent leakage of authentication information such as credentials

Your business cannot be secured if authentication information such as identity credentials is leaked. Use RAM to grant permissions to RAM users based on the principle of least privilege, and use STS tokens to reduce the risk of leaking authentication information such as identity credentials.

Function code and layer security assurance

  • Function Compute provides temporary code and download addresses for authenticated users. You must keep these temporary download addresses from leaking to reduce the risk of exposing code and libraries.

  • You must not record authentication information such as identity credentials in code or layers, so that the credentials cannot leak with them.

  • You must pay attention to the size of the code and layers. Function instances may start too slowly or fail to start if the size of the code and layers is excessively large.

  • Function instances may be reused among different invocations. Previous invocations may have modified global variables, environment variables, and file system content. Your code cannot assume that an invocation runs in a new environment.

  • A function instance may or may not be reused among different invocations. Therefore, you cannot assume that the global variables, environment variables, file systems, and other content that have been modified by one invocation are still valid for another invocation.

  • In asynchronous invocation and asynchronous task scenarios, Function Compute retries the function execution when errors occur. An event is executed at least once, so you cannot assume that the same event triggers only one invocation.

  • After a function returns its response, Function Compute freezes the function instance. You cannot assume that all asynchronous processes, threads, and coroutines have finished when the invocation returns, nor that asynchronously written logs have been flushed.

  • Although a single Function Compute instance can execute multiple requests concurrently, the concurrency capability depends on the runtime language. For example, Node.js is single-threaded, and Python has a global interpreter lock (GIL) and cannot concurrently execute compute-intensive invocations. You cannot assume that the number of concurrent executions is always as expected.

  • Various resource limits apply to function invocations. For example, the size of headers of invocation request packages and return packages cannot exceed 4 KB, the total size of environment variables cannot exceed 4 KB, and the size of the body of a request package cannot exceed 16 MB. These limits may be adjusted; the documentation on the official website prevails. When a resource limit is reached, the code may not run as expected.

  • The support period of Function Compute runtime versions is synchronized with that of the community. When the community no longer supports a version, Function Compute also begins to end support for it. After support ends, the function may not always run as expected. Users must retire unsupported runtime versions at the earliest opportunity.

  • Users must ensure the security of code and libraries, fix vulnerabilities and update functions at the earliest opportunity.
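The reuse, retry, and freeze points in the list above can be handled together in one handler. The following is an added example, not Alibaba Cloud code: `ClaimStore`, `APPLIED`, and the event fields `id` and `body` are assumptions, and the in-memory store stands in for a durable store outside the instance that supports an atomic conditional write.

```python
import json
import logging
import threading

log = logging.getLogger("fc-example")


class ClaimStore:
    """In-memory stand-in (hypothetical) for a durable store with an atomic
    conditional write. A real store must live outside the function instance."""

    def __init__(self):
        self._claims = set()
        self._lock = threading.Lock()

    def claim(self, key):
        with self._lock:
            if key in self._claims:
                return False
            self._claims.add(key)
            return True

    def release(self, key):
        with self._lock:
            self._claims.discard(key)


STORE = ClaimStore()
APPLIED = []  # constructed sink standing in for the real side effect


def handler(event, context, store=STORE):
    msg = json.loads(event)          # state comes from the event, not from
    key = msg["id"]                  # leftovers of an earlier invocation
    if not store.claim(key):         # retry or duplicate delivery of the event
        return json.dumps({"id": key, "status": "duplicate"})
    try:
        body = msg["body"]
        result = []
        worker = threading.Thread(target=lambda: result.append(body.upper()))
        worker.start()
        worker.join()                # finish before the instance is frozen
        APPLIED.append(result[0])
    except Exception:
        store.release(key)           # failed: allow the retry to run the work
        raise
    for h in logging.getLogger().handlers + log.handlers:
        h.flush()                    # do not leave log records buffered
    return json.dumps({"id": key, "status": "processed", "result": result[0]})
```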

Security assurance of function configurations

Function resource configurations

  • You must set the maximum execution duration of a function to a proper value. If the value is excessively large, additional fees may be incurred when errors occur. If the value is excessively small, service availability may be affected.

  • You must set the value of maximum memory size to a proper value. If the value is excessively large, more fees will be generated. If the value is excessively small, the service availability or the execution performance may be affected.

  • You must set the invocation concurrency of a single function instance to a proper value. If the value is excessively large, the service availability or execution performance may be affected.

  • You must set the maximum resource quota to proper values to avoid generating more fees when errors occur.

Function access permissions

  • You must use RAM to plan the permissions of different RAM users to access Function Compute to reduce security risks.

  • You must configure the access permissions of functions. For example, you can specify that a function can only be accessed over a specified VPC.

  • You must properly configure trigger permissions to prevent functions from being invoked unexpectedly.

External access configurations of functions

You must configure proper network access settings based on your business requirements. For example, you can allow functions to access a specified VPC to avoid leaking sensitive information.

Access to Alibaba Cloud services

  • You must properly configure access permissions on Alibaba Cloud services, such as OSS and Tablestore (OTS), for the Function Compute execution roles based on your business requirements to prevent leakage of sensitive information.

  • For Apsara File Storage NAS (NAS) that is configured by you, the data is transmitted over VPCs to ensure data security. You can enable transmission encryption based on your business requirements. For more information, see Encryption in transit for NFS file systems.
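One way to check that an execution role's policy follows the least-privilege guidance given for RAM above is to flag wildcard grants before the policy is attached. This is an added example, not Alibaba Cloud tooling: `audit_policy` is a hypothetical helper, and the two policy documents, with their bucket, instance, and table names, are constructed samples in the RAM policy format.

```python
def _as_list(value):
    """RAM policy fields may hold a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy):
    """Return (statement_index, field, value) for each wildcard Allow grant."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements do not widen access
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((index, "action", action))
        for resource in _as_list(stmt.get("Resource")):
            # Format: acs:<service>:<region>:<account>:<relative-id>
            if resource == "*" or resource.split(":", 4)[-1] == "*":
                findings.append((index, "resource", resource))
    return findings


# Constructed sample: every OSS action on every resource.
BROAD = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}],
}

# Constructed sample: only the calls the function makes, on named resources.
SCOPED = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:GetObject"],
         "Resource": ["acs:oss:*:*:example-bucket/incoming/*"]},
        {"Effect": "Allow", "Action": ["ots:GetRow", "ots:PutRow"],
         "Resource": ["acs:ots:*:*:instance/example-instance/table/example-table"]},
    ],
}

if __name__ == "__main__":
    for name, doc in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit_policy(doc))
```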