All Products
Search

This Product

    Function Compute:Shared responsibilities

    Document Center

    Function Compute:Shared responsibilities

    Last Updated:Oct 31, 2024

    Function Compute provides security mechanisms to help you reduce the workload on security protections. You must use the security mechanisms provided by Function Compute based on your business requirements to ensure business security.

    Security of authentication information such as identity credentials

    Your business security cannot be ensured if authentication information such as identity credentials is leaked. You can use Resource Access Management (RAM) to grant permissions to RAM users based on the principle of least privilege. You can also use a Security Token Service (STS) token, which is a temporary identity credential. This reduces the leakage risk of authentication information such as identity credentials.

    Security of function code and layers

    • Function Compute provides temporary code and download URLs for authenticated users. You must prevent the temporary download URLs from being leaked to protect the security of code and libraries.

    • Do not record authentication information such as identity credentials in the code or layers. Otherwise, the identity credentials may be leaked.

    • Pay attention to the size of the code and layers. Function instances may have an extended cold start duration or fail to be started if the size of the code and layers is excessively large.

    • A function instance may be reused among function invocations. Previous invocations may cause modifications to global variables, environment variables, and file systems. You cannot assume that each invocation is processed in a new environment.

    • A function instance may not be reused among function invocations. Previous invocations may cause modifications to global variables, environment variables, and file systems. You cannot assume that the modifications are still valid for another invocation.

    • For asynchronous invocations and asynchronous tasks, Function Compute retries to execute a function when errors occur. An event can be processed at least once. However, you cannot assume that the same event triggers only one invocation.

    • When a function is executed and computing results are returned, Function Compute freezes the function instance that executes the function. You cannot assume that all asynchronous processes, threads, and coroutines are executed when the invocation results are returned. In addition, you cannot assume that the logs that are asynchronously written are refreshed.

    • A single function instance in Function Compute can concurrently process multiple invocation requests. However, the concurrency of a function instance is related to the runtime language. For example, Node.js supports only the single-threaded mode. Python has global interpreter locks (GILs) and cannot concurrently process compute-intensive invocation requests. You cannot assume that the concurrency of all function instances is as expected.

    • A function invocation has multiple resource limits. For example, the headers of an invocation request or a response cannot exceed 4 KB in size, environment variables cannot exceed 4 KB in size, and a request body cannot exceed 16 MB in size. The resource limits may be adjusted and are subject to the official documentation. If a resource limit is reached, the code may not be run as expected.

    • The period of time during which a runtime environment version is supported by Function Compute is synchronized with that supported by the community. If a runtime environment version is no longer supported by the community, Function Compute starts to stop providing specific services, such as function execution. You must stop using the runtime environment versions that are not supported by Function Compute at the earliest opportunity.

    • You must make sure that the code and libraries are secure, and fix vulnerabilities and update functions at the earliest opportunity.

    Security of function configurations

    Function resources

    • You must set the maximum execution duration of a function to a proper value. A longer duration may generate more fees if errors occur. A shorter duration may affect service availability.

    • You must set the maximum memory size of a function to a proper value. A larger memory size may generate more fees. A smaller memory size may affect service availability or execution performance.

    • You must set the invocation concurrency of a single function instance to a proper value. A higher concurrency may affect service availability or execution performance.

    • You must set the maximum resource quota to proper values to avoid generating more fees if errors occur.

    Permissions to access functions

    • You must properly use RAM to grant RAM users the access permissions on Function Compute to reduce security risks.

    • You must properly configure the access permissions on each function. For example, you can specify that a function can be accessed only over a specific virtual private cloud (VPC).

    • You must properly configure the access permissions on triggers to prevent functions from being invoked unexpectedly.

    External access of functions

    You must properly configure the access modes for functions to access external networks. For example, you can allow functions to access only specified VPCs to avoid the leakage of sensitive information.

    Access to Alibaba Cloud services

    • You must properly grant the RAM role that executes functions in Function Compute the permissions to access Alibaba Cloud services, such as Object Storage Service (OSS) and Tablestore. This prevents sensitive information from being leaked.

    • For File Storage NAS file systems that are mounted on Function Compute, the data is transmitted over VPCs to ensure data security. You can enable the transmission encryption feature based on your business requirements. For more information, see Encryption in transit for NFS file systems.