A control-plane workflow covers access control for a function and the creation, deletion, modification, and query of function code and configurations. Control-plane workflows mainly involve the secure transmission and storage of data such as function metadata, code, layers, and image caches. This topic describes the security protections that Function Compute provides on the control plane.
Access security ensured by using RAM
Event source triggering: You must create a trigger for an event source and grant the trigger the execute permissions to trigger the execution of a function.
Cloud service access: You must be granted permissions before you can access other Alibaba Cloud services, such as Object Storage Service (OSS), Simple Log Service (SLS), and Tablestore.
Resource Access Management (RAM) user authorization: You can use RAM to grant RAM users different operation permissions on functions in Function Compute.
Cross-account authorization: You can use RAM to grant other accounts different operation permissions on functions in Function Compute.
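The RAM grants described above are only as safe as the policies behind them: a RAM user or trusted account should receive the narrowest set of Function Compute actions on the narrowest set of function resources that its job needs. The following added example (written for this page, not Function Compute's or RAM's own code) is a small least-privilege linter: it loads a RAM policy document, skips Deny statements, and flags Allow statements that use wildcard actions (such as fc:*) or an unscoped resource. The two sample policies are constructed here; the fc: action names and the acs:fc: resource format follow the RAM conventions for Function Compute as understood by the author of this example, and the account ID and function name are placeholders.

```python
import json

# Constructed sample policies (not taken from the page). The account ID
# "123456789012" and function name "order-processor" are placeholders.
BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "fc:*", "Resource": "*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["fc:GetFunction", "fc:InvokeFunction"],
            "Resource": [
                "acs:fc:cn-hangzhou:123456789012:functions/order-processor",
            ],
        },
        # A Deny statement only narrows access, so it is never a finding.
        {"Effect": "Deny", "Action": "fc:DeleteFunction", "Resource": "*"},
    ],
})


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy_json):
    """Return human-readable least-privilege findings for a RAM policy document.

    A finding is produced for every Allow statement that grants a wildcard
    action ("*" or "<service>:*") or that applies to every resource ("*").
    """
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {idx}: applies to all resources ('*')")
    return findings


def is_least_privilege(policy_json):
    """True when the policy produces no findings."""
    return not policy_findings(policy_json)


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "->", policy_findings(policy) or "no findings")
```

Run the file directly to see the broad policy flagged on both its action and its resource while the scoped policy passes; the same check can be applied to policies attached to RAM users and to cross-account roles before they are deployed.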
Metadata security of functions ensured by using transmission encryption and storage encryption
Function Compute uses Transport Layer Security (TLS) 1.2 or later to encrypt API operations and internal communications.
Function metadata is encrypted with AES-256. Decrypted metadata is cached for at most 600 seconds.
Security of code and layer caches ensured by using isolation, access control, and transmission encryption
To create or update a function, you can synchronize data from OSS or call API operations to upload function code to Function Compute. Function Compute uses isolated accounts to cache the code or layers in OSS. During the initialization of a function instance, Function Compute requests a temporary download URL and downloads the code and layers into the execution environment. Because of virtualization-based isolation, a function instance can access only its own code and its configured layers.
After you obtain the temporary download URL with valid credentials, you can download the code or layers by calling API operations, by using the console, or by using tools.
TLS 1.2 or later is used to encrypt the transmission of code and layers in Function Compute.
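The temporary download URL mentioned above is what keeps cached code and layers from being fetched by anyone who merely learns a storage path: the URL embeds an expiry and a signature bound to the object and that expiry, so an expired or altered URL is useless. The following added example illustrates that pattern with a generic HMAC-SHA256 scheme; it is written for this page and is not Function Compute's or OSS's actual URL-signing algorithm. The signing key, host name, object key and timestamps are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key. In practice the secret of a temporary credential
# would play this role and would never be embedded in source.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def _string_to_sign(object_key, expires_at):
    """Bind the signature to the HTTP method, the object and the expiry."""
    return f"GET\n{object_key}\n{expires_at}".encode()


def sign_download_url(base_url, object_key, expires_at, key=SIGNING_KEY):
    """Return a URL that is valid only until `expires_at` (Unix seconds)."""
    signature = hmac.new(key, _string_to_sign(object_key, expires_at),
                         hashlib.sha256).hexdigest()
    query = urlencode({"Expires": str(expires_at), "Signature": signature})
    return f"{base_url}/{object_key}?{query}"


def verify_download_url(url, now, key=SIGNING_KEY):
    """Return (ok, reason); rejects expired URLs and any change to path or expiry."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires_at = int(params["Expires"][0])
        signature = params["Signature"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed Expires/Signature"
    # Check expiry before doing any cryptographic work.
    if now >= expires_at:
        return False, "expired"
    object_key = parsed.path.lstrip("/")
    expected = hmac.new(key, _string_to_sign(object_key, expires_at),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    issued_at = 1_700_000_000            # constructed timestamp
    url = sign_download_url("https://code-cache.example.invalid",
                            "functions/order-processor/code.zip",
                            issued_at + 600)
    print(url)
    print(verify_download_url(url, issued_at))          # (True, 'ok')
    print(verify_download_url(url, issued_at + 600))    # (False, 'expired')
```

Because the expiry is part of the signed string, extending the Expires parameter by hand invalidates the signature, and because the object key is signed, the same URL cannot be pointed at a different function's code; a verifier should keep the lifetime short and treat any failure reason as a reason to log, not to retry.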
Security of image caches ensured by using isolation, access control, and transmission encryption
If you upload a container image to Function Compute, the container image is cached to Container Registry by using an isolated account. Only this account has the permissions to download the container image. During the initialization of a function instance, Function Compute uses TLS 1.2 or later to download the container image.