Updated on 2025-07-09 GMT+08:00

Asset Identification and Management

FunctionGraph provides a secure running environment throughout the lifecycle of a function. You need to use the security mechanisms provided by FunctionGraph to ensure the security of your code, dependencies, and configurations.

Operating Environment Security

FunctionGraph provides compute nodes and function instances for code execution, offering scalable and secure resources based on user demand.

Compute Node Security

Compute nodes provide the following Huawei Cloud standard security protection capabilities. For details, see the Huawei Cloud Security White Paper.

  • Multi-AZ and multi-cluster DR: Compute nodes are deployed across multiple AZs and clusters within a region, ensuring availability.
  • Independent VPC environment: Compute nodes are located in a separate, isolated VPC. You cannot directly access compute nodes.
  • Host security protection: Compute nodes use Huawei Cloud HSS for vulnerability detection, security monitoring, and defense, with rapid response and remediation in collaboration with Huawei Cloud's security team.
  • Vulnerability fixing and security upgrades: FunctionGraph fixes vulnerabilities and performs security upgrades for compute nodes. The upgrade process is transparent to users. If there is a risk of incompatibility, users are notified by notice or SMS message and provided with adaptation solutions to ensure smooth service migration.

Function Instance Security

Function instances provide function-level isolation. Each instance can run only one function.

  • Network isolation: Function instances cannot directly access each other, and function instances and nodes cannot directly access each other. You can determine whether to enable public access or VPC access. For details, see Configuring the Network.
  • Instance freezing: When an attack by a malicious tenant is detected, FunctionGraph can immediately freeze and isolate that user's function instances to keep the running environment secure.
  • Vulnerability fixing and security upgrades: FunctionGraph fixes vulnerabilities and performs security upgrades for function instances. The upgrade process is transparent to users. If there is a risk of incompatibility, users are notified by notice or SMS message and provided with adaptation solutions to ensure smooth service migration.
  • Runtime end of maintenance: As community support ends, the runtimes provided by FunctionGraph will gradually be phased out. Users are prohibited from creating functions with unsupported runtimes. Users are advised to migrate existing functions to new runtimes as soon as possible. FunctionGraph does not guarantee the continued normal operation of unsupported runtime versions.

User Code Security

  • Code sharing and download: FunctionGraph provides temporary code sharing and download addresses with a limited validity period. Users should prevent these temporary addresses from leaking, to reduce the risk of code or library leakage.
  • Sensitive information leakage prevention: Do not record sensitive information such as access keys (AKs), secret access keys (SKs), and database passwords in plaintext in code or dependencies, and do not write tokens or passwords to function logs.
  • Code vulnerability prevention: You are responsible for the security of your code, libraries, and dependencies: identify and fix vulnerabilities promptly and update your functions.
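As an added example (not from the FunctionGraph documentation), the following Python check scans function source for the plaintext credentials this section warns about, and redacts secret-looking values before a message is written to function logs. The regular expressions are heuristics constructed for this example, not an official FunctionGraph or Huawei Cloud rule set.

```python
import re

# Heuristic patterns constructed for this example (assumptions, not FunctionGraph
# rules): a Huawei Cloud style AK is 20 upper-case alphanumerics, an SK is 40
# mixed-case alphanumerics; the other two catch password/token assignments.
SECRET_PATTERNS = {
    "access_key": re.compile(r"\b[A-Z0-9]{20}\b"),
    "secret_key": re.compile(r"\b[A-Za-z0-9]{40}\b"),
    "password": re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]+)['\"]"),
    "token": re.compile(r"(?i)(x-auth-token|token)\s*[=:]\s*['\"]?([A-Za-z0-9._-]{20,})"),
}


def find_plaintext_secrets(source):
    """Return (line_no, kind) pairs for lines that look like hard-coded secrets."""
    # Run this over the function package before upload; every hit should be
    # moved to an encrypted environment variable or a KMS-encrypted value.
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((line_no, kind))
    return findings


def redact(message):
    """Mask secret-looking values so a log line never carries a token or password."""
    redacted = SECRET_PATTERNS["password"].sub(lambda m: f"{m.group(1)}=***", message)
    redacted = SECRET_PATTERNS["token"].sub(lambda m: f"{m.group(1)}=***", redacted)
    redacted = SECRET_PATTERNS["secret_key"].sub("***", redacted)
    # Keep the first four characters of an AK so the key can still be identified.
    return SECRET_PATTERNS["access_key"].sub(lambda m: m.group(0)[:4] + "****", redacted)


# Constructed sample function source containing three plaintext secrets.
SAMPLE_SOURCE = '''\
import os
AK = "ABCDEFGHIJ1234567890"
SK = "abcdefghij1234567890ABCDEFGHIJ1234567890"
db_password = "P@ssw0rd!"
region = os.getenv("REGION")
'''

if __name__ == "__main__":
    for line_no, kind in find_plaintext_secrets(SAMPLE_SOURCE):
        print(f"line {line_no}: possible plaintext {kind}")
    print(redact('login failed, password="Secret123", token=eyJhbGciOiJIUzI1NiJ9abcdef'))
```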

Huawei Cloud provides multiple security cloud services for FunctionGraph to enhance security capabilities such as code scanning and threat analysis.

Table 1 Huawei Cloud security cloud services

Service: CodeArts Check

Description: Scans FunctionGraph code from multiple dimensions, covering code style, quality, and security issues. Its core capabilities include:

  • Self-developed scanning engine: Supports mainstream languages such as C/C++, Java, and Python, and detects security vulnerabilities (such as buffer overflows, unauthorized access, and encryption issues) as well as coding standard violations.
  • Security standard support: Integrates standards such as ISO 5055, CWE, and the OWASP Top 10, and includes Huawei's own standards (such as the Huawei C/C++ Coding Standard) built on 30 years of R&D experience, to ensure code meets security requirements.
  • Large-scale scanning: Scans tens of billions of code items per day, supports elastic scheduling and disaster recovery, and is suitable for full code checks on FunctionGraph.

Service: SecMaster

Description: Drawing on Huawei Cloud's years of security experience and built on cloud-native security capabilities, SecMaster provides cloud asset management, security posture management, security information and incident management, security orchestration, automatic response, and other functions, helping you implement integrated and automated security operations management.

SecMaster analyzes the logs of cloud services related to FunctionGraph (such as OBS and VPC) to detect malicious behavior in real time.

  • Multi-dimensional log analysis: Collects IAM, DNS, and CTS logs, and uses AI engines and threat intelligence to identify brute-force and penetration attacks.
  • Alarm and response: Generates threat alarms and outputs statistics, helping you handle potential risks in a timely manner and keep services stable.

With CodeArts Check and SecMaster, FunctionGraph can protect code throughout the development process and monitor threats at runtime.

User Configuration Security

  • Sensitive information protection: If your code or configuration contains sensitive information, use encrypted environment variables to prevent sensitive information from being displayed in plaintext on the UI or in the results returned by APIs.
  • Least privilege: When configuring triggers, VPC access, custom images, or mounting disks, FunctionGraph needs permissions to interact with other cloud services. Follow the principle of least privilege when setting up agencies to minimize the impact of token leakage.
  • KMS-based dynamic encryption and decryption: To decrypt sensitive data (such as database passwords and API keys) while a function is running, use the KMS SDK to manage keys dynamically. Host the encryption and decryption keys in KMS, and create an agency in IAM that grants FunctionGraph permission to access KMS, following the least privilege principle. The authorization policy is as follows:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": "arn:huaweicloud:kms:REGION:ACCOUNT_ID:keyring/kms-ring-123456/key/kms-key-123456"
            }
        ]
    }

    Add the KMS SDK code to your function to decrypt the sensitive data at run time. The following Python snippet is an example.

    import os

    from huaweicloudsdkcore.auth.credentials import BasicCredentials
    from huaweicloudsdkkms.v2 import KmsClient, DecryptDataRequest, DecryptDataRequestBody
    from huaweicloudsdkkms.v2.region.kms_region import KmsRegion


    def decrypt_data(cipher_text):
        # Initialize the KMS client. The access credentials are read from
        # (encrypted) environment variables instead of being written into the code.
        credentials = BasicCredentials(os.getenv('KMS_SECRET_ID'),
                                       os.getenv('KMS_SECRET_KEY'))
        kms_client = KmsClient.new_builder() \
            .with_credentials(credentials) \
            .with_region(KmsRegion.value_of("cn-north-4")) \
            .build()

        # Decrypt data. cipher_text is the Base64 ciphertext that KMS returned
        # when the secret was encrypted; key_id is the ID of the key used.
        request = DecryptDataRequest()
        request.body = DecryptDataRequestBody(
            cipher_text=cipher_text,
            key_id="kms-key-123456"
        )
        response = kms_client.decrypt_data(request)
        return response.plain_text