Security Best Practices
Security is a shared responsibility between Huawei Cloud and you. Huawei Cloud is responsible for the security of the cloud services themselves; you are responsible for using the security capabilities those services provide to protect your data and workloads. For details, see Shared Responsibility.
This document provides security best practices for FunctionGraph. By following it you can continuously assess the security posture of your functions, combine the security features FunctionGraph offers, and reduce the risk of function code or data being leaked or tampered with, whether stored in FunctionGraph or in transit.
Configure security along the following dimensions according to your service needs.
Trusted Code and Dependencies
- Before deploying function code, scan it with CodeArts Check (static analysis and vulnerability scanning) and fix the findings before release.
- Use dependencies only from trusted sources, pin each dependency to an exact version, and update them regularly. Do not use third-party libraries with known vulnerabilities, and remove dependencies the function does not actually need.
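The following is an added example, not code from the FunctionGraph documentation: a pre-build audit of a Python requirements file that flags dependencies which are not pinned to an exact version, carry no --hash, or whose version is on a block list. The block list entry (examplelib) and the sample requirements text are constructed for illustration, not real advisory data.

```python
"""Added example: audit a requirements.txt body before packaging a function."""
import re

# Constructed block list of versions you have decided not to deploy
# (placeholder package name; not a real advisory).
BLOCKED_VERSIONS = {"examplelib": {"1.0.0"}}

# Constructed sample input for the demonstration below.
SAMPLE_REQUIREMENTS = (
    "requests==2.31.0 --hash=sha256:0123\n"
    "flask>=2.0\n"
    "pyyaml\n"
    "examplelib==1.0.0\n"
    "# comment line\n"
)

# name, optional [extras], optional version specifier (stops at whitespace or ';')
_REQ_LINE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([<>=!~]=?[^\s;]*)?"
)


def _normalize(name: str) -> str:
    """pip treats names case-insensitively and '_' as '-'."""
    return name.lower().replace("_", "-")


def audit_requirements(text: str) -> list:
    """Return (package, issue) findings for one requirements.txt body."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith("-"):  # blank lines and pip options
            continue
        m = _REQ_LINE.match(line)
        if not m:
            findings.append((line, "unparseable requirement"))
            continue
        name = _normalize(m.group(1))
        spec = m.group(2) or ""
        pinned = spec.startswith("==") and "*" not in spec
        if not pinned:
            findings.append((name, "not pinned to an exact version (%s)"
                             % (spec or "unversioned")))
        if "--hash=" not in line:
            findings.append((name, "no --hash given"))
        if pinned and spec[2:] in BLOCKED_VERSIONS.get(name, set()):
            findings.append((name, "version %s is on the block list" % spec[2:]))
    return findings


if __name__ == "__main__":
    for package, issue in audit_requirements(SAMPLE_REQUIREMENTS):
        print("%s: %s" % (package, issue))
```

Run it in CI before the deployment package is built and fail the build on any finding; a pinned version with a hash is what makes a later dependency swap or registry compromise detectable.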
Sensitive Information Protection
- If function code or configuration needs sensitive information such as an AK/SK, token, or password, store it in encrypted environment variables rather than in plaintext. Unencrypted values can be displayed in plaintext on the console or returned by the API, leaking the secret.
- Mask or anonymize private data (for example personal information, and anything the function writes to logs) while the function runs. Never print secrets or personal data to logs in plaintext.
- FunctionGraph provides temporary, expiring download links for function code. Treat these links as sensitive and do not share or log them: anyone holding an unexpired link can download the code.
Fine-grained Permission Control and Identity Authentication
- When you configure an agency, AK, or SK for a function through Identity and Access Management (IAM), follow the principle of least privilege so that the function can access only the resources it needs. For example, grant a function read and write permissions on one specific OBS bucket rather than on all buckets.
- When you configure an APIG trigger, enable IAM authentication or a custom authorizer so that only authenticated and authorized requests can invoke the function; without it, the API endpoint is open to anyone who knows its URL. Also configure request throttling in APIG to cap how often the function can be invoked, preventing resource exhaustion by malicious or runaway clients.
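The following is an added example, not from the FunctionGraph documentation: a least-privilege IAM custom policy for a function that needs one OBS bucket, next to an over-broad one, plus a check that rejects wildcard actions and resources before the policy is attached to the function's agency. The policy layout follows Huawei Cloud's custom-policy format with "Version": "1.1"; the bucket name, and the exact OBS action and resource strings, are assumptions to be verified against the OBS permission reference for your region.

```python
"""Added example: scoped OBS policy for a function agency and a wildcard audit."""
import json

BUCKET = "my-function-data"   # assumed bucket name

# Scoped policy: read/write objects under one prefix of one bucket, list that bucket.
SCOPED_POLICY = {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["obs:object:GetObject", "obs:object:PutObject"],
            "Resource": ["OBS:*:*:object:%s/incoming/*" % BUCKET],
        },
        {
            "Effect": "Allow",
            "Action": ["obs:bucket:ListBucket"],
            "Resource": ["OBS:*:*:bucket:%s" % BUCKET],
        },
    ],
}

# Over-broad policy: every OBS action on every resource. Do not attach this.
BROAD_POLICY = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["obs:*:*"], "Resource": ["*"]}],
}


def audit_policy(policy: dict) -> list:
    """Return findings for Allow statements that grant wildcard actions or resources."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in st.get("Action", []):
            if action == "*" or action.endswith(":*"):
                findings.append("statement %d: wildcard action %r" % (i, action))
        # A statement without Resource is treated here as applying to all resources.
        for res in st.get("Resource", ["*"]):
            # The last ':'-separated field names the object or bucket; a bare '*'
            # there means every resource of that type.
            if res == "*" or res.rsplit(":", 1)[-1] == "*":
                findings.append("statement %d: wildcard resource %r" % (i, res))
    return findings


def policy_json(policy: dict) -> str:
    """Serialize a policy for pasting into the IAM custom policy editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_json(SCOPED_POLICY))
    for finding in audit_policy(BROAD_POLICY):
        print("rejected:", finding)
```

Region and account are left as * because a function runs in one region under one account anyway; what the check guards against is the object or bucket field being a wildcard, which is what turns a function compromise into access to every bucket in the account.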
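The following is an added example, not code from the FunctionGraph documentation: a FunctionGraph function used as an APIG custom authorizer. It validates an HMAC-signed bearer token with a constant-time comparison, rejects expired or tampered tokens, and returns an allow/deny decision. Assumptions: the event carries request headers under event["headers"], APIG expects a response of the form {"status": "allow" or "deny", "context": {...}}, the signing key is read from an encrypted environment variable named AUTH_SECRET, and the token format (base64url JSON claims, a dot, then a hex HMAC-SHA256) is this example's own rather than a FunctionGraph or APIG format.

```python
"""Added example: APIG custom authorizer that verifies HMAC-signed bearer tokens."""
import base64
import hashlib
import hmac
import json
import os
import time


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret: str, payload: str) -> str:
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()


def issue_token(secret: str, subject: str, ttl_seconds: int, now: float) -> str:
    """Mint a token; normally done by your login service, included so the
    example is self-contained."""
    claims = {"sub": subject, "exp": int(now) + ttl_seconds}
    payload = _b64u(json.dumps(claims).encode())
    return payload + "." + _sign(secret, payload)


def verify_token(token: str, secret: str, now: float):
    """Return the claims dict if the token is genuine and unexpired, else None."""
    try:
        payload, sig = token.split(".", 1)
        # Constant-time compare so response timing does not leak how much
        # of a forged signature matched.
        if not hmac.compare_digest(_sign(secret, payload), sig):
            return None
        claims = json.loads(_b64u_decode(payload))
    except (ValueError, TypeError):  # no '.', bad base64, bad JSON, non-ASCII sig
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    return claims


def authorize(event: dict, secret: str, now: float) -> dict:
    """Decide allow/deny for one APIG request event (pure, for testing)."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": "deny", "context": {"reason": "missing bearer token"}}
    claims = verify_token(auth[len("Bearer "):], secret, now)
    if claims is None:
        return {"status": "deny", "context": {"reason": "invalid or expired token"}}
    # Values in context are forwarded to the backend by APIG (assumption).
    return {"status": "allow", "context": {"sub": str(claims.get("sub", ""))}}


def handler(event, context):
    """FunctionGraph entry point for the authorizer function."""
    secret = os.environ.get("AUTH_SECRET", "")  # assumed encrypted env variable
    if not secret:
        # Fail closed: a misconfigured authorizer must not let traffic through.
        return {"status": "deny", "context": {"reason": "authorizer not configured"}}
    return authorize(event, secret, time.time())
```

The authorizer fails closed on every error path, including a missing secret, and the backend function only ever sees requests that carried a valid token; pair it with APIG throttling, since the authorizer itself is a function invocation an attacker can make you pay for.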
VPC Configuration
To access resources inside a Virtual Private Cloud (VPC), such as an RDS instance, configure VPC access for the function so that traffic to those services stays within the isolated network instead of crossing the public Internet. Restrict the subnet and security group used by the function to the addresses and ports it actually needs.
Version Management
FunctionGraph supports version management. Publish versions of each function and run only stable, tested versions in the production environment. Use aliases to reference versions so that, if a security issue is found, you can roll back by pointing the alias at a previous version without changing trigger configuration.