Function runtimes can execute untrusted code paths and require strong isolation.
- Run functions in isolated containers/sandboxes with strict resource limits.
- Deny host filesystem and privileged container access.
- Restrict egress from the function runtime to required services only.
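
One way to check the list above against running containers, as an added example that is not part of the original page: it audits the `HostConfig` section of `docker inspect` output. Docker as the function runtime, the container names and the sample data are assumptions; egress filtering is enforced at the network layer, so only host networking is flagged here.

```python
import json

# Constructed sample: `docker inspect` output trimmed to the audited fields,
# for one weak and one hardened function container (names are hypothetical).
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/fn-weak", "HostConfig": {"Privileged": true,
   "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
   "Memory": 0, "NanoCpus": 0, "PidsLimit": null,
   "CapAdd": ["SYS_ADMIN"], "CapDrop": null,
   "NetworkMode": "host", "PidMode": "host"}},
 {"Name": "/fn-hardened", "HostConfig": {"Privileged": false,
   "Binds": null, "Memory": 134217728, "NanoCpus": 500000000,
   "PidsLimit": 64, "CapAdd": null, "CapDrop": ["ALL"],
   "NetworkMode": "fn-egress", "PidMode": ""}}
]
""")

def audit(container):
    """Return a list of isolation findings for one `docker inspect` entry."""
    hc = container.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged container")
    if hc.get("CapAdd"):
        findings.append("extra capabilities: " + ",".join(hc["CapAdd"]))
    if "ALL" not in [c.upper() for c in (hc.get("CapDrop") or [])]:
        findings.append("capabilities not dropped")
    # Binds are "source:target[:opts]"; an absolute source is a host path,
    # anything else is a named volume and is not flagged.
    for bind in hc.get("Binds") or []:
        source = bind.split(":")[0]
        if source.startswith("/"):
            findings.append("host path mounted: " + source)
    if not hc.get("Memory"):
        findings.append("no memory limit")
    if not hc.get("NanoCpus") and not hc.get("CpuQuota"):
        findings.append("no CPU limit")
    if (hc.get("PidsLimit") or 0) <= 0:  # null, 0 and -1 all mean unlimited
        findings.append("no PID limit")
    for key in ("NetworkMode", "PidMode", "IpcMode"):
        if hc.get(key) == "host":
            findings.append(key + " shares host namespace")
    return findings

def audit_all(inspect_output):
    """Map container name -> findings for a parsed `docker inspect` array."""
    return {c["Name"].lstrip("/"): audit(c) for c in inspect_output}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else findings)
```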

Secrets and Invocation Security
- Use a secret manager for function credentials.
- Authenticate function invocations and API endpoints.
- Log invocation metadata and monitor anomalous execution patterns.