Managing AWS EC2 instances requires some overhead -- even if you're only running relatively simple or lightweight services. AWS Lambda is a fine-grained method for deploying code, provisioning services and monitoring the health of lightweight services. Here are five best practices for getting the most out of AWS Lambda.
- Re-use identity and access management policies, when possible. AWS Lambda functions require invocation and execution roles; execution roles require an access policy and a trust policy. The access policy grants resource permissions, such as the ability to read from or write to a Simple Storage Service (S3) bucket. The trust policy specifies who can assume the role. It makes sense to re-use access policies you have established for other programs. But be careful of over-privileging. If your function only needs to read from an S3 bucket, do not give it an access policy that also allows writing. Even though AWS Lambda functions are small, admins still need to consider security best practices, such as the principle of least privilege.
- Delete AWS Lambda functions that are no longer needed. CloudWatch, which gives you information on actively used functions, can help with cleanup. If the code is under version control, admins can restore a deleted function from there. And don't forget to invoke the context.done() function when your function is done running; this will clean up any resources that the function used. If you don't call it, the function may run longer and could incur additional charges.
- Use a function-naming convention that works for you. Ideally, the name should indicate the type of operation performed, the data manipulated and the system to which the function belongs. For example, use a naming convention such as <application code><general function type><data type> to produce function names like "custNewUpload." This name indicates that the function is part of a customer management system and processes new files that are uploaded to the application.
- Use CloudWatch to monitor AWS Lambda function invocations and executions. With CloudWatch, admins can track request duration, request count and execution error count. They can also view Lambda CloudWatch metrics through the AWS Management Console, CloudWatch or the AWS command line. CloudWatch can also help debug code -- insert log statements into the function, run the function and then review output in the CloudWatch log file.
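The over-privileging check from the first practice can be run against a policy before it is re-used for a new function. The following is an added example, not code from the original article: the function names `excess_actions` and `unexpected_principals` are hypothetical, and the sample policies, bucket name and account ID are constructed placeholders.

```python
import json

def _as_list(value):
    """IAM lets Statement, Action and principal values be a single item or a list."""
    return value if isinstance(value, list) else [value]

def excess_actions(access_policy, needed):
    """Return Allow-ed actions that go beyond the set the function actually needs."""
    needed = {a.lower() for a in needed}        # IAM action names are case-insensitive
    excess = set()
    for stmt in _as_list(access_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:                 # allows everything except the listed actions
            excess.add("NotAction")
        for action in _as_list(stmt.get("Action", [])):
            # A wildcard always grants more than an enumerated list of needs.
            if "*" in action or action.lower() not in needed:
                excess.add(action)
    return sorted(excess)

def unexpected_principals(trust_policy, expected="lambda.amazonaws.com"):
    """Return principals allowed to assume the role other than the Lambda service."""
    found = []
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                    # anyone may assume the role
            found.append("*")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if (kind, value) != ("Service", expected):
                    found.append(f"{kind}:{value}")
    return found

# Constructed sample policies; bucket name and account ID are placeholders.
ACCESS_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}""")
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"Service": "lambda.amazonaws.com",
                 "AWS": "arn:aws:iam::111122223333:root"}}]}""")

if __name__ == "__main__":
    print("excess actions:", excess_actions(ACCESS_POLICY, ["s3:GetObject"]))
    print("unexpected principals:", unexpected_principals(TRUST_POLICY))
```

An empty result from both functions means the re-used policy grants only what the function needs and only the Lambda service can assume the role.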
About the author:
Dan Sullivan holds a master of science degree and is an author, systems architect and consultant with more than 20 years of IT experience. He has had engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence. He has worked in a broad range of industries, including financial services, manufacturing, pharmaceuticals, software development, government, retail and education. Dan has written extensively about topics that range from data warehousing, cloud computing and advanced analytics to security management, collaboration and text mining.