Best practice rules for OCI Functions
- Attach Function Applications to Network Security Groups (NSGs)
Ensure that Oracle Cloud Infrastructure (OCI) Functions applications are attached to Network Security Groups (NSGs) to implement granular ingress and egress network access controls.
- Check for Least Privilege IAM Policies for Function Invocation
Ensure that IAM policies controlling access to OCI Functions follow the principle of least privilege by granting only the minimum permissions necessary.
- Check for Private Subnet Deployment for Function Applications
Ensure that Oracle Cloud Infrastructure (OCI) Functions applications are deployed in private subnets to minimize exposure to the public internet.
- Check for Resource-Level Access Controls in Function IAM Policies
Ensure that IAM policies implement resource-level access controls for OCI Functions using specific application or function OCIDs in policy conditions.
- Check for Separation of Function Management and Invocation Permissions
Ensure that IAM policies separate function management permissions from function invocation permissions to enforce the principle of separation of duties.
- Check for Service Gateway Configuration for Private Function Access
Ensure that Virtual Cloud Networks (VCNs) containing OCI Functions applications have a service gateway configured to enable private communication with the Oracle Services Network.
- Restrict Function Access by Network Source
Ensure that function invocation and management requests are restricted to specific IP addresses or network sources to prevent unauthorized access from untrusted networks.