End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

Restrict Function Access by Network Source

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: OCI-Functions-007

Ensure that the Oracle Cloud Infrastructure (OCI) IAM policies that control access to Functions applications include network source conditions, so that function invocation and management operations are restricted to specific IP addresses or network sources. A network source is a named set of IP addresses (public IP ranges and/or VCN subnet IP ranges) that can be referenced in IAM policy conditions to enforce network-based access control. By adding a network source condition to a policy statement (for example, where request.networkSource.name='corpnet'), you ensure that the permissions granted by that statement can only be exercised from the IP ranges defined in the named network source. This prevents function execution from arbitrary internet locations and limits the damage that stolen credentials, unauthorized access, and lateral movement can cause. Network source restrictions should be applied to every statement granting use fn-invocation, manage fn-function, manage fn-app, or manage functions-family permissions, so that both invocation and management operations are subject to network-based access control.

Security

Restricting Oracle Cloud Infrastructure (OCI) Functions access by network source adds a layer of defense in depth: function invocation and management operations can only be performed from trusted network locations. Even if a user's API signing key or session token is stolen, a network source condition prevents the attacker from invoking or managing functions from a network that is not on the approved list, which blunts credential-based attacks and lateral movement. This matters for serverless functions that process sensitive data, trigger business-critical workflows, or hold access to backend resources such as databases and object storage. Network source restrictions enforce the principle that access to cloud resources should be limited not only by identity (who you are) but also by network location (where you are). By defining approved IP address ranges in network sources and referencing them in IAM policy conditions, organizations can permit function access only from corporate networks, VPN egress addresses, or approved cloud environments, while denying attempts from arbitrary public internet locations. This aligns with zero trust principles, supports compliance requirements for network segmentation and access control, and leaves an audit trail that records the network origin of each function access request.


Audit

To determine if your OCI Functions access policies include network source restrictions, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Identity & Security console available at https://cloud.oracle.com/identity/.

  3. In the left navigation panel, under Identity, choose Network sources to verify that network sources are defined. If no network sources exist, you must create them first before applying network source restrictions to policies.

  4. Review the existing network sources and note the names of network sources that represent approved IP address ranges (such as corpnet, vpn-network, trusted-ips).

  5. In the left navigation panel, under Identity, choose Policies to list the IAM policies available in the selected compartment.

  6. Choose the OCI compartment that you want to examine from the Compartment dropdown list on the left side. Review policies in all compartments, including the root compartment.

  7. Click on the name (link) of the IAM policy that contains Functions-related permissions that you want to examine.

  8. Select the Policy statements section and review each policy statement that grants Functions permissions. Look for the following security issues:

    • Policy statements granting use fn-invocation permissions without a network source condition (no where request.networkSource.name='<network-source>' clause), allowing function invocations from any network location, including untrusted internet sources.
    • Policy statements granting manage fn-app, manage fn-function, or manage functions-family permissions without a network source condition, allowing function management operations from any network location.
    • Policy statements whose conditions reference a network source name that does not exist in the tenancy (or is misspelled). Such a condition can never match, so the statement grants no access until the name is corrected.
  9. If you identify Functions-related policy statements that grant use fn-invocation, manage fn-app, manage fn-function, or manage functions-family permissions without a network source condition (such as where request.networkSource.name='corpnet'), the selected Oracle Cloud Infrastructure (OCI) IAM policy allows function access from any network location, creating significant exposure to credential-based attacks and unauthorized access.

  10. Repeat steps no. 7 – 9 for each IAM policy available in the selected compartment.

  11. Repeat steps no. 6 – 10 for each compartment, including the root compartment (tenancy), available within your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account. The --compartment-id-in-subtree flag is required to include nested (child) compartments, which would otherwise be missed:

    oci iam compartment list
    	--all
    	--include-root
    	--compartment-id-in-subtree true
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run iam network-sources list command (Windows/macOS/Linux) to list the network sources defined in your tenancy and verify that network sources exist for approved IP address ranges:

    oci iam network-sources list
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
    	--all
    	--query 'data[].{name:name, id:id}'
    
  4. The command output should return the names and IDs of defined network sources:

    [
    	{
    		"id": "ocid1.networksource.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"name": "corpnet"
    	},
    	{
    		"id": "ocid1.networksource.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
    		"name": "vpn-network"
    	}
    ]
    

    Note the network source names for use in policy condition validation.

  5. Run iam policy list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID and name of each IAM policy available in the selected compartment:

    oci iam policy list
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
    	--all
    	--lifecycle-state 'ACTIVE'
    	--query 'data[].{id:id, name:name}'
    
  6. The command output should return the requested IAM policy identifiers and names:

    [
    	{
    		"id": "ocid1.policy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"name": "cc-functions-policy"
    	},
    	{
    		"id": "ocid1.policy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
    		"name": "cc-admin-policy"
    	}
    ]
    
  7. Run iam policy get command (Windows/macOS/Linux) with the ID of the IAM policy that you want to examine as the identifier parameter, to describe the policy statements for the selected policy:

    oci iam policy get
    	--policy-id 'ocid1.policy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
    	--query 'data.statements'
    
  8. The command output should return the policy statements for the specified IAM policy:

    [
    	"Allow group FunctionsDevelopers to manage fn-app in compartment cc-functions-compartment",
    	"Allow group FunctionsInvokers to use fn-invocation in compartment cc-functions-compartment"
    ]
    
    Review each policy statement carefully and look for the following security issues:
    • Policy statements granting "use fn-invocation" permissions without a network source condition (no "where request.networkSource.name='<network-source>'" clause), allowing function invocations from any network location.
    • Policy statements granting "manage fn-app", "manage fn-function", or "manage functions-family" permissions without a network source condition, allowing function management operations from any network location.
    • Policy statements whose conditions reference a network source name that is not in the list returned in step no. 4 (missing or misspelled). Such a condition can never match, so the statement grants no access until the name is corrected.

    If you identify Functions-related policy statements that grant "use fn-invocation", "manage fn-app", "manage fn-function", or "manage functions-family" permissions without a network source condition (as shown in the output example above), the selected Oracle Cloud Infrastructure (OCI) IAM policy allows function access from any network location, creating significant exposure to credential-based attacks and unauthorized access.
  9. Repeat steps no. 7 and 8 to verify the policy statements for other IAM policies available in the selected compartment.

  10. Repeat steps no. 5 – 9 for each compartment, including the root compartment (tenancy), available within your Oracle Cloud Infrastructure (OCI) account.
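The audit above is a manual read of each statement. The following script is an added example for this page (it is not Oracle or Trend Micro code) that performs the same three checks over the JSON returned by the CLI commands in steps no. 3 and 7: it flags use/manage grants on fn-app, fn-function, fn-invocation and functions-family that carry no request.networkSource.name condition, and it flags any condition that names a network source not present in the tenancy. It also treats manage all-resources as a Functions grant, since that resource type covers every resource, which the page's bullets do not spell out. The embedded network source list and policy statements are constructed sample data in the shape of the CLI output, so the script runs offline; the file-argument mode is an assumption about how you would feed it real output.

```python
"""Flag OCI IAM policy statements that grant Functions permissions without a
network source condition, or that reference a network source that does not
exist. Added example for this page (not Oracle or Trend Micro code). Input is
the JSON produced by the CLI commands above; the data embedded below is a
constructed sample so the script runs offline."""
import json
import re
import sys
from typing import Dict, List

# Functions resource types; functions-family and all-resources cover all of them.
FUNCTIONS_RESOURCES = {"fn-app", "fn-function", "fn-invocation",
                       "functions-family", "all-resources"}
# Verbs that must carry a network source condition according to the rule.
RESTRICTED_VERBS = {"use", "manage"}

# Assumption: one well-formed statement per string:
#   Allow <subject> to <verb> <resource> in <scope> [where <condition>]
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject>.+?)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>.+?)(?:\s+where\s+(?P<where>.+))?\s*$",
    re.IGNORECASE,
)
NETSRC_RE = re.compile(r"request\.networkSource\.name\s*=\s*'([^']*)'", re.IGNORECASE)


def parse_statement(stmt: str):
    m = STATEMENT_RE.match(stmt)
    return m.groupdict() if m else None


def is_functions_statement(stmt: str) -> bool:
    p = parse_statement(stmt)
    return p is not None and p["resource"].lower() in FUNCTIONS_RESOURCES


def referenced_network_sources(stmt: str) -> List[str]:
    """Every network source name used in the where clause
    (also covers any {...} / all {...} blocks with several conditions)."""
    return NETSRC_RE.findall(stmt)


def audit_policy(policy: str, statements: List[str], known_sources: List[str]) -> List[dict]:
    findings = []
    for stmt in statements:
        p = parse_statement(stmt)
        if p is None:
            findings.append({"policy": policy, "statement": stmt,
                             "issue": "unparsed statement; review manually"})
            continue
        refs = referenced_network_sources(stmt)
        # Names are matched exactly; a typo makes the condition unsatisfiable.
        unknown = [r for r in refs if r not in known_sources]
        if unknown:
            findings.append({"policy": policy, "statement": stmt,
                             "issue": "unknown network source(s): " + ", ".join(unknown)})
        if (p["resource"].lower() in FUNCTIONS_RESOURCES
                and p["verb"].lower() in RESTRICTED_VERBS and not refs):
            findings.append({"policy": policy, "statement": stmt,
                             "issue": "no network source condition"})
    return findings


# Constructed sample data in the shape of
#   oci iam network-sources list --query 'data[].name'   -> list of names
#   oci iam policy get --query 'data.statements'         -> list of statements
SAMPLE_NETWORK_SOURCES = ["corpnet", "vpn-network"]
SAMPLE_POLICIES: Dict[str, List[str]] = {
    "cc-functions-policy": [
        "Allow group FunctionsDevelopers to manage fn-app in compartment cc-functions-compartment",
        "Allow group FunctionsInvokers to use fn-invocation in compartment cc-functions-compartment",
    ],
    "cc-admin-policy": [
        "Allow group FunctionsAdmins to manage functions-family in compartment cc-functions-compartment "
        "where request.networkSource.name='corpnet'",
        "Allow group Auditors to read fn-app in compartment cc-functions-compartment "
        "where request.networkSource.name='corp-net'",
        "Allow group NetAdmins to manage virtual-network-family in compartment cc-functions-compartment",
    ],
}


def audit_all(policies=SAMPLE_POLICIES, sources=SAMPLE_NETWORK_SOURCES) -> List[dict]:
    out = []
    for name, stmts in policies.items():
        out.extend(audit_policy(name, stmts, sources))
    return out


if __name__ == "__main__":
    # Usage (assumed): python3 audit_fn_netsrc.py [network-sources.json statements.json]
    # where the files hold the raw --query output of the two CLI commands above.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            results = audit_all({"policy": json.load(f2)}, json.load(f1))
    else:
        results = audit_all()
    for f in results:
        print(f"[{f['policy']}] {f['issue']}: {f['statement']}")
```

On the sample data the script reports the two unrestricted statements in cc-functions-policy and the misspelled corp-net reference in cc-admin-policy; the functions-family statement restricted to corpnet and the unrelated virtual-network-family statement produce no findings.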

Remediation / Resolution

To implement network source restrictions for your Oracle Cloud Infrastructure (OCI) Functions access policies, you must create network sources defining approved IP address ranges and update your IAM policies to include network source conditions by performing the following operations:

Important considerations before implementing network source restrictions:
  • Create network sources first: Before updating IAM policies, you must create network sources that define the approved IP address ranges from which function access should be allowed. Network sources can include public IP addresses (e.g., corporate office IP ranges) or VCN subnet IP ranges.
  • Identify approved IP ranges: Work with your network team to identify all legitimate IP address ranges that should be permitted to access OCI Functions. This includes corporate office networks, VPN endpoints, bastion hosts, approved cloud environments, and CI/CD pipeline IP addresses.
  • Test in non-production first: Network source restrictions can immediately block access from unauthorized networks. Test the network source definitions and policy changes in a development or test compartment before applying to production environments.
  • Plan for remote access scenarios: Ensure that VPN or other remote access solutions are in place for users who need to access functions from outside the corporate network.
  • Document approved IP ranges: Maintain clear documentation of which IP ranges are included in each network source and the business justification for each range.
  • Coordinate with users: Notify affected users before implementing network source restrictions, as this will prevent function access from unauthorized networks (including home networks or public Wi-Fi).
  • Monitor for access denials: After implementing network source restrictions, monitor audit logs for access denials that might indicate legitimate users attempting access from unapproved networks.
  • Network sources are tenancy-level resources: they can only be created in the tenancy (root compartment), in the tenancy's home region, but a policy in any compartment can reference them by name. For VCN-based sources, only requests that reach OCI through the VCN's service gateway are attributed to that network source; requests that leave the VCN through an internet or NAT gateway arrive from a public IP address and must instead be covered by a public source entry.

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Identity & Security console available at https://cloud.oracle.com/identity/.

  3. In the left navigation panel, under Identity, choose Network sources to manage network sources.

  4. If a network source for approved IP ranges does not already exist, choose Create network source and perform the following actions:

    1. For Name, provide a unique name for the network source (e.g., "corpnet", "vpn-network", "trusted-ips").
    2. For Description, provide a clear description of what IP ranges this network source represents (e.g., "Corporate office network IP ranges").
    3. For Network source type, select one or both of the following based on your requirements:
      1. Public network - For public IP addresses or CIDR blocks. In the Public source section, choose + Another public source and enter each approved public IP address or CIDR block (e.g., "203.0.113.0/24").
      2. Virtual cloud network - For VCN subnet IP ranges. In the Virtual source section, choose + Another virtual source, select the VCN OCID, and specify the IP ranges within that VCN (e.g., "10.0.1.0/24").
    4. Choose Create network source to create the network source.
  5. Verify that the network source was created successfully and note the network source name for use in policy statements.

  6. In the left navigation panel, under Identity, choose Policies to list the IAM policies.

  7. Choose the OCI compartment that contains the Functions-related policy you want to modify from the Compartment dropdown list on the left side.

  8. Click on the name (link) of the IAM policy that you want to reconfigure (see Audit section part I to identify the right resource).

  9. In the Policy detail page, choose Edit policy statements to modify the policy.

  10. For each Functions-related policy statement identified during the audit that lacks network source restrictions, perform the following actions:

    1. For function invocation policies, add network source conditions to restrict invocations to approved networks. For example, update:
      • Old statement: Allow group FunctionsInvokers to use fn-invocation in compartment cc-functions-compartment
      • New statement: Allow group FunctionsInvokers to use fn-invocation in compartment cc-functions-compartment where request.networkSource.name='corpnet'
    2. For function management policies, add network source conditions to restrict management operations. For example, update:
      • Old statement: Allow group FunctionsDevelopers to manage fn-app in compartment cc-functions-compartment
      • New statement: Allow group FunctionsDevelopers to manage fn-app in compartment cc-functions-compartment where request.networkSource.name='corpnet'
    3. For policies requiring multiple network sources, use ANY conditions to allow access from multiple approved networks:
      • Allow group FunctionsInvokers to use fn-invocation in compartment cc-functions-compartment where ANY {request.networkSource.name='corpnet', request.networkSource.name='vpn-network'}
    4. To edit a statement in the console, click on the statement text, modify it to include the network source condition, and choose Save changes.
  11. Choose Save changes to apply the updated policy statements with network source restrictions.

  12. Verify that the policy changes work as expected by testing function access from approved networks (should succeed) and from unapproved networks (should be denied).

  13. Repeat steps no. 8 – 12 for other IAM policies that contain Functions-related statements without network source restrictions.

  14. Repeat steps no. 7 – 13 for each compartment, including the root compartment (tenancy), available within your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

  1. Run iam network-sources list command (Windows/macOS/Linux) to check if network sources exist for approved IP address ranges:

    oci iam network-sources list
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
    	--all
    	--query 'data[].name'
    
  2. If a network source for approved IP ranges does not exist, run iam network-sources create command (Windows/macOS/Linux) to create a network source defining approved IP address ranges:

    oci iam network-sources create
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
    	--name 'corpnet'
    	--description 'Corporate office network IP ranges'
    	--public-source-list '["203.0.113.0/24", "198.51.100.0/24"]'
    
  3. The command output should return the created network source configuration:

    {
    	"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"defined-tags": {},
    	"description": "Corporate office network IP ranges",
    	"freeform-tags": {},
    	"id": "ocid1.networksource.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"lifecycle-state": "ACTIVE",
    	"name": "corpnet",
    	"public-source-list": [
    		"203.0.113.0/24",
    		"198.51.100.0/24"
    	],
    	"services": [
    		"all"
    	],
    	"time-created": "2025-02-18T10:00:00.123000+00:00",
    	"virtual-source-list": []
    }
    
  4. Run iam policy get command (Windows/macOS/Linux) with the ID of the IAM policy that you want to reconfigure (see Audit section part II to identify the right resource) as the identifier parameter, to retrieve the current policy configuration:

    oci iam policy get
    	--policy-id 'ocid1.policy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
    	--query 'data'
    
  5. The command output should return the current configuration of the specified policy. Review the statements to identify which ones need network source conditions added.

  6. Create a JSON file (e.g., updated-policy-with-network-source.json) containing the updated policy statements with network source conditions. The file must contain a bare JSON array of policy statement strings (not wrapped in an object). For example:

    [
    	"Allow group FunctionsDevelopers to manage fn-app in compartment cc-functions-compartment where request.networkSource.name='corpnet'",
    	"Allow group FunctionsDevelopers to manage fn-function in compartment cc-functions-compartment where request.networkSource.name='corpnet'",
    	"Allow group FunctionsInvokers to use fn-invocation in compartment cc-functions-compartment where request.networkSource.name='corpnet'",
    	"Allow group FunctionsAdmins to manage functions-family in compartment cc-functions-compartment where request.networkSource.name='corpnet'"
    ]
    
  7. Run iam policy update command (Windows/macOS/Linux) with the ID of the IAM policy that you want to reconfigure as the identifier parameter and the updated policy statements with network source conditions, to update the policy:

    oci iam policy update
    	--policy-id 'ocid1.policy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
    	--statements file://updated-policy-with-network-source.json
    	--version-date ''
    	--force
    
  8. The command output should return the updated policy configuration with network source conditions:

    {
    	"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"defined-tags": {},
    	"description": "Functions access policy with network source restrictions",
    	"freeform-tags": {},
    	"id": "ocid1.policy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"lifecycle-state": "ACTIVE",
    	"name": "cc-functions-policy",
    	"statements": [
    		"Allow group FunctionsDevelopers to manage fn-app in compartment cc-functions-compartment where request.networkSource.name='corpnet'",
    		"Allow group FunctionsDevelopers to manage fn-function in compartment cc-functions-compartment where request.networkSource.name='corpnet'",
    		"Allow group FunctionsInvokers to use fn-invocation in compartment cc-functions-compartment where request.networkSource.name='corpnet'",
    		"Allow group FunctionsAdmins to manage functions-family in compartment cc-functions-compartment where request.networkSource.name='corpnet'"
    	],
    	"time-created": "2025-01-10T09:15:00.123000+00:00",
    	"version-date": null
    }
    
  9. Verify that the policy changes work as expected by testing function access from approved networks (should succeed) and from unapproved networks (should be denied).

  10. Repeat steps no. 4 – 9 for other IAM policies that contain Functions-related statements without network source restrictions.
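Editing statements by hand is error-prone when a policy holds many of them. The following script is an added example for this page (not Oracle or Trend Micro code) that produces the bare JSON array expected by the iam policy update command above from an existing statement list: use/manage grants on fn-app, fn-function, fn-invocation and functions-family without a network source condition get one appended; several approved sources are combined with any {...} as in the Console steps; a statement that already has a simple where clause is combined with all {...}; statements that already reference a network source, or that are not Functions grants, are left untouched. Because this example has not verified how OCI nests any/all blocks, a statement whose existing where clause is itself a compound block, or that would need several sources combined with an existing condition, is reported for manual review instead of being rewritten. The statement list embedded below is constructed sample data.

```python
"""Rewrite Functions policy statements so that every use/manage grant carries a
network source condition, and emit the bare JSON array expected by
`oci iam policy update --statements file://...`. Added example for this page
(not Oracle or Trend Micro code). Statements that already have a compound
where clause are left for manual editing rather than rewritten with nested
any/all syntax this example has not verified."""
import json
import re
from typing import List, Tuple

FUNCTIONS_RESOURCES = {"fn-app", "fn-function", "fn-invocation", "functions-family"}
RESTRICTED_VERBS = {"use", "manage"}

# Assumption: one well-formed statement per string:
#   Allow <subject> to <verb> <resource> in <scope> [where <condition>]
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject>.+?)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>.+?)(?:\s+where\s+(?P<where>.+))?\s*$",
    re.IGNORECASE,
)
NETSRC_RE = re.compile(r"request\.networkSource\.name\s*=\s*'([^']*)'", re.IGNORECASE)
COMPOUND_RE = re.compile(r"^(any|all)\s*\{", re.IGNORECASE)


def network_source_condition(sources: List[str]) -> str:
    """One source -> plain equality; several -> any {...} as in the Console steps."""
    conds = [f"request.networkSource.name='{s}'" for s in sources]
    return conds[0] if len(conds) == 1 else "any {" + ", ".join(conds) + "}"


def restrict_statement(stmt: str, sources: List[str]) -> Tuple[str, str]:
    """Return (statement, action); action is 'unchanged', 'restricted' or
    'manual-review'. Idempotent: an already restricted statement is unchanged."""
    m = STATEMENT_RE.match(stmt)
    if m is None:
        return stmt, "manual-review"
    g = m.groupdict()
    if g["resource"].lower() not in FUNCTIONS_RESOURCES or g["verb"].lower() not in RESTRICTED_VERBS:
        return stmt, "unchanged"          # not in scope of this rule
    if NETSRC_RE.search(stmt):
        return stmt, "unchanged"          # already carries a network source condition
    cond = network_source_condition(sources)
    if g["where"] is None:
        return f"{stmt.rstrip()} where {cond}", "restricted"
    existing = g["where"].strip()
    # Combining an existing any/all block, or several sources, with another
    # condition would need nested blocks; hand those to a human.
    if COMPOUND_RE.match(existing) or len(sources) > 1:
        return stmt, "manual-review"
    head = stmt[: m.start("where")].rstrip()   # everything up to and including 'where'
    return f"{head} all {{{existing}, {cond}}}", "restricted"


def restrict_statements(statements: List[str], sources: List[str]):
    rewritten, report = [], []
    for s in statements:
        new, action = restrict_statement(s, sources)
        rewritten.append(new)
        report.append((action, new))
    return rewritten, report


def statements_json(statements: List[str]) -> str:
    """Bare JSON array of strings, the format `--statements file://` expects."""
    return json.dumps(statements, indent=1)


# Constructed sample: the statements a policy might hold before remediation.
SAMPLE_STATEMENTS = [
    "Allow group FunctionsDevelopers to manage fn-app in compartment cc-functions-compartment",
    "Allow group FunctionsInvokers to use fn-invocation in compartment cc-functions-compartment",
    "Allow group FunctionsAdmins to manage functions-family in compartment cc-functions-compartment "
    "where request.networkSource.name='corpnet'",
    "Allow group Deployers to manage fn-function in compartment cc-functions-compartment "
    "where request.user.name='deploy-bot'",
    "Allow group NetAdmins to manage virtual-network-family in compartment cc-functions-compartment",
]

if __name__ == "__main__":
    new, report = restrict_statements(SAMPLE_STATEMENTS, ["corpnet"])
    for action, stmt in report:
        print(f"{action:14} {stmt}")
    # Feed the result to: oci iam policy update --statements file://updated-policy-with-network-source.json
    with open("updated-policy-with-network-source.json", "w") as fh:
        fh.write(statements_json(new))
```

Run the script a second time over its own output and every statement comes back unchanged, which is the property you want before wiring it into a pipeline; review the manual-review lines by hand and re-run the audit from the previous section against the updated policy before trusting the change.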


Publication date Feb 24, 2026