
Check for Least Privilege IAM Policies for Function Invocation

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: OCI-Functions-002

Ensure that your Oracle Cloud Infrastructure (OCI) IAM policies controlling access to Functions applications follow the principle of least privilege by granting only the minimum permissions necessary to perform specific tasks. Avoid overly permissive policies such as manage functions-family, which grants comprehensive permissions for both management operations (create, update, delete) and function invocation. Instead, implement granular access controls by separating concerns: grant use fn-invocation for invocation-only access, manage fn-app for application management operations, and manage fn-function for function management operations. Additionally, implement resource-level access controls using policy conditions such as target.app.id or target.function.id to restrict access to specific applications or functions, and leverage network source conditions to further limit access based on network origin.

Security

Implementing least privilege IAM policies for Oracle Cloud Infrastructure (OCI) Functions significantly reduces security risks by ensuring users and services have only the permissions they need to perform their designated tasks. Overly permissive policies, such as granting manage functions-family to broad user groups, create unnecessary security exposure by allowing users to not only invoke functions but also create, modify, and delete function applications and functions themselves. This violates the separation of duties principle and increases the risk of accidental or malicious modifications to critical serverless workloads. By using granular policy verbs (use fn-invocation for invocation, manage fn-function for function management, manage fn-app for application management) and implementing resource-level conditions (target.app.id, target.function.id, request.networkSource.name), organizations can enforce precise access controls that align with the principle of least privilege. This approach minimizes the attack surface, prevents privilege escalation, supports compliance requirements for access control, and enables better audit trails by clearly defining who can perform which operations on specific Functions resources.


Audit

To determine if your OCI IAM policies for Functions follow the principle of least privilege, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Identity & Security console available at https://cloud.oracle.com/identity/.

  3. In the left navigation panel, under Identity, choose Policies to list the IAM policies available in the selected compartment.

  4. Choose the OCI compartment that you want to examine from the Compartment dropdown list on the left side. Review policies in all compartments, including the root compartment.

  5. Click on the name (link) of the IAM policy that you want to examine.

  6. Select the Policy statements section and review each policy statement carefully. Look for the following security issues:

    • Policy statements containing manage functions-family that grant broad permissions to user groups. This verb grants full management and invocation permissions to all Functions resources in the specified compartment.
    • Policy statements that lack resource-level conditions (such as where target.app.id = '' or where target.function.id = '') when granting use fn-invocation permissions, allowing users to invoke all functions in a compartment rather than specific functions.
    • Policy statements that grant manage fn-app or manage fn-function permissions to users who only need to invoke functions, violating the separation of duties principle.
  7. If you identify policy statements with manage functions-family that grant overly broad permissions to user groups, or policy statements with use fn-invocation that lack resource-level restrictions (when specific function access should be enforced), the selected Oracle Cloud Infrastructure (OCI) IAM policy does not follow the principle of least privilege and creates unnecessary security exposure.

  8. Repeat steps no. 5 – 7 for each IAM policy available in the selected compartment.

  9. Repeat steps no. 4 – 8 for each compartment, including the root compartment (tenancy), available within your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
        --all \
        --include-root \
        --query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run iam policy list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID and name of each IAM policy available in the selected compartment:

    oci iam policy list \
        --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --all \
        --lifecycle-state 'ACTIVE' \
        --query 'data[].{id:id, name:name}'
    
  4. The command output should return the requested IAM policy identifiers and names:

    [
    	{
    		"id": "ocid1.policy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"name": "cc-functions-policy"
    	},
    	{
    		"id": "ocid1.policy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
    		"name": "cc-admin-policy"
    	}
    ]
    
  5. Run iam policy get command (Windows/macOS/Linux) with the ID of the IAM policy that you want to examine as the identifier parameter, to describe the policy statements for the selected policy:

    oci iam policy get \
        --policy-id 'ocid1.policy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --query 'data.statements'
    
  6. The command output should return the policy statements for the specified IAM policy:

    [
    	"Allow group FunctionsDevelopers to manage functions-family in compartment cc-functions-compartment",
    	"Allow group FunctionsInvokers to use fn-invocation in compartment cc-functions-compartment"
    ]
    

    Review each policy statement carefully and look for the following security issues:

    • Policy statements containing "manage functions-family" that grant broad permissions to user groups. This verb grants full management and invocation permissions to all Functions resources in the specified compartment.
    • Policy statements with "use fn-invocation" that lack resource-level conditions (such as "where target.app.id = ''" or "where target.function.id = ''") when specific function access should be enforced, allowing users to invoke all functions in a compartment.
    • Policy statements that grant "manage fn-app" or "manage fn-function" permissions to users who only need to invoke functions.

    If you identify policy statements with "manage functions-family" that grant overly broad permissions, or policy statements with "use fn-invocation" that lack resource-level restrictions when specific function access should be enforced (as shown in the output example above), the selected Oracle Cloud Infrastructure (OCI) IAM policy does not follow the principle of least privilege and creates unnecessary security exposure.

  7. Repeat steps no. 5 and 6 to verify the policy statements for other IAM policies available in the selected compartment.

  8. Repeat steps no. 3 – 7 for each compartment, including the root compartment (tenancy), available within your Oracle Cloud Infrastructure (OCI) account.
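The three statement checks above, applied to the data.statements array returned in step 6, as an added example written for this page (it is not Conformity's or Oracle's own code). The invoke_only and approved_admins inputs are assumptions: they encode which groups the auditor has already decided are invoke-only, or are the administrators allowed to keep manage functions-family.

```python
import re
from typing import Dict, List, Optional

# Statement shape used on this page; text after "where" (including any {...} sets) is kept raw:
#   Allow group <group> to <verb> <resource-type> in compartment <name> [where <condition>]
STATEMENT_RE = re.compile(
    r"^Allow\s+(?P<subject>any-user|(?:dynamic-)?group\s+\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)

def parse_statement(text: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one OCI policy statement into subject/verb/resource/scope/condition."""
    m = STATEMENT_RE.match(text.strip())
    if m is None:
        return None                              # not Allow-shaped: review by hand
    parts = m.groupdict()
    parts["verb"], parts["resource"] = parts["verb"].lower(), parts["resource"].lower()
    return parts

def audit_statement(text: str, invoke_only=(), approved_admins=()) -> List[str]:
    """Finding codes for one statement, following the three checks in the Audit section.
    invoke_only / approved_admins are assumed auditor inputs (e.g. "group FunctionsInvokers")."""
    st = parse_statement(text)
    if st is None:
        return ["UNPARSED"]
    findings = []
    # 1. manage functions-family: full management plus invocation of every Functions resource
    if (st["verb"], st["resource"]) == ("manage", "functions-family") and st["subject"] not in approved_admins:
        findings.append("BROAD_FUNCTIONS_FAMILY")
    # 2. use fn-invocation with no target.app.id / target.function.id restriction
    if (st["verb"], st["resource"]) == ("use", "fn-invocation"):
        cond = (st["condition"] or "").lower()
        if "target.app.id" not in cond and "target.function.id" not in cond:
            findings.append("UNSCOPED_INVOCATION")
    # 3. management verbs granted to a subject that only needs to invoke
    if st["verb"] == "manage" and st["resource"] in ("fn-app", "fn-function") and st["subject"] in invoke_only:
        findings.append("MANAGE_GRANTED_TO_INVOKER")
    return findings

def audit_policy(statements, **roles) -> Dict[str, List[str]]:
    # Only the statements that have findings, mapped to their finding codes.
    return {s: f for s in statements if (f := audit_statement(s, **roles))}

# Constructed sample: the "data.statements" output shown in Audit step 6 of the CLI procedure.
SAMPLE_STATEMENTS = [
    "Allow group FunctionsDevelopers to manage functions-family in compartment cc-functions-compartment",
    "Allow group FunctionsInvokers to use fn-invocation in compartment cc-functions-compartment",
]
```

A statement restricted only by request.networkSource.name is still reported as UNSCOPED_INVOCATION, because the network source condition supplements, rather than replaces, the resource-level condition.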

Remediation / Resolution

To implement least privilege IAM policies for your Oracle Cloud Infrastructure (OCI) Functions resources, you must update your existing overly permissive policies by performing the following operations:

Important considerations before updating IAM policies:
  • Plan the new policy structure: Before modifying existing policies, clearly define which user groups need which specific permissions. Separate users into distinct groups based on their roles: function developers (who need management permissions), function invokers (who only need invocation permissions), and administrators (who need full access).
  • Identify resource-specific access requirements: Determine whether users need access to all functions in a compartment or only specific functions/applications. Collect the OCIDs of specific functions or applications that should be restricted.
  • Test policy changes in a non-production environment first: IAM policy changes can immediately affect user access. Test new policies with a small group of users in a development or test compartment before applying changes to production.
  • Document the changes: Maintain clear documentation of policy changes, including the rationale for each permission grant and the expected impact on users.
  • Communicate with affected users: Notify users before making policy changes that may reduce their access levels, and provide guidance on requesting additional permissions if needed.
  • Policy changes take effect within 10 seconds: Be prepared for immediate impact once policies are saved.

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Identity & Security console available at https://cloud.oracle.com/identity/.

  3. In the left navigation panel, under Identity, choose Policies to list the IAM policies available in the selected compartment.

  4. Choose the OCI compartment that contains the policy you want to modify from the Compartment dropdown list on the left side.

  5. Click on the name (link) of the IAM policy that you want to reconfigure (see Audit section part I to identify the right resource).

  6. In the Policy detail page, choose Edit policy statements to modify the policy.

  7. For each overly permissive policy statement identified during the audit, perform the following actions:

    1. For users who only need to invoke specific functions, replace overly permissive statements with granular invocation policies. For example, replace:
      • Old statement: Allow group FunctionsInvokers to manage functions-family in compartment cc-functions-compartment
      • New statement: Allow group FunctionsInvokers to use fn-invocation in compartment cc-functions-compartment where target.app.id = 'ocid1.fnapp.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234'
      • Or, for multiple specific functions: Allow group FunctionsInvokers to use fn-invocation in compartment cc-functions-compartment where ANY {target.function.id='ocid1.fnfunction.oc1.ap-sydney-1.aaaabbbbccccdddd1111', target.function.id='ocid1.fnfunction.oc1.ap-sydney-1.aaaabbbbccccdddd2222'}
    2. For developers who need to manage functions but not invoke them, replace broad permissions with separated management permissions. For example, replace:
      • Old statement: Allow group FunctionsDevelopers to manage functions-family in compartment cc-functions-compartment
      • New statements:
        • Allow group FunctionsDevelopers to manage fn-app in compartment cc-functions-compartment
        • Allow group FunctionsDevelopers to manage fn-function in compartment cc-functions-compartment
    3. For additional security, add network source restrictions to limit invocations from specific networks:
      • Allow group FunctionsInvokers to use fn-invocation in compartment cc-functions-compartment where request.networkSource.name='corpnet'
    4. To edit a statement in the console, click on the statement text, modify it in the text editor, and choose Save changes.
    5. To delete an overly permissive statement and add new granular statements, click the X icon next to the statement to remove it, then choose + Another statement to add new policy statements.
  8. Choose Save changes to apply the updated policy statements.

  9. Verify that the policy changes have the intended effect by testing access with users from the affected groups.

  10. Repeat steps no. 5 – 9 for other IAM policies that contain overly permissive Functions-related statements.

  11. Repeat steps no. 4 – 10 for each compartment, including the root compartment (tenancy), available within your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

  1. Run iam policy get command (Windows/macOS/Linux) with the ID of the IAM policy that you want to reconfigure (see Audit section part II to identify the right resource) as the identifier parameter, to retrieve the current policy configuration:

    oci iam policy get \
        --policy-id 'ocid1.policy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --query 'data'
    
  2. The command output should return the current configuration of the specified policy, including all policy statements. Review the statements to identify which ones need to be replaced with least privilege alternatives.

  3. Create a JSON file (e.g., updated-policy-statements.json) containing the updated policy statements that follow the principle of least privilege. The file must contain a bare JSON array of policy statement strings (not wrapped in an object). For example:

    [
    	"Allow group FunctionsDevelopers to manage fn-app in compartment cc-functions-compartment",
    	"Allow group FunctionsDevelopers to manage fn-function in compartment cc-functions-compartment",
    	"Allow group FunctionsInvokers to use fn-invocation in compartment cc-functions-compartment where target.app.id = 'ocid1.fnapp.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'",
    	"Allow group FunctionsAdmins to manage functions-family in compartment cc-functions-compartment"
    ]
    
  4. Run iam policy update command (Windows/macOS/Linux) with the ID of the IAM policy that you want to reconfigure as the identifier parameter and the updated policy statements from the JSON file, to update the policy with least privilege statements:

    oci iam policy update \
        --policy-id 'ocid1.policy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --statements file://updated-policy-statements.json \
        --version-date '' \
        --force
    
  5. The command output should return the updated policy configuration:

    {
    	"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"defined-tags": {},
    	"description": "Functions access policy with least privilege",
    	"freeform-tags": {},
    	"id": "ocid1.policy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"lifecycle-state": "ACTIVE",
    	"name": "cc-functions-policy",
    	"statements": [
    		"Allow group FunctionsDevelopers to manage fn-app in compartment cc-functions-compartment",
    		"Allow group FunctionsDevelopers to manage fn-function in compartment cc-functions-compartment",
    		"Allow group FunctionsInvokers to use fn-invocation in compartment cc-functions-compartment where target.app.id = 'ocid1.fnapp.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'",
    		"Allow group FunctionsAdmins to manage functions-family in compartment cc-functions-compartment"
    	],
    	"time-created": "2025-01-10T09:15:00.123000+00:00",
    	"version-date": null
    }
    
  6. Verify that the policy changes have the intended effect by testing access with users from the affected groups.

  7. Repeat steps no. 1 – 6 for other IAM policies that contain overly permissive Functions-related statements.

Publication date Feb 24, 2026