The Principle
Least privilege means every identity gets exactly the permissions it needs to do its job and nothing more. A function that only reads a bucket should not be able to delete it.
Why It Matters
If an attacker steals a credential, they inherit whatever that identity can do. Broad permissions turn a small leak into a full breach, while narrow permissions contain the damage.
- A scoped identity limits how far an attacker can move.
- It also limits accidental mistakes by trusted users.
Getting There in Practice
Teams often start with broad access and tighten it later. A safer path is to start narrow and add permissions only when a real failure proves they are needed.
- Scope by action, such as read only instead of full control.
- Scope by resource, such as one bucket instead of all buckets.
- Review unused permissions and remove what is never exercised.
Avoid Wildcards
A policy that allows all actions on all resources is the opposite of least privilege. Replace broad wildcards with named actions and specific resource identifiers.
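The three scoping steps above (by action, by resource, by removing what is never exercised) and the wildcard rule can be checked mechanically. The following is an added example, not code from the original page: a small Python linter that flags wildcard actions and resources in an IAM-style JSON policy and prunes allowed actions that an audit trail shows were never used. The policy layout follows the AWS IAM JSON shape (Version, Statement, Effect, Action, Resource); the two sample policies, the bucket name and the list of exercised actions are constructed for illustration.

```python
"""Lint IAM-style policies for wildcards and prune never-exercised actions.

Added example (not the page's own code). Policy shape follows the AWS IAM
JSON layout; sample policies, bucket name and the exercised-action list are
constructed for illustration.
"""
import json
from typing import Iterable

# Constructed sample: the "opposite of least privilege" policy.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
}

# Constructed sample: the same workload, scoped by action and by resource.
# "example-reports-bucket" is a placeholder bucket name.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket", "s3:DeleteObject"],
            "Resource": [
                "arn:aws:s3:::example-reports-bucket",
                "arn:aws:s3:::example-reports-bucket/*",
            ],
        }
    ],
}

# Constructed: actions the workload actually performed during a review window
# (in practice this would come from an access log or an access-advisor report).
EXERCISED_ACTIONS = ["s3:GetObject", "s3:ListBucket"]


def _as_list(value):
    """IAM allows a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_wildcards(policy: dict) -> list[str]:
    """Return one finding per Allow statement whose Action is a bare '*' or a
    service-wide 'service:*', or whose Resource is a bare '*'.

    A trailing '/*' inside a specific ARN (all objects in one bucket) is not
    flagged: it is still scoped to a named resource.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {idx}: wildcard resource '*'")
    return findings


def prune_unused_actions(policy: dict, exercised: Iterable[str]) -> dict:
    """Drop every allowed action that was never exercised, keeping only the
    ones the workload has actually used. Deny statements are kept untouched,
    and an Allow statement left with no actions is removed entirely."""
    used = set(exercised)
    pruned = {"Version": policy.get("Version"), "Statement": []}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            pruned["Statement"].append(stmt)
            continue
        kept = [a for a in _as_list(stmt.get("Action", [])) if a in used]
        if kept:
            pruned["Statement"].append({**stmt, "Action": kept})
    return pruned


if __name__ == "__main__":
    print("broad policy findings:", find_wildcards(BROAD_POLICY))
    print("scoped policy findings:", find_wildcards(SCOPED_POLICY))
    print(json.dumps(prune_unused_actions(SCOPED_POLICY, EXERCISED_ACTIONS), indent=2))
```

Running the script reports two findings for the broad policy (wildcard action and wildcard resource) and none for the scoped one, then prints the scoped policy with s3:DeleteObject removed because it never appeared in the exercised-action list. The pruning step is the "start narrow, add only on a proven failure" rule in reverse: it is safe to run repeatedly on a review cadence, and any action it removes that later turns out to be needed will surface as an access-denied error that can be investigated and granted deliberately.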
Key Idea
Least privilege grants only the actions and resources a workload genuinely needs, so a stolen credential or a mistake causes far less harm than broad access would.