CYBERSECCLOUD

Least privilege without the friction

Least privilege is the security principle everyone nods along to and almost nobody sustains. The reason isn't ignorance — it's friction. The moment a tight policy blocks a deploy at 6pm, someone adds "Action": "*" "just to unblock," promises to fix it later, and never does. Six months on, your access model is a museum of temporary decisions.

The fix isn't more discipline. It's making the secure path the easy path.

Start from real usage, not imagination

Hand-authoring minimal policies from the docs is guesswork, and guesswork over-grants. Let the platform tell you what's actually used:

  • AWS IAM Access Analyzer can generate a policy from CloudTrail history — the permissions a role actually exercised, not the ones someone thought it might need.
  • Run unused-access findings on a schedule and treat them like failing tests.

You end up with policies grounded in evidence, which are both tighter and easier to defend.
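As an added example (not the post's own code, and not the AWS Access Analyzer API), here is a local, offline analogue of generating a policy from CloudTrail history: it reads CloudTrail-shaped records, keeps only the actions the role actually called, and reports granted actions that usage never exercised, the way an unused-access finding would. The events, account id, role ARNs and the "current" policy are constructed sample data, and the eventSource-to-IAM-prefix mapping is a simplifying assumption that a real tool would replace with a lookup table.

```python
"""Generate a least-privilege policy from observed usage and flag unused grants.

Added example: a local, offline analogue of what the post describes, not the
post's code and not the AWS Access Analyzer API. Events, ARNs and the
"current" policy below are constructed sample data.
"""
import fnmatch
import json
from collections import defaultdict

CI_ROLE = "arn:aws:iam::111122223333:role/ci-deploy"   # constructed


def _event(source, name, role_arn):
    """Build a minimal CloudTrail-shaped record (only the fields used here)."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": role_arn}}}}


# Constructed CloudTrail history: what the roles actually called.
SAMPLE_EVENTS = [
    _event("ecs.amazonaws.com", "UpdateService", CI_ROLE),
    _event("ecs.amazonaws.com", "DescribeServices", CI_ROLE),
    _event("ecs.amazonaws.com", "DescribeServices", CI_ROLE),
    _event("s3.amazonaws.com", "GetObject", "arn:aws:iam::111122223333:role/other"),
]

# Constructed: the "just to unblock" policy currently attached to ci-deploy.
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:UpdateService", "ecs:DescribeServices",
                   "ecs:DeleteService", "s3:*"],
        "Resource": "*",
    }],
}


def _issuer_arn(event):
    """Role ARN that issued the session, or None for non-role identities."""
    return (event.get("userIdentity", {}).get("sessionContext", {})
                 .get("sessionIssuer", {}).get("arn"))


def _iam_action(event):
    """Map a CloudTrail event to an IAM action name.

    Assumption: the IAM prefix is the first label of eventSource. True for
    ecs, s3, ec2 and most services, but not all (monitoring.amazonaws.com
    is the cloudwatch prefix), so a real tool needs a mapping table.
    """
    prefix = event["eventSource"].split(".")[0]
    return f"{prefix}:{event['eventName']}"


def actions_used(events, role_arn):
    """Distinct IAM actions the role actually exercised, sorted."""
    return sorted({_iam_action(e) for e in events if _issuer_arn(e) == role_arn})


def generate_policy(events, role_arn):
    """Allow only the observed actions, one statement per service.

    CloudTrail records the action but not always a resource ARN, so Resource
    is left as "*" for the reviewer to narrow, as the post's Terraform
    document does for the staging cluster.
    """
    by_service = defaultdict(list)
    for action in actions_used(events, role_arn):
        by_service[action.split(":", 1)[0]].append(action)
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": f"{svc.capitalize()}Observed", "Effect": "Allow",
                           "Action": acts, "Resource": "*"}
                          for svc, acts in sorted(by_service.items())]}


def unused_actions(policy, used):
    """Allow actions (wildcards included) that no observed action matched."""
    granted = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            action = stmt.get("Action", [])
            granted.extend([action] if isinstance(action, str) else action)
    return sorted(a for a in granted
                  if not any(fnmatch.fnmatchcase(u, a) for u in used))


if __name__ == "__main__":
    used = actions_used(SAMPLE_EVENTS, CI_ROLE)
    print(json.dumps(generate_policy(SAMPLE_EVENTS, CI_ROLE), indent=2))
    findings = unused_actions(CURRENT_POLICY, used)
    print("unused grants:", findings)
    raise SystemExit(1 if findings else 0)   # fail the build, like a test
```

Run on a schedule, the non-zero exit turns every grant that usage never touched into a failing check rather than a report nobody reads; the generated policy is the evidence-based starting point, with resource scoping still done by hand.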

Make elevation temporary by default

Standing admin access is the real risk — not the occasional need for it. Replace permanent grants with time-bound elevation: request, approve, auto-expire. Whether it's AWS IAM Identity Center, a PIM-style workflow, or a small bot that grants a role for two hours, the point is the same — privilege that decays on its own can't rot.

Put roles in code, review them like code

Access defined in the console is invisible until an audit. Define it as infrastructure:

# A role that can only deploy, only to staging, only from CI.
data "aws_iam_policy_document" "ci_deploy" {
  statement {
    actions   = ["ecs:UpdateService", "ecs:DescribeServices"]
    resources = ["arn:aws:ecs:eu-west-1:*:service/staging/*"]
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalTag/env"
      values   = ["ci"]
    }
  }
}

Now a permission change is a pull request: diffable, reviewable, revertible. The scope lives next to the reason for it.
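Once access lives in a pull request, the review can be partly automated. The following is an added example, not the post's code: a small lint over the JSON that a policy document renders to, which fails the build when a change introduces the patterns the post warns about (a wildcard action, an unscoped resource, or a mutating grant with no condition). CI_DEPLOY is a hand transcription of the post's Terraform ci_deploy document into policy JSON; UNBLOCKED is a constructed "just to unblock" edit; the read-only action heuristic is an assumption, not an AWS taxonomy.

```python
"""Review gate for IAM policies kept in code.

Added example, not the post's code: it lints the JSON a policy document
renders to, so a pull request that widens a grant fails review before it
merges. CI_DEPLOY is a hand transcription of the post's Terraform ci_deploy
document; UNBLOCKED is a constructed "just to unblock" edit.
"""
import json
import sys

CI_DEPLOY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:UpdateService", "ecs:DescribeServices"],
        "Resource": "arn:aws:ecs:eu-west-1:*:service/staging/*",
        "Condition": {"StringEquals": {"aws:PrincipalTag/env": "ci"}},
    }],
}

UNBLOCKED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

READ_ONLY_PREFIXES = ("Describe", "Get", "List")   # heuristic, not an AWS taxonomy


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _is_read_only(action):
    """Assumption: Describe*/Get*/List* actions are read-only; "*" is not."""
    return action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)


def lint_policy(policy):
    """Return (statement_label, problem) findings for every Allow statement."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid") or f"Statement[{i}]"
        actions = _as_list(stmt.get("Action"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((label, f"wildcard action {action!r}"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((label, "unscoped resource '*'"))
        if not stmt.get("Condition") and not all(_is_read_only(a) for a in actions):
            findings.append((label, "mutating action granted without a Condition"))
    return findings


def review(policy):
    """True when the policy is clean; this is the CI pass/fail verdict."""
    return not lint_policy(policy)


if __name__ == "__main__":
    # With a file argument, lint that rendered policy; otherwise run the demo pair.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            targets = [(sys.argv[1], json.load(fh))]
    else:
        targets = [("ci_deploy", CI_DEPLOY), ("unblocked", UNBLOCKED)]
    clean = True
    for name, policy in targets:
        for label, problem in lint_policy(policy):
            print(f"{name}: {label}: {problem}")
            clean = False
    sys.exit(0 if clean else 1)
```

The post's ci_deploy document passes untouched, and the 6pm "Action": "*" edit produces three findings on the same statement, so the reviewer sees the widened scope in the check output next to the diff.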

The friction budget

Tight access only sticks if the escape hatch is fast. Pair every restriction with a self-service way to get more — temporarily, with approval, logged. If asking for access is slower than working around it, people will work around it, and you've bought a false sense of security at the price of a real one.
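The temporary elevation described under "Make elevation temporary by default" and the self-service escape hatch described here are the same mechanism, so one added example covers both (it is not the post's code and not any vendor's PIM workflow): a minimal broker of the "small bot that grants a role for two hours" kind, where every request carries a reason, approval cannot come from the requester, every grant has a fixed expiry, and every decision is logged. Principals, roles and reasons are constructed; the clock is injectable so expiry can be exercised without waiting.

```python
"""Time-bound elevation: request, approve, auto-expire, logged.

Added example, not the post's code or any vendor's workflow: a minimal
broker of the "small bot that grants a role for two hours" kind, with the
self-service escape hatch the friction budget calls for. Principals, roles
and reasons below are constructed; the clock is injectable so expiry can be
exercised without waiting.
"""
import itertools
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    principal: str
    role: str
    reason: str
    approved_by: str
    granted_at: datetime
    expires_at: datetime
    swept: bool = False          # set once the expiry has been logged

    def active(self, now):
        return now < self.expires_at


class ElevationBroker:
    """Issues role grants that cannot be permanent.

    Expiry is enforced where access is looked up (active_roles), not only by
    the sweeper, so a stalled sweep job can never keep a grant alive.
    """

    def __init__(self, max_ttl=timedelta(hours=2), clock=None):
        self.max_ttl = max_ttl
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._ids = itertools.count(1)
        self._pending = {}       # request_id -> request
        self._grants = []        # every grant ever issued; never deleted
        self.audit_log = []      # append-only, one entry per decision

    def _log(self, event, **fields):
        self.audit_log.append({"at": self._clock().isoformat(), "event": event, **fields})

    def request(self, principal, role, reason, ttl=timedelta(hours=1)):
        """Self-service entry point: anyone can ask, nobody gets access yet."""
        if not reason.strip():
            raise ValueError("a reason is required")
        if ttl > self.max_ttl:
            raise ValueError(f"ttl {ttl} exceeds the maximum {self.max_ttl}")
        request_id = next(self._ids)
        self._pending[request_id] = {"principal": principal, "role": role,
                                     "reason": reason, "ttl": ttl}
        self._log("requested", request_id=request_id, principal=principal,
                  role=role, reason=reason)
        return request_id

    def approve(self, request_id, approver):
        """Turn a pending request into a grant with a fixed expiry."""
        req = self._pending[request_id]
        if approver == req["principal"]:
            self._log("denied", request_id=request_id, approver=approver,
                      why="self-approval")
            raise ValueError("requests cannot be self-approved")
        now = self._clock()
        grant = Grant(req["principal"], req["role"], req["reason"], approver,
                      now, now + req["ttl"])
        del self._pending[request_id]
        self._grants.append(grant)
        self._log("approved", request_id=request_id, approver=approver,
                  expires_at=grant.expires_at.isoformat())
        return grant

    def active_roles(self, principal):
        """Roles the principal holds right now; expired grants simply vanish."""
        now = self._clock()
        return sorted({g.role for g in self._grants
                       if g.principal == principal and g.active(now)})

    def sweep_expired(self):
        """Log expiries for the audit trail; returns how many were swept."""
        now = self._clock()
        count = 0
        for g in self._grants:
            if not g.active(now) and not g.swept:
                g.swept = True
                count += 1
                self._log("expired", principal=g.principal, role=g.role)
        return count


if __name__ == "__main__":
    broker = ElevationBroker()
    rid = broker.request("alice", "staging-admin", "hotfix for the 6pm deploy",
                         ttl=timedelta(hours=2))
    broker.approve(rid, "bob")
    print("alice now holds:", broker.active_roles("alice"))
    for entry in broker.audit_log:
        print(entry)
```

The design choice worth copying is that there is no code path that creates a grant without an expiry and no code path that extends one: the only way to keep privilege is to ask again, which is exactly the record you want when the access model is audited.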

Least privilege isn't a one-time hardening project. It's a system that keeps grants honest: generated from usage, expiring by default, and reviewed as code.