Least privilege without the friction
· 2 min read

Least privilege is the security principle everyone nods along to and almost nobody sustains. The reason isn't ignorance — it's friction. The moment a tight policy blocks a deploy at 6pm, someone adds "Action": "*" "just to unblock," promises to fix it later, and never does. Six months on, your access model is a museum of temporary decisions.
The fix isn't more discipline. It's making the secure path the easy path.
Start from real usage, not imagination
Hand-authoring minimal policies from the docs is guesswork, and guesswork over-grants. Let the platform tell you what's actually used:
- AWS IAM Access Analyzer can generate a policy from CloudTrail history — the permissions a role actually exercised, not the ones someone thought it might need.
- Run unused-access findings on a schedule and treat them like failing tests.
You end up with policies grounded in evidence, which are both tighter and easier to defend.
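To make the "policy from usage" idea concrete, here is an added example (not the post's own code, and not Access Analyzer) that does offline what the text describes: it reads constructed CloudTrail-style records, derives the set of actions a role actually exercised, emits a minimal policy, and then reports unused-access findings against the hand-written policy currently attached. The event records, the role name `ci-deploy` and the current policy are all constructed for the example.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records (sample data, not real events). Only the
# fields a usage-derived policy needs are kept: eventSource, eventName and the
# calling principal's ARN.
SAMPLE_EVENTS = [
    {"eventSource": "ecs.amazonaws.com", "eventName": "UpdateService",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/run-1"}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "DescribeServices",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/run-1"}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "UpdateService",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/run-2"}},
    {"eventSource": "logs.amazonaws.com", "eventName": "PutLogEvents",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/run-2"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/other-role/x"}},
]

# The hand-written policy currently attached to ci-deploy (also constructed).
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ecs:*", "logs:PutLogEvents", "iam:PassRole"],
                   "Resource": "*"}],
}


def role_name(event):
    """Role name behind an assumed-role session ARN, or None for other principals."""
    arn = event.get("userIdentity", {}).get("arn", "")
    _head, sep, tail = arn.partition(":assumed-role/")
    return tail.split("/")[0] if sep else None


def exercised_actions(events, role):
    """Set of 'service:Action' strings the role actually called."""
    used = set()
    for ev in events:
        if role_name(ev) == role:
            service = ev["eventSource"].split(".")[0]   # ecs.amazonaws.com -> ecs
            used.add(f"{service}:{ev['eventName']}")
    return used


def generate_policy(events, role):
    """One Allow statement per service, listing only the exercised actions."""
    by_service = defaultdict(list)
    for action in sorted(exercised_actions(events, role)):
        by_service[action.split(":")[0]].append(action)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": f"{svc.capitalize()}FromUsage", "Effect": "Allow",
             "Action": actions, "Resource": "*"}   # scope Resource down by hand afterwards
            for svc, actions in sorted(by_service.items())
        ],
    }


def unused_access_findings(policy, used):
    """Grants with no matching usage: exact actions never called, plus wildcard
    grants that the evidence shows could be narrowed to an explicit list."""
    unused, narrowable = [], {}
    for stmt in policy["Statement"]:
        granted = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for grant in granted:
            if grant.endswith("*"):
                matches = sorted(u for u in used if u.startswith(grant[:-1]))
                if matches:
                    narrowable[grant] = matches
                else:
                    unused.append(grant)
            elif grant not in used:
                unused.append(grant)
    return {"unused": unused, "narrowable": narrowable}


if __name__ == "__main__":
    used = exercised_actions(SAMPLE_EVENTS, "ci-deploy")
    print(json.dumps(generate_policy(SAMPLE_EVENTS, "ci-deploy"), indent=2))
    print(unused_access_findings(CURRENT_POLICY, used))
```

Run on a real trail export, the `unused` list is what you would wire into the scheduled check the second bullet describes: a non-empty result fails the job the same way a failing test fails a build. The generated policy deliberately leaves `Resource` at `*`; CloudTrail tells you which actions ran, but narrowing to specific ARNs is still a human step.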
Make elevation temporary by default
Standing admin access is the real risk — not the occasional need for it. Replace permanent grants with time-bound elevation: request, approve, auto-expire. Whether it's AWS IAM Identity Center, a PIM-style workflow, or a small bot that grants a role for two hours, the point is the same — privilege that decays on its own can't rot.
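The "small bot that grants a role for two hours" can be tiny. The following is an added example, not the post's code or any vendor's product: a request/approve/auto-expire broker with an injectable clock so the expiry can be exercised without waiting. The principal names, role name and the two-hour cap are assumptions chosen for the example; in a real deployment the `active_roles` answer is what you would push into your identity provider or role trust policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Grant:
    principal: str
    role: str
    reason: str
    ttl: timedelta
    requested_at: datetime
    approved_by: Optional[str] = None
    approved_at: Optional[datetime] = None

    @property
    def expires_at(self) -> Optional[datetime]:
        # The window starts at approval, not at request, so a slow approver
        # cannot silently eat into the time the requester actually gets.
        return None if self.approved_at is None else self.approved_at + self.ttl

    def is_active(self, now: datetime) -> bool:
        return self.approved_at is not None and now < self.expires_at


class FakeClock:
    """Controllable clock for tests and dry runs (constructed, not wall time)."""

    def __init__(self, start=datetime(2024, 1, 1, 18, 0, tzinfo=timezone.utc)):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, **kwargs):
        self.now += timedelta(**kwargs)


class ElevationBroker:
    """Request -> approve -> auto-expire. No grant is ever permanent: it is
    active only while the clock sits inside its approved window."""

    MAX_TTL = timedelta(hours=2)   # assumed cap for the example

    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self._clock = clock        # injectable so tests can move time
        self._grants = []
        self.audit_log = []        # every decision lands here, append-only

    def request(self, principal, role, reason, ttl_minutes=120):
        ttl = timedelta(minutes=ttl_minutes)
        if ttl > self.MAX_TTL:
            raise ValueError(f"ttl {ttl} exceeds the {self.MAX_TTL} cap")
        if not reason.strip():
            raise ValueError("a reason is required; it is what the approver reviews")
        grant = Grant(principal, role, reason, ttl, requested_at=self._clock())
        self._grants.append(grant)
        self.audit_log.append(("requested", principal, role, reason))
        return grant

    def approve(self, grant, approver):
        if approver == grant.principal:
            raise PermissionError("requests cannot be self-approved")
        grant.approved_by, grant.approved_at = approver, self._clock()
        self.audit_log.append(("approved", grant.principal, grant.role, approver))

    def active_roles(self, principal):
        """What the principal holds right now; the answer changes as time passes."""
        now = self._clock()
        return sorted({g.role for g in self._grants
                       if g.principal == principal and g.is_active(now)})


def demo():
    """Walk one grant through its lifecycle and return what was observed."""
    clock = FakeClock()
    broker = ElevationBroker(clock=clock)
    grant = broker.request("alice", "prod-admin", "hotfix for INC-0001 (constructed)")
    before_approval = broker.active_roles("alice")
    broker.approve(grant, "bob")
    after_approval = broker.active_roles("alice")
    clock.advance(hours=1, minutes=59)
    near_expiry = broker.active_roles("alice")
    clock.advance(minutes=1)
    after_expiry = broker.active_roles("alice")
    return {"before_approval": before_approval, "after_approval": after_approval,
            "near_expiry": near_expiry, "after_expiry": after_expiry,
            "audit_entries": len(broker.audit_log)}


if __name__ == "__main__":
    print(demo())
```

Two details carry the security weight: expiry is computed from the approval timestamp rather than stored as a mutable flag, so there is no "revoke" step anyone can forget, and the audit log is written inside the same calls that change state, so the record cannot drift from what actually happened.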
Put roles in code, review them like code
Access defined in the console is invisible until an audit. Define it as infrastructure:
# A role that can only deploy, only to staging, only from CI.
data "aws_iam_policy_document" "ci_deploy" {
  statement {
    actions   = ["ecs:UpdateService", "ecs:DescribeServices"]
    resources = ["arn:aws:ecs:eu-west-1:*:service/staging/*"]

    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalTag/env"
      values   = ["ci"]
    }
  }
}
Now a permission change is a pull request: diffable, reviewable, revertible. The scope lives next to the reason for it.
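Once the role is a pull request, it can have tests in that pull request. The block below is an added example, not the post's code and not the AWS policy simulator: a deliberately small evaluator for the JSON the Terraform document above renders (the rendered form is assumed here and embedded so nothing needs Terraform or AWS), with the cases a reviewer would want green before merging: staging allowed for a CI-tagged principal, production denied, untagged or differently tagged principals denied, and an action the role was never given denied. Only `StringEquals` is modelled; the account id and service names in the ARNs are constructed.

```python
import re

# Assumed JSON rendering of data.aws_iam_policy_document.ci_deploy (constructed).
CI_DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:UpdateService", "ecs:DescribeServices"],
        "Resource": ["arn:aws:ecs:eu-west-1:*:service/staging/*"],
        "Condition": {"StringEquals": {"aws:PrincipalTag/env": "ci"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style glob: '*' is any run of characters, '?' any single character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, context):
    """Every listed key must be present in the request context and match.
    A key absent from the context makes the condition false, which is what
    makes the PrincipalTag requirement deny untagged principals."""
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, expected in clauses.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Deny by default; an explicit matching Deny wins; otherwise a matching
    Allow is required. Mirrors the IAM evaluation order for identity policies."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed request inputs for the review cases.
STAGING_SVC = "arn:aws:ecs:eu-west-1:123456789012:service/staging/api"
PROD_SVC = "arn:aws:ecs:eu-west-1:123456789012:service/prod/api"
CI_PRINCIPAL = {"aws:PrincipalTag/env": "ci"}


def policy_test_cases():
    """The checks that should run on every PR touching this policy."""
    return {
        "ci can deploy staging": is_allowed(CI_DEPLOY_POLICY, "ecs:UpdateService", STAGING_SVC, CI_PRINCIPAL),
        "ci cannot touch prod": is_allowed(CI_DEPLOY_POLICY, "ecs:UpdateService", PROD_SVC, CI_PRINCIPAL),
        "untagged principal denied": is_allowed(CI_DEPLOY_POLICY, "ecs:UpdateService", STAGING_SVC, {}),
        "dev-tagged principal denied": is_allowed(CI_DEPLOY_POLICY, "ecs:UpdateService", STAGING_SVC,
                                                  {"aws:PrincipalTag/env": "dev"}),
        "delete was never granted": is_allowed(CI_DEPLOY_POLICY, "ecs:DeleteService", STAGING_SVC, CI_PRINCIPAL),
    }


if __name__ == "__main__":
    for name, outcome in policy_test_cases().items():
        print(f"{'ALLOW' if outcome else 'DENY ':5}  {name}")
```

The point of the negative cases is that they are what a future "just to unblock" edit would break: widening the resource pattern or dropping the condition flips "ci cannot touch prod" or "untagged principal denied" to allow, and the PR check fails before the change reaches the account.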
The friction budget
Tight access only sticks if the escape hatch is fast. Pair every restriction with a self-service way to get more — temporarily, with approval, logged. If asking for access is slower than working around it, people will work around it, and you've bought a false sense of security at the price of a real one.
Least privilege isn't a one-time hardening project. It's a system that keeps grants honest: generated from usage, expiring by default, and reviewed as code.