Cloudhard

IAM: what does “least privilege” mean and why does it matter?

Answer

Least privilege means giving only the minimum permissions needed to do the job (no more). It limits blast radius: if a key or service is compromised, the attacker can do less damage.

{
  "Effect": "Allow",
  "Action": ["s3:GetObject"],
  "Resource": ["arn:aws:s3:::my-bucket/*"]
}

Advanced answer

Deep dive

Expanding on the short answer — what usually matters in practice:

Context (tags): iam, security, least-privilege
Lifecycle: what happens at runtime (render/build, request/response, background jobs).
Caching: where cache lives, cache keys, how to invalidate without chaos.
Security: authn/authz, secrets, attack surface (SSRF/CSRF).
Explain the "why", not just the "what" (intuition + consequences).
Trade-offs: what you gain/lose (time, memory, complexity, risk).
Edge cases: empty inputs, large inputs, invalid inputs, concurrency.

Examples

Here’s an additional example (building on the short answer):

{
  "Effect": "Allow",
  "Action": ["s3:GetObject"],
  "Resource": ["arn:aws:s3:::my-bucket/*"]
}

Common pitfalls

Too generic: no concrete trade-offs or examples.
Mixing average-case and worst-case (e.g., complexity).
Ignoring constraints: memory, concurrency, network/disk costs.

Interview follow-ups

When would you choose an alternative and why?
What production issues show up and how do you diagnose them?
How would you test edge cases?