What does least privilege mean in practice (IAM/roles)?

Deep dive

Least privilege should be enforced at every layer:

• IAM roles scoped to actions and specific resources.
• Separate roles for humans and services; separate prod/stage accounts.
• Short-lived credentials (OIDC, STS) instead of long-lived keys.
• Continuous audit: remove unused permissions and detect privilege creep.

Examples

Minimal S3 read-only policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::reports-prod/*"]
    }
  ]
}

Common pitfalls

• Wildcards like Action:* or Resource:* for convenience.
• Shared admin accounts and secrets.
• Not rotating or expiring permissions.

Interview follow-ups

• How do you handle break-glass access?
• How do you review permissions over time?
• What tools help detect privilege creep?