How do I restrict access to follow least privilege?
Grant only the access each role or service needs, deny by default, and avoid wildcards. SOC 2 (CC6.1) checks logical access, and least privilege is what an auditor samples: can each identity do only what its job requires, and no more.
Scope grants to the task
Give a role or token the specific permissions it needs (the exact actions on the exact resources), not a broad wildcard that happens to include them. The wildcard is convenient now and the finding later.
Deny by default
Start from no access and add what is required, so a gap fails closed. A default-allow with exceptions tends to leak access nobody intended to grant.
Review access when it widens
When a change broadens a grant, that is the moment to check it against least privilege, which is exactly what a review on the diff is for.
    statement {
    -  actions = ["s3:*"]
    +  actions = ["s3:GetObject", "s3:PutObject"]
    }
The grant is narrowed from every S3 action to the two the service actually uses.
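The three rules above (exact actions on exact resources, fail closed, review when a grant widens) can be checked mechanically on a policy diff. The following is an added example, not code from the original page: it lints AWS IAM JSON policy documents for wildcard grants and reports which (action, resource) pairs a change newly allows. The BEFORE/AFTER policies are constructed to mirror the s3:* narrowing shown above, and the use of fnmatch for IAM-style wildcards is an assumption.

```python
"""Least-privilege lint for IAM-style policy documents (added example, not
the page's code). Policies use the AWS IAM JSON shape; the sample BEFORE/AFTER
policies are constructed to mirror the page's s3:* -> GetObject/PutObject diff.
Assumption: fnmatch globbing is close enough to IAM wildcard matching here."""
import fnmatch

def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource."""
    return value if isinstance(value, list) else [value]

def lint_policy(policy: dict) -> list[str]:
    """One finding per Allow statement that grants more than a task needs."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove access, never widen it
        sid = stmt.get("Sid", f"statement[{idx}]")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:  # "*", "s3:*" and "s3:Get*" all reach past the task
                findings.append(f"{sid}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" or resource.endswith(":*"):
                findings.append(f"{sid}: wildcard resource {resource!r}")
    return findings

def allowed_pairs(policy: dict) -> set:
    """Every (action, resource) pattern the policy's Allow statements grant."""
    pairs = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            for action in _as_list(stmt.get("Action", [])):
                for resource in _as_list(stmt.get("Resource", ["*"])):
                    pairs.add((action, resource))
    return pairs

def widened(before: dict, after: dict) -> list:
    """Grants in `after` not covered by any (possibly wildcard) grant in `before`;
    a non-empty result is the review trigger for 'access when it widens'."""
    old = allowed_pairs(before)
    return sorted((a, r) for a, r in allowed_pairs(after)
                  if not any(fnmatch.fnmatchcase(a, pa) and fnmatch.fnmatchcase(r, pr)
                             for pa, pr in old))

# Constructed samples: the page's diff expressed as IAM JSON.
BUCKET = "arn:aws:s3:::example-bucket/*"
BEFORE = {"Statement": [{"Sid": "AppBucketAccess", "Effect": "Allow",
                         "Action": ["s3:*"], "Resource": BUCKET}]}
AFTER = {"Statement": [{"Sid": "AppBucketAccess", "Effect": "Allow",
                        "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET}]}
```

Run `lint_policy` on every policy in a change and `widened(old, new)` on each modified one; a wildcard finding or a non-empty widened list is the point at which the diff needs a human reviewer.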