Glossary

Least privilege

Least privilege is the principle that a user, role, or process should have only the access it needs to do its job, and no more. Narrow access limits the damage of a mistake or a compromise, and it is what an auditor checks when they sample your access controls.

In code

It shows up as the scope of an IAM grant, a database role, or an API token. The classic violation is a wildcard ('s3:*' instead of 's3:GetObject') added to make something work, which quietly grants far more than the task needed.

SOC 2 CC6.1 in code
For security engineers

Get early access ← All terms