Least Privilege Access

Architecture

Build a layered access control strategy using the access-policy module:

  • Service Policies for application roles with minimal required permissions
  • Permission Boundaries to cap maximum privileges for delegated administration
  • Service Control Policies (SCPs) for organization-wide guardrails

When to Use

This pattern is ideal when you need:

  • Compliance with security frameworks (SOC 2, ISO 27001, PCI-DSS)
  • Fine-grained control over what each service or user can access
  • Defense in depth through multiple policy layers
  • Audit trails showing explicit access grants

Considerations

  • Start with deny-all, then explicitly allow required actions
  • Review and audit policies regularly
  • Use resource restrictions whenever possible
  • Test policies in non-production environments first
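
How the three layers from the Architecture section combine with the deny-all starting point, as an added example that is not the access-policy module's own code. It is a simplified model of IAM-style evaluation (no conditions, NotAction or resource-based policies); the function names, policies and ARNs are constructed for illustration.

```python
from fnmatch import fnmatchcase

def _matches(stmt, action, resource):
    """True if a statement covers the request (IAM-style * and ? wildcards)."""
    acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    ress = stmt.get("Resource", "*")
    ress = ress if isinstance(ress, list) else [ress]
    return (any(fnmatchcase(action.lower(), a.lower()) for a in acts)
            and any(fnmatchcase(resource, r) for r in ress))

def _layer(policy, action, resource):
    """Return 'deny', 'allow' or 'implicit-deny' for one policy layer."""
    hits = [s["Effect"] for s in policy["Statement"] if _matches(s, action, resource)]
    if "Deny" in hits:
        return "deny"
    return "allow" if "Allow" in hits else "implicit-deny"

def evaluate(action, resource, service_policy, boundary, scp):
    """Allowed only if every layer allows and no layer explicitly denies."""
    results = {"service_policy": _layer(service_policy, action, resource),
               "permission_boundary": _layer(boundary, action, resource),
               "scp": _layer(scp, action, resource)}
    for name, r in results.items():
        if r == "deny":
            return False, f"explicit deny in {name}"
    for name, r in results.items():
        if r != "allow":
            return False, f"not allowed by {name}"
    return True, "allowed by all layers"

# Constructed sample policies (hypothetical bucket name and statements).
SERVICE_POLICY = {"Statement": [          # minimal role: two actions, one bucket
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-bucket/*"}]}
OVERBROAD = {"Statement": [               # what a delegated admin might attach
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
BOUNDARY = {"Statement": [                # caps the maximum for delegated roles
    {"Effect": "Allow", "Action": ["s3:*", "sqs:*"], "Resource": "*"}]}
SCP = {"Statement": [                     # organization-wide guardrail
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-app-bucket/a.txt"
    print(evaluate("s3:GetObject", obj, SERVICE_POLICY, BOUNDARY, SCP))
    print(evaluate("iam:CreateUser", "*", OVERBROAD, BOUNDARY, SCP))
    print(evaluate("s3:DeleteBucket", "arn:aws:s3:::example-app-bucket",
                   OVERBROAD, BOUNDARY, SCP))
```

The returned reason names the layer that blocked the request, which is the per-layer detail an audit of explicit grants needs.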