Quiz Entry - updated: 2026.07.14
What is the Principle of Least Privilege and how do you apply it in practice?
Grant each component only the minimum permissions it needs — so a compromise can't reach anything beyond that minimum.
* One principle, five concrete least-privilege applications — DB grants, file scope, read-only tokens, narrow IAM, job-based roles. *
Grant only the minimum permissions required for a function — nothing more.
Practical examples:
| Context | Least Privilege Application |
|---|---|
| Database | Web app user can only SELECT/INSERT/UPDATE on specific tables, not DROP |
| File system | App can only read/write its own directories, not /etc |
| API tokens | Scoped to specific operations (read-only vs admin) |
| Cloud IAM | Lambda gets permission for one S3 bucket, not s3:* |
| User roles | Access based on job function, not "everyone is admin" |
Why it matters: If a component is compromised, least privilege limits what the attacker can do. A DB user that can't DROP TABLES can't destroy your data even if SQL injection succeeds.
Go deeper:
OWASP — Least Privilege Principle — OS/DB/cloud-IAM application examples.
Wikipedia — Principle of least privilege — the "minimum necessary access" rule and how it limits blast radius.