A company wants to design access permissions for each component of an AI application that uses Bedrock, allowing only the operations required for business and granting no additional permissions. Which principle describes this approach?
Identify the principle of granting only the minimum required permissions.
Shared responsibility model
This is incorrect. The shared responsibility model is a framework in which security responsibilities are divided between AWS and the customer. It is not the principle of restricting permissions to the minimum required.
Principle of least privilege
This is correct. The principle of least privilege is the idea of granting each user or component only the minimum permissions required for their business tasks and no unnecessary permissions. It minimizes the blast radius if a component is compromised.
Multi-factor authentication (MFA)
This is incorrect. MFA is a mechanism that strengthens identity verification by requiring additional confirmation factors beyond a password. It is an authentication strengthening measure, not the principle of restricting granted permissions to the minimum required.
Zero trust
This is incorrect. Zero trust is an architectural security approach that never trusts a request because of where it originates, even inside the network perimeter, and verifies identity and authorization on every access. Although it is closely related (a zero trust design normally relies on least privilege), the principle that specifically refers to the permission design of 'allowing only the operations required for business and granting no additional permissions' is the principle of least privilege.
The principle of least privilege works as follows:
- Grant each user/component only the minimum permissions required for business tasks.
- By granting no unnecessary permissions, the scope of potential misuse (the blast radius) is minimized if a credential or component is compromised.
- In AWS it is implemented with IAM roles and policies whose statements are scoped to specific actions and specific resource ARNs rather than wildcards.
MFA (strengthening identity verification) and the shared responsibility model (dividing responsibilities) are separate concepts.
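As an added illustration (not part of the original question or any AWS documentation), the script below compares an over-broad IAM policy with a least-privilege policy for a component that only needs to call a Bedrock model, using a simplified policy evaluator. The model ARN, account ID and request list are constructed placeholders; the evaluator deliberately ignores conditions, NotAction/NotResource, SCPs and resource policies, so it is a teaching model of IAM evaluation, not a replacement for the IAM policy simulator.

```python
import fnmatch

# Constructed placeholder: the model ID and region are assumptions, not values from the page.
MODEL_ARN = "arn:aws:bedrock:us-east-1::foundation-model/example-model-v1"

# Over-broad policy: every Bedrock action on every resource.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "bedrock:*", "Resource": "*"},
    ],
}

# Least-privilege policy: only the invoke actions, only on the one model this component uses.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
            "Resource": MODEL_ARN,
        },
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    """Wildcard match with IAM-style '*' and '?'. Action names are case-insensitive."""
    if case_insensitive:
        return fnmatch.fnmatchcase(value.lower(), pattern.lower())
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, then Allow, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(p, action, True) for p in _as_list(stmt["Action"]))
        resource_hit = any(_matches(p, resource, False) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed sample of requests an attacker holding the component's credentials might try.
# Only the first one is legitimately needed by the application component.
REQUESTS = [
    ("bedrock:InvokeModel", MODEL_ARN),
    ("bedrock:InvokeModel", "arn:aws:bedrock:us-east-1::foundation-model/other-model-v2"),
    ("bedrock:CreateModelCustomizationJob",
     "arn:aws:bedrock:us-east-1:123456789012:model-customization-job/job-1"),
    ("bedrock:DeleteCustomModel",
     "arn:aws:bedrock:us-east-1:123456789012:custom-model/finetuned-1"),
]


def allowed_requests(policy):
    """Return the subset of REQUESTS the policy would permit: a rough blast-radius measure."""
    return [(a, r) for a, r in REQUESTS if is_allowed(policy, a, r)]


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        hits = allowed_requests(policy)
        print(f"{name}: {len(hits)} of {len(REQUESTS)} requests allowed")
        for action, resource in hits:
            print(f"  {action} on {resource}")
```

The broad policy permits all four requests, so a stolen credential could also start customization jobs or delete custom models; the least-privilege policy permits only the single invoke call on the single model the component needs, which is exactly the "only the operations required for business" design the question describes.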