A company wants to design access permissions for each component of an AI application that uses Bedrock, allowing only the operations required for business and granting no additional permissions. Which principle describes this approach?