principleCriticalpending
Principle: Least privilege access control
Viewed 0 times
least-privilegeaccess-controlIAMpermissionssecurityblast-radius
Problem
Granting broad permissions for convenience creates security risks. A compromised component with admin access can damage everything.
Solution
Grant the minimum permissions needed for each component to function:
- App user: SELECT, INSERT, UPDATE on specific tables
- Migration user: ALTER, CREATE (separate credentials)
- Never use the superuser for application connections
- Specific actions on specific resources
Bad: Action: '', Resource: ''
Good: Action: 's3:GetObject', Resource: 'arn:aws:s3:::my-bucket/*'
- Scope to specific operations: read:users, write:orders
- Time-limited: short-lived access tokens + refresh tokens
- Per-service: each service gets its own token
- Run services as non-root
- Read-only file systems where possible
- Tmp directories with noexec flag
- Run as non-root user
- Read-only root filesystem
- Drop all capabilities, add only needed ones
- No privileged mode
- Production access is audited and time-limited
- Break-glass procedure for emergencies
- Separate staging/production credentials
- Database:
- App user: SELECT, INSERT, UPDATE on specific tables
- Migration user: ALTER, CREATE (separate credentials)
- Never use the superuser for application connections
- Cloud IAM:
- Specific actions on specific resources
Bad: Action: '', Resource: ''
Good: Action: 's3:GetObject', Resource: 'arn:aws:s3:::my-bucket/*'
- API tokens:
- Scope to specific operations: read:users, write:orders
- Time-limited: short-lived access tokens + refresh tokens
- Per-service: each service gets its own token
- File system:
- Run services as non-root
- Read-only file systems where possible
- Tmp directories with noexec flag
- Containers:
- Run as non-root user
- Read-only root filesystem
- Drop all capabilities, add only needed ones
- No privileged mode
- Developer access:
- Production access is audited and time-limited
- Break-glass procedure for emergencies
- Separate staging/production credentials
Why
If a component is compromised, the blast radius is limited to what it can access. Broad permissions turn a small breach into a catastrophic one.
Revisions (0)
No revisions yet.