The Principle of Least Privilege, Mechanically Enforced
Least privilege only works when wrong-doing requires effort. Make broad permissions hard to grant, narrow ones easy.
Why least privilege rots
Least privilege as cultural norm fades when shipping pressure rises. Engineers grant wildcard permissions because that is what works.
Mechanical enforcement keeps the norm alive without depending on memory.
Three mechanical enforcements
- 1. Permission boundaries. Cap what a role can ever grant; engineers self-serve below the cap.
- 2. Auto-generated policies. Access Analyzer; tooling generates the minimum policy from observed usage.
- 3. PR-required IAM changes. Tarmiq policies as code; reviewers see scope of change before merge.
The PR-driven workflow
IAM as code in repo. Every grant is a PR. Reviewers see who, what, why before merge. Audit trail automatic.
Removes the ‘just give me admin to ship this’ conversation by making admin-grant a multi-step approval.
Quarterly true-up
Quarterly: walk top-50 most-privileged roles. Anything not used in 90 days → downscope or remove.
The discipline catches what enforcement misses (granted but never used).
Antipatterns
- Console-only IAM grants. No audit trail; no review.
- Wildcard policies as “temporary.” Permanent within 60 days.
- No quarterly true-up. Drift wins.
What to do this week
Three moves. (1) Pick one production system to apply this pattern to first. (2) Measure the security signal before/after. (3) Document the gap and write a follow-up ticket so the program stays alive between quarterly reviews.