# Principle of Least Privilege

The principle of least privilege describes giving a user account or process only the privileges that are essential to perform its intended function. The principle also applies to a user who does work in a normal user account and only uses a privileged or superuser account when the situation absolutely demands it.

Examples of privileged access are root access, updating operating systems, performing “sudo” operations, accessing high secret credentials and committing to repositories.

You may want to adopt the principle of least privilege if:

- you need to grant required access rights to different users according to the nature of their job or security clearance levels
- you want to use different permissions for day-to-day tasks from those required for security-critical (privileged) tasks
- you want to limit collateral damage when a normal user account gets compromised

Your team needs to:

- define roles for users and grant required privileges, or access rights, for those roles
- create the least privileged roles or credentials that are required for normal users to perform their day-to-day jobs
- use the least privileged role or credentials as the default option
- limit the number of privileged users and accounts
- use just-in-time (JIT) access provisioning to grant users an on-demand, time-limited privileged role or security token to access the privileged resources
- make sure the session time of privileged access is set to no more than 12 hours, and/or terminates when the user logs out of their laptop
- establish an audit trail for the use of privileged access
- rotate application secrets as needed, for example regularly or as part of the leavers process

## Examples

For human-readable secrets, you may set up a separate secrets store for system-critical credentials and restrict the number of people who can access this store according to their roles in the team.
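The team rules above (a least-privileged default role, a bounded session time for privileged access, and a limited set of privileged users) can be checked mechanically against role definitions. The script below is an added example written for this page, not code from the GDS Way or from AWS. It audits IAM-style role records whose `RoleName`, `MaxSessionDuration` (seconds) and `AssumeRolePolicyDocument` fields mirror the documented IAM role shape; the `PolicyDocument` field holding the role's permissions, the three sample roles, the 4-hour team ceiling (stricter than the page's 12-hour limit) and the principal-count threshold are all constructed for the example.

```python
"""Audit role definitions against the least-privilege rules given above.

Constructed example: the record shape follows IAM's RoleName /
MaxSessionDuration / AssumeRolePolicyDocument fields, while PolicyDocument
is an assumed simplification that inlines the role's permissions policy.
"""

# Team-chosen ceiling for a privileged session (assumption); it must sit
# within the page's rule of "no more than 12 hours".
MAX_PRIVILEGED_SESSION_SECONDS = 4 * 60 * 60
# Constructed threshold for "limit the number of privileged users".
MAX_PRIVILEGED_PRINCIPALS = 5


def _as_list(value):
    """IAM policy fields may be a string, a dict or a list; normalise to a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def is_privileged(role):
    """Treat a role as privileged if any Allow statement grants a wildcard action."""
    for stmt in _as_list(role["PolicyDocument"]["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            return True
    return False


def trusted_principals(role):
    """Collect the AWS principals that the trust policy allows to assume the role."""
    principals = []
    for stmt in _as_list(role["AssumeRolePolicyDocument"]["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):      # "Principal": "*"
            principals.append(principal)
        else:                               # "Principal": {"AWS": ...}
            principals.extend(_as_list(principal.get("AWS")))
    return principals


def audit_roles(roles):
    """Return (role name, problem) pairs for privileged roles that break a rule."""
    findings = []
    for role in roles:
        if not is_privileged(role):
            continue  # day-to-day roles are not held to the privileged-access rules
        name = role["RoleName"]
        if role["MaxSessionDuration"] > MAX_PRIVILEGED_SESSION_SECONDS:
            findings.append((name, "privileged session ceiling exceeds the team limit"))
        principals = trusted_principals(role)
        if "*" in principals:
            findings.append((name, "trust policy lets any principal assume a privileged role"))
        elif len(principals) > MAX_PRIVILEGED_PRINCIPALS:
            findings.append((name, "too many principals can assume a privileged role"))
    return findings


# Constructed sample records; the account id and user names are placeholders.
SAMPLE_ROLES = [
    {
        "RoleName": "read-only",
        "MaxSessionDuration": 43200,
        "AssumeRolePolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]},
        "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]},
    },
    {
        "RoleName": "admin",
        "MaxSessionDuration": 43200,
        "AssumeRolePolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"AWS": ["arn:aws:iam::111111111111:user/alice",
                                   "arn:aws:iam::111111111111:user/bob"]}}]},
        "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    },
    {
        "RoleName": "break-glass",
        "MaxSessionDuration": 3600,
        "AssumeRolePolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": "*"}]},
        "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    },
]

if __name__ == "__main__":
    for role_name, problem in audit_roles(SAMPLE_ROLES):
        print(f"{role_name}: {problem}")
```

Run against the sample data, the read-only role passes untouched, the admin role is reported for its 12-hour session ceiling, and the break-glass role is reported because its trust policy does not limit who may assume it. In practice the records would come from your account's role listing rather than from the inline sample.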
If you are using gds-users to log into your AWS accounts, you should assume a read-only role by default, and only assume an admin role as a deliberate action. You should set up the admin account so that the session timeout is less than 12 hours. You should send the audit trail of admin access to the Cyber Security team.

## Further Guidance

- NCSC - 10 steps to cyber security
- NCSC - privileged user management
- NIST Special Publication 800-53 - AC-6 least privilege