
Curriculum Overview: Mastering the Principle of Least Privilege (PoLP) in AWS


This curriculum provides a comprehensive pathway to understanding and implementing the Principle of Least Privilege (PoLP) within the AWS ecosystem. As a cornerstone of the AWS Well-Architected Framework's Security Pillar, PoLP ensures that users and services have only the minimum permissions necessary to perform their tasks.


Prerequisites

Before starting this module, students should have a baseline understanding of the following:

  • Basic Cloud Concepts: Understanding of shared responsibility and cloud service models (IaaS, PaaS).
  • General Security Concepts: Familiarity with Authentication (Who are you?) vs. Authorization (What can you do?).
  • AWS Global Infrastructure: Basic knowledge of AWS Regions and Availability Zones.
  • JSON Basics: Ability to read simple JSON structures, as AWS IAM policies are written in JSON.

Module Breakdown

| Module | Topic | Complexity | Focus Area |
|---|---|---|---|
| 1 | Foundations of PoLP | Beginner | Definitions, Security Mindset, Blast Radius |
| 2 | IAM Identity Management | Intermediate | Users, Groups, Roles, and the Root User |
| 3 | Policy Engineering | Intermediate | AWS Managed vs. Customer Managed Policies |
| 4 | Auditing & Governance | Advanced | CloudTrail, Access Advisor, and Policy Review |

Learning Objectives per Module

Module 1: Foundations of PoLP

  • Define the Principle of Least Privilege and its role in reducing the "Blast Radius" of a security breach.
  • Explain the difference between data at rest, data in transit, and data in use.

Module 2: IAM Identity Management

  • Identify tasks that only the Root User can perform and why it should be locked away.
  • Differentiate between Users, Groups, and Roles to scale permission management.
  • Implement Multi-Factor Authentication (MFA) as a secondary layer of protection.

Module 3: Policy Engineering

  • Construct JSON policies that restrict access to specific AWS resources (e.g., a single S3 bucket).
  • Evaluate the trade-offs between AWS Managed Policies (convenience) and Customer Managed Policies (granularity).

Module 4: Auditing & Governance

  • Use AWS CloudTrail to audit who made what changes and when.
  • Perform a "Permission Review" to identify and prune unused credentials or over-privileged accounts.

Visual Anchors

The PoLP Decision Flow

[Diagram: The PoLP Decision Flow]

The Concept of Blast Radius

[Diagram: The Concept of Blast Radius]

Success Metrics

To demonstrate mastery of this curriculum, the learner must:

  1. Zero Root Usage: Demonstrate a workflow where the Root Account is never used for daily administrative tasks.
  2. Granular S3 Access: Create a policy that allows a user to GetObject (Read) but prevents DeleteObject (Delete) on a production bucket.
  3. Audit Proficiency: Successfully identify an unauthorized login attempt using AWS CloudTrail logs.
  4. Group-Based Scaling: Transition a system from individual user-based policies to group-based policies without interrupting service.
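Success metrics 1 and 3 (and the Module 4 objective of auditing with CloudTrail) both come down to reading CloudTrail records and asking two questions: did the root user do anything, and did a single source repeatedly fail to log in? The script below is an added example written for this page, not an AWS tool or the curriculum's own material. The log is constructed in the shape of a CloudTrail log file (`{"Records": [...]}`) with made-up names, IPs and times; the account ID `111122223333` is a placeholder, and the threshold of three failures is an arbitrary choice for the example.

```python
"""Audit constructed CloudTrail records for two PoLP findings:
root-user activity (success metric 1) and a burst of failed console
logins from one source (success metric 3)."""
import json
from collections import Counter

# Constructed sample log in CloudTrail's file shape. Not real log data:
# account ID, user names, IPs and timestamps are placeholders.
SAMPLE_LOG = """
{"Records": [
  {"eventTime": "2024-03-01T08:00:12Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
   "userIdentity": {"type": "IAMUser", "userName": "alice"},
   "responseElements": {"ConsoleLogin": "Success"}},
  {"eventTime": "2024-03-01T08:05:01Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
   "userIdentity": {"type": "IAMUser", "userName": "alice"},
   "errorMessage": "Failed authentication",
   "responseElements": {"ConsoleLogin": "Failure"}},
  {"eventTime": "2024-03-01T08:05:09Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
   "userIdentity": {"type": "IAMUser", "userName": "alice"},
   "errorMessage": "Failed authentication",
   "responseElements": {"ConsoleLogin": "Failure"}},
  {"eventTime": "2024-03-01T08:05:20Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
   "userIdentity": {"type": "IAMUser", "userName": "alice"},
   "errorMessage": "Failed authentication",
   "responseElements": {"ConsoleLogin": "Failure"}},
  {"eventTime": "2024-03-01T09:15:44Z", "eventSource": "s3.amazonaws.com",
   "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.10",
   "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
   "requestParameters": {"bucketName": "example-prod-bucket"}},
  {"eventTime": "2024-03-01T09:20:00Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "StartInstances", "sourceIPAddress": "198.51.100.10",
   "userIdentity": {"type": "AssumedRole",
                    "arn": "arn:aws:sts::111122223333:assumed-role/DeveloperRole/bob"}}
]}
"""


def load_records(text):
    """Parse a CloudTrail log file body and return its list of event records."""
    return json.loads(text)["Records"]


def root_activity(events):
    """Every event performed by the account's root user. Under the
    'Zero Root Usage' metric this list should be empty on a normal day."""
    return [e for e in events if e.get("userIdentity", {}).get("type") == "Root"]


def failed_login_bursts(events, threshold=3):
    """Count failed ConsoleLogin events per (source IP, user name) and return
    the pairs that reached the threshold. A Failure result is what CloudTrail
    records when the password or MFA step does not succeed."""
    counts = Counter()
    for e in events:
        if e.get("eventName") != "ConsoleLogin":
            continue
        if e.get("responseElements", {}).get("ConsoleLogin") != "Failure":
            continue
        who = (e.get("sourceIPAddress"), e.get("userIdentity", {}).get("userName"))
        counts[who] += 1
    return {who: n for who, n in counts.items() if n >= threshold}


def audit(events, threshold=3):
    """Run both checks and return the findings as one report dict."""
    return {
        "root_events": root_activity(events),
        "failed_login_bursts": failed_login_bursts(events, threshold),
    }


EVENTS = load_records(SAMPLE_LOG)

if __name__ == "__main__":
    report = audit(EVENTS)
    for e in report["root_events"]:
        print("ROOT USED:", e["eventTime"], e["eventName"], e["sourceIPAddress"])
    for (ip, user), n in report["failed_login_bursts"].items():
        print(f"FAILED LOGINS: {n} for user {user!r} from {ip}")
```

Both checks are pure functions over the record list, so the same code can be pointed at real records exported from an S3 trail bucket once `load_records` is fed each file's contents; in practice the root-user check is what you would alert on unconditionally, while the failed-login threshold is something to tune against your own baseline.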

Real-World Application

> [!IMPORTANT]
> The "Set and Forget" Trap: Security is not a one-time setup. Real-world environments change. A developer who needed database access six months ago may no longer be on that project. Following PoLP means consistently reviewing permissions to ensure access is revoked when no longer required.

  • Compliance: Many frameworks (HIPAA, PCI-DSS, GDPR) legally require the implementation of least privilege to protect sensitive data.
  • Operational Excellence: By limiting what a user can do, you prevent accidental deletions of critical infrastructure (e.g., accidentally deleting a production database instead of a test one).
  • Security Breach Mitigation: If an employee's credentials are stolen, the attacker can only do what that employee was authorized to do. If they had PoLP access, the damage is contained.

Implementation Examples

Example 1: The Auditor vs. The Developer

| Role | Required Action | Policy Type | Permission Level |
|---|---|---|---|
| Financial Auditor | View billing and usage reports | Read-Only | billing:ViewBilling |
| Cloud Developer | Upload code to S3, start EC2 | Power User | s3:PutObject, ec2:StartInstances |

Example 2: IAM Policy Logic

To prevent an attacker from deleting data, a PoLP policy would look like this in JSON:

$$\text{Policy} = \begin{cases} \text{Effect: Allow}, & \text{Action: s3:Get*} \\ \text{Effect: Deny}, & \text{Action: s3:Delete*} \end{cases}$$

> [!TIP]
> Always start with a "Deny All" mindset. Only add "Allow" statements for specific actions and specific resources. If you don't need to delete it, don't have the permission to do so.
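The policy in Example 2, the tip above, and success metric 2 (GetObject allowed, DeleteObject blocked on a production bucket) all rest on how IAM combines statements: an explicit Deny always wins, an Allow is needed for anything to pass, and everything else is implicitly denied. The block below is an added example, not the page's or AWS's code. It writes the Example 2 policy as a real JSON document scoped to a placeholder bucket (`example-prod-bucket`) and evaluates requests against it with a small model of that decision order. The model is deliberately simplified: it handles `Action`/`Resource` wildcards and multiple attached policies, but ignores `Condition` blocks, resource-based policies, permission boundaries and SCPs. It goes one step beyond the text by showing why the explicit Deny matters once a broader second policy is attached.

```python
"""Evaluate requests against IAM-style identity policies using IAM's
decision order: explicit Deny beats Allow, and no matching Allow means
an implicit Deny. Simplified model: no Condition evaluation."""
import fnmatch
import json

# Example 2 as a JSON policy document, scoped to one placeholder bucket.
# Reads are allowed, deletes are explicitly denied.
READ_ONLY_PROD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:Get*",
     "Resource": "arn:aws:s3:::example-prod-bucket/*"},
    {"Effect": "Deny", "Action": "s3:Delete*",
     "Resource": "arn:aws:s3:::example-prod-bucket/*"}
  ]
}
""")

# A constructed "broad" policy of the kind a convenient managed policy might
# grant. Attaching it alongside the one above shows the explicit Deny at work.
BROAD_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive; * and ? are the wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # ARNs are matched with the same wildcards but are case-sensitive.
    return fnmatch.fnmatchcase(resource, pattern)


def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request,
    considering every statement of every attached policy."""
    decision = "ImplicitDeny"          # the default if nothing matches
    for policy in policies:
        for stmt in policy["Statement"]:
            hit_action = any(_action_matches(a, action) for a in _as_list(stmt["Action"]))
            hit_resource = any(_resource_matches(r, resource) for r in _as_list(stmt["Resource"]))
            if not (hit_action and hit_resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny ends evaluation
            decision = "Allow"         # keep looking in case a Deny follows
    return decision


PROD_OBJECT = "arn:aws:s3:::example-prod-bucket/report.csv"
OTHER_OBJECT = "arn:aws:s3:::example-dev-bucket/scratch.txt"

if __name__ == "__main__":
    for action in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject"):
        only = evaluate([READ_ONLY_PROD_POLICY], action, PROD_OBJECT)
        both = evaluate([READ_ONLY_PROD_POLICY, BROAD_S3_POLICY], action, PROD_OBJECT)
        print(f"{action:16} read-only policy: {only:13} + broad policy: {both}")
```

With only the read-only policy attached, `s3:PutObject` is already blocked by the implicit deny, which is the "Deny All" starting point the tip describes. The explicit Deny on `s3:Delete*` earns its place the moment a broader policy is attached to the same identity: `s3:PutObject` becomes allowed by the broad policy, but `s3:DeleteObject` stays denied because the explicit Deny overrides every Allow.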
