The Principle of Least Privilege (PoLP) is a foundational concept in IAM, highlighted in the CSA Security Guidance v4.0 – Domain 12: Identity, Entitlement, and Access Management. It ensures users, systems, and processes are granted only the permissions necessary to perform their tasks — and nothing more.
“Least privilege refers to granting the minimum level of access — or permissions — needed for users or services to perform their required functions, thereby reducing the attack surface and limiting potential damage from misuse or compromise.”
— CSA Security Guidance v4.0, Domain 12
This principle:
Reduces the likelihood of accidental or malicious misuse
Limits damage in the case of credential theft
Supports compliance with least privilege mandates in frameworks like ISO/IEC 27001 and NIST
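To make the principle concrete, here is an added example (not part of the CSA guidance or the original page) that places an over-privileged cloud IAM policy beside a least-privilege one and runs a small check that flags the wildcard grants. The policy documents are constructed samples in the AWS IAM JSON policy format, which is an assumption; the page discusses least privilege generically.

```python
import json

# Constructed sample: one statement that allows every S3 action on every resource.
OVERPRIVILEGED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
    ],
})

# Constructed sample: the same workload only needs to read objects from one bucket.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-data/*"}
    ],
})


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_excess_privilege(policy_json):
    """Return (statement index, field, value) for Allow statements using wildcards.

    A wildcard in Action ("*" or "service:*") or Resource ("*") grants far more
    than a task usually needs and is the most common least-privilege violation.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they are not over-grants
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "Action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((idx, "Resource", resource))
    return findings


if __name__ == "__main__":
    print("over-privileged:", find_excess_privilege(OVERPRIVILEGED_POLICY))
    print("least privilege:", find_excess_privilege(LEAST_PRIVILEGE_POLICY))
```

The check is deliberately narrow: an empty result means no wildcard grants, not that every listed action is actually required, which still needs a review of what the task does.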
Incorrect options:
B is related to federation, not least privilege
C involves monitoring and analytics, not permission assignment
D is about defense in depth, which is broader than PoLP
References: CSA Security Guidance v4.0 – Domain 12: IAM; CCM v3.0.1 – IAM-01, IAM-05 (covers least privilege and role-based access control).