Policy Evaluation and Least Privilege

Understanding how AWS decides whether a request is allowed or denied is essential for designing systems that stay secure as they grow: the evaluation rules determine what a compromised credential can actually do.

AWS evaluates every request against all applicable policies and resolves the outcome in this order of precedence:

  • Explicit Deny (always wins): a statement with "Effect": "Deny" that matches the request overrides any Allow, no matter which policy the Allow comes from.
  • Explicit Allow: if no Deny matches, a statement with "Effect": "Allow" that matches the action and resource grants the request.
  • Default Deny: if no statement matches at all, the request is implicitly denied.

If something is not explicitly allowed, it is denied. Organizations SCPs, permissions boundaries and session policies never add permissions; they only narrow what the identity-based and resource-based policies would otherwise allow.

Architectural implications:

  • Deny rules are powerful safeguards: because nothing can override a matching explicit Deny, it is the right tool for account-wide guardrails such as blocking destructive actions or unapproved regions.
  • Over-permissive policies, especially wildcards such as "s3:*" on "Resource": "*", hand anyone who compromises a single credential far more than the workload ever needed.
  • Poor policy design increases attack surface: every unnecessary permission is another path from an initial foothold to the data.

Least Privilege means:

Grant only the permissions required to perform a task.

Example:

Instead of:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

Use a policy scoped to the operations and the resources the task actually needs:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
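To see the evaluation rules above applied to these two policies, here is an added example written for this page; it is not AWS code and not an official policy simulator. It models the three rules (implicit deny, explicit Allow, explicit Deny wins) in Python, runs the broad and the scoped policy against the same constructed requests, adds a hypothetical Deny guardrail (assumed here, not taken from the page) to show that an explicit Deny beats even "s3:*", and flags wildcard Allow statements as a least-privilege lint. The bucket name another-teams-bucket, the finance/ prefix, the object keys and the request list are constructed for the example. Condition, NotAction/NotResource, resource-based policies, SCPs and permissions boundaries are deliberately left out.

```python
"""Simplified model of IAM policy evaluation (added example, not AWS code).

Models only the three rules on this page for identity-based policies:
every request starts as an implicit deny, a matching Allow grants it, and a
matching explicit Deny overrides every Allow. It deliberately ignores
Condition, NotAction/NotResource, resource-based policies, SCPs and
permissions boundaries, so treat it as a teaching aid, not a policy simulator.
"""
from __future__ import annotations

import re
from typing import Iterable


def _wildcard_to_regex(pattern: str, ignore_case: bool) -> re.Pattern:
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if ignore_case else 0)


def _as_list(value) -> list:
    """Policy elements may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _any_match(patterns: Iterable[str], value: str, ignore_case: bool) -> bool:
    return any(_wildcard_to_regex(p, ignore_case).match(value) for p in patterns)


def evaluate(policies: list[dict], action: str, resource: str) -> str:
    """Return 'EXPLICIT_DENY', 'ALLOW' or 'IMPLICIT_DENY' for one request.

    `policies` is every identity-based policy attached to the principal.
    Action names match case-insensitively and resource ARNs case-sensitively,
    as IAM does.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
                raise NotImplementedError("toy model handles Action/Resource only")
            if not (_any_match(_as_list(stmt["Action"]), action, True)
                    and _any_match(_as_list(stmt["Resource"]), resource, False)):
                continue  # statement does not apply to this request
            if stmt["Effect"] == "Deny":
                return "EXPLICIT_DENY"  # nothing can override a matching Deny
            allowed = True  # keep scanning: a later Deny would still win
    return "ALLOW" if allowed else "IMPLICIT_DENY"


def wildcard_allows(policy: dict) -> list[dict]:
    """Least-privilege lint: Allow statements with '*' or 'service:*' actions
    or a bare '*' resource. Deny statements are exempt; a wide Deny is a guardrail."""
    flagged = []
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        if stmt["Effect"] == "Allow" and (
                any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources):
            flagged.append(stmt)
    return flagged


# The two policies from the page.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::my-bucket/*"}]}
# Hypothetical guardrail (assumed for this example): nobody writes under finance/.
GUARDRAIL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::my-bucket/finance/*"}]}

# Constructed requests: my-bucket is the page's placeholder, the rest is made up here.
REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::my-bucket/report.csv"),
    ("s3:PutObject", "arn:aws:s3:::my-bucket/finance/q1.xlsx"),
    ("s3:DeleteBucket", "arn:aws:s3:::my-bucket"),
    ("s3:GetObject", "arn:aws:s3:::another-teams-bucket/secret.txt"),
]

if __name__ == "__main__":
    for label, attached in (("broad", [BROAD]), ("scoped", [SCOPED]),
                            ("scoped+guardrail", [SCOPED, GUARDRAIL]),
                            ("broad+guardrail", [BROAD, GUARDRAIL])):
        print(f"--- {label} ---")
        for action, resource in REQUESTS:
            print(f"{evaluate(attached, action, resource):13} {action} {resource}")
    print("wildcard Allow statements in BROAD:", len(wildcard_allows(BROAD)))
```

Run it and compare the four blocks of output: the request that the broad policy allows on a bucket the task never touches becomes an implicit deny under the scoped policy, and the guardrail turns PutObject under the finance/ prefix into an explicit deny regardless of which Allow is attached or in which order the policies are listed. For real policies use the IAM policy simulator or IAM Access Analyzer; this model exists only to make the precedence rule concrete.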

Why this matters in production:

  • Limits blast radius: a leaked key or compromised workload can only reach what the task needed.
  • Reduces lateral movement: a compromised role cannot pivot to buckets or services it was never granted.
  • Improves auditability: CloudTrail activity can be compared against a narrow, intentional grant.
  • Helps with compliance, since reviewers can see exactly what each identity may do.

As environments scale, small permission mistakes multiply.
