Least Privilege

What it is: A security principle: grant only the permissions needed for the task, nothing more.

What it’s for:

  • Reduce damage if credentials are compromised.
  • Improve security posture.

How to apply:

  • Scope by action (read vs write).
  • Scope by resource (specific bucket/table/ARN).
  • Add conditions (IP, MFA, tags).
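The three scoping steps above, as an added example that is not part of the original page: a broad IAM policy next to a scoped one, with a small check that reports which statements are still unscoped. The bucket name, the CIDR range and the helper names are constructed placeholders; the check only looks at `Action`, `Resource` and `Condition` on Allow statements and does not flag partial wildcards such as `s3:Get*`.

```python
# Constructed sample policies; bucket name and CIDR are placeholders.
BROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],                           # scope by action: read only
        "Resource": "arn:aws:s3:::example-reports-bucket/*",  # scope by resource: one bucket
        "Condition": {                                        # add conditions: MFA and source IP
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
        },
    }],
}


def _as_list(value):
    """IAM allows a single string or a list for Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def audit(policy):
    """Return (statement index, kind, value) for each unscoped part of an Allow statement."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):   # every action, or every action of a service
                findings.append((i, "action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":                          # every resource in the account
                findings.append((i, "resource", resource))
        if not stmt.get("Condition"):                    # no IP/MFA/tag restriction at all
            findings.append((i, "condition", "none"))
    return findings


if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit(policy))
```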

Hard words:

  • *principle* /ˈprɪnsəpəl/: a basic rule or guideline
  • *compromised* /ˈkɑːmprəmaɪzd/: exposed or taken over
  • *posture* /ˈpɑːstʃər/: state (level of security)
aws/security/iam/least-privilege.txt · Last modified: by phong2018