Every application we use must have user-granular authorization settings to grant a least privilege policy at all times. Some examples are the following:

1. IAM and KMS: These two tools are widely used within Fluid Attacks. They allow us to ensure that hackers can only access the source code, environments, exploits, and secrets of their assigned projects. We can easily remove access if the need arises without leaking users/passwords. These tools also allow us to keep application production secrets hidden from developers (separation of production-development secrets).

2. Infrastructure: Infrastructure components always grant minimum privileges only to the applications that need to use them. We never give any service full permissions over our entire infrastructure.

3. IAM: It is possible to provide user-level access to the application, which allows us to give talent access only to what they need to perform their tasks. Granting or removing access to applications is simple, and no users/passwords are leaked.
   

Requirements

1. 034. Manage user accounts
   
2. 176. Restrict system objects
   
3. 374. Use of isolation methods in running applications