Which practice best reduces blast radius by granting only the permissions needed to each component or user?

• A. Self-healing through health checks and automatic restarts
• B. Manual restarts after every failure
• C. Disabling health checks to reduce overhead
• D. Relying on a single replica without redundancy

Answer: (A)

Reducing blast radius comes from giving each component or user only the permissions it actually needs. This is the basic idea of least privilege: use scoped service accounts, RBAC roles that grant only the necessary verbs on specific resources, and network isolation so a compromise in one part of the system can’t easily spread. Self-healing through health checks and automatic restarts improves resilience and availability, but it doesn’t limit what a component can access or what actions it can take. It doesn’t reduce the potential impact of a breach. The other options focus on handling failures or improving redundancy rather than limiting permissions: manual restarts add downtime, disabling health checks increases risk, and relying on a single replica worsens reliability and doesn’t address permissions. So, to minimize blast radius, enforce least privilege with properly scoped roles and access controls.