Which ACL rule aligns with the principle of least privilege?


Multiple Choice

Which ACL rule aligns with the principle of least privilege?

- Permit access to a single internal webserver
- Allow access to all internal webservers
- Deny everything by default
- Block all external traffic

Explanation:
Least privilege means granting a user or system only the access it needs to perform its function, and nothing more. In an ACL, that translates to a narrow permit entry for the specific resource required (ideally scoped to source, destination, protocol and port, for example TCP/443 to one host), followed by a deny for everything else. Permitting access to a single internal webserver is the rule that does this: the user can reach only that server, which minimizes exposure and limits the blast radius if the account or host is compromised.

Allowing access to all internal webservers grants more than the task requires and so undermines the principle. Denying everything by default is a sound posture and is the backdrop that least privilege relies on (most ACLs already end in an implicit deny), but on its own it grants nothing and does not say which resource should be allowed; you still need the explicit, narrow permit ahead of it. Blocking all external traffic addresses exposure to the outside but says nothing about fine-grained internal access control. So permitting access to only one internal webserver best aligns with least privilege.

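To make the comparison concrete, here is an added example (not from the original page) that models the four candidate rules as first-match ACLs with an implicit deny at the end, runs a handful of constructed flows through each, and reports how much each one permits beyond the single flow the user actually needs. The addresses, ports, rule shape and flow set are all constructed for illustration; the scoring function simply picks the candidate that still permits the required flow while permitting the fewest extras.

```python
"""Added example: a tiny first-match ACL evaluator used to compare the
four candidate rules from the question. Addresses, ports and the
'action source destination [proto port]' rule shape are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One candidate connection: source, destination, protocol, dest port."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One ACL entry. dport=None and proto='any' act as wildcards."""
    action: str                   # "permit" or "deny"
    src: str                      # CIDR, e.g. "10.1.1.10/32"
    dst: str                      # CIDR
    proto: str = "any"            # "tcp", "udp" or "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (
            ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", flow.proto)
            and self.dport in (None, flow.dport)
        )


def evaluate(acl: list[Rule], flow: Flow) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action
    return "deny"


def permitted(acl: list[Rule], flows: list[Flow]) -> set[Flow]:
    """All sample flows this ACL lets through."""
    return {f for f in flows if evaluate(acl, f) == "permit"}


def excess(acl: list[Rule], flows: list[Flow], required: set[Flow]) -> set[Flow]:
    """Flows the ACL permits beyond what the function actually needs."""
    return permitted(acl, flows) - required


def least_privilege(candidates: dict, flows: list[Flow], required: set[Flow]) -> Optional[str]:
    """Candidate that permits every required flow with the fewest extras, or None."""
    viable = {
        name: excess(acl, flows, required)
        for name, acl in candidates.items()
        if required <= permitted(acl, flows)
    }
    if not viable:
        return None
    return min(viable, key=lambda name: len(viable[name]))


# Constructed sample flows: one workstation, two internal webservers,
# an internal database and an external host (203.0.113.0/24 is TEST-NET-3).
USER = "10.1.1.10"
FLOWS = [
    Flow(USER, "10.2.0.10", "tcp", 443),    # the one webserver the job needs
    Flow(USER, "10.2.0.11", "tcp", 443),    # a second internal webserver
    Flow(USER, "10.2.0.10", "tcp", 22),     # SSH to that same webserver
    Flow(USER, "10.3.0.5", "tcp", 5432),    # internal database
    Flow(USER, "203.0.113.9", "tcp", 443),  # external host
]
REQUIRED = {FLOWS[0]}

# The four answer choices, written as constructed ACLs.
CANDIDATES = {
    "permit one internal webserver": [
        Rule("permit", f"{USER}/32", "10.2.0.10/32", "tcp", 443),
    ],
    "permit all internal webservers": [
        Rule("permit", f"{USER}/32", "10.2.0.0/24", "tcp", 443),
    ],
    "deny everything by default": [
        Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
    ],
    "block all external traffic": [
        Rule("permit", "10.0.0.0/8", "10.0.0.0/8"),  # internal-to-internal only
    ],
}

if __name__ == "__main__":
    for name, acl in CANDIDATES.items():
        print(f"{name:32s} permits {len(permitted(acl, FLOWS))} of {len(FLOWS)} flows, "
              f"{len(excess(acl, FLOWS, REQUIRED))} beyond what is required")
    print("least privilege:", least_privilege(CANDIDATES, FLOWS, REQUIRED))
```

Running it shows the shape of the argument in the explanation: the deny-everything ACL is not viable at all because it blocks the required flow, the block-external ACL permits four of the five flows, the all-webservers ACL permits one extra host, and only the single-host, single-port permit has zero excess. Note that the single permit only achieves least privilege because the evaluator falls through to an implicit deny; a permit with nothing after it on a device that does not deny by default would be wide open.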
