Which option is NOT a design principle for data security?

Study for the AWS Academy Data Engineering Test. Use flashcards and multiple-choice questions, each with hints and explanations. Prepare for success!

Data security encompasses multiple layers and strategies for protecting sensitive information. Among the design principles, providing permissions through AWS Identity and Access Management (IAM) roles is a fundamental practice. However, stating that one should "only" provide permissions this way ignores the broader context of security design principles.

Using encryption for data at rest and in transit ensures that data remains confidential and secure, regardless of its state. This is a widely accepted practice for protecting information from unauthorized access.

Limiting access with AWS IAM roles is crucial because it helps enforce the principle of least privilege: users and services have only the permissions necessary to perform their tasks, which reduces potential attack surfaces.

Implementing monitoring and logging for data access is essential to maintain oversight and accountability, allowing organizations to detect and respond to unauthorized access or other suspicious activities.

Hence, while using IAM roles is important, emphasizing that it should be the exclusive means of permissioning does not align with the flexible, multi-faceted approach required for comprehensive data security. Additional methods may include attribute-based access control and service control policies, which complement IAM roles to enhance security.
