diff --git a/.github/workflows/docker-bake.yml b/.github/workflows/docker-bake.yml
index c6c2fe3..7e472d4 100644
--- a/.github/workflows/docker-bake.yml
+++ b/.github/workflows/docker-bake.yml
@@ -1,5 +1,8 @@
 name: docker bake
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 47973be..5367fcf 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -1,5 +1,8 @@
 name: rust tests
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
diff --git a/.github/workflows/secure_workflows.yml b/.github/workflows/secure_workflows.yml
index 47b2a00..8a1c472 100644
--- a/.github/workflows/secure_workflows.yml
+++ b/.github/workflows/secure_workflows.yml
@@ -26,8 +26,6 @@ jobs:
     name: Harden Security
     if: github.repository_owner == 'aws-samples'
     runs-on: ubuntu-latest
-    permissions:
-      contents: read  # checkout code and subsequently GitHub action workflows
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0