A read-only IAM role on Amazon S3 still opens a door. It doesn’t let an attacker overwrite or delete data, but it can let them download every object in your bucket. If that bucket holds sensitive data, a breach is already complete before you even see the first log entry. The biggest mistake is treating read-only permissions as harmless.
Why read-only roles are a risk
An S3 bucket with public or overly broad read-only access lets any user or compromised role pull its data. Even with no write access, an attacker can collect customer information, secrets, code, or internal documents. AWS doesn’t automatically warn you that a read-only role can reach sensitive buckets. CloudTrail can record every one of those GetObject calls, but without monitoring rules tuned for these actions you won’t know a breach happened until it’s too late.
Data breach notification gaps
Data breach notification policies usually prepare you for obvious incidents—objects deleted, buckets made public. They often fail when the malicious activity looks like normal behavior. A read-only session GETting thousands of files could look like a normal data export. Without proactive triggers, that activity won’t generate alerts, even as your data flows out unobserved.
Best practices for detecting read-only data leaks
- Treat read access as sensitive. Audit all IAM roles with s3:GetObject or wildcards like s3:* that include read permissions.
- Restrict roles to the smallest possible set of objects using bucket policies and IAM conditions.
- Enable and monitor S3 server access logging or CloudTrail data events for GetObject calls. Object-level reads are data events, not management events, so a default trail does not record them until data event logging is switched on for the bucket.
- Build automation to flag unusual read patterns, such as downloads from unfamiliar IP ranges, spikes in access volume, or requests outside business hours.
- Test your breach notification workflows to ensure read-only exfiltration events trigger the same urgency as write/delete actions.
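As an added example (not part of the original post, and not hoop.dev's code), here is the detection rule the list above describes, run over constructed CloudTrail records: GetObject calls are grouped per role session and flagged for volume, an unfamiliar source IP, or off-hours activity. The known IP ranges, the volume threshold, the business-hours window and the session ARNs are assumptions chosen for the example.

```python
import json
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Thresholds and "known" ranges are assumptions for this example; tune them per environment.
KNOWN_RANGES = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 UTC
MAX_GETS_PER_SESSION = 100      # GetObject calls per role session in the analysed window

def is_unfamiliar(source):
    """True for an IP outside KNOWN_RANGES. CloudTrail records an AWS service name instead of
    an IP for service-initiated calls; those are not flagged by this rule."""
    try:
        return not any(ip_address(source) in net for net in KNOWN_RANGES)
    except ValueError:
        return False

def flag_read_anomalies(raw_json):
    """Group S3 GetObject records by role session; return {session_arn: [reasons]} for abnormal reads."""
    per_session = defaultdict(list)
    for rec in json.loads(raw_json)["Records"]:
        if rec.get("eventSource") == "s3.amazonaws.com" and rec.get("eventName") == "GetObject":
            per_session[rec["userIdentity"]["arn"]].append(
                (rec["sourceIPAddress"], datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")))
    findings = {}
    for arn, evs in per_session.items():
        reasons = []
        if len(evs) > MAX_GETS_PER_SESSION:
            reasons.append(f"volume: {len(evs)} GetObject calls")
        foreign = sorted({ip for ip, _ in evs if is_unfamiliar(ip)})
        if foreign:
            reasons.append("unfamiliar source IP: " + ", ".join(foreign))
        off_hours = sum(1 for _, t in evs if t.hour not in BUSINESS_HOURS)
        if off_hours:
            reasons.append(f"{off_hours} calls outside business hours")
        if reasons:
            findings[arn] = reasons
    return findings

def build_sample_trail():
    """Constructed CloudTrail-style records (not real logs): five daytime reads from a known range, then a 150-object 03:00 UTC pull from an unfamiliar address."""
    def rec(arn, ip, when):
        return {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "eventTime": when,
                "sourceIPAddress": ip, "userIdentity": {"arn": arn}}
    analyst = "arn:aws:sts::111122223333:assumed-role/ReadOnlyAnalyst/alice"
    suspect = "arn:aws:sts::111122223333:assumed-role/ReadOnlyAnalyst/ci-runner"
    records = [rec(analyst, "10.0.4.21", f"2024-05-01T10:1{i}:00Z") for i in range(5)]
    records += [rec(suspect, "203.0.113.9", f"2024-05-01T03:{i % 60:02d}:00Z") for i in range(150)]
    return json.dumps({"Records": records})
```

Run `flag_read_anomalies(build_sample_trail())` to see only the ci-runner session reported, with all three signals; the analyst session produces no finding.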
Real-time breach awareness
When a read-only role is abused, the clock starts. Every minute without detection is a minute of data loss. Automation that pairs AWS CloudTrail logs with anomaly detection can cut response times from hours to seconds. Waiting until your storage metrics spike or a customer reports exposed data is not an option.
Secure, observe, respond
Data breach notification for AWS S3 read-only roles is not about paranoia—it’s about acknowledging that access equals risk. Whether your environment has a single bucket or hundreds, visibility is the difference between a contained incident and a public disclosure.
See how to track, detect, and respond in minutes with hoop.dev. The setup is fast, you can watch it live, and you’ll know exactly when someone’s “read-only” turns into a breach.