
Bastion Host Replacement with AWS S3 Read-Only Roles


When managing access to AWS S3, maintaining security without excessive complexity is a priority. Bastion hosts have long been used as a bridge for secure access into VPC-restricted resources. However, they come with their own set of challenges: managing configuration, patching, high availability, and scaling can add unwanted overhead to your infrastructure. A modern approach to replace bastion hosts—particularly for read-only access to AWS S3—is by leveraging roles and fine-grained permissions, simplifying your access control model.

Let’s explore how AWS S3 read-only roles reduce complexity and enhance security while providing the same functionality as traditional bastion hosts.


Why Replace Bastion Hosts?

Bastion hosts have been the go-to solution for secure administrative access to private resources, but they introduce multiple pain points:

  • Management Burden: Frequent updates and scaling requirements can make maintenance cumbersome.
  • Potential Vulnerabilities: A bastion host that is poorly managed or unpatched becomes both an exposed entry point into your private network and a single point of failure.
  • Overhead: Costs rise when these hosts are always running, especially in production environments.

Replacing them with role-based access doesn't just eliminate operational overhead—it provides a more seamless and secure way to interact with AWS S3.


Using AWS S3 Read-Only Roles as a Bastion Host Alternative

Key Benefits of Using Roles

  1. Granular Access Control
    AWS IAM policies let you define narrow, scoped permissions. A 'read-only' role for S3 lets callers fetch objects but not modify or delete them, limiting what users or applications can do with the data.
  2. No Infrastructure to Maintain
    Roles eliminate the need for running, monitoring, or patching any EC2 instances. Say goodbye to the operational complexity of maintaining bastion hosts.
  3. Scalability
    IAM roles scale automatically with your organization. New users or services requiring access don’t need extra infrastructure—just attach the appropriate permissions.
  4. Audit and Compliance-Friendly
    AWS CloudTrail logs every role assumption and API call, making access auditing straightforward. This is a critical improvement over legacy bastion host setups, where SSH log management can be error-prone.

Setting Up a Read-Only Role for AWS S3

Here’s a quick step-by-step process for creating a read-only role:

  1. Go to the IAM Management Console in AWS.
  2. Create an IAM Role and choose "AWS Service" as the trusted entity, selecting EC2 or Lambda if you're assigning it to a workload.
  3. Attach the AmazonS3ReadOnlyAccess policy to the role.
  4. For finer control, edit the policy to specify target buckets or prefixes:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::your-target-bucket/*"
        }
      ]
    }

Assign this role to users, services, or any application that needs read-only S3 access. This setup completely removes the need for SSH tunneling or bastion host management.
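As an added example (not code from the original post), the Python below builds the scoped policy from step 4 for one bucket and a set of prefixes, then checks what it permits with a simplified, deny-by-default evaluator. The bucket name and prefixes are constructed placeholders, and the evaluator ignores Condition blocks, so it only exercises Action/Resource scoping.

```python
"""Build a least-privilege S3 read-only policy and test its scope offline.
Bucket name and prefixes used below are constructed placeholders."""
import json
import re
from typing import Dict, List


def build_readonly_policy(bucket: str, prefixes: List[str]) -> Dict:
    """Grant listing and object reads only under the given prefixes of one
    bucket. Listing is limited with the s3:prefix condition so the role
    cannot enumerate the rest of the bucket."""
    if not prefixes:
        raise ValueError("give at least one prefix; use '' for the whole bucket")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOnlyAllowedPrefixes",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{p}*" for p in prefixes]}},
            },
            {
                "Sid": "ReadObjectsUnderAllowedPrefixes",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                "Resource": [f"arn:aws:s3:::{bucket}/{p}*" for p in prefixes],
            },
        ],
    }


def _matches(pattern: str, value: str) -> bool:
    # IAM-style wildcard: '*' matches any run of characters, '?' exactly one.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def is_allowed(policy: Dict, action: str, resource: str) -> bool:
    """Simplified evaluation of a single identity policy: an explicit Deny
    wins, any matching Allow grants, anything else is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        hit = any(_matches(a, action) for a in actions) and any(_matches(r, resource) for r in resources)
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed


if __name__ == "__main__":
    print(json.dumps(build_readonly_policy("example-data-bucket", ["reports/"]), indent=2))
```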


Enhancing Security Without Sacrificing Simplicity

IAM roles aren’t just an operational improvement—they make your system inherently more secure. Unlike bastion hosts, roles support:

  • Temporary Credentials: Minimize the attack surface by using short-lived credentials rather than static passwords or SSH keys.
  • Explicit Trust Relationships: Only pre-approved users, systems, or workloads can assume a specific IAM role.
  • Network-Limited Access: Pair IAM roles with VPC Endpoint policies to ensure data stays inside your private network.

These enhancements make IAM an ideal replacement for accessing AWS S3 securely and efficiently.


Demo: Simplify Access Management with Hoop.dev

Rolling your own implementation of S3 read-only roles is possible, but it often involves manual configuration and time investment. A better solution is hoop.dev, a platform designed to handle secure cloud access with the least friction. In minutes, you can set up a read-only IAM role to interact with S3—without the need for a bastion host.

Experience how quickly you can optimize cloud security and reduce complexity. Try Hoop.dev live today and see how effortless secure access to AWS resources can be.
