All posts
September 5, 20252 min read

Command Whitelisting for AWS S3 Read-Only Roles

An S3 bucket leaked. Not yours—yet. But if you run AWS, you know it could happen. Command whitelisting for AWS S3 read-only roles is a simple, brutal way to cut that risk down to almost nothing. No sprawling policies. No “just in case” permissions. No hidden write access waiting to blow up. You only allow the exact S3 actions you trust. Everything else dies at the door. The heart of it is in IAM policy design. S3 read-only access is easy to get wrong because “read” can mean more than you think

Free White Paper

Read-Only Root Filesystem + AWS IAM Policies: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

An S3 bucket leaked. Not yours—yet. But if you run AWS, you know it could happen.

Command whitelisting for AWS S3 read-only roles is a simple, brutal way to cut that risk down to almost nothing. No sprawling policies. No “just in case” permissions. No hidden write access waiting to blow up. You only allow the exact S3 actions you trust. Everything else dies at the door.

The heart of it is in IAM policy design. S3 read-only access is easy to get wrong because “read” can mean more than you think. Even ListBucket without context can expose more than you’d expect. The safest setup is whitelisting individual commands like GetObject, ListBucket, and HeadObject only for the target bucket and specific prefixes. This prevents PutObject, DeleteObject, or access to other buckets from sneaking in through vague wildcards.

Here’s the pattern you want:

Continue reading? Get the full guide.

Read-Only Root Filesystem + AWS IAM Policies: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.
  • Define a role with the minimum set of S3 read-only actions.
  • Scope every resource ARN down to the bucket and path needed.
  • Block every action not explicitly given.
  • Add explicit deny rules for anything dangerous if your org allows inheritance from other policies.

AWS gives you the condition keys you need to lock it tight. Examples:

  • s3:prefix and s3:delimiter to narrow list operations.
  • aws:userid to link access directly to a role or user.
  • aws:SourceIp for network constraints if that fits your environment.

The key is to avoid policy sprawl. Start from zero, add exact allowed commands, and stop. This is the core of command whitelisting—security reduced to its purest form.

Another step is making these roles observable and testable. If you don’t validate them, you can’t trust them. Simulate in AWS IAM Policy Simulator, but also run real-world tests. Attempt every blocked action you can think of. If it passes, your whitelist isn’t real.

The result? A read-only AWS S3 role that truly is read-only. No hidden mutation paths. Fewer ways for data to leak or get destroyed. And no reliance on hope or “best practices” that crumble under pressure.

You could spend weeks building this from scratch. Or you could see it run in minutes. hoop.dev lets you create, test, and lock down IAM policies and S3 roles with surgical precision. The same principle applies—start with nothing, allow only what you need, block the rest—and hoop.dev makes that real, fast. See it live. Tighten it now before the next leak has your name on it.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts