Configuring a GPG AWS S3 Read-Only Role for Secure Data Sharing

Configuring a GPG AWS S3 read-only role is the fastest way to share encrypted data without risking unwanted writes or deletes. It lets you grant trusted users or systems secure access to files in S3, while keeping every object immutable from their perspective.

Why use GPG with AWS S3 read-only roles

When dealing with sensitive files, S3’s role-based access control is not enough on its own. GPG encryption protects data at rest and in transit, ensuring that even if your S3 read-only IAM role credentials leak, the data inside remains unreadable without the right private key. Combine GPG encryption with a tightly scoped AWS IAM role that grants only the s3:GetObject permission on a specific bucket or prefix.

How to set up an AWS S3 read-only IAM role

  1. In the AWS console, create a new IAM role with trusted entities matching your environment (AWS services or external accounts).
  2. Attach a custom policy that allows only object reads on that bucket:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [ "s3:GetObject" ],
           "Resource": "arn:aws:s3:::your-bucket-name/*"
         }
       ]
     }

  3. Do not include write actions such as s3:PutObject or s3:DeleteObject. Keep the trust policy and the permission scope minimal.
  4. Assume the role with the AWS CLI or an SDK when pulling data.
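Before attaching the policy, it is worth checking mechanically that it really is read-only and scoped to one bucket. The following is an added example written for this post, not hoop.dev code: it walks the policy document, reports any Allow statement whose actions fall outside a small read-only allow-list (which catches wildcards such as "s3:*") or whose resources are not tied to a single bucket, and runs against the guide's policy plus a constructed over-broad one.

```python
# Actions this check accepts as read-only. Assumption: s3:ListBucket is allowed
# alongside s3:GetObject so a consumer can enumerate the prefix it may read.
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:ListBucket"}

# Constructed sample: the policy from the guide, bucket name left as the placeholder.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::your-bucket-name/*"}
    ],
}

# Constructed sample of a policy that quietly breaks the read-only guarantee.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::your-bucket-name/*"},
    ],
}

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def check_readonly_policy(policy):
    """Return findings; an empty list means every Allow is read-only and bucket-scoped."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot grant writes
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {idx}: NotAction/NotResource inverts the grant")
        for action in _as_list(stmt.get("Action", [])):
            # Anything outside the literal allow-list is reported, including wildcards
            # such as "s3:*" or "*", which expand to s3:PutObject and s3:DeleteObject.
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"statement {idx}: action {action!r} is not read-only")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" or resource.startswith("arn:aws:s3:::*"):
                findings.append(f"statement {idx}: resource {resource!r} is not bucket-scoped")
    return findings

if __name__ == "__main__":
    print("good:", check_readonly_policy(GOOD_POLICY) or "OK")
    print("bad:", check_readonly_policy(BAD_POLICY))
```

The check is deliberately strict: a wildcard that merely could expand to a write is reported, because the role's guarantee is that no object can be modified or deleted through it.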

Encrypting and decrypting with GPG

Before uploading files to S3, encrypt them locally with:

gpg --encrypt --recipient recipient@example.com file.txt
aws s3 cp file.txt.gpg s3://your-bucket-name/

Anyone with the read-only role can download the object:

aws s3 cp s3://your-bucket-name/file.txt.gpg .
gpg --decrypt file.txt.gpg > file.txt

Security best practices

  • Rotate IAM role credentials regularly, even for read-only roles.
  • Store private GPG keys in secure key management systems, never in code repos.
  • Use bucket policies to limit access to specific IP ranges or VPC endpoints.
  • Enable S3 server access logging to monitor usage.

GPG AWS S3 read-only roles create a controlled lane for sensitive file sharing across teams, pipelines, and accounts. They minimize the blast radius of a breach and align with least privilege principles.

Lock your data, share it without fear, and keep control. See it live with a working example at hoop.dev in minutes.
