All posts
September 14, 20251 min read

How to Create a Secure AWS S3 Read-Only IAM Role Step-by-Step

The bucket was wide open, and no one knew who was looking inside. That’s how security holes start. AWS S3 buckets are simple to create, but without precise IAM roles, they can also become a liability. The safest way to give access—when all someone needs to do is look—is a read-only role. This post walks step-by-step into creating a Cloud IAM AWS S3 read-only role that stands up to scrutiny, passes audits, and doesn’t break workflows. AWS Identity and Access Management (IAM) lets you define exa

Free White Paper

AWS IAM Policies + Read-Only Root Filesystem: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

The bucket was wide open, and no one knew who was looking inside.

That’s how security holes start. AWS S3 buckets are simple to create, but without precise IAM roles, they can also become a liability. The safest way to give access—when all someone needs to do is look—is a read-only role. This post walks step-by-step into creating a Cloud IAM AWS S3 read-only role that stands up to scrutiny, passes audits, and doesn’t break workflows.

AWS Identity and Access Management (IAM) lets you define exactly what each identity can do. For an S3 read-only role, you want the least privilege principle fully enforced. That means the role can only list and get objects—nothing more. Over-permissive policies are the silent killers of cloud security. Lock them down.

Step 1: Create the IAM Role

  • In the AWS console, open the IAM service.
  • Click "Roles"→ "Create role."
  • Choose the trusted entity (often another AWS service or account).
  • Continue to permissions.

Step 2: Attach Read-Only Policy
AWS provides a managed policy called AmazonS3ReadOnlyAccess. It allows only s3:Get* and s3:List* actions across all buckets and objects. Attach it to the role. Managed policies save time. They’re maintained by AWS and align with security best practices.

Continue reading? Get the full guide.

AWS IAM Policies + Read-Only Root Filesystem: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Step 3: Scope with Resource Restrictions
Though managed policies work, the best approach is sometimes a custom one. Restrict to specific buckets:

{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Effect": "Allow",
 "Action": [
 "s3:GetObject",
 "s3:ListBucket"
 ],
 "Resource": [
 "arn:aws:s3:::my-secure-bucket",
 "arn:aws:s3:::my-secure-bucket/*"
 ]
 }
 ]
}

This limits access to the single bucket you want. No one can list or get objects from anywhere else.

Step 4: Test the Role
Use the AWS CLI to assume the role and attempt access. Confirm that listing and reading objects works, while uploads or deletes fail. This is where you catch mistakes before they hit production.

AWS S3 read-only roles are essential for safe collaboration. They reduce risk, simplify audits, and make access control predictable. Whether you manage dozens of buckets or thousands, IAM policies that enforce least privilege are the backbone of a secure cloud.

You can build, test, and see this kind of policy working live, in minutes, using hoop.dev. Stop hoping your permissions are right. Make them exact, test them instantly, and keep your buckets safe.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts