
How to Create AWS S3 Read-Only Roles Using AWS CLI


When you work with AWS S3, control is everything. A single misconfigured policy can open doors you never meant to unlock. That’s why read-only roles exist — to give secure, controlled access without risking accidental changes or deletions. If you know how to set them up with AWS CLI, you can grant the exact level of access needed and nothing more.

Why Use AWS S3 Read-Only Roles
Read-only roles keep your buckets safe while still making them useful. They let a user or service read objects, list bucket contents, and check basic metadata. They block all forms of write or delete actions. This is critical for log archives, compliance snapshots, backups, and datasets that must remain untouched.

Creating a Read-Only IAM Policy
First, define the IAM policy that allows s3:GetObject and s3:ListBucket. Save this JSON as s3-readonly-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket-name",
        "arn:aws:s3:::my-bucket-name/*"
      ]
    }
  ]
}

Create the Policy with AWS CLI

aws iam create-policy \
 --policy-name S3ReadOnlyPolicy \
 --policy-document file://s3-readonly-policy.json

Attach the Policy to a New Role
Create a trust policy for the role. Save it as trust-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::ACCOUNT_ID:root" },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the role with that trust policy:

aws iam create-role \
  --role-name S3ReadOnlyRole \
  --assume-role-policy-document file://trust-policy.json

Assign the policy to the role:

aws iam attach-role-policy \
 --role-name S3ReadOnlyRole \
 --policy-arn arn:aws:iam::ACCOUNT_ID:policy/S3ReadOnlyPolicy
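The two JSON documents above can be generated and sanity-checked before they are handed to aws iam create-policy and create-role. The script below is an added example, not part of the original post: it builds the read-only policy for one or more buckets (the post shows the single-bucket case), builds the trust policy for a 12-digit account id, and lints the read-only policy for the mistakes that quietly defeat "read-only" (a write action slipping in, a wildcard resource, or s3:ListBucket / s3:GetObject bound to the wrong ARN form). It uses only the Python standard library; the bucket name and account id are constructed placeholders.

```python
"""Build and lint the S3 read-only policy and the role trust policy.

Added example (not the post's own code). Standard library only; the bucket
name and the 12-digit account id used below are constructed placeholders.
"""
import json
import re

# Actions that only read data or metadata. Anything else, including "s3:*" or
# "s3:Get*" wildcards, is treated as a potential write and reported.
READ_ONLY_ACTIONS = {
    "s3:GetObject", "s3:ListBucket", "s3:GetObjectVersion",
    "s3:GetBucketLocation", "s3:ListBucketVersions",
}


def build_read_only_policy(buckets):
    """Return the post's read-only policy as a dict, scoped to `buckets`.

    s3:ListBucket is bucket-level and needs the bare bucket ARN; s3:GetObject is
    object-level and needs the bucket/* ARN, so both forms are listed.
    """
    if not buckets:
        raise ValueError("at least one bucket is required")
    bucket_arns = [f"arn:aws:s3:::{b}" for b in buckets]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": bucket_arns + [f"{arn}/*" for arn in bucket_arns],
        }],
    }


def build_trust_policy(account_id):
    """Return the trust policy. Note that the :root principal delegates to every
    principal in that account that itself holds sts:AssumeRole permission."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account ids are 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def lint_read_only_policy(policy):
    """Return a list of findings; an empty list means read-only and bucket-scoped."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"statement {i}: non-read action {action}")
        for res in resources:
            if res in ("*", "arn:aws:s3:::*"):
                findings.append(f"statement {i}: resource {res} covers every bucket")
        # Wrong ARN form is a common cause of "it works" with broader policies
        # and "Access Denied" with tight ones, so check both pairings.
        if "s3:ListBucket" in actions and not any(not r.endswith("/*") for r in resources):
            findings.append(f"statement {i}: s3:ListBucket needs a bucket ARN (no /*)")
        if "s3:GetObject" in actions and not any(r.endswith("/*") for r in resources):
            findings.append(f"statement {i}: s3:GetObject needs an object ARN (bucket/*)")
    return findings


if __name__ == "__main__":
    policy = build_read_only_policy(["my-bucket-name"])
    print(json.dumps(policy, indent=2))                      # -> s3-readonly-policy.json
    print(json.dumps(build_trust_policy("123456789012"), indent=2))  # -> trust-policy.json
    print("findings:", lint_read_only_policy(policy))
```

Run it once to emit both files, and run lint_read_only_policy against any edited policy before re-running aws iam create-policy; a non-empty findings list is the signal to stop.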

Testing the Read-Only Role
Use the AWS CLI's sts assume-role command to obtain temporary credentials for S3ReadOnlyRole, configure them as a named profile (readonly-profile below), and then run:

aws s3 ls s3://my-bucket-name --profile readonly-profile

Try uploading or deleting a file. You should see an "Access Denied" error, proving the role is read-only.
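The step the post leaves implicit is turning the JSON that aws sts assume-role prints into the readonly-profile used above. The following is an added example, not from the original post: it takes the response (a constructed sample in the documented AssumeRole output shape, with placeholder key material), refuses it if the Expiration has already passed, confirms the session was actually issued for S3ReadOnlyRole, and renders the profile section for ~/.aws/credentials. Standard library only; the file path and profile name are assumptions.

```python
"""Convert an `aws sts assume-role` response into a credentials profile.

Added example, not part of the post. Standard library only. SAMPLE_RESPONSE is
a constructed record in the AssumeRole output layout; the key material is a
placeholder, not a real credential.
"""
import configparser
import io
import json
from datetime import datetime, timezone

PROFILE = "readonly-profile"   # profile name used in the post's test command

SAMPLE_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
        "SecretAccessKey": "EXAMPLE-SECRET-PLACEHOLDER",
        "SessionToken": "EXAMPLE-SESSION-TOKEN-PLACEHOLDER",
        "Expiration": "2999-01-01T00:00:00+00:00",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:readonly-session",
        "Arn": "arn:aws:sts::123456789012:assumed-role/S3ReadOnlyRole/readonly-session",
    },
})


def _expiry(response_json):
    """Parse Expiration; older Pythons cannot parse a trailing 'Z', so map it."""
    creds = json.loads(response_json)["Credentials"]
    return datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))


def credentials_expired(response_json, now=None):
    """True when the temporary credentials are no longer usable."""
    now = now or datetime.now(timezone.utc)
    return _expiry(response_json) <= now


def assumed_role_name(response_json):
    """Role name from arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION."""
    arn = json.loads(response_json)["AssumedRoleUser"]["Arn"]
    return arn.split("assumed-role/", 1)[1].split("/", 1)[0]


def credentials_profile(response_json, profile=PROFILE, expected_role="S3ReadOnlyRole"):
    """Return the INI text for ~/.aws/credentials, or raise on expired or wrong role."""
    if credentials_expired(response_json):
        raise ValueError(f"credentials expired at {_expiry(response_json).isoformat()}")
    role = assumed_role_name(response_json)
    if role != expected_role:
        raise ValueError(f"session was issued for {role}, not {expected_role}")
    creds = json.loads(response_json)["Credentials"]
    ini = configparser.ConfigParser()
    ini[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],   # required for STS credentials
    }
    buf = io.StringIO()
    ini.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    # In practice: aws sts assume-role ... > response.json, then feed that file here.
    print(credentials_profile(SAMPLE_RESPONSE))
```

Append the printed section to ~/.aws/credentials (or a separate file pointed to by AWS_SHARED_CREDENTIALS_FILE) and the aws s3 ls command above will use the temporary session; once Expiration passes, re-run assume-role rather than reusing the section.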

Best Practices for AWS CLI S3 Read-Only Roles

  • Use least privilege. Only include buckets and actions that are needed.
  • Use separate roles for each environment.
  • Rotate access keys often if using programmatic credentials.
  • Monitor access with CloudTrail logs.
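"Monitor access with CloudTrail logs" is most useful when it is reduced to a concrete question: did a session under S3ReadOnlyRole ever attempt an S3 write, and did any such write succeed? The scanner below is an added example, not from the post. It reads CloudTrail records (constructed samples here, following the standard record layout, with a made-up 12-digit account id in place of the post's ACCOUNT_ID), keeps only S3 calls whose session was issued by the read-only role, and reports denied writes as informational (the policy held, as in the test above) and allowed writes as high severity (the role is no longer read-only). Standard library only.

```python
"""Flag S3 write attempts made under the read-only role in CloudTrail records.

Added example, not part of the post. Standard library only. SAMPLE_EVENTS are
constructed records in the CloudTrail layout; the account id is made up.
"""
import json

ROLE_ARN = "arn:aws:iam::123456789012:role/S3ReadOnlyRole"   # constructed account id
# S3 API calls that change data or configuration; the read-only role must
# never succeed at any of these.
WRITE_EVENTS = {
    "PutObject", "DeleteObject", "DeleteObjects", "CopyObject", "PutObjectAcl",
    "PutBucketPolicy", "PutBucketAcl", "DeleteBucket",
}


def _event(name, error=None, role=ROLE_ARN, key="app.log"):
    """Build one constructed CloudTrail record for an assumed-role S3 call."""
    role_name = role.rsplit("/", 1)[1]
    rec = {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::123456789012:assumed-role/{role_name}/cli-session",
            "sessionContext": {"sessionIssuer": {"type": "Role", "arn": role}},
        },
        "eventTime": "2024-01-01T00:00:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "requestParameters": {"bucketName": "my-bucket-name", "key": key},
    }
    if error:
        rec["errorCode"] = error
    return json.dumps(rec)


SAMPLE_EVENTS = [
    _event("GetObject"),                                   # normal read, ignored
    _event("PutObject", error="AccessDenied"),             # blocked write: info
    _event("PutObject", role="arn:aws:iam::123456789012:role/UploaderRole"),  # other role
    _event("DeleteObject"),                                # allowed write: high
]


def issuer_role(event):
    """ARN of the role that issued the session, or None for non-role identities."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")


def scan(lines, role_arn=ROLE_ARN):
    """Return findings for S3 write attempts by sessions of `role_arn`."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if issuer_role(ev) != role_arn or ev.get("eventName") not in WRITE_EVENTS:
            continue
        params = ev.get("requestParameters") or {}
        denied = ev.get("errorCode") == "AccessDenied"
        findings.append({
            "eventTime": ev.get("eventTime"),
            "eventName": ev["eventName"],
            "bucket": params.get("bucketName"),
            "key": params.get("key"),
            # Denied: the policy held, worth knowing who tried. Allowed: the
            # role is no longer read-only (policy drift), investigate now.
            "severity": "info" if denied else "high",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["eventName"], f"s3://{f['bucket']}/{f['key']}")
```

Point scan() at the newline-delimited records from a CloudTrail export (each element of the "Records" array as one JSON line) and alert on any "high" finding; the "info" findings are the same "Access Denied" results the test step above produces on purpose.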

AWS CLI with S3 read-only roles gives you a simple tool for a high-security need. It reduces risk, simplifies compliance, and gives teams safe access without fear of data loss.

If you want to see secure S3 read-only access live within minutes — with zero setup pain — try it on hoop.dev. It’s the fastest way to experience fine-grained AWS permissions in action.
