How to Discover and Audit Read-Only AWS S3 Roles Before Attackers Do

AWS S3 is useful because it stores and serves data at any scale. It is dangerous because whether a principal can read an object is the result of several overlapping layers (identity policies, bucket policies, ACLs, access points, and Block Public Access settings), so working out exactly which roles have read access is rarely straightforward. Attackers look for anonymously readable buckets and overly permissive IAM policies. If you cannot name exactly who can read your objects, you are already behind.

The first step is mapping every identity and resource policy that grants S3 read access. Search for s3:GetObject across IAM users, groups, and roles, but do not stop at that literal string: s3:GetObjectVersion and s3:ListBucket are reads too, wildcards such as s3:Get*, s3:*, or * cover them, and an Allow statement written with NotAction grants them implicitly. Follow trust relationships, role chaining, and external identities (cross-account principals, federated users) so you know who can assume each role, not just what the role can do. Then check the resource side: bucket policies, ACLs, and access points can grant public or cross-account read access even when every identity policy looks locked down, and the account-level and bucket-level Block Public Access settings are what stop a public policy or ACL from taking effect, so record those as well.

Use IAM policy analysis (IAM Access Analyzer, or your own parser over the policy documents) to filter for Effect: Allow statements tied to read actions, keeping in mind that a matching Deny or an unmet Condition can cancel an Allow. Then cross-reference those identities against AWS CloudTrail to confirm whether and how they are actually used. One caveat: CloudTrail records S3 object reads only as data events, which are off by default and billed separately, so enable them for the buckets you care about before relying on the logs. Together this reveals not only the defined permissions but also the active access patterns.
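As an added example for the two steps above (not code from this article, from AWS, or from hoop.dev): a small Python analyzer that takes parsed identity or bucket policy documents and reports every Allow statement granting an S3 read action, including the wildcard and NotAction forms, and whether the grant is public. The two policy documents are constructed samples, and the account ID and ARNs in them are placeholders. The matching is a simplified version of what IAM Access Analyzer does: it does not evaluate Condition keys or subtract Deny statements, it only records that a Condition is present.

```python
"""Find policy statements that grant S3 read access.

Added example for this article, not AWS or hoop.dev code. Policies below
are constructed samples; the analysis is simplified: Deny statements are
not subtracted and Condition blocks are reported, not evaluated.
"""
import fnmatch

# S3 actions that let a principal read object data or enumerate objects.
READ_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion",
                "s3:ListBucket", "s3:ListBucketVersions"}


def _as_list(value):
    """Action, Resource and Principal fields may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action, pattern):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_grants_read(pattern):
    """True if an Action entry ('s3:GetObject', 's3:Get*', 's3:*', '*', ...)
    covers at least one S3 read action."""
    return any(_matches(a, pattern) for a in READ_ACTIONS)


def is_public_principal(principal):
    """Bucket policy Principal '*' or {'AWS': '*'} means anyone, anonymous included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def find_read_grants(policy, source):
    """One finding per Allow statement that grants an S3 read action.
    `source` labels the identity or resource the policy came from."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions,
            # so it grants read unless every read action is excluded.
            excluded = _as_list(stmt["NotAction"])
            if all(any(_matches(a, e) for e in excluded) for a in READ_ACTIONS):
                continue
            matched = ["NotAction:" + ",".join(excluded)]
        else:
            matched = [a for a in _as_list(stmt.get("Action")) if action_grants_read(a)]
            if not matched:
                continue
        findings.append({
            "source": source,
            "sid": stmt.get("Sid", ""),
            "actions": matched,
            "resources": _as_list(stmt.get("Resource")),
            "public": is_public_principal(stmt.get("Principal")),
            "conditional": "Condition" in stmt,
        })
    return findings


# Constructed samples: an identity policy on a role, and a bucket policy.
SAMPLE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:PutLogEvents"], "Resource": "*"},
        {"Sid": "WideRead", "Effect": "Allow",
         "Action": "s3:Get*", "Resource": "arn:aws:s3:::example-data/*"},
        {"Sid": "Admin", "Effect": "Allow",
         "NotAction": ["iam:*", "organizations:*"], "Resource": "*"},
    ],
}

SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AnonRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"},
        {"Sid": "ReportRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/reporting"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    ],
}


def audit_samples():
    """Run the analyzer over both constructed policies."""
    return (find_read_grants(SAMPLE_ROLE_POLICY, "role/example-app")
            + find_read_grants(SAMPLE_BUCKET_POLICY, "bucket/example-data"))


if __name__ == "__main__":
    for f in audit_samples():
        flag = "PUBLIC" if f["public"] else ("conditional" if f["conditional"] else "")
        print(f"{f['source']:<20} {f['sid']:<11} {','.join(f['actions']):<35} {flag}")
```

Run against real data, the policy dicts would come from the IAM and S3 APIs (get-policy-version, get-bucket-policy) and `source` from the ARN you fetched them for; the point of the sample is that the "Admin" statement and the s3:Get* wildcard would both be missed by a search for the literal string s3:GetObject, while "AnonRead" is the anonymous exposure the article warns about.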

Next, shift to monitoring. S3 server access logs and CloudTrail data events both record object retrieval, but they are not equivalent: CloudTrail delivers within minutes and is the source to feed a detection pipeline, while server access logs are delivered on a best-effort basis and can lag by hours. In either source, look for principals you did not expect, anonymous requests, high-frequency reads from a single identity, and source addresses outside the networks your workloads run from (geolocating the source IP is the usual proxy for "unexpected region"). Combine this with AWS Config managed rules such as s3-bucket-public-read-prohibited to continuously flag buckets that drift from your baseline security posture.
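An added example for the monitoring step above, not code from this article, from AWS, or from hoop.dev: the three checks described (unknown or anonymous principals, source addresses outside the expected networks, and high-frequency reads) run over constructed CloudTrail data-event records. The allow-list of principals, the 203.0.113.0/24 range, the 50-reads-per-minute threshold, and the account ID are assumptions standing in for a real baseline; a production version would consume events from the CloudTrail delivery bucket or EventBridge rather than an in-memory list.

```python
"""Flag suspicious S3 reads in CloudTrail data events.

Added example for this article, not AWS or hoop.dev code. The records are
constructed in the shape CloudTrail uses for S3 data events; the expected
principal list, address ranges and rate threshold are assumptions that a
real deployment would load from its own baseline.
"""
from collections import Counter
import ipaddress

# Assumed baseline for the bucket: who should read it, and from where
# (for example the NAT addresses of the VPC the ETL job runs in).
EXPECTED_PRINCIPALS = {"arn:aws:sts::123456789012:assumed-role/reporting/etl"}
EXPECTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
READS_PER_MINUTE_LIMIT = 50
# Object-read event names; add listing events here if you also baseline those.
READ_EVENTS = {"GetObject", "GetObjectVersion"}


def principal_of(event):
    """Identity ARN, or 'ANONYMOUS' for unauthenticated requests, which
    CloudTrail records with accountId ANONYMOUS_PRINCIPAL."""
    ident = event.get("userIdentity", {})
    if ident.get("accountId") == "ANONYMOUS_PRINCIPAL":
        return "ANONYMOUS"
    return ident.get("arn") or ident.get("principalId") or "unknown"


def source_is_expected(source):
    """True if sourceIPAddress falls inside an expected network. CloudTrail
    puts a service hostname here for calls made on your behalf by AWS
    services; those are treated as unexpected so they surface for review."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in EXPECTED_NETWORKS)


def analyze(events):
    """Findings for unknown principals, off-baseline source addresses, and
    per-principal read bursts above READS_PER_MINUTE_LIMIT in one minute."""
    findings, per_minute = [], Counter()
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") not in READ_EVENTS:
            continue
        principal = principal_of(ev)
        bucket = ev["requestParameters"]["bucketName"]
        when = ev["eventTime"]
        source = ev.get("sourceIPAddress", "")
        if principal not in EXPECTED_PRINCIPALS:
            findings.append({"rule": "unknown_principal", "principal": principal,
                             "detail": bucket, "time": when})
        if not source_is_expected(source):
            findings.append({"rule": "unexpected_source", "principal": principal,
                             "detail": source, "time": when})
        per_minute[(principal, bucket, when[:16])] += 1  # bucketed by YYYY-MM-DDTHH:MM
    for (principal, bucket, minute), n in per_minute.items():
        if n > READS_PER_MINUTE_LIMIT:
            findings.append({"rule": "high_frequency", "principal": principal,
                             "detail": f"{n} reads of {bucket}", "time": minute})
    return findings


def build_sample_events():
    """Constructed CloudTrail-style records, not real log data."""
    def rec(name, ident, ip, minute, second, key):
        return {"eventSource": "s3.amazonaws.com", "eventName": name,
                "eventTime": f"2024-05-01T10:{minute:02d}:{second:02d}Z",
                "userIdentity": ident, "sourceIPAddress": ip,
                "requestParameters": {"bucketName": "example-data", "key": key}}
    etl = {"type": "AssumedRole", "accountId": "123456789012",
           "arn": "arn:aws:sts::123456789012:assumed-role/reporting/etl"}
    ci = {"type": "AssumedRole", "accountId": "123456789012",
          "arn": "arn:aws:sts::123456789012:assumed-role/ci-runner/build"}
    anon = {"type": "AWSAccount", "principalId": "", "accountId": "ANONYMOUS_PRINCIPAL"}
    events = [rec("GetObject", etl, "203.0.113.10", 0, i, f"daily/part-{i}.csv") for i in range(3)]
    events.append(rec("GetObject", ci, "198.51.100.7", 1, 5, "daily/part-0.csv"))   # wrong role, wrong network
    events.append(rec("GetObject", anon, "192.0.2.44", 1, 9, "public/index.html"))  # anonymous read
    events += [rec("GetObject", etl, "203.0.113.10", 2, i, f"archive/{i}.gz") for i in range(60)]  # burst
    events.append(rec("PutObject", etl, "203.0.113.10", 3, 0, "daily/out.csv"))     # not a read, ignored
    return events


if __name__ == "__main__":
    for f in analyze(build_sample_events()):
        print(f"{f['rule']:<18} {f['principal']:<62} {f['detail']} @ {f['time']}")
```

The rate check keys on principal, bucket and minute rather than on source IP, because a credential that has been stolen and replayed from many addresses still shows up as one identity; the source-address check catches the opposite case, a legitimate identity used from somewhere it should not be.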

For environments with multiple accounts, use AWS Organizations service control policies as guardrails. An SCP never grants access; it sets the ceiling on what any identity in a member account can do. Use it to deny the calls that make a bucket readable to outsiders (s3:PutBucketPolicy, s3:PutBucketAcl, s3:PutObjectAcl, and s3:PutBucketPublicAccessBlock or s3:PutAccountPublicAccessBlock, which can switch Block Public Access off) for everyone except a designated administrative role, and keep the actual read grants in version-controlled IAM policy definitions so that every change to who can read what goes through review and enforces least privilege.

The faster you can discover and audit read-only S3 roles, the lower your exposure window. Build a workflow where every new bucket and every identity is instantly evaluated for discoverable read access. Automate the checks so manual reviews are the exception, not the rule.

If you need to see exactly how this works, with live visibility into S3 permissions and role discoverability across every account you manage, you can try it now at hoop.dev and watch it happen in minutes.