Securing access to sensitive AWS S3 data is a priority when designing systems that involve remote connectivity. Enforcing least-privilege access with granular permissions ensures your data stays inaccessible to unauthorized users. This post explores the concept of using a remote access proxy with read-only roles for AWS S3, focusing on practical steps to implement this configuration safely and effectively.
Why Use a Remote Access Proxy with AWS S3?
Access management can get complicated, especially in cloud setups. By introducing a remote access proxy, you add a layer of control over who accesses your S3 resources. Pairing this with a read-only AWS Identity and Access Management (IAM) role ensures these users can retrieve information without making modifications.
Using this pattern, you minimize security risks while maintaining productivity. Teams can observe data parameters, logs, or reference configurations without worrying about accidental deletions or data corruption.
Key Benefits of This Setup
Restricted Permissions
The read-only role strictly limits what a user can do—retrieving objects from S3 without modifying, uploading, or deleting anything. This ensures compliance with best practices for least privilege.
Centralized Control
The proxy acts as a single entry point for all interactions. This centralization simplifies monitoring and provides a robust way to enforce policies like IP allowlisting or time-boxed access.
Reduced Confusion
End users won’t need direct access to S3 via APIs or AWS credentials. The proxy abstracts these underlying complexities, reducing the cognitive load on engineering teams.
Setting Up Remote Access Proxy for AWS S3 Read-Only Roles
Here’s a step-by-step process to craft this architecture:
Step 1: Create an S3 Read-Only IAM Role
Write an IAM policy for S3 read-only actions. For example:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::YourBucketName",
        "arn:aws:s3:::YourBucketName/*"
      ]
    }
  ]
}
```
Attach this policy to a new IAM role. If using AWS AssumeRole, configure the role's trust relationship so that your proxy server's role is allowed to assume it.
Step 2: Set Up the Proxy Service
Set up a proxy service capable of authenticating with AWS and forwarding user requests. Popular choices for this include HAProxy, Nginx with a custom auth module, or an AWS Lambda-based intermediary.
Key configuration steps:
- Use AWS SDKs (like boto3 for Python) to assume the read-only role.
- Implement access token validation mechanisms to authorize legitimate users.
- Log all incoming requests and their corresponding AWS actions for auditing purposes.
Example snippet:
```python
import boto3

# Start from the proxy's own credentials (resolved by boto3's default chain).
session = boto3.Session()
sts_client = session.client('sts')

# Exchange them for temporary credentials scoped to the read-only role.
assume_role_response = sts_client.assume_role(
    RoleArn="arn:aws:iam::123456789012:role/ReadOnlyS3Role",
    RoleSessionName="remote-access-session"
)
credentials = assume_role_response['Credentials']

# Build the S3 client from the temporary credentials only.
s3_client = boto3.client(
    's3',
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken']
)
```
Step 3: Restrict Access with Network and Authentication Rules
Use network firewalls or a Virtual Private Cloud (VPC) endpoint to restrict the network path the proxy uses to reach S3. Combine this with strong authentication and optional Multi-Factor Authentication (MFA) for users.
Step 4: Test Access
Verify that users served via the proxy can only retrieve S3 objects. Try unsafe actions like PutObject or DeleteObject to confirm they are blocked. Monitoring CloudTrail logs can also help validate proper request flow.
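A static check to run alongside the live test in Step 4, added here as an example and not part of the original post: it reports which write or delete actions a policy document's Allow statements would grant, including through wildcards and `NotAction`. The function name, the probe list and the `TOO_BROAD` policy are assumptions constructed for illustration.

```python
import fnmatch

# Constructed, non-exhaustive probes: S3 actions that change data or permissions.
MUTATING_PROBES = [
    "s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
    "s3:PutObjectAcl", "s3:PutBucketPolicy", "s3:DeleteBucket"]

def _as_list(value):
    # IAM accepts a single string or object wherever a list is allowed.
    return list(value) if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are case-insensitive; "*" and "?" are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def allowed_mutations(policy):
    """Return the probe actions that any Allow statement would grant.

    Conservative: Deny statements, Resource and Condition are ignored.
    """
    granted = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            excluded = _as_list(stmt["NotAction"])
            granted.update(a for a in MUTATING_PROBES
                           if not any(_matches(p, a) for p in excluded))
        else:
            patterns = _as_list(stmt.get("Action", []))
            granted.update(a for a in MUTATING_PROBES
                           if any(_matches(p, a) for p in patterns))
    return sorted(granted)

# The policy from Step 1 of this post.
READ_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::YourBucketName", "arn:aws:s3:::YourBucketName/*"],
}]}
# Constructed counter-example: wildcards that look read-only at a glance.
TOO_BROAD = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow",
    "Action": ["s3:Get*", "s3:*Object"],
    "Resource": "*",
}}
if __name__ == "__main__":
    print(allowed_mutations(READ_ONLY), allowed_mutations(TOO_BROAD))
```

An empty list is the expected result for the Step 1 policy. A non-empty list means the statement needs review, since explicit Deny statements and conditions are not evaluated here.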
Best Practices
- Rotate Credentials Regularly
  Even though the access is limited to read-only data, rotating keys periodically reduces exposure to potential key leakage.
- Leverage Temporary Credentials
  Use AWS AssumeRole’s session tokens for temporary, time-limited access instead of long-lived static IAM credentials.
- Audit Everything
  Continuously capture logs for every interaction with your proxy and S3 bucket. Automate alerts for any unauthorized access attempts.
- Token Expiry Management
  Ensure the proxy invalidates user tokens after a reasonable timeframe to keep the window of potential misuse as small as possible.
See It Live with Zero Hassle
The complexity of configuring secure access can feel overwhelming, but it doesn’t have to be. With Hoop, you can set up a remote access proxy for secure, read-only S3 access in minutes—no need for custom scripts or hours of troubleshooting. Try Hoop.Dev now and ensure your data stays protected without compromising usability.