All posts
August 25, 20222 min read

Secure API Access: Proxy AWS S3 Read-Only Roles

Securing APIs when interacting with AWS services requires deliberate access control. When dealing with AWS S3, implementing a proxy architecture and read-only roles is a straightforward strategy to enhance security. This approach protects sensitive resources while maintaining the functionality your applications need. Let’s break down how to securely proxy API access for AWS S3 resources using roles with read-only permissions. Why Use an API Proxy for AWS S3? Allowing public access to your S3

Free White Paper

Auditor Read-Only Access + VNC Secure Access: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

Securing APIs when interacting with AWS services requires deliberate access control. When dealing with AWS S3, implementing a proxy architecture and read-only roles is a straightforward strategy to enhance security. This approach protects sensitive resources while maintaining the functionality your applications need.

Let’s break down how to securely proxy API access for AWS S3 resources using roles with read-only permissions.

Why Use an API Proxy for AWS S3?

Allowing public access to your S3 buckets is an easy way to lose control over your data. Instead, by introducing an API proxy, you can act as a mediator between your application and your AWS account. A proxy lets you strictly define the actions your API can perform, shielding your infrastructure from unnecessary risks, like accidental permission misconfigurations.

By combining this proxy approach with AWS Identity and Access Management (IAM) roles, you can assign fine-grained, read-only permissions for specific buckets—or even specific objects. This ensures that your applications can “see” what they need but nothing else.

Benefits:

  • Enhanced Control: Define exactly what buckets or objects your resource can access.
  • Security by Design: Prevent apps from escalating privileges. Keep them locked into a read-only mode.
  • Centralized Enforcement: Manage permissions for all your S3 operations in one place.

Core Setup Steps for a Secure Proxy

Follow this structured process to implement secure S3 access for APIs with a read-only focus:

1. Define Read-Only IAM Roles

In AWS, create a new IAM role configured with S3 read-only policies.

  • Navigate to the IAM console.
  • Create a new policy specifying s3:GetObject and s3:ListBucket on specific resources:
{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Effect": "Allow",
 "Action": [
 "s3:GetObject",
 "s3:ListBucket"
 ],
 "Resource": [
 "arn:aws:s3:::your-bucket-name",
 "arn:aws:s3:::your-bucket-name/*"
 ]
 }
 ]
}
  • Attach this policy to a new IAM role your API will assume.

2. Implement the API Proxy Layer

Your API proxy acts as the gateway between client requests and AWS S3. Use a lightweight service like AWS Lambda, API Gateway, or any preferred microservice framework, such as Express.js or FastAPI.

Continue reading? Get the full guide.

Auditor Read-Only Access + VNC Secure Access: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

To ensure security and compliance:

  • Assume the Role Securely: Use AWS SDKs to request temporary credentials via the AWS Security Token Service (STS). These credentials limit exposure to your S3 resources.
  • Limit Actions in Code: Let the API only support defined operations, like listing objects or fetching files.

Example: Python (Boto3) implementation for read access.

import boto3
from botocore.exceptions import NoCredentialsError

def get_s3_object(bucket_name, key, assumed_role_arn):
 # Assume the read-only role
 client = boto3.client('sts')
 assumed_role = client.assume_role(
 RoleArn=assumed_role_arn,
 RoleSessionName="ApiAccessProxySession"
 )
 
 credentials = assumed_role['Credentials']
 s3 = boto3.client(
 's3',
 aws_access_key_id=credentials['AccessKeyId'],
 aws_secret_access_key=credentials['SecretAccessKey'],
 aws_session_token=credentials['SessionToken']
 )

 # Fetch the object
 try:
 response = s3.get_object(Bucket=bucket_name, Key=key)
 return response['Body'].read()
 except NoCredentialsError:
 raise Exception("Failed to assume the read-only role.")

3. Apply Principle of Least Privilege (PLP)

Review permissions in your configuration, ensuring the policy provides only what’s needed to perform the required read operations. Generally:

  • Avoid wildcards (*) in bucket or object definitions.
  • Restrict access to a specific application or environment.

Monitoring and Maintenance

Once your proxy is deployed, monitoring your access patterns and security posture is critical for long-term success. Use AWS tools like:

  • AWS CloudTrail: Log API requests going through the proxy for auditing and troubleshooting.
  • S3 Access Logs: Track object-level access at the bucket level.
  • Amazon GuardDuty: Detect anomalies, like unusual S3 access behavior.

Regularly review your IAM policies and S3 configurations for compliance.

See It Live in Minutes with Hoop

Setting up a secure API proxy sounds complex, but tools like Hoop radically simplify this process. With Hoop, configure your API’s access controls while enabling secure, role-based S3 permissions—all without writing boilerplate code.

Try Hoop today and see how easily you can achieve security and scalability for S3 read-only use cases—live in minutes.

Final Thoughts

Using an API proxy with read-only IAM roles ensures precise control over your AWS S3 resources. This method balances accessibility with robust security practices. Start small, ensure compliance, and scale it as your needs grow.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts