
Secure Read-Only AWS S3 Access with OpenSSL and IAM Roles

Here is the tension most teams face when they want secure, read-only AWS S3 access over TLS for critical data. You need bulletproof encryption with OpenSSL and a tight IAM role that protects every object in the bucket from writes or deletes. One mistake in either layer, and you’re exposed.

OpenSSL is the workhorse for generating, managing, and verifying your encryption keys. AWS S3 is the backbone for storing your data. But without the correct read-only role configuration, you risk either over-permissioning or locking yourself out. The goal is targeted security: precise, least-privilege access combined with a strong cryptographic handshake.

Step 1: Generate a Strong Key and Certificate with OpenSSL
Run this from a secure terminal:

openssl genrsa -out s3-role.key 4096
openssl req -new -key s3-role.key -out s3-role.csr
openssl x509 -req -in s3-role.csr -signkey s3-role.key -days 365 -out s3-role.crt

This produces a 4096-bit RSA private key and a self-signed certificate valid for 365 days, ready for TLS connections to your S3 endpoint or proxy. Always keep the private key offline or in a secure key store.

Step 2: Create a Read-Only IAM Role for S3
In AWS IAM, define a role with a trust policy for your application or user. Attach the AmazonS3ReadOnlyAccess managed policy or a custom inline policy like this one:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}

No write, no delete, no public access. Pure read-only.
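Before attaching a policy like the one above, it is worth checking it offline against a read-only allowlist so that a stray s3:* or a Resource of * never reaches the role. The following Python script is an added example (not code from this article or from hoop.dev): the allowlist, the sample policies and the placeholder bucket name are constructed for illustration, and the check is deliberately strict, flagging any action it does not explicitly know as read-only.

```python
import json

# Assumed allowlist: the S3 actions a read-only role may be granted. Extend it deliberately.
READ_ONLY_ACTIONS = {
    "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket",
    "s3:ListBucketVersions", "s3:GetBucketLocation",
}

# Constructed sample: the read-only policy from Step 2 (bucket name is a placeholder).
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::your-bucket-name", "arn:aws:s3:::your-bucket-name/*"],
    }],
}

# Constructed sample of the over-permissioned policy the article warns about.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts either a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_read_only_policy(policy):
    """Return findings (strings); an empty list means every Allow is read-only and bucket-scoped."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
        for action in _as_list(stmt.get("Action", [])):
            if action not in READ_ONLY_ACTIONS:  # catches s3:*, s3:Put*, s3:DeleteObject, ...
                findings.append(f"statement {i}: action {action} is not in the read-only allowlist")
        for resource in _as_list(stmt.get("Resource", "*")):
            bucket = resource[len("arn:aws:s3:::"):] if resource.startswith("arn:aws:s3:::") else "*"
            if bucket.startswith("*"):  # "*" or arn:aws:s3:::* means every bucket in the account
                findings.append(f"statement {i}: resource {resource} is not a named S3 bucket or prefix")
    return findings


if __name__ == "__main__":
    for name, policy in (("read-only", READ_ONLY_POLICY), ("broad", BROAD_POLICY)):
        print(name, json.dumps(audit_read_only_policy(policy), indent=2))
```

Run it against the JSON you are about to attach; an empty findings list for the policy above and two findings for the broad one is the expected result.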

Step 3: Enforce TLS for Every Connection
With your OpenSSL-generated certificate in place, configure your client or service to require HTTPS endpoints for every S3 request. In the AWS CLI this means passing an https:// value to --endpoint-url; in an SDK it means configuring the client to reject unencrypted requests. TLS not only protects the payload in transit but also verifies the identity of the server you are talking to.

Step 4: Combine and Test
Apply the IAM role to your instance profile, Lambda function, or application. Then make a request like:

aws s3 ls s3://your-bucket-name --profile readonly-profile

Verify that listing and object retrieval work, but that uploads fail with an AccessDenied error. Check the OpenSSL logs to confirm the TLS handshake completed correctly.

Step 5: Monitor and Rotate
Rotate your keys regularly using OpenSSL. Re-deploy updated IAM roles whenever policies change. Audit CloudTrail logs to confirm there has been no privilege escalation or unexpected access.

When you combine disciplined cryptography with tight AWS permissions, you get a secure channel for reading sensitive data without exposing a single extra bit.

If you want to see this kind of secure integration running in minutes, connect it with hoop.dev. It’s the fastest way to set up, test, and manage secure roles, encrypted keys, and controlled AWS S3 access — live, without the wait.
