
The bucket was open, but no one could write to it. That was the point.



When you set up AWS S3 read-only roles with granular database roles, you take control of how data is accessed, viewed, and protected. The goal is precise: allow inspection without risk of modification. Give the exact permissions needed, nothing more.

AWS S3 read-only roles are built from IAM policies that grant only read actions (s3:GetObject, s3:ListBucket and the like). IAM denies anything it does not explicitly allow, so writes, deletes and configuration changes never become reachable through the role, while every object in scope stays fully readable. You define the policy at the role level and let the users, applications, or systems that need it assume the role. To make it granular, you combine these permissions with database roles that narrow reads to specific schemas, tables, or views. The overlap between AWS IAM and your database permission model creates a layered security control that is both strict and predictable.

Granularity matters. Without it, read-only turns into shadow admin rights: a role allowed s3:Get* on every bucket can read any object in the account, plus bucket policies and ACLs, and still be called read-only. In S3, you manage access with policy statements such as "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::bucket-name/*". For more precision, narrow the Resource to a prefix (arn:aws:s3:::bucket-name/marketing/*) or add a Condition on object tags, and remember that s3:ListBucket is granted on the bucket ARN rather than the object ARN and is limited with the s3:prefix condition key. In databases, whether Postgres, MySQL, or Redshift, you grant SELECT on targeted tables instead of entire databases. Tying both systems together ensures that a role scoped to a marketing dataset can't see finance data, even if both live in the same bucket and the same AWS account.
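As an added example (this is not code from the post), here is the prefix-scoped S3 policy and the matching Postgres grants for one dataset, together with a small evaluator that shows which requests get through. The bucket, prefix, schema, table and role names are hypothetical, and the evaluator models only Allow statements with the s3:prefix condition; explicit Deny, SCPs, bucket policies and permission boundaries are left out.

```python
import fnmatch

# Added example, not code from the original post. Bucket, prefix, schema,
# table and role names below are hypothetical.


def s3_readonly_policy(bucket, prefix):
    """Return an IAM policy document that allows only read actions, scoped
    to one prefix. Anything not listed here (PutObject, DeleteObject,
    PutBucketPolicy, ...) stays implicitly denied, which is what makes the
    role read-only. ListBucket is a bucket-level action, so it is granted on
    the bucket ARN and narrowed with the s3:prefix condition key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOnlyThisPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}},
            },
            {
                "Sid": "ReadObjectsUnderThisPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
        ],
    }


def is_allowed(policy, action, resource, list_prefix=None):
    """Minimal evaluator for the policy above: default deny, allowed only if
    some Allow statement matches the action, the resource and (when present)
    the s3:prefix condition. Explicit Deny, SCPs, bucket policies and
    permission boundaries are out of scope for this illustration."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        wanted = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if wanted is not None:
            # A condition on a key the request does not carry does not match:
            # listing the bucket root without a prefix is denied.
            if list_prefix is None or not any(
                fnmatch.fnmatchcase(list_prefix, p) for p in wanted
            ):
                continue
        return True
    return False


def postgres_grants(role, schema, tables):
    """The database half of the same scope: USAGE on the schema plus SELECT
    on the named tables only. No GRANT ... ON ALL TABLES, so a table added to
    the schema later is not silently readable. Identifiers are trusted input
    here; quote them if they ever come from users."""
    stmts = [f"GRANT USAGE ON SCHEMA {schema} TO {role};"]
    stmts += [f"GRANT SELECT ON {schema}.{t} TO {role};" for t in tables]
    return stmts


if __name__ == "__main__":
    import json

    policy = s3_readonly_policy("acme-data", "marketing")
    print(json.dumps(policy, indent=2))
    print("\n".join(postgres_grants("marketing_ro", "analytics",
                                    ["campaigns", "web_traffic"])))
    for act, res, pfx in [
        ("s3:GetObject", "arn:aws:s3:::acme-data/marketing/q3.csv", None),
        ("s3:GetObject", "arn:aws:s3:::acme-data/finance/ledger.csv", None),
        ("s3:PutObject", "arn:aws:s3:::acme-data/marketing/q3.csv", None),
        ("s3:ListBucket", "arn:aws:s3:::acme-data", "marketing/"),
        ("s3:ListBucket", "arn:aws:s3:::acme-data", None),
    ]:
        verdict = "ALLOW" if is_allowed(policy, act, res, pfx) else "DENY"
        print(f"{act:14} {res:45} -> {verdict}")
```

Run it and the finance read, the PutObject and the unprefixed root listing all come back DENY while the marketing reads and the prefixed listing are allowed. The root-listing denial is deliberate: the role must name its prefix, which is exactly the behaviour that keeps a marketing role from discovering what else lives in the bucket.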


Auditing comes next. Enable CloudTrail data events for S3 (object-level logging) so every GetObject and ListBucket request is recorded; a trail that captures only management events will not show reads at all. In your database, turn on query logging (pgaudit in Postgres, the general query log in MySQL, STL_QUERY in Redshift) to track exactly what data was fetched. When these audit trails are matched against the role definitions, policy drift becomes obvious and fixable: a read-only role that suddenly succeeds at a PutObject, or reads outside its prefix, stands out immediately.
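As an added example (not code from the post), here is the matching step for the S3 side: constructed CloudTrail S3 data-event records are checked against each read-only role's intended scope, and anything that contradicts the role definition is reported. The field names follow the CloudTrail record format; the account id, role name, bucket and object keys are hypothetical, and the sample records are constructed for the example.

```python
import json

# Added example, not code from the original post. The account id, role,
# bucket and object keys are hypothetical; the records are constructed in
# the shape CloudTrail uses for S3 data events.

# Intended scope of each read-only role, as defined when the role was built.
ROLE_SCOPE = {
    "marketing-readonly": {"bucket": "acme-data", "prefixes": ("marketing/",)},
}

READ_EVENTS = {"GetObject", "GetObjectVersion", "HeadObject",
               "ListObjects", "ListObjectsV2"}
WRITE_EVENTS = {"PutObject", "DeleteObject", "DeleteObjects", "CopyObject",
                "PutObjectAcl", "PutBucketPolicy"}


def role_name(record):
    """Resolve the IAM role behind an AssumedRole session; the session
    issuer carries the role even when the session name is arbitrary."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") or ident.get("userName")


def find_drift(records):
    """Compare each S3 event against the role's intended scope.
    Returns (severity, role, detail) tuples, in record order."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        role = role_name(rec)
        scope = ROLE_SCOPE.get(role)
        if scope is None:
            continue  # not one of the read-only roles being checked
        name = rec.get("eventName", "")
        params = rec.get("requestParameters") or {}
        bucket = params.get("bucketName")
        # Object calls carry "key"; list calls carry "prefix" instead.
        key = params.get("key") or params.get("prefix") or ""
        succeeded = "errorCode" not in rec
        if name in WRITE_EVENTS:
            # A write that succeeded means the attached policy no longer
            # matches the read-only definition; a denied one is still an
            # attempt worth seeing.
            sev = "HIGH" if succeeded else "MEDIUM"
            findings.append((sev, role,
                             f"{name} s3://{bucket}/{key} succeeded={succeeded}"))
        elif name in READ_EVENTS and succeeded:
            in_scope = (bucket == scope["bucket"]
                        and key.startswith(scope["prefixes"]))
            if not in_scope:
                findings.append(("HIGH", role,
                                 f"{name} outside scope: s3://{bucket}/{key}"))
    return findings


def _event(name, key, error=None, role="marketing-readonly", bucket="acme-data"):
    """Build one constructed CloudTrail-style record."""
    rec = {
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::123456789012:assumed-role/{role}/analyst-session",
            "sessionContext": {"sessionIssuer": {
                "type": "Role", "userName": role,
                "arn": f"arn:aws:iam::123456789012:role/{role}"}},
        },
        "requestParameters": {"bucketName": bucket, "key": key},
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample trail: one clean read, one read that should not have
# been possible, one blocked write, one write that went through.
SAMPLE_TRAIL = json.dumps({"Records": [
    _event("GetObject", "marketing/q3-campaign.csv"),
    _event("GetObject", "finance/ledger-2024.csv"),
    _event("PutObject", "marketing/notes.txt", error="AccessDenied"),
    _event("DeleteObject", "marketing/q2-campaign.csv"),
]})


def audit_sample():
    """Run the drift check over the constructed trail."""
    return find_drift(json.loads(SAMPLE_TRAIL)["Records"])


if __name__ == "__main__":
    for sev, role, detail in audit_sample():
        print(f"[{sev}] {role}: {detail}")
```

The clean marketing read produces nothing; the finance read and the successful DeleteObject are the drift findings (the role can do things its definition says it cannot), and the denied PutObject is reported at lower severity as an attempt the policy correctly stopped. The same pattern applies to the database log: join each logged SELECT against the tables the role was granted and flag the rest.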

AWS S3 read-only roles with granular database permissions are not only a best practice, they are the safest way to balance transparency with security. They shrink the attack surface, reduce human error, and make compliance easier without slowing teams down.

Want to see granular read-only access working across S3 and real databases—without a week of setup? Spin it up in minutes at hoop.dev and experience it live.
