
The bucket was wide open, but you could only look inside.


Finding AWS S3 read-only roles across sprawling accounts is harder than it should be. Configuration drifts, forgotten IAM policies, and inconsistent tagging turn a simple question—"Who can read what?"—into a slow, painful audit. The bigger the environment, the easier it is for unused permissions to hide in plain sight. That’s why the ability to discover S3 read-only roles on demand isn’t just nice to have—it’s mission-critical for security, compliance, and cost control.

AWS gives you tools, but not a single, clean view. IAM Role listings show trust policies but not effective access. S3 Access Analyzer can flag cross-account issues, but won’t hand you a filtered, unified list of pure read-only roles. CloudTrail can tell you about past actions, but not latent permissions waiting for use. This gap matters: a misconfigured read-only policy could still leak sensitive data. Over-privileged roles, even without write access, remain an attack surface.

The process to discover S3 read-only roles often requires a layered approach:

  1. List all IAM roles with aws iam list-roles.
  2. Fetch role policies with aws iam list-attached-role-policies and get-role-policy.
  3. Aggregate and analyze permissions to match s3:Get* and s3:List* actions while excluding any write operations like s3:Put* or s3:Delete*.
  4. Cross-reference resource ARNs in the policies with bucket configurations.
  5. Validate trust relationships to ensure no unexpected external principals can assume the role.
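The following Python is an added example, not hoop.dev's code or anything from the original post. It implements steps 3 to 5 of the list above on policy documents that are constructed inline so it runs offline; in a real audit the same dictionaries would be the JSON returned by `aws iam list-roles`, `aws iam get-role-policy` and `aws iam get-policy-version` from steps 1 and 2. The account id, role names, bucket names and the lists of representative S3 actions are assumptions made for the example. It goes slightly beyond the text by treating policy actions as wildcard patterns (so `s3:*` and `NotAction` are recognised as write-capable) and by flagging trust policies that admit principals from outside the account.

```python
"""Classify IAM roles as S3 read-only from their policy and trust documents.

Added example (not hoop.dev code). All documents below are constructed so the
script runs offline; they mirror the shape of `aws iam get-role-policy` /
`aws iam get-policy-version` output and the role's AssumeRolePolicyDocument.
"""
import fnmatch

# Representative S3 actions (assumed list) used to decide what a policy's
# action pattern can reach. IAM action names are matched case-insensitively.
S3_READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketLocation",
                   "s3:ListBucket", "s3:ListAllMyBuckets", "s3:ListBucketVersions")
S3_WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:PutBucketPolicy",
                    "s3:DeleteObject", "s3:DeleteBucket", "s3:CreateBucket",
                    "s3:AbortMultipartUpload", "s3:RestoreObject")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def classify_statement(statement):
    """Return (reads, writes): the representative S3 actions an Allow statement
    can reach. NotAction grants everything except the listed actions, so it is
    treated conservatively as reaching every S3 action. Deny statements and
    Condition keys are ignored here (a simplification: Deny can only narrow)."""
    if statement.get("Effect") != "Allow":
        return set(), set()
    if "NotAction" in statement:
        return set(S3_READ_ACTIONS), set(S3_WRITE_ACTIONS)
    reads, writes = set(), set()
    for pattern in _as_list(statement.get("Action")):
        reads.update(a for a in S3_READ_ACTIONS if _matches(pattern, a))
        writes.update(a for a in S3_WRITE_ACTIONS if _matches(pattern, a))
    return reads, writes


def external_principals(trust_policy, account_id):
    """Step 5: principals allowed to assume the role that are not the role's own
    account. Service principals count as internal; '*' or an AWS principal from
    another account is reported."""
    found = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            found.append("*")
            continue
        for arn in _as_list((principal or {}).get("AWS")):
            if arn != "*" and (arn == account_id or f":{account_id}:" in arn):
                continue
            found.append(arn)
    return found


def classify_role(role, account_id):
    """Steps 3 and 4: aggregate every policy document attached to or inlined in
    the role, decide read-only vs write-capable, and collect the S3 resource
    ARNs so they can be cross-referenced with bucket configurations."""
    reads, writes, resources = set(), set(), set()
    for doc in role["policy_documents"]:
        for stmt in _as_list(doc.get("Statement")):
            r, w = classify_statement(stmt)
            reads |= r
            writes |= w
            if r or w:
                resources.update(_as_list(stmt.get("Resource")))
    return {
        "role": role["RoleName"],
        "s3_read_only": bool(reads) and not writes,
        "s3_write_actions": sorted(writes),
        "s3_resources": sorted(resources),
        "external_principals": external_principals(role["trust_policy"], account_id),
    }


def find_s3_read_only_roles(roles, account_id):
    return [r for r in (classify_role(x, account_id) for x in roles) if r["s3_read_only"]]


ACCOUNT_ID = "111122223333"  # constructed account id
_SELF_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                              "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"}}]}
SAMPLE_ROLES = [  # constructed sample roles
    {"RoleName": "AuditLogReader", "trust_policy": _SELF_TRUST,
     "policy_documents": [{"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                                          "Resource": ["arn:aws:s3:::audit-logs", "arn:aws:s3:::audit-logs/*"]}]}]},
    {"RoleName": "PartnerExportReader",  # read-only, but assumable from another account
     "trust_policy": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                     "Principal": {"AWS": "arn:aws:iam::999988887777:root"}}]},
     "policy_documents": [{"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                          "Resource": "arn:aws:s3:::partner-export/*"}]}]},
    {"RoleName": "IngestWorker",  # s3:* reaches write actions, so not read-only
     "trust_policy": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                     "Principal": {"Service": "ec2.amazonaws.com"}}]},
     "policy_documents": [{"Statement": [{"Effect": "Allow", "Action": "s3:ListBucket",
                                          "Resource": "arn:aws:s3:::ingest"}]},
                          {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                                          "Resource": "arn:aws:s3:::ingest/*"}]}]},
]

if __name__ == "__main__":
    for result in (classify_role(r, ACCOUNT_ID) for r in SAMPLE_ROLES):
        print(result)
```

Each result carries the resource ARNs and any external principals alongside the read-only verdict, which is what makes a role worth a second look: a role can be strictly read-only and still be the one that leaks data if its trust policy lets another account assume it.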

At scale, scripting this becomes brittle. Parsing JSON outputs, filtering across dozens of accounts, and mapping results to actual S3 buckets is slow and error-prone. This is why engineering teams turn to unified permission discovery solutions that condense days of audit work into minutes.

Automating read-only role identification also enables continuous monitoring. Instead of point-in-time checks, you can trigger alerts for any new role gaining read access. That level of visibility helps enforce least privilege and spot policy drift before it’s a problem. In security terms, it’s moving from reactive to proactive.

You don’t have to settle for patchwork scripts and manual audits. You can see every AWS S3 read-only role in your environment—across all accounts—in minutes, with zero setup friction.

Spin it up now at hoop.dev and watch it map your S3 access instantly.
