All posts
ConceptsOctober 16, 20251 min read

Why AWS S3 Read-Only Roles Matter for Open Source Models

Open source models are growing fast, and storing them in AWS S3 is now the norm. But when you open them up to the world, you need strict control. Read-only roles give you that control. They let you share data without the risk of edits, deletions, or overwrites. Done right, they make S3 a secure public library instead of a public dumpster. Why AWS S3 Read-Only Roles Matter for Open Source Models Open source machine learning models often weigh gigabytes. Hosting them on S3 means fast download s

Free White Paper

Snyk Open Source + Read-Only Root Filesystem: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

Open source models are growing fast, and storing them in AWS S3 is now the norm. But when you open them up to the world, you need strict control. Read-only roles give you that control. They let you share data without the risk of edits, deletions, or overwrites. Done right, they make S3 a secure public library instead of a public dumpster.

Why AWS S3 Read-Only Roles Matter for Open Source Models

Open source machine learning models often weigh gigabytes. Hosting them on S3 means fast download speeds, high availability, and low friction for users. But without read-only IAM policies, you risk accidental or malicious changes. That’s not just bad for your model—it’s a security hole.

How to Create a Read-Only Role in AWS S3

  1. Open the AWS IAM console.
  2. Create a new role and choose the "AWS Service" or "Trusted entity" type based on your use case.
  3. Attach the AmazonS3ReadOnlyAccess policy. This grants access to GET objects and list buckets, but denies PUT, POST, or DELETE.
  4. Scope down permissions with bucket-specific restrictions if needed:
{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Effect": "Allow",
 "Action": [
 "s3:GetObject",
 "s3:ListBucket"
 ],
 "Resource": [
 "arn:aws:s3:::your-bucket-name",
 "arn:aws:s3:::your-bucket-name/*"
 ]
 }
 ]
}
  1. Test your role. Use the AWS CLI:
aws s3 ls s3://your-bucket-name --profile your-readonly-profile

Ensure that uploads and deletes fail.

Continue reading? Get the full guide.

Snyk Open Source + Read-Only Root Filesystem: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Best Practices for Hosting Open Source Models in S3 with Read-Only Roles

  • Use pre-signed URLs for time-bound access when needed.
  • Keep all model artifacts in a dedicated bucket separate from logs or source code.
  • Enable server-side encryption, even for read-only public models.
  • Monitor access logs to track downloads.

Security and Scalability

Read-only roles safeguard integrity while letting anyone pull your data at scale. They work with CloudFront for global distribution. They preserve the trust your open source project depends on. In regulated industries or with valuable model weights, they are non-negotiable.

Lock down the writes. Open the reads. Keep the model free and untouchable.

See it live in minutes with hoop.dev—spin up secure, read-only AWS S3 hosting for your open source model and share it with the world without risk.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts