Why OpenSSL with AWS S3 Read-Only Roles Matters

You need secure access to AWS S3, but only in read-only mode. You need to guarantee that data leaves S3 encrypted, verified, and untouched. The right mix of OpenSSL and AWS IAM roles can make this happen without opening dangerous write or delete permissions.

AWS S3 stores critical files for countless systems. When those files are accessed across networks, encryption is the first line of defense. OpenSSL provides powerful tools to encrypt, decrypt, and verify signatures, ensuring that what you pull from S3 is the real data, not a tampered copy. Pairing OpenSSL with AWS S3 read-only roles in IAM prevents data alteration by limiting actions to GetObject and related operations.

Creating the Read-Only IAM Role

  1. In AWS IAM, create a new role.
  2. Assign it to the service or application that will connect to S3.
  3. Attach a policy that includes s3:GetObject and s3:ListBucket, and nothing else.
  4. Confirm the role uses least privilege principles.

Example JSON policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::your-bucket-name", "arn:aws:s3:::your-bucket-name/*"]
    }
  ]
}
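Step 4 above ("confirm least privilege") is easy to skip once a policy is pasted in. The following script is an added example, not part of the original page: a preflight check, written in POSIX shell, that pulls every s3: action out of a policy document and rejects anything that is not a Get or List verb. Both policy documents are constructed here (the first mirrors the page's read-only policy, the second is the same with a write action slipped in); the helper names are assumptions.

```shell
#!/bin/sh
# Added example: preflight check that an S3 policy document grants only read actions.
set -eu

# Constructed policy, mirroring the page's read-only document.
READ_ONLY_POLICY='{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::your-bucket-name", "arn:aws:s3:::your-bucket-name/*"] }
  ]
}'

# Constructed negative case: one write action added and the resource widened.
TOO_BROAD_POLICY='{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*" } ] }'

# Print every quoted "s3:..." action string in the policy, one per line.
# ARNs such as arn:aws:s3:::bucket are not matched because "s3:" there is not
# directly preceded by a double quote.
list_actions() {
  printf '%s' "$1" | tr ',' '\n' | sed -n 's/.*"\(s3:[A-Za-z*]*\)".*/\1/p'
}

# Return 0 if the policy names at least one s3 action and every one of them is a
# read-style verb (s3:Get*, s3:List*); return 1 otherwise.
policy_is_read_only() {
  actions="$(list_actions "$1")"
  if [ -z "$actions" ]; then
    echo "no s3 actions found in policy" >&2
    return 1
  fi
  printf '%s\n' "$actions" | while read -r action; do
    case "$action" in
      s3:Get*|s3:List*) ;;                           # read-only verbs: allowed
      *) echo "non-read action in policy: $action" >&2; exit 1 ;;
    esac
  done
}

if policy_is_read_only "$READ_ONLY_POLICY"; then echo "read-only policy: OK"; fi
if policy_is_read_only "$TOO_BROAD_POLICY"; then
  echo "BUG: too-broad policy accepted"
else
  echo "too-broad policy: rejected"
fi
```

This is a text-level check, so it knows nothing about Deny statements, NotAction, conditions, or actions outside the s3: namespace; treat it as a fast guard in a deploy script, not as a replacement for reviewing the policy in IAM itself.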

Using OpenSSL to Secure Downloads
With the role assigned, your application can pull objects from S3. Use OpenSSL to decrypt and verify these files:

aws s3 cp s3://your-bucket-name/path/to/file.enc file.enc --profile readonly-profile
openssl enc -d -aes256 -in file.enc -out file.txt -k secretpass

This decrypts the file locally after it’s securely transferred over HTTPS from S3. To verify signatures:

openssl dgst -sha256 -verify pubkey.pem -signature file.sig file.txt
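The two commands above do the right things in the right order, but the details matter: `-aes256` is CBC mode, which decrypts tampered ciphertext without complaint, so the signature check is the only thing standing between a modified object and your application, and `-k secretpass` exposes the passphrase to anyone who can list processes. The script below is an added example, not code from the page, that runs the whole flow offline. It differs from the page's commands in two labelled assumptions: the passphrase is read from an environment variable (`-pass env:S3_FILE_KEY`) and the key is derived with `-pbkdf2`, which must then be used identically on the encrypting side. The `aws s3 cp` download is replaced by a local copy, and the sample object, key pair and file names are all constructed here.

```shell
#!/bin/sh
# Added example, not the original page's code: an offline simulation of the
# download -> decrypt -> verify flow, including what happens when the ciphertext
# is modified in transit.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
# Assumption: the passphrase arrives via the environment, never on the command line.
export S3_FILE_KEY="constructed-demo-passphrase"

# Producer side (before upload): sign the plaintext, then encrypt it. Only
# file.enc and file.sig would be uploaded; the plaintext is discarded.
publish_object() {
  printf 'constructed sample object: forty-plus bytes of payload\n' > "$WORK/file.txt"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/privkey.pem" 2>/dev/null
  openssl pkey -in "$WORK/privkey.pem" -pubout -out "$WORK/pubkey.pem"
  openssl dgst -sha256 -sign "$WORK/privkey.pem" -out "$WORK/file.sig" "$WORK/file.txt"
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:S3_FILE_KEY \
    -in "$WORK/file.txt" -out "$WORK/file.enc"
  rm "$WORK/file.txt"
}

# Consumer side: stands in for
#   aws s3 cp s3://your-bucket-name/path/to/file.enc dl.enc --profile readonly-profile
# and the same for file.sig. pubkey.pem is distributed out of band, not fetched
# from the bucket, otherwise an attacker who could replace the object could
# replace the key as well.
fetch_object() {
  cp "$WORK/file.enc" "$WORK/dl.enc"
  cp "$WORK/file.sig" "$WORK/dl.sig"
}

# Decrypt, then verify the signature over the plaintext. On any failure the
# plaintext is removed so nothing downstream can consume unverified data.
# Returns 0 only when both steps succeed.
decrypt_and_verify() {
  if ! openssl enc -d -aes-256-cbc -pbkdf2 -pass env:S3_FILE_KEY \
        -in "$WORK/dl.enc" -out "$WORK/dl.txt" 2>/dev/null; then
    rm -f "$WORK/dl.txt"
    return 1
  fi
  if ! openssl dgst -sha256 -verify "$WORK/pubkey.pem" \
        -signature "$WORK/dl.sig" "$WORK/dl.txt" >/dev/null 2>&1; then
    rm -f "$WORK/dl.txt"
    return 1
  fi
}

# Simulate tampering in transit: zero the first ciphertext block (file offset 16,
# just past the 16-byte "Salted__" header). CBC decryption still exits 0 because
# the padding lives in the untouched last block; only the signature catches it.
tamper_ciphertext() {
  dd if=/dev/zero of="$WORK/dl.enc" bs=1 seek=16 count=16 conv=notrunc 2>/dev/null
}

# Contents of the plaintext; call only after decrypt_and_verify succeeded.
verified_plaintext() { cat "$WORK/dl.txt"; }

publish_object
fetch_object
if decrypt_and_verify; then echo "clean download: verified, plaintext usable"; fi
tamper_ciphertext
if decrypt_and_verify; then
  echo "BUG: tampered download accepted"
else
  echo "tampered download: rejected, plaintext discarded"
fi
```

Keep the order: the signature is over the plaintext, so decrypt first and treat the output as untrusted until `openssl dgst -verify` returns 0; a non-zero exit from either step should delete the output, as `decrypt_and_verify` does, rather than leave a half-trusted file on disk.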

Best Practices

  • Rotate IAM credentials regularly.
  • Store private keys securely, never in source code.
  • Use server-side encryption in S3 to complement OpenSSL’s local encryption.
  • Log all read operations for audit trails.

OpenSSL handles the cryptography. AWS S3 read-only roles enforce access boundaries. Together, they create a controlled, encrypted, and auditable pipeline for data retrieval.

Build it fast. Test it faster. See a working configuration at hoop.dev and get it running in minutes.