All posts
September 10, 20252 min read

Why read-only roles matter for open source models

It was an accident. It was also a reminder that AWS S3 permissions are both powerful and dangerous. When you deal with open source models stored in S3, you can’t afford to guess at IAM policies. The right configuration isn’t a “nice to have”—it’s the wall between safe distribution and uncontrolled leakage. Why read-only roles matter for open source models Open source models—especially large machine learning or AI models—often need to be shared with broad audiences. This means setting up AWS S3

Free White Paper

Snyk Open Source + Read-Only Root Filesystem: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

It was an accident. It was also a reminder that AWS S3 permissions are both powerful and dangerous. When you deal with open source models stored in S3, you can’t afford to guess at IAM policies. The right configuration isn’t a “nice to have”—it’s the wall between safe distribution and uncontrolled leakage.

Why read-only roles matter for open source models
Open source models—especially large machine learning or AI models—often need to be shared with broad audiences. This means setting up AWS S3 access that allows fast, reliable reads, but no writes, no deletes, and no object modifications. A read-only IAM role ensures that anyone with the role can download or list objects, but not alter them. Without it, you risk both model corruption and exposure to malicious uploads.

The core AWS S3 permissions for a true read-only role
A minimum secure read-only IAM policy for S3 should look like this:

{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Effect": "Allow",
 "Action": [
 "s3:GetObject",
 "s3:ListBucket"
 ],
 "Resource": [
 "arn:aws:s3:::YOUR_BUCKET_NAME",
 "arn:aws:s3:::YOUR_BUCKET_NAME/*"
 ]
 }
 ]
}

Avoid granting s3:GetObjectVersion or s3:GetBucketAcl unless explicitly required. Reduce the policy scope to the minimum resources needed. Always specify exact bucket ARNs instead of using wildcards unless your architecture demands otherwise.

Key steps for locking it down

Continue reading? Get the full guide.

Snyk Open Source + Read-Only Root Filesystem: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.
  1. Create the role with least privilege.
  2. Attach the read-only S3 policy.
  3. Test using AWS CLI to confirm:
aws s3 ls s3://YOUR_BUCKET_NAME
aws s3 cp s3://YOUR_BUCKET_NAME/object .
aws s3 rm s3://YOUR_BUCKET_NAME/object

The first two should work. The last should fail.

  1. Assign the role to users, services, or cross-account access as needed.

Common pitfalls to avoid

  • Adding s3:* in IAM policies.
  • Setting bucket policies to Principal: * without restriction.
  • Forgetting to block public ACLs and public bucket policies in the S3 console.
  • Neglecting CloudTrail logs to monitor access patterns.

Scaling distribution without losing control
When sharing an open source model to a global user base, your AWS S3 read-only role becomes your distribution layer’s guardrail. Combine it with CloudFront for caching, signed URLs for request control, and AWS Organizations SCPs to prevent privilege escalation in child accounts.

Why this matters now
Open source AI models are growing in size and sensitivity. Even if the weights are public, you need predictable, secure delivery without overhead. The smallest misstep in AWS S3 policy design can cascade into downtime or data compromise.

If you want to skip the hours of manual setup and see secure, read-only AWS S3 access to open source models live in minutes, try it with hoop.dev today.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts