Why Use AWS S3 Read-Only Roles with Radius
The bucket sat there, silent but full. You only needed to read its contents, nothing more. With Radius and AWS S3, locking down permissions to read-only is the cleanest way to keep data safe while giving teams the access they require.
AWS provides the building blocks to control access to S3. Radius makes deploying those building blocks quick and consistent. Together, they give you a fast path to creating S3 read-only roles that are minimal, secure, and easy to maintain.
Why Use AWS S3 Read-Only Roles with Radius
Read-only IAM roles limit risk by removing write or delete permissions. If a credential is compromised, the attacker can’t alter data. Radius manages infrastructure as code, defining IAM policies and roles in a repeatable way across environments. This means every S3 bucket follows the same principle of least privilege.
Defining the Role
Create an IAM policy that grants s3:GetObject and s3:ListBucket. Write-related actions such as s3:PutObject or s3:DeleteObject stay denied: the policy does not grant them, and IAM denies any action that no policy allows. In JSON it might look like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}
Attach this policy to an IAM role. Radius can declare this in configuration files that are applied to AWS through its provisioning engine.
Deploying with Radius
Radius reads the role definition from your config and uses AWS APIs to create or update it. You can version control the config. When requirements change, update the file, run the deploy, and the new permissions propagate.
Testing Permissions
After deployment, test with an S3 client using the role credentials. Verify you can read objects and list the bucket, but cannot write or delete. This ensures the policy matches your intent before production use.
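The live test above can be paired with a static check of the policy document before it is deployed. The following is an added example, not code from the original article or from Radius: the function name audit_read_only and the second sample policy are assumptions constructed here, and it assumes bucket ARNs in the commercial aws partition.

```python
# IAM action names are case-insensitive; these are the two actions the article grants.
READ_ONLY = {"s3:getobject", "s3:listbucket"}

def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_read_only(policy):
    """Return a list of findings; an empty list means the policy is read-only."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: Allow with NotAction/NotResource is open-ended")
        for action in _as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                findings.append(f"statement {i}: wildcard action {action}")
            elif action.lower() not in READ_ONLY:
                findings.append(f"statement {i}: non-read action {action}")
        for resource in _as_list(stmt.get("Resource")):
            # Assumption: commercial partition ARNs (arn:aws:s3:::bucket[/key]).
            bucket = resource.rpartition(":::")[2].split("/", 1)[0]
            if not resource.startswith("arn:aws:s3:::") or "*" in bucket or "?" in bucket:
                findings.append(f"statement {i}: resource {resource} is not one named bucket")
    return findings

# The article's policy, with the article's placeholder bucket name.
ARTICLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::your-bucket-name", "arn:aws:s3:::your-bucket-name/*"],
    }],
}

# Constructed counter-example: a policy that has drifted away from read-only.
DRIFTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:PutObject"], "Resource": "*"}],
}

if __name__ == "__main__":
    for name, doc in (("article", ARTICLE_POLICY), ("drifted", DRIFTED_POLICY)):
        print(name, audit_read_only(doc) or "read-only")
```

Running a check like this against the version-controlled config catches a widened policy before the deploy propagates it; it does not replace testing with the role's real credentials.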
Best Practices
- Keep policies minimal.
- Scope resources to specific buckets.
- Use separate roles for different access levels.
- Rotate credentials and enforce MFA where possible.
Radius AWS S3 read-only roles keep control tight and predictable. They protect data integrity and reduce the blast radius of any incident.
Secure your data and simplify your workflow. Try building and deploying an AWS S3 read-only role with Radius at hoop.dev and see it live in minutes.