IAM Policy for S3 Read-Only Access
Create an IAM policy granting read-only access to a specific S3 bucket. Includes GetObject, ListBucket, and GetBucketLocation permissions.
Detailed Explanation
S3 Read-Only Access Policy
One of the most commonly needed IAM policies is granting read-only access to an S3 bucket. This policy allows a principal (user, role, or service) to list objects in a bucket and download their contents, without the ability to upload, modify, or delete anything.
Policy JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3ReadOnly",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}
Key Points
- Two resource ARNs are needed: the bucket ARN (arn:aws:s3:::my-bucket) for ListBucket and GetBucketLocation, which are evaluated against the bucket itself, and the object ARN with a wildcard suffix (arn:aws:s3:::my-bucket/*) for GetObject and GetObjectVersion on the objects inside it. Listing only my-bucket/* is a common mistake: object reads work, but every list call returns AccessDenied.
- GetBucketLocation is included because the AWS CLI and many SDKs and tools call it to determine the bucket's region before sending requests.
- GetObjectVersion is optional. Include it only if versioning is enabled on the bucket and the principal must read previous versions; it also exposes versions that sit behind a delete marker, so leave it out when "read-only" is meant to cover only the current contents.
- If the bucket is encrypted with a customer managed KMS key, the principal also needs kms:Decrypt on that key; without it GetObject fails even with this policy attached.
- This is an identity-based policy, so the effective access is the intersection with the bucket policy, any SCP, and any permission boundary. For a bucket in another account the bucket policy must grant the same access as well.
Principle of Least Privilege
Avoid s3:* or Resource: "*" for read-only access. s3:* is not read-only at all, and even s3:Get*/s3:List* on Resource "*" (which is what the AWS managed policy AmazonS3ReadOnlyAccess grants) lets the principal read every bucket in the account, including ones holding backups, logs, or secrets. Scoping to specific buckets and specific actions limits the blast radius of a leaked credential to one bucket, and when the principal needs only part of that bucket, a key prefix narrows it further: my-bucket/prefix/* on the object ARN for GetObject, and an s3:prefix condition on the ListBucket statement.
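The following Python script is an added example for this article (not AWS code or an AWS API; the helper names build_readonly_policy and audit_policy are this example's own). It generates the read-only policy above for a given bucket, optionally narrowed to a key prefix with the s3:prefix condition, and lints a policy document for the mistakes the Key Points and Principle of Least Privilege sections warn about: wildcard actions, wildcard resources, non-read actions, and ListBucket or GetObject attached to the wrong ARN form. It runs offline on embedded policy JSON.

```python
"""Build and lint a least-privilege S3 read-only IAM policy (offline).

Added example for this article; the helper names are this example's own,
not an AWS API. The audit mirrors the article's advice: no s3:* or
Resource "*", no write actions, and the right ARN form for each action.
"""
import json

BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_LEVEL_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion"}
READ_ONLY_ACTIONS = BUCKET_LEVEL_ACTIONS | OBJECT_LEVEL_ACTIONS

# The policy from the article, embedded as constructed input for the audit.
ARTICLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowS3ReadOnly",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:GetObjectVersion",
                   "s3:ListBucket", "s3:GetBucketLocation"],
        "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
    }],
}


def build_readonly_policy(bucket, prefix=None, include_versions=False):
    """Return a read-only policy for one bucket as a dict.

    Goes one step beyond the article: an optional key prefix limits GetObject
    to keys under it and limits ListBucket with the s3:prefix condition key,
    so the principal cannot enumerate the rest of the bucket.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_actions = ["s3:GetObject"] + (["s3:GetObjectVersion"] if include_versions else [])
    list_stmt = {"Sid": "AllowList", "Effect": "Allow",
                 "Action": "s3:ListBucket", "Resource": bucket_arn}
    if prefix:
        # ListBucket is evaluated against the bucket ARN, so prefix scoping must
        # be a Condition. It lives in its own statement because GetBucketLocation
        # requests carry no s3:prefix key and would be denied by this condition.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowBucketLocation", "Effect": "Allow",
             "Action": "s3:GetBucketLocation", "Resource": bucket_arn},
            list_stmt,
            {"Sid": "AllowObjectRead", "Effect": "Allow",
             "Action": object_actions,
             "Resource": f"{bucket_arn}/{prefix or ''}*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_bucket_arn(arn):
    # arn:aws:s3:::bucket with no key part and no wildcard
    return arn.startswith("arn:aws:s3:::") and "/" not in arn and "*" not in arn


def _is_object_arn(arn):
    # arn:aws:s3:::bucket/... for a named bucket (not arn:aws:s3:::*)
    return arn.startswith("arn:aws:s3:::") and "/" in arn and not arn.startswith("arn:aws:s3:::*")


def audit_policy(policy):
    """Return findings (strings) for a policy that is meant to be read-only.

    An empty list means the policy follows the article's rules.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))

        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r} grants more than read")
            elif action not in READ_ONLY_ACTIONS:
                findings.append(f"{sid}: {action!r} is outside the read-only set")
        for res in resources:
            if res == "*" or res.startswith("arn:aws:s3:::*"):
                findings.append(f"{sid}: wildcard resource {res!r} exposes every bucket")

        # Each action must be paired with the ARN form it is evaluated against.
        if any(a in BUCKET_LEVEL_ACTIONS for a in actions) and not any(map(_is_bucket_arn, resources)):
            findings.append(f"{sid}: s3:ListBucket/s3:GetBucketLocation need the bucket ARN "
                            "(arn:aws:s3:::bucket), not bucket/*")
        if any(a in OBJECT_LEVEL_ACTIONS for a in actions) and not any(map(_is_object_arn, resources)):
            findings.append(f"{sid}: s3:GetObject* need an object ARN (arn:aws:s3:::bucket/*)")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_readonly_policy("my-bucket", prefix="config/"), indent=2))
    too_broad = {"Version": "2012-10-17", "Statement": [
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    for name, pol in [("article policy", ARTICLE_POLICY), ("s3:* on *", too_broad)]:
        print(name, "->", audit_policy(pol) or "no findings")
```

Run it to print a prefix-scoped policy and the audit results for the article's policy (no findings) and for an s3:* on "*" statement (wildcard action and wildcard resource). Feed audit_policy any policy document loaded with json.load to lint policies already in an account.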
Use Case
Granting a web application or CI/CD pipeline read-only access to configuration files, static assets, or data exports stored in S3. Common for read-replicas, analytics data consumers, and backup verification tools.