AWS · Cloudbeginner
AWS IAM Read-only Policy
A least-privilege IAM policy granting read-only access to S3 and CloudWatch logs — a safe starting point for auditors, dashboards and monitoring roles.
iamawssecuritypolicys3read-only
Preview
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ReadS3Objects",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::my-app-data",
"arn:aws:s3:::my-app-data/*"
]
},
{
"Sid": "ReadCloudWatchLogs",
"Effect": "Allow",
"Action": [
"logs:GetLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/my-app/*"
}
]
}AI actions
Documentation
Purpose
Grant read-only visibility into S3 objects and CloudWatch logs without any ability to modify or delete resources.
When to use
Attach to auditor roles, read-only dashboards, monitoring tools, or a support engineer who needs to inspect but never change infrastructure.
Required fields
- Version — the policy language version, always "2012-10-17"
- Statement — one or more permission statements
- Effect — "Allow" or "Deny"
- Action — the API operations the statement covers
- Resource — the ARNs the actions apply to
Optional fields
- Sid — a human-readable statement id
- Condition — key/value constraints (e.g. restrict by IP or region)
Best practices
- Prefer explicit resource ARNs over "*" wherever possible.
- Split unrelated permissions into separate statements with Sids.
- Use Conditions to scope access by region, tag or source IP.
Security considerations
- Read-only still exposes data — S3 GetObject can read sensitive files.
- Avoid "Resource": "*" in production; scope to named buckets/log groups.
- Pair with MFA and least-privilege trust policies on the role itself.