AWS · Cloudbeginner

AWS IAM Read-only Policy

A least-privilege IAM policy granting read-only access to S3 and CloudWatch logs — a safe starting point for auditors, dashboards and monitoring roles.

iamawssecuritypolicys3read-only

Preview

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadS3Objects",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-app-data",
        "arn:aws:s3:::my-app-data/*"
      ]
    },
    {
      "Sid": "ReadCloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:GetLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/my-app/*"
    }
  ]
}

AI actions

Documentation

Purpose

Grant read-only visibility into S3 objects and CloudWatch logs without any ability to modify or delete resources.

When to use

Attach to auditor roles, read-only dashboards, monitoring tools, or a support engineer who needs to inspect but never change infrastructure.

Required fields

  • Version — the policy language version, always "2012-10-17"
  • Statement — one or more permission statements
  • Effect — "Allow" or "Deny"
  • Action — the API operations the statement covers
  • Resource — the ARNs the actions apply to

Optional fields

  • Sid — a human-readable statement id
  • Condition — key/value constraints (e.g. restrict by IP or region)

Best practices

  • Prefer explicit resource ARNs over "*" wherever possible.
  • Split unrelated permissions into separate statements with Sids.
  • Use Conditions to scope access by region, tag or source IP.

Security considerations

  • Read-only still exposes data — S3 GetObject can read sensitive files.
  • Avoid "Resource": "*" in production; scope to named buckets/log groups.
  • Pair with MFA and least-privilege trust policies on the role itself.