# IAM Policy S3 ReadOnly

## Overview
This Terraform module provisions an IAM policy that grants read-only access to Amazon S3, designed to enable visibility while preventing modification or deletion of data.
## Key Features
- Grants read-only permissions to all S3 buckets
- Allows listing bucket contents and reading object data
- Prevents creation, modification, or deletion of S3 resources
- Supports environment-based tagging and access visibility
- Follows least-privilege security principles
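The features above amount to a policy whose Allow statements contain only read-level S3 actions. As an added example that is not part of this module or its source, the Python check below parses an IAM policy document and reports every Allow grant outside the `s3:Get*` / `s3:List*` / `s3:Describe*` set; the embedded policy is a constructed sample in the shape the README describes, not the module's actual policy document.

```python
"""Verify that an IAM policy document grants only read-only S3 actions."""
import fnmatch
import json

# Read-level S3 action patterns (lower-case; IAM action names are case-insensitive).
# Anything else, including a bare "s3:*" or "*", is treated as a write-capable grant.
READ_ONLY_S3 = ("s3:get*", "s3:list*", "s3:describe*")

# Constructed sample in the shape the README describes (list buckets, read objects,
# all buckets). It is not the module's actual policy document.
SAMPLE_READONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketLocation"]},
        {"Effect": "Allow", "Resource": "*", "Action": "s3:ListBucket"},
        {"Effect": "Allow", "Resource": "*", "Action": "s3:ListAllMyBuckets"},
    ],
})


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def non_readonly_actions(policy_json):
    """Return the Allow grants that fall outside the read-only S3 set."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt:  # grants everything except the listed actions
            findings.append("NotAction=" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action")):
            # A wildcard like "s3:Get*" passes only if it sits inside a read-only
            # pattern; "s3:*" can match PutObject, so it is reported.
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in READ_ONLY_S3):
                findings.append(action)
    return findings


def is_readonly(policy_json):
    """True when every Allow in the policy is a read-only S3 action."""
    return not non_readonly_actions(policy_json)
```

Run it against the rendered policy document from `terraform show -json` (or the `aws iam get-policy-version` output) to confirm the deployed policy still matches the read-only intent after any change.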
## Use Cases
- Attach to IAM roles used by monitoring agents or data auditors
- Assign to users requiring download access to static assets
- Apply in read-only environments like pre-production or sandbox setups
- Use in tandem with IAM Groups for scoped S3 data access
## Input Variables
| Name | Type | Description |
|---|---|---|
| region | string | AWS region for deployment |
| policy_name | string | Name of the IAM policy |
| environment | string | Environment label for tagging (e.g., dev, prod) |
## Outputs
| Name | Description |
|---|---|
| policy_arn | ARN of the created IAM read-only S3 policy |
## Deployment Readiness

- Compatible with Terraform 1.0+
- Requires AWS Provider 5.x+
- IAM permissions required: `iam:CreatePolicy`, `iam:DeletePolicy`
## Example Usage

```hcl
module "iam_policy_s3_readonly_deployment" {
  source      = "git::ssh://git@github.com/archiphire/aws-level-1-modules.git//iam/iam-policy-s3-readonly?ref=v1.0.0"
  region      = "us-east-1"
  policy_name = "s3-readonly-policy"
  environment = "dev"
}
```

```shell
terraform init
terraform plan
terraform apply
```

or

```shell
tofu init
tofu plan
tofu apply
```
## Cleanup

Terraform Destroy:

```shell
terraform destroy
```

or

```shell
tofu destroy
```

Manual Deletion (for Production):

```shell
aws iam delete-policy --policy-arn <policy_arn>
```

Use `aws iam list-policies` to retrieve the policy ARN if needed.
## Notes
This is a Level 1 IAM module focused on secure read-only access to S3 data.
For write or full-access use cases, consider alternate modules with broader permissions.
Recommended for organizations with strict data governance or tiered access models.
## Deployment Package Notice
This module is part of the Level 1 AWS License Tier.
To access the full deployment package and source code, subscribe to Archiphire.