
AWS Incident Response: ReadOnly vs ViewOnly access
TL;DR:
- ViewOnlyAccess: You can see the infrastructure (settings/tags) but not the data (files/records). It is useful for high-level visibility.
- ReadOnlyAccess: You can see the infrastructure and the data, which is essential for deep investigation, forensic analysis and evidence. It also supports CLI-driven IR, which wins hands-down on usability and speed.

Imagine you are the Lead Incident Responder for a fintech company. At 2:00 AM, your GuardDuty alerts scream: An unauthorized IP address is listing objects in your "Customer-Tax-Records" S3 bucket.

The "ViewOnly" Fail

Your junior analyst logs in with ViewOnlyAccess. They can see the bucket exists. They see the encryption is turned on (AES-256). They see the bucket policy.

The Problem: They try to check if the sensitive PDF files inside the bucket have been modified or if a Canary file has been tripped.

The Result: Access Denied. Because they only have View permissions, they can't see the content of the bucket. They are essen
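The scenario above, turned into the triage script an incident responder would actually run: it checks the bucket's encryption setting (infrastructure level), compares object ETags against a known-good manifest (listing level), and hashes the canary object (data level), recording which steps a principal is denied rather than aborting on the first AccessDenied. This is an added example, not code from the original post. It runs offline against a constructed FakeS3 client; the sets of operations granted to the ViewOnly and ReadOnly principals follow the post's narrative (settings only versus settings plus data) and are an assumption, not a transcription of the AWS managed policies, so check the actual policy documents before relying on them. The manifest, bucket contents and canary are constructed sample data; with real credentials, pass boto3.client("s3") to triage_bucket() instead of the fake.

```python
"""Added example, not code from the original post: the S3 triage steps an
incident responder runs against a bucket, recording which steps a ViewOnly-style
principal can complete and which need object-level read (ReadOnlyAccess)."""
from __future__ import annotations

import hashlib
import io
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Mimics the shape of botocore's ClientError: exc.response['Error']['Code']."""

    def __init__(self, op: str) -> None:
        super().__init__(f"AccessDenied: {op}")
        self.response = {"Error": {"Code": "AccessDenied"}}


def is_access_denied(exc: Exception) -> bool:
    """True for the error codes boto3 surfaces on a denied S3 call."""
    resp = getattr(exc, "response", None) or {}
    return resp.get("Error", {}).get("Code") in ("AccessDenied", "403", "Forbidden")


@dataclass
class TriageReport:
    encryption: str | None = None                           # settings-level fact
    overwritten: list[str] = field(default_factory=list)   # keys whose ETag changed
    canary_intact: bool | None = None                       # data-level fact, None if unchecked
    denied: list[str] = field(default_factory=list)        # steps that hit AccessDenied


def triage_bucket(s3, bucket: str, manifest: dict[str, str],
                  canary_key: str, canary_sha256: str) -> TriageReport:
    """Run every check and record denials instead of aborting on the first one."""
    r = TriageReport()
    # Step 1, settings level: the kind of fact ViewOnly is meant to expose.
    try:
        rule = s3.get_bucket_encryption(Bucket=bucket)["ServerSideEncryptionConfiguration"]["Rules"][0]
        r.encryption = rule["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
    except Exception as exc:
        if not is_access_denied(exc):
            raise
        r.denied.append("get_bucket_encryption")
    # Step 2, listing level: compare ETags with a known-good manifest; a
    # differing ETag means the object was overwritten since the manifest was taken.
    try:
        for obj in s3.list_objects_v2(Bucket=bucket).get("Contents", []):
            expected = manifest.get(obj["Key"])
            if expected is not None and expected != obj["ETag"]:
                r.overwritten.append(obj["Key"])
    except Exception as exc:
        if not is_access_denied(exc):
            raise
        r.denied.append("list_objects_v2")
    # Step 3, data level: reading the canary object requires s3:GetObject.
    try:
        body = s3.get_object(Bucket=bucket, Key=canary_key)["Body"].read()
        r.canary_intact = hashlib.sha256(body).hexdigest() == canary_sha256
    except Exception as exc:
        if not is_access_denied(exc):
            raise
        r.denied.append("get_object")
    return r


class FakeS3:
    """Constructed stand-in for boto3's S3 client: calls outside `allow` are denied."""

    def __init__(self, allow: set[str], objects: dict[str, str], canary_body: bytes):
        self.allow, self.objects, self.canary_body = allow, objects, canary_body

    def _check(self, op: str) -> None:
        if op not in self.allow:
            raise AccessDenied(op)

    def get_bucket_encryption(self, Bucket):
        self._check("get_bucket_encryption")
        return {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

    def list_objects_v2(self, Bucket):
        self._check("list_objects_v2")
        return {"Contents": [{"Key": k, "ETag": e} for k, e in self.objects.items()]}

    def get_object(self, Bucket, Key):
        self._check("get_object")
        return {"Body": io.BytesIO(self.canary_body)}


# Constructed sample data: a manifest taken before the incident and the listing
# seen now, in which one tax PDF has been rewritten while the canary is untouched.
CANARY_BODY = b"canary: nobody should ever read this file"
CANARY_SHA256 = hashlib.sha256(CANARY_BODY).hexdigest()
MANIFEST = {"2023/1040-alice.pdf": '"a1b2"', "canary.txt": '"c0c0"'}
OBSERVED = {"2023/1040-alice.pdf": '"ffff"', "canary.txt": '"c0c0"'}
BUCKET = "Customer-Tax-Records"
# Assumption following the post's narrative, not the exact AWS managed policies:
# ViewOnly exposes settings only, ReadOnly exposes the data too.
VIEWONLY_OPS = {"get_bucket_encryption"}
READONLY_OPS = VIEWONLY_OPS | {"list_objects_v2", "get_object"}


def triage_as(allowed_ops: set[str]) -> TriageReport:
    return triage_bucket(FakeS3(allowed_ops, OBSERVED, CANARY_BODY),
                         BUCKET, MANIFEST, "canary.txt", CANARY_SHA256)
```

Calling triage_as(VIEWONLY_OPS) reports the AES256 setting but lists list_objects_v2 and get_object as denied, so neither the overwritten PDF nor the canary state is visible; triage_as(READONLY_OPS) reports the rewritten key and confirms the canary hash. Recording denials per step, rather than raising, is deliberate: during an incident you want one report that says both what you learned and which permissions the responder still lacks.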
Continue reading on Dev.to


