AWS Incident Response: ReadOnly vs ViewOnly access

Source: DEV Community
TL;DR: ViewOnlyAccess: You can see the infrastructure (settings/tags) but not the data (files/records). It is useful for high-level visibility. ReadOnlyAccess: You can see the infrastructure and the data, which is essential for deep investigation, forensic analysis and evidence. It also supports CLI-driven IR, which wins hands-down on usability and speed.

Imagine you are the Lead Incident Responder for a fintech company. At 2:00 AM, your GuardDuty alerts scream: an unauthorized IP address is listing objects in your "Customer-Tax-Records" S3 bucket.

The "ViewOnly" Fail

Your junior analyst logs in with ViewOnlyAccess. They can see that the bucket exists. They see that encryption is turned on (AES-256). They see the bucket policy.

The Problem: They try to check whether the sensitive PDF files inside the bucket have been modified or whether a canary file has been tripped.

The Result: Access Denied. Because they only have View permissions, they can't see the content of the bucket. They are essentially a det
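The scenario above hinges on one permission boundary: a view-only policy grants bucket-level calls (ListBucket, GetBucketPolicy, GetEncryptionConfiguration) but not s3:GetObject, so an object-integrity check dies with Access Denied, while a read-only policy's s3:Get* wildcard lets the same check run. The following is an added example, not code from the article; it uses a simplified IAM-style evaluator and two constructed policy documents that stand in for the managed ViewOnlyAccess and ReadOnlyAccess job-function policies (they are not the real policy contents, which you should read from the IAM console), a constructed in-memory "bucket", and SHA-256 digests as the modification baseline. It then runs the junior analyst's check under both policies.

```python
import fnmatch
import hashlib

# Constructed stand-in for a ViewOnlyAccess-style policy: bucket-level
# visibility (listing, policy, encryption settings, tags) and nothing else.
VIEW_ONLY_LIKE = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketPolicy",
                   "s3:GetEncryptionConfiguration", "s3:GetBucketTagging"],
        "Resource": "*",
    }]
}

# Constructed stand-in for a ReadOnlyAccess-style policy: wildcard Get/List,
# which covers object reads (s3:GetObject) as well as bucket settings.
READ_ONLY_LIKE = {
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]
}


def is_allowed(policy, action):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants the action. IAM action names are case-insensitive and accept
    '*' and '?' wildcards, which fnmatch handles once both sides are lowercased."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


class AccessDenied(PermissionError):
    """Raised where the real S3 API would answer with a 403 AccessDenied."""


def list_bucket(policy, bucket):
    if not is_allowed(policy, "s3:ListBucket"):
        raise AccessDenied("s3:ListBucket")
    return sorted(bucket)


def get_object(policy, bucket, key):
    if not is_allowed(policy, "s3:GetObject"):
        raise AccessDenied(f"s3:GetObject on {key}")
    return bucket[key]


# Constructed bucket contents as they were when the baseline was recorded...
ORIGINAL_OBJECTS = {
    "2023/acme-1040.pdf": b"%PDF-1.4 constructed tax record, unchanged",
    "canary/DO-NOT-OPEN-payroll.xlsx": b"constructed canary file, original bytes",
}
# ...the known-good SHA-256 digests recorded from them...
BASELINE = {k: hashlib.sha256(v).hexdigest() for k, v in ORIGINAL_OBJECTS.items()}
# ...and the bucket as found at 2:00 AM, with the canary file altered.
CURRENT_OBJECTS = dict(ORIGINAL_OBJECTS)
CURRENT_OBJECTS["canary/DO-NOT-OPEN-payroll.xlsx"] = b"constructed canary file, TAMPERED"


def integrity_report(policy, bucket, baseline):
    """The step the junior analyst attempts: hash every object and flag any
    whose digest no longer matches the baseline (the canary included)."""
    report = {}
    for key in list_bucket(policy, bucket):
        digest = hashlib.sha256(get_object(policy, bucket, key)).hexdigest()
        report[key] = "intact" if digest == baseline.get(key) else "modified"
    return report


def triage(policy, bucket, baseline):
    """Returns ("ok", report) when the policy permits the check, or
    ("denied", reason) when it fails the way the article describes."""
    try:
        return "ok", integrity_report(policy, bucket, baseline)
    except AccessDenied as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    for name, policy in (("ViewOnly-like", VIEW_ONLY_LIKE), ("ReadOnly-like", READ_ONLY_LIKE)):
        print(name, triage(policy, CURRENT_OBJECTS, BASELINE))
```

Run stand-alone, the view-only policy is denied on the very first s3:GetObject (bucket listing and settings still succeed, which is exactly the "infrastructure but not data" split), while the read-only policy produces a report that marks the canary file as modified and the tax record as intact. Against a real account the same loop maps onto `aws s3api list-objects-v2`, `aws s3api head-object` (LastModified and ETag, often enough to spot a change without downloading) and `aws s3api get-object`, which is the CLI-driven workflow the TL;DR favours.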