Built so security teams sign off.

S3 Viewer is designed to be the kind of tool that doesn't add new attack surface. Credentials are encrypted at rest with RSA-4096. Object contents stream through, never persisted. No per-person IAM users to rotate at off-boarding. MIT-licensed and self-hostable inside your own VPC.

  • RSA-4096 encrypted credentials — decrypted only in memory
  • Zero object retention — nothing persisted on our side
  • MIT-licensed and self-hostable inside your VPC

Why teams pick S3 Viewer

A tool you can hand to your security review.

RSA-4096 encrypted credentials

Access keys are encrypted at rest with RSA-4096 (PKCS1_OAEP, SHA-256). Decrypted only in memory to sign requests, then discarded. They never reach the browser, never appear in logs, never return in API responses.

Zero object retention

Files stream from your bucket to the browser via short-lived presigned URLs. No object cache, no object database, no object storage. Cross-cloud copies stream source-to-destination, not into anything we keep.

No IAM users to rotate

Workspace members aren't IAM users — they're sessions tied to your single workspace credential. Off-boarding is a session revoke. Nothing permanent for attackers to lift, nothing for you to forget about.

Revoke without key rotation

Pulling a user's access ends their session immediately. No AWS keys to cycle, no policies to edit, no other teammates affected, no applications broken.

Self-host on your VPC

MIT-licensed. Self-host with PostgreSQL, your own OpenSSL keys, and HTTPS — credentials never have to leave your network.

Open and auditable

The full source is on GitHub. Read the encryption code, the request signing path, and the access checks for yourself before you trust it.

How it works

Three steps to your bucket.

No agents to install, no infrastructure to manage. Paste credentials and you're browsing.

  1. Connect with least-privilege keys

    Use an IAM policy scoped to the buckets and operations you actually need — typically s3:ListBucket, s3:GetObject, s3:PutObject, and s3:DeleteObject on specific bucket ARNs. If your token can't ListBuckets, pin an allowed-buckets whitelist when you connect.

  2. Invite the team — no IAM users to mint

    Each member gets their own login and role per bucket. Off-boarding is a one-click revoke; you don't rotate any AWS keys because they never had any.

  3. Self-host if compliance demands it

    Drop the open-source build inside your VPC. Credentials, sessions, and request signing all stay on your infrastructure. No third party in the request path.

FAQ

Common questions.

Direct answers we wish we'd had when picking a viewer.

Where are my AWS credentials stored?

Encrypted at rest with RSA-4096 (PKCS1_OAEP, SHA-256). The keys are decrypted in memory only when signing an S3 request, then discarded. They never reach the browser, never appear in any API response, and never enter any log. On the self-hosted build, you control the encryption key entirely.

Do you store the contents of my S3 objects?

No. Files stream from your bucket through the server to your browser using short-lived presigned URLs. There is no object cache, no object database, and no object storage on our side. Cross-cloud copies stream byte-for-byte from source to destination — not into anything we keep.

How is this safer than minting IAM users for every teammate?

Per-person IAM users are permanent artifacts: keys to rotate, console access to manage, off-boarding to remember. Workspace members aren't IAM users — they're sessions tied to your single workspace credential. Revoking them ends their session immediately; no AWS keys to cycle, no policies to update, nothing for an attacker to lift from a stale config.

Can I run S3 Viewer entirely inside my own infrastructure?

Yes. The repo is open source under the MIT license. Self-host it behind your VPN or inside your VPC and credentials, sessions, and traffic never leave your network. The encryption key is yours to manage.

How do I off-board someone who's leaving?

Click revoke on their workspace membership. Their session ends on the next request and they can no longer authenticate. You don't have to rotate any AWS or R2 keys — they never held any. Other teammates and applications keep working.

What IAM policy should I use?

A least-privilege policy scoped to the buckets you want to expose, typically with s3:GetObject, s3:PutObject, s3:DeleteObject, and s3:ListBucket. For listing inside a specific prefix only, add a Condition on s3:prefix. The IAM-permissions how-to has a full example policy.
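
A sketch of the policy shape described above, as an added example (not S3 Viewer's own code or its how-to policy): it builds a policy for one bucket and optional prefix and lints a policy for wildcard actions or unpinned resources. The bucket name `example-bucket`, the prefix `reports`, and the function names are assumptions for illustration.

```python
import json

# Object-level actions the page lists for a typical connection.
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]

def build_policy(bucket, prefix=""):
    """Least-privilege policy for one bucket, optionally limited to one prefix."""
    prefix = prefix.strip("/")
    if not bucket or any(c in bucket + prefix for c in "*?"):
        raise ValueError("bucket and prefix must be literal names, no wildcards")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    # s3:ListBucket is a bucket-level action, so it takes the bucket ARN.
    list_stmt = {"Sid": "ListBucket", "Effect": "Allow",
                 "Action": ["s3:ListBucket"], "Resource": [bucket_arn]}
    if prefix:
        # Only list requests whose prefix parameter falls under this prefix pass.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}
    # Object actions take object ARNs (bucket plus key pattern).
    object_arn = f"{bucket_arn}/{prefix}/*" if prefix else f"{bucket_arn}/*"
    object_stmt = {"Sid": "ObjectAccess", "Effect": "Allow",
                   "Action": list(OBJECT_ACTIONS), "Resource": [object_arn]}
    return {"Version": "2012-10-17", "Statement": [list_stmt, object_stmt]}

def lint(policy):
    """Return findings for Allow statements broader than a scoped policy.

    Assumes Action and Resource are written as lists, as build_policy does.
    """
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        for action in stmt["Action"]:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
        for res in stmt["Resource"]:
            bucket_part = res.split(":::", 1)[-1].split("/", 1)[0]
            if "*" in bucket_part:
                findings.append(f"{sid}: resource {res} is not pinned to a bucket")
    return findings

# Constructed sample of an over-broad policy, for comparison.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Everything", "Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]}]}

if __name__ == "__main__":
    print(json.dumps(build_policy("example-bucket", "reports"), indent=2))
    print(lint(BROAD))
```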

Is the source code open?

Yes. S3 Viewer is MIT-licensed and the source is on GitHub. Audit the encryption code, the request signing path, and the access checks for yourself. Fork it, contribute, or self-host without paying anyone.