1

I'm trying to create a policy for an IAM account that will allow an employee to have full read permissions for our S3 (lifecycled to Glacier) buckets, with no unnecessary write abilities, so as to avoid any kind of damage to our backups.

This version of read needs to include the ability to initiate a file restore (Glacier) and download it.

I've created a policy that allows the full List and Read access level groups, but I get an Access Denied error when I try to initiate a file restore through S3 Browser.

I tried a mixture of trial and error, and guessing at which actions sounded relevant, but had no luck.

What are the minimum actions I should be selecting from the Write/Permission management/Tagging groups to ensure that Glacier files can be retrieved, with no unnecessary write access?

Thanks

Cyanara

1 Answer

1

The correct option to select was s3:RestoreObject.

Credit: Michael - sqlbot Dec 8 '17 at 13:08

Cyanara
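A policy document along the lines this thread arrives at, as an added example that is not from either post: listing and reading, plus s3:RestoreObject as the only action beyond them. The bucket name EXAMPLE-BACKUP-BUCKET is a placeholder, and the specific list and read actions shown are an assumed subset of the List and Read groups the question mentions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBuckets",
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Resource": "*"
    },
    {
      "Sid": "ListBackupBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:ListBucketVersions"],
      "Resource": "arn:aws:s3:::EXAMPLE-BACKUP-BUCKET"
    },
    {
      "Sid": "ReadAndRestoreObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:RestoreObject"],
      "Resource": "arn:aws:s3:::EXAMPLE-BACKUP-BUCKET/*"
    }
  ]
}
```

The object-level statement targets the `/*` resource while s3:ListBucket targets the bucket ARN itself; the policy grants no put, delete, lifecycle or bucket-policy actions.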