How to Manage Bucket Permissions for IP addresses or Ranges of IP

How to limit access by IP addresses or ranges of IP

You can restrict which IP addresses or IP ranges are allowed to perform S3 operations on your buckets by creating a bucket policy that uses the IpAddress or NotIpAddress condition.

To Allow actions for a specific IP address or IP range, use the IpAddress condition together with the aws:SourceIp condition key.

Note: The aws:SourceIp condition key takes IPv4 and IPv6 values in standard CIDR notation. For IPv6, the double colon (::) is supported to represent consecutive groups of zeros.

Requirements

In the example below, we allow the 192.0.2.0/24 IP range to perform the s3:ListBucket and s3:GetObject actions; requests from any other source address are not granted by this statement.

Important: Replace the example IP addresses before applying your bucket policy or you might lose access to your bucket.

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my instances",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}

You can achieve the same result by denying the actions to every IP address outside the range specified under the NotIpAddress condition. Keep in mind that a Deny statement only removes access; it does not by itself grant the actions to the IP range.

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my instances",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}

Alternatively, you can block specific IP addresses or IP ranges from performing actions on your bucket. One way is to use NotIpAddress with the Allow effect, which allows the actions from every source address except the listed range:

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my instances",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "2001:db8::/32"
        }
      }
    }
  ]
}

Another is the Deny effect paired with the IpAddress condition, which denies the actions to the listed range:

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my instances",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "2001:db8::/32"
        }
      }
    }
  ]
}
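To check what a policy like the four above actually permits before applying it, here is a small evaluator added for this page (it is not part of the documentation or any vendor SDK). It assumes the usual rule that an explicit Deny overrides an Allow, evaluates only the Action and the aws:SourceIp condition, and keeps <BUCKET_NAME> as a placeholder.

```python
import ipaddress
import json

def ip_condition_matches(condition, source_ip):
    """True if a statement's Condition block matches source_ip. Supports
    IpAddress / NotIpAddress on aws:SourceIp, one CIDR or a list, v4 or v6."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        cidrs = keys.get("aws:SourceIp", [])
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        # An IPv4 address never falls inside an IPv6 range, and vice versa.
        in_any = any(ip.version == n.version and ip in n for n in nets)
        if operator == "IpAddress" and not in_any:
            return False
        if operator == "NotIpAddress" and in_any:
            return False
    return True  # no condition, or every operator satisfied

def is_allowed(policy_json, action, source_ip):
    """Decide whether `action` from `source_ip` is permitted by the policy.
    Principal and Resource matching are left out to keep the IP logic
    visible; an explicit Deny always overrides any Allow."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if action not in actions and "s3:*" not in actions:
            continue
        if not ip_condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed policy with the same shape as the first (Allow + IpAddress)
# example on this page; <BUCKET_NAME> is a placeholder, not a real bucket.
ALLOW_RANGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}},
    }],
})
```

Feeding it the address you expect to be blocked, as well as the one you expect to keep, is a cheap way to catch the lock-out warned about above before the policy is live.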

Note: Bucket policies use a JSON-based access policy language. You can find more details on the S3 Object Storage - JSON Policy Grammar documentation page.
