Managing bucket permissions for IP addresses or IP ranges
When a bucket policy is present on a bucket, any action that is not explicitly allowed is denied by default. You can restrict which IP addresses or IP ranges are permitted to perform operations on your bucket by adding a statement whose Condition uses the IpAddress or NotIpAddress operator on the aws:SourceIp condition key. IpAddress is satisfied when the request's source address falls inside one of the listed CIDR blocks; NotIpAddress is satisfied when it falls outside all of them. The address compared is the one the Object Storage endpoint sees, so clients behind a NAT gateway or proxy match on their shared egress address, not on their internal address.
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- A valid API key
- An Object Storage bucket
In the example below, we allow the 198.51.100.0/24 IP range to perform the s3:ListBucket and s3:GetObject actions. Because everything not explicitly allowed is denied once the policy is in place, requests from any other address are refused regardless of who sends them, including your own console or API calls. Before applying the policy, make sure the address you administer the bucket from is inside the allowed range, or add a separate statement granting your own principal access.
{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to specified IP",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "198.51.100.0/24"
        }
      }
    }
  ]
}
Alternatively, you can exclude specific IP addresses or IP ranges from performing actions on your bucket using the NotIpAddress operator. Note what the statement below actually grants: with "Principal": "*", it allows s3:ListBucket and s3:GetObject for everyone whose address is outside 2001:db8::/32, so the bucket becomes readable by any client outside that range. Since the excluded block is IPv6, every IPv4 client falls outside it and is allowed; exclude an IPv4 range as well if that is not intended. An IP-based exclusion only stops a client that cannot change its egress address, so treat it as a coarse filter rather than an access-control boundary.
{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to everyone except specified IP",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "2001:db8::/32"
        }
      }
    }
  ]
}
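The following script is an added example, not part of this page or of Scaleway's own tooling. It evaluates the IpAddress and NotIpAddress conditions from both policies above offline, using the documented semantics (default deny once a policy exists, aws:SourceIp compared against CIDR blocks), so you can test a policy against sample requests before applying it and catch the two pitfalls discussed above: locking your own administration address out, and an address-family mismatch that makes an IPv6-only exclusion a no-op for IPv4 clients. The bucket name "my-bucket", the sample addresses, and the decision to skip Principal matching (both page examples use "*") are assumptions made for the example.

```python
"""Offline evaluator for the IpAddress / NotIpAddress bucket-policy conditions.

Added example for this page, not Scaleway's code. It reproduces the documented
semantics (default deny once a policy exists; aws:SourceIp compared against
CIDR blocks) so a policy can be checked against sample requests before it is
applied. Only aws:SourceIp is evaluated; Principal is not checked because both
examples on this page use "*" (an assumption made for brevity).
"""
import fnmatch
import ipaddress
import json

# Constructed input: the IPv4 allow-list policy from this page with the
# placeholder bucket name replaced by "my-bucket".
ALLOW_ONLY_POLICY = json.loads("""
{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to specified IP",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["my-bucket", "my-bucket/*"],
      "Condition": {"IpAddress": {"aws:SourceIp": "198.51.100.0/24"}}
    }
  ]
}
""")


def _as_list(value):
    """Policy fields accept either a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def source_ip_matches(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress operators on the aws:SourceIp key.

    IpAddress is satisfied when the source address falls inside any listed
    block; NotIpAddress when it falls inside none of them. An address-family
    mismatch (IPv6 client against an IPv4 block) never matches, so an
    IPv4-only allow-list excludes IPv6 clients, and an IPv6-only NotIpAddress
    block excludes no IPv4 client at all.
    """
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator: {operator}")
        if set(keys) != {"aws:SourceIp"}:
            raise ValueError(f"unsupported condition key(s): {sorted(keys)}")
        blocks = [ipaddress.ip_network(c, strict=False) for c in _as_list(keys["aws:SourceIp"])]
        in_any = any(ip in block for block in blocks)
        # IpAddress needs a hit, NotIpAddress needs no hit; anything else fails.
        if (operator == "IpAddress") != in_any:
            return False
    return True


def is_allowed(policy, action, resource, source_ip):
    """Return True when an Allow statement covers the request and no Deny does.

    A request matching no statement is denied: this is the default deny that
    applies as soon as a bucket policy exists, and it applies to the bucket
    owner's own requests as much as to anyone else's.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not source_ip_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed


def lockout_check(policy, bucket, admin_ips):
    """Return the administrator addresses that would lose s3:ListBucket.

    Run this before applying an IP-restricted policy: any address returned
    here can no longer even list the bucket once the policy is in place.
    """
    return [ip for ip in admin_ips if not is_allowed(policy, "s3:ListBucket", bucket, ip)]


if __name__ == "__main__":
    # Constructed sample requests against the allow-list policy.
    for ip in ("198.51.100.42", "203.0.113.7", "2001:db8::1"):
        verdict = "ALLOW" if is_allowed(ALLOW_ONLY_POLICY, "s3:GetObject", "my-bucket/report.csv", ip) else "DENY"
        print(f"GetObject my-bucket/report.csv from {ip}: {verdict}")
    print("locked out:", lockout_check(ALLOW_ONLY_POLICY, "my-bucket", ["198.51.100.10", "203.0.113.7"]))
```

Feed it the policy you are about to apply, the action and resource of a typical request, and the egress addresses of every client and administrator that must keep access; an administrator address that shows up in lockout_check means the policy needs either a wider range or an additional statement for that principal before you upload it.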