Search barSidebar navigationMain contentFooter
Scaleway DocumentationStorageObject StorageAPI/CLI
manage bucket permissions IP
Update content

Managing bucket permissions for IP addresses or ranges of IP

Reviewed on 28 December 2021Published on 18 May 2021

You can stipulate which IP addresses or IP ranges have access or permission to perform S3 operations on your buckets by creating a bucket policy with the IpAddress or NotIpAddress conditions.

It is possible to Allow actions for a specific IP address or range of IPs, using the IpAddress condition and the aws:SourceIp condition key.

Note:

The aws:SourceIp IPv4 and IPv6 values use the standard CIDR notation. For IPv6, we support using the double colon (::) to represent strings of 0.

Requirements:

In the example below, we allow the 192.0.2.0/24 IP range to perform the s3:ListBucket and s3:GetObject actions.

Note:

Replace the example IP addresses before applying your bucket policy or you might lose access to your bucket.

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my Instances",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "198.51.100.0/24"
        }
      }
    }
  ]
}

You can have the same result if you Deny actions for IP addresses specified under the NotIpAddress condition:

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my Instances",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "198.51.100.0/24"
        }
      }
    }
  ]
}

Alternatively, you can block certain IP addresses or IP address ranges from performing actions on your bucket. You can also use NotIpAddress with the Allow Effect:

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my Instances",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "2001:db8::/32"
        }
      }
    }
  ]
}

Or the Deny effect paired with the IpAddress condition:

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my Instances",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "2001:db8::/32"
        }
      }
    }
  ]
}
Note:

Bucket policies use a JSON-based access policy language. You can find more details on the JSON Policy Grammar documentation page.