
Managing bucket permissions for IP addresses or IP ranges

Reviewed on 18 December 2023. Published on 18 May 2021.

You can stipulate which IP addresses or IP ranges have access or permission to perform S3 operations on your buckets by creating a bucket policy with the IpAddress or NotIpAddress conditions.

You can Allow actions for a specific IP address or IP range by using the IpAddress condition together with the aws:SourceIp condition key.

Note

The aws:SourceIp IPv4 and IPv6 values use standard CIDR notation. For IPv6, the double colon (::) is supported as shorthand for a run of zero groups.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • A valid API key
  • An Object Storage bucket

In the example below, we allow the 192.0.2.0/24 IP range to perform the s3:ListBucket and s3:GetObject actions.

Note

Replace the example IP addresses before applying your bucket policy or you might lose access to your bucket.

{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my Instances",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "198.51.100.0/24"
        }
      }
    }
  ]
}

You can achieve the same result with a Deny effect applied to the IP addresses specified under the NotIpAddress condition:

{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my Instances",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "198.51.100.0/24"
        }
      }
    }
  ]
}

Alternatively, you can block specific IP addresses or IP ranges from performing actions on your bucket. One way is to combine NotIpAddress with the Allow effect:

{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my Instances",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "2001:db8::/32"
        }
      }
    }
  ]
}

The other way is to pair the Deny effect with the IpAddress condition:

{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my Instances",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "2001:db8::/32"
        }
      }
    }
  ]
}

Note

Bucket policies use a JSON-based access policy language. You can find more details on the JSON Policy Grammar documentation page.
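To see how the four Allow/Deny and IpAddress/NotIpAddress combinations above behave before you apply one, here is an added example (not Scaleway's code) that builds each variant, evaluates it for a given source IP and action, and checks whether your own administrator IP would be locked out, as the note above warns. It assumes IAM-style evaluation (an explicit Deny wins over Allow, and anything not allowed is denied) and ignores the Resource element, which is kept as the page's <BUCKET_NAME> placeholder.

```python
import fnmatch
import ipaddress

def make_policy(effect, operator, cidr):
    """Build one of the page's four variants: Allow/Deny x IpAddress/NotIpAddress."""
    statement = {
        "Sid": "Restrict List and GET by source IP", "Effect": effect, "Principal": "*",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],  # placeholder kept as on the page
        "Condition": {operator: {"aws:SourceIp": cidr}},
    }
    return {"Version": "2023-04-17", "Id": "MyBucketPolicy", "Statement": [statement]}

def ip_in_cidrs(source_ip, cidrs):
    """True if source_ip lies in any listed CIDR; an IPv4 address never matches an IPv6 range."""
    addr = ipaddress.ip_address(source_ip)
    cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def condition_holds(condition, source_ip):
    """Evaluate the IpAddress / NotIpAddress operators on the aws:SourceIp key."""
    for operator, keys in condition.items():
        matched = ip_in_cidrs(source_ip, keys.get("aws:SourceIp", []))
        if operator == "IpAddress" and not matched:
            return False
        if operator == "NotIpAddress" and matched:
            return False
    return True

def evaluate(policy, action, source_ip):
    """Assumed IAM-style evaluation: an explicit Deny wins, else Allow, else implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if not condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def lockout_check(policy, admin_ip, actions=("s3:ListBucket", "s3:GetObject")):
    """Actions the administrator's own IP would be denied; run before applying the policy."""
    return [a for a in actions if evaluate(policy, a, admin_ip) == "Deny"]

if __name__ == "__main__":
    policy = make_policy("Allow", "IpAddress", "198.51.100.0/24")
    print(lockout_check(policy, "192.0.2.10"))  # both actions denied: fix the CIDR first
```

Under the assumed evaluation rules a Deny statement only removes access, so the two Deny variants return Allow only when another statement (or the platform's own owner grant) permits the request.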
