How do I create an S3 bucket policy to allow specific IPs only?

Create a bucket policy with an Allow statement using the aws:SourceIp condition key: {"Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/32", "198.51.100.0/24"]}}}. This grants access only from the listed IP addresses or CIDR ranges while implicitly denying all others (assuming no other Allow policies exist).

What is the difference between Allow and Deny in S3 bucket policies for IP restrictions?

Using Allow with aws:SourceIp grants access only to listed IPs (implicit deny for others). Using Deny with aws:NotIpAddress explicitly blocks all IPs not in the list — this is more explicit and overrides any other Allow statements, making it a stricter approach. Both achieve IP-based access control but with different policy logic.

Can I use CIDR ranges in S3 bucket IP policies?

Yes, S3 bucket policies support both individual IP addresses (e.g., 203.0.113.5/32) and CIDR ranges (e.g., 10.0.0.0/8 for all 10.x.x.x addresses). Use CIDR notation to allow entire subnets, which is useful for corporate office networks or AWS VPC ranges.

Will IP-based S3 policies work for programmatic access?

Yes, IP-based policies apply to all requests including CLI, SDK, and API calls. If you configure CLI access from an EC2 instance or Lambda function, the aws:SourceIp will be the private IP (which may not match public IP restrictions). In such cases, use VPC endpoints and aws:SourceVpc conditions instead.

Create AWS S3 Bucket Policy To Grant Access To Specific IPs

June 6, 2020 / Nirav Shah

Introduction

In this, we are going to learn about how to grant access to the bucket to specific tips to secure our bucket
So if the bucket is public no one can access the bucket if they are out of the allowed IP range
Eg: if there are multiple projects in a single account and are storing their static data in individual buckets so it is not a good practice that the server can access all the S3 buckets. If for any reason the server gets compromised the person/hacker will get the access of all the bucket so to stop this we can implement a bucket policy by which the specific Public IP or the Private IP only can access the data of the bucket programmatically.

Pre-requirements

Server public IP
Server private IP
Amazon S3 bucket

To create the policy and attach it to the bucket steps are as follow

- Step 1: Select the bucket in which you want to apply the policy .
- Step 2:In our case, we have created a new bucket name bucket-policy-access.
- Step 3:Select permission on the top menu.
- Step 4:Select Block Public Access and check that Block all public access is turned on.
- Step :Now click on bucket policy.
- Step 6:Add the following policy to the editor
  Please replace the bucket-name and bucket-name & private-ip-oftheserver/32 as shown in the image below
- ```
	{
	  "Version": "2012-10-17",
	  "Id": "S3PolicyId1",
	  "Statement": [
	    {
	      "Sid": "IPAllow",
	      "Effect": "Allow",
	      "Principal": "*",
	      "Action": "s3:*",
	      "Resource": "arn:aws:s3:::bucket-name/*",
	      "Condition": {
	        "IpAddress": {
	          "aws:SourceIp": [
	            "public-ip-oftheserver/32",
	            "private-ip-oftheserver/32"
	          ]
	        }
	      }
	    }
	  ]
	}
```
- Step 7:If it shows the “The block public access settings turned on for this bucket prevent granting public access.” then your policy is applied correctly.
- Step 8:Now to verify the upload an object and try to access it via browser if it shows the below output policy is working.

AWS S3 bucket policy granting access to specific IP addresses - step 7

Also Read: Backup WordPress site to AWS S3 bucket

FAQs:

What is the size limit of S3 bucket policies?
Can an S3 bucket have multiple policies?
What does this S3 bucket policy do?

Spread Love By Sharing:

Nirav Shah

Nirav Shah is the Director of Eternal Web Pvt Ltd, an AWS Advanced Consulting Partner and certified Odoo Partner based in the UK. With over a decade of experience in cloud computing, digital transformation, and ERP implementation, Nirav helps enterprises adopt the right technology to solve complex business challenges. He specialises in AWS infrastructure, Odoo ERP, and web development solutions for businesses across the UK and beyond.