How to restrict access to a bucket to specific IP address

July 1, 2020 / Eternal Team

Security is one of the many facets of an organization. In our last blog, our AWS expert team explained “how to restrict a bucket policy to SSL requests only”, so today we bring a new topic: “how to restrict access to S3 by IP address”.

In this blog, we’re going to look at S3 bucket policies, and specifically at how we can restrict access to our S3 buckets to particular IP ranges.

Let us take an example: the bucket contains confidential financial information, and you want only the finance team to have access to its contents. The finance team’s IP range is 10.0.12.X/24, where X stands for the host part of the range.

So to do this, we can use a bucket policy.

Go to your bucket policy and write the policy defined below.

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "10.0.12.0/24"}
      }
    }
  ]
}

In this policy, you can see that only a particular IP range can access the bucket: anyone in the 10.0.12.X address range will be able to access this S3 bucket, and nobody else.

However, suppose a request comes from an external IP address, let’s say 54.240.143.188/32.

This is a single, individual public IPv4 address. Maybe it belongs to a hacker who has been trying to hack your site. You can then specifically block them using the “NotIpAddress” condition, which works for both IPv4 and IPv6 addresses.

Example 2

{
  "Id":"PolicyId2",
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AllowIPmix",
      "Effect":"Allow",
      "Principal":"*",
      "Action":"s3:*",
      "Resource":"arn:aws:s3:::examplebucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "10.0.12.0/24",
            "1054:CB9:1534:6828::/64"
          ]
        },
        "NotIpAddress": {
          "aws:SourceIp": [
             "40.240.144.129/30",
             "2021:Da8:1834:5278:A1CD::/80"
          ]
        }
      }
    }
  ]
}

This example policy allows access from the IP ranges 10.0.12.X/24 and 1054:CB9:1534:6828::/64 and denies access from the ranges 40.240.144.129/30 and 2021:Da8:1834:5278:A1CD::/80.
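To check how these IP conditions behave before attaching a policy, here is an added Python example (not from the original post or from AWS) that applies the IpAddress and NotIpAddress operators to a source address the way bucket policy evaluation does, for both IPv4 and IPv6. It also carries an explicit-Deny variant, which is the form to use when the bucket is also reachable by IAM principals: an Allow statement only adds permission for the listed range, while a Deny with NotIpAddress refuses every request from outside it regardless of the caller's other permissions. Assumptions: 10.0.12.0/24 stands in for the post's 10.0.12.X/24 placeholder, and Action and Resource already match the statement.

```python
import ipaddress
import json

# Constructed policies (not from the post); 10.0.12.0/24 stands in for the
# post's 10.0.12.X/24 placeholder, since a CIDR needs a numeric last octet.
ALLOW_ONLY_RANGE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "IPAllow", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::examplebucket/*",
    "Condition": {
      "IpAddress": {"aws:SourceIp": ["10.0.12.0/24", "1054:CB9:1534:6828::/64"]},
      "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}}}]
}""")
# Explicit-deny form: refuses every request from outside the range, even from
# IAM principals that otherwise hold s3:* (an explicit Deny always wins).
DENY_OUTSIDE_RANGE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "IPDeny", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::examplebucket/*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.12.0/24"}}}]
}""")

def _in_any(source_ip, cidrs):
    """True if source_ip lies in any listed CIDR; v4/v6 membership never mixes."""
    addr = ipaddress.ip_address(source_ip)
    cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def _conditions_hold(stmt, source_ip):
    """Apply the statement's aws:SourceIp operators; other condition keys are ignored."""
    for operator, keys in stmt.get("Condition", {}).items():
        if "aws:SourceIp" not in keys:
            continue
        hit = _in_any(source_ip, keys["aws:SourceIp"])
        if (operator == "IpAddress" and not hit) or (operator == "NotIpAddress" and hit):
            return False
    return True

def evaluate(policy, source_ip):
    """'Allow', 'Deny' or 'ImplicitDeny' for source_ip, assuming Action/Resource match."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _conditions_hold(stmt, source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision
```

Note that the Deny form grants nothing by itself: the finance team's access still comes from their IAM permissions, which is why the evaluator returns ImplicitDeny rather than Allow for an in-range address under that policy.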

Great, you finally did it. For details, you can visit this link.
