
How do I allow only specific VPC endpoints or IP addresses to access my Amazon S3 bucket?


I want to allow traffic from only specific Amazon Virtual Private Cloud (Amazon VPC) endpoints or IP addresses to my Amazon Simple Storage Service (Amazon S3) bucket.

Resolution

Use a bucket policy to specify the VPC endpoints, private IP addresses, or public IP addresses that can access your S3 bucket.

Warning: The following example bucket policies explicitly deny the listed actions for any request that doesn't come from the allowed VPC endpoints or IP addresses. Requests made from the Amazon S3 console don't come through your VPC endpoints, so evaluate your bucket policies to determine whether they affect console-related requests that you rely on.

If your policy denies access to all S3 actions, then you get locked out of your bucket. Before you save your bucket policy, make sure to review it. If you lock yourself out of your bucket, then see How do I regain access to my Amazon S3 bucket after I accidentally denied everyone access?

Restrict access to specific VPC endpoints

To allow traffic from only the VPC endpoints that you specify, use the aws:SourceVpce key in your bucket policy. The following example bucket policy denies upload permissions to the bucket unless the upload request comes from the vpce-1111111 or vpce-2222222 VPC endpoints:

{   
  "Id": "VPCe",  
  "Version": "2012-10-17",  
  "Statement": [  
    {  
      "Sid": "VPCe",  
      "Action": "s3:PutObject",  
      "Effect": "Deny",  
      "Resource": [  
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",  
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"  
      ],  
      "Condition": {  
        "StringNotEquals": {  
          "aws:SourceVpce": [  
            "vpce-1111111",  
            "vpce-2222222"  
          ]  
        }  
      },  
      "Principal": "*"  
    }  
  ]  
}

Note: Replace DOC-EXAMPLE-BUCKET with the name of your bucket.

To use the preceding policy with the aws:SourceVpce condition, create a VPC gateway endpoint for Amazon S3 and attach the gateway endpoint to the route table of the subnet that your Amazon Elastic Compute Cloud (Amazon EC2) instance uses. The gateway endpoint must be in the same AWS Region as the bucket. Note that aws:SourceVpce is present in the request context only when the request arrives through a VPC endpoint, and StringNotEquals evaluates to true when its key is absent, so this Deny also matches requests that use no endpoint at all, such as requests from the internet or from the S3 console.

Restrict access to specific private IP addresses

To allow traffic from only the private IP addresses that you specify, use the aws:VpcSourceIp key in your bucket policy. The following example bucket policy denies upload permissions to the bucket unless the upload request comes from the 10.1.1.1/32 or 172.1.1.1/32 private IP addresses:

{  
  "Id": "VpcSourceIp",  
  "Version": "2012-10-17",  
  "Statement": [  
    {  
      "Sid": "VpcSourceIp",  
      "Action": "s3:PutObject",  
      "Effect": "Deny",  
      "Resource": [  
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",  
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"  
      ],  
      "Condition": {  
        "NotIpAddress": {  
          "aws:VpcSourceIp": [  
            "10.1.1.1/32",  
            "172.1.1.1/32"  
          ]  
        }  
      },  
      "Principal": "*"  
    }  
  ]  
}

Note: Replace DOC-EXAMPLE-BUCKET with the name of your bucket.

To use the preceding policy with the aws:VpcSourceIp condition, create a VPC gateway endpoint for Amazon S3 and attach the gateway endpoint to the route table of the EC2 instance's subnet. The endpoint must be in the same Region as the bucket. aws:VpcSourceIp carries the private address of the requester inside the VPC and is present only for requests that arrive through a VPC endpoint, so this policy denies requests that reach S3 over the internet regardless of their source address.

Restrict access to specific public IP addresses or an IP address range

To allow traffic from only the public IP addresses or IP address range that you specify, use the aws:SourceIp key in your bucket policy. Amazon S3 evaluates aws:SourceIp against the public source address of the request, so list the addresses that your traffic actually leaves from, such as a NAT gateway or a corporate proxy. The key is not present for requests that arrive through a VPC endpoint (those carry aws:VpcSourceIp instead), so this policy also denies endpoint traffic unless you add an aws:SourceVpce condition to the same statement. The following example bucket policy denies upload permissions to the bucket unless the upload request comes from the 11.11.11.11/32 or 22.22.22.22/32 public IP addresses:

{  
  "Id": "SourceIP",  
  "Version": "2012-10-17",  
  "Statement": [  
    {  
      "Sid": "SourceIP",  
      "Action": "s3:PutObject",  
      "Effect": "Deny",  
      "Resource": [  
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",  
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"  
      ],  
      "Condition": {  
        "NotIpAddress": {  
          "aws:SourceIp": [  
            "11.11.11.11/32",  
            "22.22.22.22/32"  
          ]  
        }  
      },  
      "Principal": "*"  
    }  
  ]  
}

Note: Replace DOC-EXAMPLE-BUCKET with the name of your bucket.

The following example bucket policy denies upload permissions to the bucket unless the upload request comes from the 192.168.0.0/24 or 172.16.0.0/24 IP address ranges.

{
  "Id": "SourceIP",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SourceIP",
      "Action": "s3:PutObject",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "192.168.0.0/24",
            "172.16.0.0/24"
          ]
        }
      },
      "Principal": "*"
    }
  ]
}

Note: Replace DOC-EXAMPLE-BUCKET with the name of your bucket.

To exempt specific AWS Identity and Access Management (IAM) entities in the same AWS account from the Deny, for example a role that you use to administer the bucket, add the aws:PrincipalArn key to the statement's Condition block. All keys in one Condition block must match for the Deny to apply, so the statement then denies only principals that aren't listed. For an assumed role, aws:PrincipalArn is the ARN of the role, not of the session or the user that assumed it:

"Condition": {  
    "ArnNotLike": {  
        "aws:PrincipalArn": [  
            "arn:aws:iam::123456789012:role/role-name",  
            "arn:aws:iam::123456789012:user/user-name",  
            "arn:aws:iam::123456789012:root"  
        ]  
    }  
}

Note: These Deny statements only remove access; they don't grant any. To let users on the allowed VPC endpoints or IP addresses perform S3 actions on the bucket, you must still explicitly grant the permissions, in an IAM identity policy or in a separate Allow statement in the bucket policy. An explicit Deny always takes precedence over an Allow.
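The three Deny statements above, and the aws:PrincipalArn exemption, all rely on one IAM evaluation rule that the JSON alone doesn't show: a negated operator (StringNotEquals, NotIpAddress, ArnNotLike) matches when its condition key is absent from the request context. The following Python is an added example, not code from the original article or from AWS; it models just those operators and runs constructed request contexts against policies in the same shape as the examples. DOC-EXAMPLE-BUCKET, the vpce- IDs, the CIDRs and the break-glass role ARN are placeholders.

```python
"""Added example (not AWS code, not from the original article): a local evaluator
for the Deny-only bucket policies above. It models only the three operators those
policies use, plus the IAM rule that makes them work: a negated operator matches
when its condition key is absent from the request context. Request contexts are
constructed for illustration; bucket, endpoint IDs, CIDRs and ARNs are placeholders."""
import fnmatch
import ipaddress

# negated operator -> the positive operator it inverts
NEGATED = {"StringNotEquals": "StringEquals",
           "NotIpAddress": "IpAddress",
           "ArnNotLike": "ArnLike"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _positive_match(op, actual, expected):
    if op == "StringEquals":
        return actual in expected
    if op == "IpAddress":
        addr = ipaddress.ip_address(actual)
        return any(addr in ipaddress.ip_network(c, strict=False) for c in expected)
    if op == "ArnLike":
        return any(fnmatch.fnmatchcase(actual, p) for p in expected)
    raise ValueError(f"operator {op} is not modeled")


def condition_matches(condition, ctx):
    """Every operator/key pair in one Condition block must hold (logical AND)."""
    for op, keys in condition.items():
        negated = op in NEGATED
        for key, expected in keys.items():
            if key not in ctx:
                if negated:
                    continue      # missing key: a negated operator is true
                return False      # missing key: a positive operator is false
            hit = _positive_match(NEGATED.get(op, op), ctx[key], _as_list(expected))
            if hit == negated:    # positive miss, or negated hit
                return False
    return True


def is_denied(policy, action, ctx):
    """True if any Deny statement matches the action and context (Allows ignored)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


def deny_unless(op, key, allowed, exempt=None):
    """Build a Deny statement in the same shape as the article's examples."""
    cond = {op: {key: list(allowed)}}
    if exempt:  # same Condition block, so the exemption is ANDed with the source check
        cond["ArnNotLike"] = {"aws:PrincipalArn": list(exempt)}
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "Restrict", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                     "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
        "Condition": cond}]}


def demo():
    """Constructed request contexts against each policy; True means denied."""
    put = "s3:PutObject"
    vpce = deny_unless("StringNotEquals", "aws:SourceVpce", ["vpce-1111111", "vpce-2222222"])
    vpc_ip = deny_unless("NotIpAddress", "aws:VpcSourceIp", ["10.1.1.1/32", "172.1.1.1/32"])
    public = deny_unless("NotIpAddress", "aws:SourceIp", ["192.168.0.0/24", "172.16.0.0/24"],
                         exempt=["arn:aws:iam::123456789012:role/break-glass"])
    role = "arn:aws:iam::123456789012:role/"
    via_endpoint = {"aws:SourceVpce": "vpce-1111111", "aws:VpcSourceIp": "10.1.1.1"}
    return {
        "vpce_listed": is_denied(vpce, put, via_endpoint),
        "vpce_other": is_denied(vpce, put, {"aws:SourceVpce": "vpce-3333333"}),
        # internet or console request: no aws:SourceVpce key at all, so still denied
        "vpce_no_endpoint": is_denied(vpce, put, {"aws:SourceIp": "203.0.113.9"}),
        "vpcip_listed": is_denied(vpc_ip, put, via_endpoint),
        "vpcip_other": is_denied(vpc_ip, put, {"aws:VpcSourceIp": "10.1.1.2"}),
        "public_in_range": is_denied(public, put, {"aws:SourceIp": "192.168.0.77"}),
        "public_out_of_range": is_denied(public, put, {"aws:SourceIp": "192.168.1.1"}),
        # through an endpoint there is no aws:SourceIp, so the aws:SourceIp Deny applies
        "public_via_endpoint": is_denied(public, put, via_endpoint),
        "public_exempt_role": is_denied(public, put, {"aws:SourceIp": "198.51.100.1",
                                                      "aws:PrincipalArn": role + "break-glass"}),
        "public_other_role": is_denied(public, put, {"aws:SourceIp": "198.51.100.1",
                                                     "aws:PrincipalArn": role + "other"}),
    }


if __name__ == "__main__":
    for name, denied in demo().items():
        print(f"{name:20} {'DENY' if denied else 'not denied by this statement'}")
```

"Not denied" is not "allowed": an explicit Allow from an identity policy or another bucket-policy statement is still required, exactly as the note above says. The vpce_no_endpoint and public_via_endpoint cases are the two that surprise people in production: the first is why console access breaks, the second is why an aws:SourceIp rule silently blocks your own VPC endpoint traffic.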

Restrict access for all S3 buckets

To restrict access to all S3 buckets in your account or organization, configure a Service Control Policy (SCP) in AWS Organizations that denies the S3 actions under the same aws:SourceVpce, aws:SourceIp, or aws:VpcSourceIp conditions, with "Resource": "*" and no Principal element. An SCP applies to every IAM principal in the accounts it's attached to, so exempt a break-glass role with aws:PrincipalArn and test the SCP on a non-production organizational unit first. A Deny keyed on aws:SourceIp can also block AWS services that call S3 on your behalf, such as AWS CloudFormation, because those calls come from AWS addresses; add a Bool condition on aws:ViaAWSService to exclude them.
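A practitioner usually wants one statement that admits traffic from the VPC endpoints or from the public ranges, exempts a break-glass principal, and refuses to be saved if it could lock out the principal that repairs it. The following Python is an added example, not code from the original article or from AWS: it generates that statement, the SCP form for an organization-wide rule, and a lockout check in the spirit of the warning at the top of the page. The bucket name, endpoint IDs, CIDRs and role ARN are assumed placeholders; the aws:ViaAWSService condition is the standard IAM way to keep a source-IP Deny from blocking AWS services that call S3 on your behalf.

```python
"""Added example (not AWS code, not from the original article): build one Deny
statement that allows traffic from listed VPC endpoints OR listed public CIDRs,
exempts break-glass principals, emits the SCP form, and runs the sanity checks
worth doing before a Deny policy is saved. Bucket name, endpoint IDs, CIDRs and
role ARNs used in the demo are placeholders."""
import fnmatch
import ipaddress
import json
import re

VPCE_ID = re.compile(r"^vpce-[0-9a-f]+$")   # loose shape check, not AWS's exact format


def _validate(endpoints, cidrs, exempt_arns):
    if not endpoints and not cidrs:
        raise ValueError("no endpoints and no CIDRs: this would deny everyone")
    for e in endpoints:
        if not VPCE_ID.match(e):
            raise ValueError(f"not a VPC endpoint ID: {e}")
    for c in cidrs:
        ipaddress.ip_network(c, strict=True)   # raises on a bad CIDR or host bits set
    for a in exempt_arns:
        if not a.startswith("arn:aws:iam::"):
            raise ValueError(f"not an IAM principal ARN: {a}")


def _condition(endpoints, cidrs, exempt_arns, scp=False):
    """Keys in one Condition block are ANDed: 'not from a listed endpoint AND not
    from a listed CIDR AND not an exempt principal' is 'deny unless one holds'."""
    cond = {}
    if endpoints:
        cond["StringNotEquals"] = {"aws:SourceVpce": list(endpoints)}
    if cidrs:
        cond["NotIpAddress"] = {"aws:SourceIp": list(cidrs)}
    if exempt_arns:
        cond["ArnNotLike"] = {"aws:PrincipalArn": list(exempt_arns)}
    if scp:
        # AWS services calling S3 for you (for example CloudFormation) arrive from
        # AWS addresses; this keeps the organization-wide Deny off those calls.
        cond["Bool"] = {"aws:ViaAWSService": "false"}
    return cond


def build_bucket_policy(bucket, actions, endpoints=(), cidrs=(), exempt_arns=()):
    _validate(endpoints, cidrs, exempt_arns)
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnlessTrustedSource", "Effect": "Deny", "Principal": "*",
        "Action": list(actions),
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": _condition(endpoints, cidrs, exempt_arns)}]}


def build_scp(actions, endpoints=(), cidrs=(), exempt_arns=()):
    """SCP form: Resource '*' and no Principal element (SCPs don't allow one)."""
    _validate(endpoints, cidrs, exempt_arns)
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyS3UnlessTrustedSource", "Effect": "Deny",
        "Action": list(actions), "Resource": "*",
        "Condition": _condition(endpoints, cidrs, exempt_arns, scp=True)}]}


def lockout_warnings(policy):
    """Flag Deny statements that could cut off the path used to repair the policy."""
    warnings = []
    for s in policy["Statement"]:
        if s["Effect"] != "Deny":
            continue
        acts = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        covers_mgmt = any(fnmatch.fnmatchcase(a, p) for p in acts
                          for a in ("s3:PutBucketPolicy", "s3:DeleteBucketPolicy"))
        exempt = "aws:PrincipalArn" in s.get("Condition", {}).get("ArnNotLike", {})
        if covers_mgmt and not exempt:
            warnings.append(f"{s.get('Sid')}: denies bucket-policy changes for every "
                            "principal outside the allowed sources and exempts nobody; "
                            "a wrong source list locks you out")
    return warnings


if __name__ == "__main__":
    breakglass = "arn:aws:iam::123456789012:role/break-glass"   # placeholder ARN
    risky = build_bucket_policy("DOC-EXAMPLE-BUCKET", ["s3:*"],
                                endpoints=["vpce-1111111"], cidrs=["203.0.113.0/24"])
    print(lockout_warnings(risky))
    safe = build_bucket_policy("DOC-EXAMPLE-BUCKET", ["s3:*"], endpoints=["vpce-1111111"],
                               cidrs=["203.0.113.0/24"], exempt_arns=[breakglass])
    print(json.dumps(safe, indent=2))
    print(json.dumps(build_scp(["s3:*"], cidrs=["203.0.113.0/24"],
                               exempt_arns=[breakglass]), indent=2))
```

The combined statement works because an endpoint request carries no aws:SourceIp and an internet request carries no aws:SourceVpce, and the negated operators treat a missing key as a match; only a request that fails every listed source is denied. Validate the generated JSON with IAM Access Analyzer policy validation or the IAM policy simulator before attaching it, and attach an SCP to a test organizational unit first.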

AWS OFFICIAL, updated 3 months ago
1 Comment

How can we restrict access to all our buckets (thousands across the organization) to only allow access from our internal ip ranges (many that span the globe)? We would like to do it at an organization level without having to specify every bucket....

replied 3 months ago