
How do I restrict access to AWS resources based on the AWS Region, source IP address, or Amazon VPC?


I want to restrict access to AWS resources based on the AWS Region, source IP address, or Amazon Virtual Private Cloud (Amazon VPC).

Short description

Use AWS Identity and Access Management (IAM) identity-based policies and Amazon Simple Storage Service (Amazon S3) bucket policies to control access to AWS resources. With condition keys in those policies, you can allow or deny access based on the AWS Region that a request targets, the source IP address that the request comes from, or the Amazon VPC that the request originates in.

Resolution

Deny access to AWS resources based on the requested AWS Region

Create an identity-based policy with the aws:RequestedRegion condition key that denies access to all actions outside the specified Regions.

For more information, see AWS: Denies access to AWS based on the requested Region.

Deny access to AWS resources based on the source IP address

Create an identity-based policy with the aws:SourceIp and aws:ViaAWSService condition keys that denies access to all actions from outside the specified IP address range. The aws:ViaAWSService key exempts requests that an AWS service makes on your behalf, because those requests don't carry your source IP address and would otherwise be denied. Only public IP addresses or public IP ranges are supported.

Note: The aws:SourceIp condition key is included in all requests except those that use an Amazon VPC endpoint.

For an example IAM policy and more information, see AWS: Denies access to AWS based on the source IP.
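The following is an added example, not code from this article or from AWS documentation. It builds the two identity-based deny statements described in the previous two sections (aws:RequestedRegion, and aws:SourceIp combined with aws:ViaAWSService) and runs them through a deliberately simplified condition evaluator that reproduces one IAM rule worth knowing: a negated operator such as StringNotEquals or NotIpAddress matches when its key is absent from the request context. The Region list and CIDR ranges are placeholders, and the request contexts are constructed.

```python
import ipaddress

# Constructed example (not from the page): the two identity-based deny patterns
# described above. The Region list and CIDRs are placeholders.
ALLOWED_REGIONS = ["eu-central-1", "eu-west-1"]
ALLOWED_CIDRS = ["192.0.2.0/24", "203.0.113.0/24"]

REGION_AND_IP_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Deny everything outside the approved Regions.
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
        },
        {   # Deny everything from outside the approved public IP ranges,
            # except requests an AWS service makes on the principal's behalf.
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": ALLOWED_CIDRS},
                "Bool": {"aws:ViaAWSService": "false"},
            },
        },
    ],
}

def _string_not_equals(ctx, key, values):
    # Negated operators match when the key is absent from the request context.
    return key not in ctx or ctx[key] not in values

def _not_ip_address(ctx, key, cidrs):
    # Same rule: a VPC endpoint request has no aws:SourceIp, so this matches.
    if key not in ctx:
        return True
    ip = ipaddress.ip_address(ctx[key])
    return not any(ip in ipaddress.ip_network(c) for c in cidrs)

def _bool(ctx, key, want):
    # Non-negated operator: an absent key makes the condition false.
    return key in ctx and str(ctx[key]).lower() == want

def deny_matches(policy, ctx):
    """Return True if any Deny statement's conditions all match the context."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        cond = st.get("Condition", {})
        checks = (
            [_string_not_equals(ctx, k, v) for k, v in cond.get("StringNotEquals", {}).items()]
            + [_not_ip_address(ctx, k, v) for k, v in cond.get("NotIpAddress", {}).items()]
            + [_bool(ctx, k, v) for k, v in cond.get("Bool", {}).items()]
        )
        if all(checks):
            return True
    return False
```

A request that arrives through a VPC endpoint has no aws:SourceIp, so the IP deny matches it; that is the reason for the note above and for using the VPC-based keys in the next section for that traffic.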

Control access from Amazon VPC with Amazon S3 bucket policies

Create an Amazon S3 bucket policy with the aws:SourceVpce condition key to restrict access to buckets from specific Amazon VPC endpoints. You can also create an Amazon S3 bucket policy with the aws:SourceVpc condition key to restrict access to buckets from specific Amazon VPCs.

For more information, see Controlling access from VPC endpoints with bucket policies.

Note: The aws:SourceVpc or aws:SourceVpce condition key is included only if the requester uses a VPC endpoint to make the request.

Related information

AWS service endpoints

AWS global condition context keys

VPC endpoints