IP access restriction on S3

Hi,

Answering to your question, yes you can restrict access to S3 bucket to specific IP address or range using a bucket policy.

The following example bucket policy allows traffic to the bucket when the request is from specified IP address or range ( aws:SourceIp):

{
"Id": "SourceIP",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSourceIP",
"Principal": "",
"Action": "s3:",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::BUCKET-NAME",
"arn:aws:s3:::BUCKET-NAME/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"11.11.11.11/32",
"22.22.22.22/24"
]
}
}
}
]
}

Note: Above policy allows s3 full access to all users from the specified IP address or range, but it doesn't deny all access from outside the IP address or range. If a IAM user/role from the same account is authenticated and has s3 access via IAM policy, this policy still allows the IAM to access the bucket from outside the specified IP address or range.

For example policy that denies permissions to any user to perform any S3 operations on objects in the specified S3 bucket unless the request originates from the IP address or range specified in the condition, please refer following documents.

[+] https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-3
[+] https://aws.amazon.com/premiumsupport/knowledge-center/block-s3-traffic-vpc-ip/

Regards,
Pavithra