I want to allow traffic from only specific Amazon Virtual Private Cloud (Amazon VPC) endpoints or IP addresses to my Amazon Simple Storage Service (Amazon S3) bucket.
Resolution
Use a bucket policy to specify the VPC endpoints, private IP addresses, or public IP addresses that can access your S3 bucket.
Warning: The following example bucket policies explicitly deny access to certain requests outside the allowed VPC endpoints or IP addresses. Evaluate your bucket policies to determine whether they affect console-related requests.
If your policy denies access to all S3 actions, then you get locked out of your bucket. Before you save your bucket policy, make sure to review it. If you lock yourself out of your bucket, then see How do I regain access to my Amazon S3 bucket after I accidentally denied everyone access?
Restrict access to specific VPC endpoints
To allow traffic from only the VPC endpoints that you specify, use the aws:SourceVpce key in your bucket policy. The following example bucket policy denies upload permissions to the bucket unless the upload request comes from the vpce-1111111 or vpce-2222222 VPC endpoints:
{
    "Id": "VPCe",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VPCe",
            "Action": "s3:PutObject",
            "Effect": "Deny",
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:SourceVpce": [
                        "vpce-1111111",
                        "vpce-2222222"
                    ]
                }
            },
            "Principal": "*"
        }
    ]
}
To use the preceding policy with the aws:SourceVpce condition, attach a VPC gateway endpoint for Amazon S3 to the route table of the Amazon Elastic Compute Cloud (Amazon EC2) instance's subnet. The endpoint must be in the same AWS Region as the bucket.
Restrict access to specific private IP addresses
To allow traffic from only the private IP addresses that you specify, use the aws:VpcSourceIp key in your bucket policy. The following example bucket policy denies upload permissions to the bucket unless the upload request comes from the 10.1.1.1/32 or 172.1.1.1/32 private IP addresses:
{
    "Id": "VpcSourceIp",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VpcSourceIp",
            "Action": "s3:PutObject",
            "Effect": "Deny",
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:VpcSourceIp": [
                        "10.1.1.1/32",
                        "172.1.1.1/32"
                    ]
                }
            },
            "Principal": "*"
        }
    ]
}
To use the preceding policy with the aws:VpcSourceIp condition, you must attach a VPC gateway endpoint for Amazon S3 to the route table of the EC2 instance's subnet. The endpoint must be in the same Region as the bucket.
Restrict access to specific public IP addresses
To allow traffic from only the public IP addresses that you specify, use the aws:SourceIp key in your bucket policy. The following example bucket policy denies upload permissions to the bucket unless the upload request comes from the 11.11.11.11/32 or 22.22.22.22/32 public IP addresses:
{
    "Id": "SourceIP",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SourceIP",
            "Action": "s3:PutObject",
            "Effect": "Deny",
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "11.11.11.11/32",
                        "22.22.22.22/32"
                    ]
                }
            },
            "Principal": "*"
        }
    ]
}
To allow specific AWS Identity and Access Management (IAM) entities in the same AWS account to access the bucket regardless of where their requests come from, include the aws:PrincipalArn key in the Condition block of the same Deny statement. All keys in one Condition block must match for the statement to apply, so the Deny then affects only requests that come from a disallowed source and are made by a principal that isn't in the list:
"Condition": {
    "ArnNotLike": {
        "aws:PrincipalArn": [
            "arn:aws:iam::123456789012:role/role-name",
            "arn:aws:iam::123456789012:user/user-name",
            "arn:aws:iam::123456789012:root"
        ]
    }
}
The Deny statements in this article only block requests; they don't grant anything. To allow users to use VPC endpoints or IP addresses to perform S3 actions on the bucket, explicitly allow user-level permissions. You can modify either an IAM policy or another statement in the bucket policy to allow user-level permissions.
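The following Python script is an added example, not code from this article or from AWS. It models how IAM evaluates the three negated condition operators used above (StringNotEquals, NotIpAddress, ArnNotLike) against a request context, so you can check before deployment which requests each of the preceding Deny statements would block. It builds the VPC endpoint, private IP, and public IP policies from the article, plus the variant that also exempts an IAM role with aws:PrincipalArn. Two behaviours worth checking are covered: keys inside one Condition block are ANDed, and a negated operator matches when its key is absent from the request, which is why a request that carries no aws:SourceVpce (for example, one that arrives from the public internet) is denied by the VPC endpoint policy. The evaluator is deliberately minimal (no Allow evaluation, no policy variables, `*` in an ARN pattern matches across colons) and the object key `report.csv` is a constructed sample.

```python
"""Minimal evaluator for the Deny statements shown in the article.

Added example, not AWS code. Models StringNotEquals, NotIpAddress and ArnNotLike
the way IAM applies them, including the absent-key case. Not a full IAM engine.
"""
import fnmatch
import ipaddress

BUCKET = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
OBJECT = BUCKET + "/report.csv"  # constructed sample object key
PUT = "s3:PutObject"


def _values(v):
    """Policy values may be a single string or a list; normalize to a list."""
    return v if isinstance(v, list) else [v]


def _string_not_equals(expected, actual):
    # IAM: a negated operator matches when the key is missing from the request.
    if actual is None:
        return True
    return all(actual != e for e in _values(expected))


def _not_ip_address(expected, actual):
    if actual is None:
        return True
    ip = ipaddress.ip_address(actual)
    return all(ip not in ipaddress.ip_network(cidr, strict=False) for cidr in _values(expected))


def _arn_not_like(expected, actual):
    # Approximation: fnmatch '*' also matches ':', which IAM's ARN matching does not.
    if actual is None:
        return True
    return all(not fnmatch.fnmatchcase(actual, pattern) for pattern in _values(expected))


OPERATORS = {
    "StringNotEquals": _string_not_equals,
    "NotIpAddress": _not_ip_address,
    "ArnNotLike": _arn_not_like,
}


def condition_matches(condition, context):
    """Every operator and every key in a Condition block must match (logical AND)."""
    for operator, keys in condition.items():
        evaluate = OPERATORS[operator]
        for key, expected in keys.items():
            if not evaluate(expected, context.get(key)):
                return False
    return True


def statement_matches(statement, action, resource, context):
    if action not in _values(statement["Action"]):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _values(statement["Resource"])):
        return False
    return condition_matches(statement.get("Condition", {}), context)


def is_denied(policy, action, resource, context):
    """True when any Deny statement matches; an explicit Deny always wins in IAM."""
    return any(
        s["Effect"] == "Deny" and statement_matches(s, action, resource, context)
        for s in policy["Statement"]
    )


def deny_put_unless(condition):
    """Build a policy in the shape used by the article's bucket policies."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Restrict", "Action": PUT, "Effect": "Deny",
            "Resource": [BUCKET, BUCKET + "/*"],
            "Condition": condition, "Principal": "*",
        }],
    }


VPCE_POLICY = deny_put_unless({"StringNotEquals": {"aws:SourceVpce": ["vpce-1111111", "vpce-2222222"]}})
PRIVATE_IP_POLICY = deny_put_unless({"NotIpAddress": {"aws:VpcSourceIp": ["10.1.1.1/32", "172.1.1.1/32"]}})
PUBLIC_IP_POLICY = deny_put_unless({"NotIpAddress": {"aws:SourceIp": ["11.11.11.11/32", "22.22.22.22/32"]}})
# VPC endpoint restriction that additionally exempts one IAM role (aws:PrincipalArn section).
VPCE_OR_ROLE_POLICY = deny_put_unless({
    "StringNotEquals": {"aws:SourceVpce": ["vpce-1111111", "vpce-2222222"]},
    "ArnNotLike": {"aws:PrincipalArn": ["arn:aws:iam::123456789012:role/role-name"]},
})

if __name__ == "__main__":
    cases = [
        ("VPCe, allowed endpoint", VPCE_POLICY, {"aws:SourceVpce": "vpce-1111111"}),
        ("VPCe, other endpoint", VPCE_POLICY, {"aws:SourceVpce": "vpce-3333333"}),
        ("VPCe, no endpoint (public internet)", VPCE_POLICY, {"aws:SourceIp": "11.11.11.11"}),
        ("private IP, listed", PRIVATE_IP_POLICY, {"aws:VpcSourceIp": "10.1.1.1"}),
        ("public IP, not listed", PUBLIC_IP_POLICY, {"aws:SourceIp": "22.22.22.23"}),
        ("other endpoint, exempt role", VPCE_OR_ROLE_POLICY,
         {"aws:SourceVpce": "vpce-3333333", "aws:PrincipalArn": "arn:aws:iam::123456789012:role/role-name"}),
    ]
    for label, policy, ctx in cases:
        print(f"{label}: {'DENIED' if is_denied(policy, PUT, OBJECT, ctx) else 'not denied by this statement'}")
```

Run it as a script to see each case; note that "not denied by this statement" is not the same as allowed, because an Allow must still exist elsewhere, as the last paragraph of the article says.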