I want to restrict access to AWS resources based on the AWS Region, source IP address, or Amazon Virtual Private Cloud (Amazon VPC).
Short description
Use AWS Identity and Access Management (IAM) identity-based policies and Amazon Simple Storage Service (Amazon S3) bucket policies to deny or control access to AWS resources. You can control access based on the AWS Region, source IP address, or VPC from which the resource is accessed.
Resolution
Deny access to AWS resources based on the requested AWS Region
Create an identity-based policy with the IAM aws:RequestedRegion condition key that denies access to all actions outside the specified Regions.
For more information, see AWS: Denies access to AWS based on the requested Region.
Deny access to AWS resources based on the source IP address
Create an identity-based policy with the IAM aws:SourceIp and aws:ViaAWSService condition keys that denies access to all actions outside the specified IP address range. Only public IP addresses or public IP ranges are supported.
Note: The aws:SourceIp condition key is always included in the request, except for requests that use an Amazon VPC endpoint.
For an example IAM policy and more information, see AWS: Denies access to AWS based on the source IP.
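Added example, not code from the original article: a small Python helper that emits the source-IP deny policy described above, with aws:ViaAWSService set to false so that calls an AWS service makes on the caller's behalf are not caught by the Deny, and that rejects private or reserved ranges up front, because aws:SourceIp only ever carries public addresses. The function names and the sample CIDRs (IANA documentation ranges) are this example's own.

```python
import ipaddress
import json

# Ranges that never appear in aws:SourceIp, because the key only carries the
# public address a request arrived from (constructed list: RFC 1918, loopback,
# link-local, IPv6 ULA). A Deny keyed on one of these would deny every request.
NON_PUBLIC_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10",
)]


def is_public_range(cidr):
    """True if cidr parses as a network and overlaps none of NON_PUBLIC_RANGES."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return False
    return not any(net.overlaps(blocked) for blocked in NON_PUBLIC_RANGES)


def deny_outside_source_ips(allowed_cidrs):
    """Return an identity-based policy that denies every action unless the
    request comes from allowed_cidrs. Raises ValueError on a non-public range."""
    bad = [c for c in allowed_cidrs if not is_public_range(c)]
    if bad:
        raise ValueError(f"not public, would never match aws:SourceIp: {bad}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromAllowedIps",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                # NotIpAddress matches (and so denies) when the source is outside the list.
                "NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)},
                # Requests an AWS service makes on the caller's behalf arrive from the
                # service's IP; excluding them keeps the Deny from breaking those calls.
                "Bool": {"aws:ViaAWSService": "false"},
            },
        }],
    }


if __name__ == "__main__":
    # Sample ranges are IANA documentation blocks, used here as constructed input.
    print(json.dumps(deny_outside_source_ips(["192.0.2.0/24", "203.0.113.0/24"]), indent=2))
```

Requests that arrive through a VPC endpoint carry no aws:SourceIp key at all, so this policy does not match them; use the aws:SourceVpce or aws:SourceVpc keys for that case.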
Control access from Amazon VPC with Amazon S3 bucket policies
Create an Amazon S3 bucket policy with the IAM aws:SourceVpce condition key to restrict access to buckets from specific Amazon VPC endpoints. You can also create an Amazon S3 bucket policy with the IAM aws:SourceVpc condition key to restrict access to buckets from specific Amazon VPCs.
For more information, see Controlling access from VPC endpoints with bucket policies.
Note: The aws:SourceVpc or aws:SourceVpce condition key is only included if the requester uses a VPC endpoint to make the request.
Related information
AWS service endpoints
AWS global condition context keys
VPC endpoints