What IP addresses need to be allow-listed for regional S3 API access?


An application needs to be able to upload / download data from Amazon S3 via the regional endpoint (ap-southeast-1). If there's a network firewall in place, which IP addresses need to be allow-listed?

From the AWS Service Endpoints, would this be just s3.ap-southeast-1.amazonaws.com, with the IP address ranges coming from https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html?

For example, IP ranges could be downloaded and filtered as follows:

curl -O https://ip-ranges.amazonaws.com/ip-ranges.json
jq -r '.prefixes[] | select(.region=="ap-southeast-1") | select(.service=="S3") | .ip_prefix' < ip-ranges.json

Result

18.34.248.0/22
16.12.48.0/21
52.219.32.0/21
18.34.64.0/21
52.219.180.0/22
52.219.40.0/22
52.219.164.0/22
52.219.124.0/22
3.5.146.0/23
52.219.128.0/22
52.219.184.0/21
52.219.132.0/22
3.5.148.0/22
13.213.20.144/28
13.213.20.160/28

Would allow-listing just the above IP address ranges be sufficient?

AWS
asked a year ago, 275 views
1 Answer
Accepted Answer

Yes, that is correct.

AWS
EXPERT
kentrad
answered a year ago
AWS
EXPERT
reviewed a year ago
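
The filter from the question, as an added example that is not part of the original post or answer: it applies the same region/service selection in Python and goes one step further by diffing the result against a firewall's current allow-list, using the file's syncToken to detect when the published ranges have changed. The sample document, CURRENT_ALLOWLIST, LAST_SYNC_TOKEN and the function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the layout of ip-ranges.json (not live data). The S3 ap-southeast-1
# prefixes come from the question's output; the other two entries are documentation ranges.
SAMPLE = json.loads("""
{
  "syncToken": "1700000000",
  "prefixes": [
    {"ip_prefix": "52.219.128.0/22", "region": "ap-southeast-1", "service": "S3"},
    {"ip_prefix": "52.219.132.0/22", "region": "ap-southeast-1", "service": "S3"},
    {"ip_prefix": "3.5.146.0/23", "region": "ap-southeast-1", "service": "S3"},
    {"ip_prefix": "203.0.113.0/24", "region": "ap-southeast-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "S3"}
  ]
}
""")
# Constructed firewall state: what is allow-listed today and the last token seen.
CURRENT_ALLOWLIST = ["52.219.128.0/22", "3.5.146.0/23", "192.0.2.0/24"]
LAST_SYNC_TOKEN = "1690000000"

def published_prefixes(doc, region, service="S3"):
    """Same selection as the jq filter: IPv4 prefixes for one region and service."""
    return sorted(ipaddress.ip_network(p["ip_prefix"]) for p in doc["prefixes"]
                  if p["region"] == region and p["service"] == service)

def diff_allowlist(published, current):
    """Return (missing, stale): published prefixes the allow-list does not cover,
    and allow-list entries that no published prefix covers."""
    current = [ipaddress.ip_network(c) for c in current]
    missing = [n for n in published if not any(n.subnet_of(c) for c in current)]
    stale = [c for c in current if not any(c.subnet_of(n) for n in published)]
    return missing, stale

def refresh_plan(doc, region, current, last_token):
    """Return None when syncToken is unchanged; otherwise what to add and remove."""
    if doc["syncToken"] == last_token:
        return None
    published = published_prefixes(doc, region)
    missing, stale = diff_allowlist(published, current)
    # collapse_addresses merges adjacent prefixes into fewer firewall rules.
    rules = [str(n) for n in ipaddress.collapse_addresses(published)]
    return {"add": [str(n) for n in missing],
            "remove": [str(n) for n in stale], "rules": rules}

if __name__ == "__main__":
    print(json.dumps(refresh_plan(SAMPLE, "ap-southeast-1",
                                  CURRENT_ALLOWLIST, LAST_SYNC_TOKEN), indent=2))
```

To run it against live data, load the downloaded ip-ranges.json with json.load in place of SAMPLE.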
