To the best of my knowledge, you'll need to have IP address ranges to restrict S3 bucket access for users outside AWS. Since you mentioned it, I assume you have already tried using the regional IP address ranges for us-west-2; here is the reference on how you can get the IP address ranges and how to restrict access via the resource (bucket) policy. But for users outside AWS, you'll need to have IP addresses/ranges; otherwise the bucket is public and open to all.
Hi, you can modify your S3 bucket policy [1] to place conditions on the requester's source IP, and use the advertised AWS IP ranges for the us-west-2 region. Kindly refer to link [2] for the public IPs in the us-west-2 region.
References:
[1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-3
[2] https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html
I'm just going to copy-paste my answer above since the answers are similar:
I know how to set up the bucket policy and restrict IAM access, but what confuses me are the IP ranges. One of the public IP addresses that I tested was 54.185.., which is in Oregon, hosted by AMZ itself, and should be covered in the us-west-2 region (I suppose?). However, it is not covered anywhere in the JSON file with CIDR format. Another one is 34.216.., which is also not covered. I want to filter IP addresses from public user requests, not just those from AWS services.
By the way, am I supposed to copy-paste all the 500+ IP address ranges for us-west-2 in the file into the policy? What's the best practice here? I'm all new to this, so apologies.
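As an added example (not code from any of the posters or from AWS), here is a Python script that does what the answer above describes instead of hand-pasting 500+ ranges: it filters the published ip-ranges.json down to one region and service, checks whether a given address falls inside any of those prefixes, and generates the Deny/NotIpAddress bucket policy from the AWS use-case-3 example. The ip-ranges.json URL and the policy pattern are real; the prefixes in SAMPLE_IP_RANGES are constructed placeholders and the bucket name is an assumption.

```python
import ipaddress
import json
import urllib.request
IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the shape of ip-ranges.json (documentation prefixes only).
SAMPLE_IP_RANGES = {
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/25", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.128/25", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-west-2", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
    ]
}

def load_ip_ranges(url=IP_RANGES_URL):
    """Download the published AWS IP ranges (network access required)."""
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)

def region_prefixes(ip_ranges, region, service="AMAZON"):
    """IPv4 CIDRs for one region/service, with adjacent blocks merged."""
    nets = [ipaddress.ip_network(p["ip_prefix"]) for p in ip_ranges["prefixes"]
            if p["region"] == region and p["service"] == service]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def covering_prefix(ip, prefixes):
    """Return the CIDR that contains ip, or None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    return next((p for p in prefixes if addr in ipaddress.ip_network(p)), None)

def build_bucket_policy(bucket, prefixes):
    """Deny all S3 actions from source IPs outside prefixes (AWS use-case-3 pattern)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideAllowedRanges",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"NotIpAddress": {"aws:SourceIp": prefixes}},
        }],
    }

def policy_size_bytes(policy):
    """S3 rejects bucket policies larger than 20 KB, so check before applying."""
    return len(json.dumps(policy, separators=(",", ":")).encode())
```

Because the Deny uses Principal "*", it also blocks your own IAM identities when they call from outside the listed ranges, so keep an allowed range (or a VPC endpoint condition) for administration. If covering_prefix returns None for an address you expected to be in us-west-2, that address is simply not in the published ranges and an aws:SourceIp condition cannot admit it without widening the allow list.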
Is this an architecture where you could provide access to the bucket via VPC endpoints? You can then add a condition to limit access to these endpoints, and you could make the bucket private.
I know how to set up the bucket policy and restrict IAM access, but what confuses me are the IP ranges. One of the public IP addresses that I tested was 54.185.., which is in Oregon, hosted by AMZ itself, and should be covered in the us-west-2 region (I suppose?). However, it is not covered anywhere in the JSON file with CIDR format. Another one is 34.216.., which is also not covered... Note that I want to filter public IP addresses from computer user requests, not just AWS service requests.
Also, am I supposed to copy-paste all the 500+ IP address ranges for us-west-2 in the file into the policy? What's the best practice here? I'm all new to this, so apologies.