By using AWS re:Post, you agree to the Terms of Use

Condition to limit S3 access from AWS network only


I need to provide an assess to my S3 to partners companies which has their own AWS accounts

I'd like to limit access to my S3 bucket by AWS network only.

The reason is to prevent anyone from downloading resources directly to on premises servers. Because according to my understanding, when partner will be downloading data from my S3 to EC2 (for example) in their AWS account in the same region this data transfer would not be charged. The region could be limited by s3:LocationConstraint condition.

So my question is which policy condition should be used to limit by AWS network?

  • Hmm... It seams like I can't use s3:LocationConstraint for GetObject. It is written in documentation: "Not all conditions make sense for all actions. For example, it makes sense to include an s3:LocationConstraint condition on a policy that grants the s3:CreateBucket Amazon S3 permission. However, it does not make sense to include this condition on a policy that grants the s3:GetObject permission."

    Is there any other way to limit readings from specific region?

3 Answers

You can try the aws:SourceVpc condition of IAM Policy document. Check the details from the documentation! :)

answered 6 months ago
  • Good idea! Thank you however it requires that the in-VPC service on the other side. Non-VPC Lambda for example, will not be able to access the data. In the meanwhile, pretty good workaround! Thank you.



Yes you can do that, Please follow the AWS Support Blog

Thank You GK

answered 6 months ago
  • Thank you for your comment. Unfortunately either of suggested restrictions doesn't solves the issue.

    1. VPC endpoint service with our partners will cause per GB charge.
    2. Not all partners are ready to setup a NAT with static IP. Again because of per GB price.

    In our case we are talking about hundreds of terabytes per month so we are really sensitive in this questions.

    As it is written here

    You pay for all bandwidth into and out of Amazon S3, except for the following:

    ... Data transferred from an Amazon S3 bucket to any AWS service(s) within the same AWS Region as the S3 bucket (including to a different account in the same AWS Region) ....

    So my question is how to put exactly this statement into policy condition.


You could write a bucket policy that uses the SourceIP condition and limits it to EC2 CIDR address for your region.

curl > ip-ranges.json
jq -r '.prefixes[] | select(.region=="us-east-1") | select(.service=="EC2") | .ip_prefix' < ip-ranges.json
profile picture
answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions