Is there a way we can enforce access only from a particular IP range for an S3 static-website-hosted site?
Viewed 6,805 times
1 Answer
8
Actually, you only need to configure S3 access using a bucket policy:
- Open your AWS S3 Console
- Right-click your bucket and choose Properties. You will see the bucket properties on the right side.
- In the Permission section, click Edit Bucket Policy.
- Fill with the following policy (adjust the IP address):
```json
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "54.240.143.0/24"
        }
      }
    }
  ]
}
```
See more S3 bucket policy examples here.

Edward Samuel
- Of course, this assumes the objects themselves were not uploaded with `x-amz-acl: public-read` and that no other bucket policy also allows read. Otherwise, this policy will not override that, and the permissions of the objects need to be changed, or the bucket policy will need to be `Deny` instead of `Allow`, and the condition changed to `NotIpAddress`. (Any matching `Allow` will allow, any matching `Deny` will deny, and `Deny` always overrules `Allow`.) In either case, `"aws:SourceIp"` can also specify an array of CIDR values, each value quoted, comma separated, in `[` brackets `]`. – Michael - sqlbot Aug 08 '15 at 02:07
- N.B. the S3 website hosting documentation indicates that everything must be "public" but what this really means is that *some* mechanism other than signature-based authentication must make the objects accessible. This can be the object ACL *or* the bucket policy. – Michael - sqlbot Aug 08 '15 at 02:11