4

I am trying to allow connection to a bucket from three specified IP addresses. When I add them this way:

{
    "Version": "2008-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPDeny",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucket/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "ip1",
                    "aws:SourceIp": "ip2",
                    "aws:SourceIp": "ip3"
                }
            }
        }
    ]
}

Upon saving, only one line of the three will be kept, so I can only have one IP set. Any idea how I can do it without going long by adding new statements and workarounds?

Kratos
  • 1,064
  • 4
  • 20
  • 39

3 Answers

19
{
    "Version": "2008-10-17",
    "Id": "testPolicy",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/subfolder/subfolder2/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "xxx.xxx.xxx.xxx/32",
                        "xxx.xxx.xxx.xxx/32"
                    ]
                }
            }
        }
    ]
}

Kratos
  • 1,064
  • 4
  • 20
  • 39
0

You have to provide IPs in the form of a subnet, like:
Wrong: 1.2.3.4
Right: 1.2.3.4/32

Mahadev Patil
  • 109
  • 11
0

It isn't mandatory to apply the routing prefix for the specific IP address. According to the official AWS documentation:

If you specify an IP address without the associated routing prefix, IAM uses the default prefix value of /32.

I've tested it at my end and it works even after not specifying /32 after the IP address.
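The following is an added example written for this page, not code posted by the question's author or any of the answerers. It ties the three answers together: it builds the accepted answer's Allow/IpAddress policy with "aws:SourceIp" as a JSON array, normalizes bare addresses to /32 (or /128 for IPv6) as the last answer says IAM does by default, lints raw policy text for the repeated-key mistake from the question, and evaluates a source IP against the policy's IP conditions offline so a reviewer can see which addresses get through before deploying. The bucket name, the sample addresses (RFC 5737/3849 documentation ranges), and the helper names are assumptions; the evaluator only models IpAddress/NotIpAddress on aws:SourceIp, so it is a review aid, not a replacement for the IAM policy simulator.

```python
"""Build, lint and sanity-check an S3 bucket policy that restricts access by source IP.

Added example for this Q&A page; not the question's or any answer's own code.
Bucket name, addresses and helper names are assumptions.
"""
import ipaddress
import json

# Constructed sample inputs: a placeholder bucket and three allow-listed networks.
BUCKET = "example-bucket"
ALLOWED_IPS = ["203.0.113.10", "198.51.100.0/24", "2001:db8::1"]

# Constructed fragment reproducing the question's mistake: one JSON object with
# the same key three times. Every standard JSON parser keeps only one of them.
DUPLICATE_KEY_TEXT = """{
  "Condition": {
    "NotIpAddress": {
      "aws:SourceIp": "ip1",
      "aws:SourceIp": "ip2",
      "aws:SourceIp": "ip3"
    }
  }
}"""


def normalize_cidr(ip: str) -> str:
    """Return the address in explicit CIDR form.

    IAM treats a bare address as /32 (IPv6: /128); writing the prefix out makes
    the policy unambiguous for reviewers and policy linters.
    """
    return str(ipaddress.ip_network(ip, strict=False))


def build_ip_policy(bucket: str, cidrs: list) -> dict:
    """Allow s3:GetObject only from the listed networks (the accepted answer's shape).

    The condition value is a JSON array, which is how several values are
    attached to one key; repeating the key collapses to a single entry.
    """
    return {
        "Version": "2012-10-17",  # current policy language version; assumption
        "Id": "IpAllowListPolicy",
        "Statement": [
            {
                "Sid": "AllowFromListedNetworks",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "IpAddress": {"aws:SourceIp": [normalize_cidr(c) for c in cidrs]}
                },
            }
        ],
    }


def find_duplicate_keys(policy_text: str) -> list:
    """Report keys repeated inside one JSON object; a parser would keep only one."""
    dupes = []

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                dupes.append(key)
            seen.add(key)
        return dict(pairs)

    json.loads(policy_text, object_pairs_hook=hook)
    return dupes


def _condition_matches(cond: dict, addr) -> bool:
    """True when every IpAddress/NotIpAddress operator on aws:SourceIp is satisfied."""
    for op, expect_hit in (("IpAddress", True), ("NotIpAddress", False)):
        if op not in cond:
            continue
        ranges = cond[op].get("aws:SourceIp", [])
        if isinstance(ranges, str):
            ranges = [ranges]
        # Membership across IPv4/IPv6 is simply False, which is the safe reading.
        hit = any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)
        if hit != expect_hit:
            return False
    return True


def source_ip_allowed(policy: dict, source_ip: str) -> bool:
    """Evaluate the bucket policy alone: an Allow must match and no Deny may match."""
    addr = ipaddress.ip_address(source_ip)
    allowed = False
    for stmt in policy["Statement"]:
        if not _condition_matches(stmt.get("Condition", {}), addr):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny always wins
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_ip_policy(BUCKET, ALLOWED_IPS)
    print(json.dumps(policy, indent=2))
    print("duplicate keys in question's fragment:", find_duplicate_keys(DUPLICATE_KEY_TEXT))
    for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.77", "2001:db8::1"):
        print(ip, "->", "allowed" if source_ip_allowed(policy, ip) else "denied")
```

Running the script prints the generated policy, the two collapsed duplicates from the question's fragment, and an allowed/denied verdict per sample address. Because `find_duplicate_keys` sees the raw text before any save step rewrites it, it is a cheap pre-commit check for exactly the "only one line of the three is kept" symptom.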