How to allow Amazon S3 access from specific IPs

Question

I am trying this policy to allow users to Put and List object access with a particular IP (56.160.12.114) only and all the rest should have only Get access. But this policy is not working for me:

{
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPDeny",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-wicked-awesome-bucket/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "56.160.12.114/28"
                }
            }
        }
    ]
}

John Rotenstein · Answer 1 · 2018-05-06T23:40:49.367

This policy is saying: Deny access to anyone who is not using this range of IP addresses

That's fine, but you will also need a policy that Allows access, because the default behaviour is Deny. Thus, you are Denying people who are already denied by default.

A better way would be:

Have default Deny access (happens automatically)
Allow access based on IP

Something like this:

{
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-wicked-awesome-bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "56.160.12.114/28"
                }
            }
        }
    ]
}

Please note, however, that this is granting s3:* access to any system that is coming from that range of IP addresses (including whatever is connected to that network range). Make sure you're okay with that.

Update:

If you only want to grant the user the ability to Put and List the object, then use:

{
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::jstack-b",
                "arn:aws:s3:::jstack-b/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "56.160.12.114/28"
                }
            }
        }
    ]
}

hi John thanks for the reply. i have attached the given policy and access the bucket with ip 56.160.12.114. but i am able to delete the object. where as i want user should only put and list the object — Rishikesh, May 05 '18 at 19:23
HI John tried above policy but getting error while save the policy — Rishikesh, May 06 '18 at 15:44
Updated. `ListObjects` wasn't happy, so I used `ListBucket` instead, as per [AWS Bucket Policy Error: Policy has invalid action](https://stackoverflow.com/a/47708780/174777) — John Rotenstein, May 06 '18 at 23:41

How to allow Amazon S3 access from specific IPs

1 Answers1