IAM Policy Restricting S3 Access by IP Address
Create an IAM policy that allows S3 access only from specific IP addresses or CIDR ranges. Uses the aws:SourceIp condition for network-level restrictions.
Detailed Explanation
IP-Restricted S3 Access
For compliance or security requirements, you may need to ensure that S3 data can only be accessed from specific networks — such as your corporate VPN, office IP ranges, or specific servers.
Policy JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3FromSpecificIPs",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::sensitive-data-bucket",
        "arn:aws:s3:::sensitive-data-bucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "203.0.113.0/24",
            "198.51.100.0/24"
          ]
        }
      }
    }
  ]
}
How the IpAddress Condition Works
- aws:SourceIp evaluates the IP address of the API caller.
- Supports CIDR notation (/24, /32, etc.) and individual IPs.
- Multiple CIDR ranges can be specified as an array — any match allows access.
Important Caveats
- VPC endpoints: Requests through S3 VPC endpoints do not have a source IP — use aws:SourceVpce or aws:SourceVpc instead.
- Lambda and other services: Requests from AWS services use internal IPs that are not predictable. For service-to-service access, use VPC conditions or service-linked roles instead of IP conditions.
- IPv6: If clients use IPv6, include IPv6 CIDR ranges in the condition.
Deny-Based Alternative
A more robust approach uses a Deny statement that blocks everything except the allowed IPs:
{
  "Effect": "Deny",
  "Action": "s3:*",
  "Resource": "*",
  "Condition": {
    "NotIpAddress": {
      "aws:SourceIp": ["203.0.113.0/24"]
    }
  }
}
This "deny unless" pattern is stronger because an explicit Deny always overrides an Allow, including an Allow granted by some other policy attached to the same principal.
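The following is an added example, not part of the original page: a small Python model of how IAM evaluates the IpAddress and NotIpAddress conditions, built to show the three behaviours described above side by side (the Allow-only policy, the "deny unless" statement, and the VPC-endpoint and IPv6 caveats). It models only the rules the page relies on: an explicit Deny overrides any Allow, a request with no match is implicitly denied, a positive operator is false when the key is absent from the request context while a negated operator is true, and separate condition blocks are ANDed. The policies and request contexts are constructed for the example; the VPC endpoint id is a placeholder, and the third policy adds a StringNotEquals block on aws:SourceVpce to show one way the bare Deny can be kept from locking out endpoint traffic. It is a teaching model, not the IAM engine.

```python
"""Toy model of IAM evaluation for aws:SourceIp conditions (constructed example)."""
import fnmatch
import ipaddress

# Constructed policy mirroring the Allow-only shape discussed above.
ALLOW_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowS3FromSpecificIPs",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::sensitive-data-bucket",
                     "arn:aws:s3:::sensitive-data-bucket/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.0/24"]}},
    }],
}

# "Deny unless": a broad Allow plus a Deny for any request NOT from the allowed range.
DENY_UNLESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
    ],
}

# Same Deny plus a second condition block exempting one VPC endpoint. Blocks are
# ANDed, so the Deny fires only when the request is neither from the allowed range
# nor from that endpoint. The endpoint id is a placeholder, not a real resource.
DENY_UNLESS_WITH_VPCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {
             "NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
             "StringNotEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"},
         }},
    ],
}

# Constructed request contexts. A request via a VPC endpoint carries no aws:SourceIp.
OFFICE = {"aws:SourceIp": "203.0.113.10"}
OUTSIDE = {"aws:SourceIp": "192.0.2.5"}
IPV6_CLIENT = {"aws:SourceIp": "2001:db8::1"}
VIA_VPCE = {"aws:SourceVpce": "vpce-PLACEHOLDER"}
OBJECT = "arn:aws:s3:::sensitive-data-bucket/report.csv"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in_any(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    # An IPv6 address is never inside an IPv4 network (and vice versa); 'in' is False.
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _block_holds(operator, key_values, ctx):
    """Evaluate one operator block, e.g. {"aws:SourceIp": [...]} under IpAddress."""
    negated = operator in ("NotIpAddress", "StringNotEquals")
    for key, wanted in key_values.items():
        wanted = _as_list(wanted)
        actual = ctx.get(key)
        if operator in ("IpAddress", "NotIpAddress"):
            matched = actual is not None and _ip_in_any(actual, wanted)
        elif operator in ("StringEquals", "StringNotEquals"):
            matched = actual is not None and actual in wanted
        else:
            raise ValueError(f"operator not modelled: {operator}")
        # Absent key: a positive operator is false, a negated operator is true.
        if not ((not matched) if negated else matched):
            return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # nothing matched: default deny
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not all(_block_holds(op, kv, ctx) for op, kv in stmt.get("Condition", {}).items()):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for name, policy in [("allow-only", ALLOW_ONLY_POLICY),
                         ("deny-unless", DENY_UNLESS_POLICY),
                         ("deny-unless+vpce", DENY_UNLESS_WITH_VPCE_POLICY)]:
        for who, ctx in [("office", OFFICE), ("outside", OUTSIDE),
                         ("ipv6", IPV6_CLIENT), ("vpce", VIA_VPCE)]:
            print(f"{name:18} {who:8} -> {evaluate(policy, 's3:GetObject', OBJECT, ctx)}")
```

Running it shows the point of each section: the Allow-only policy lets the office range in and silently leaves the outside, IPv6 and VPC-endpoint requests at the implicit deny; the bare "deny unless" statement turns the outside request into an explicit deny but also explicitly denies the VPC-endpoint request, because NotIpAddress is true when aws:SourceIp is absent; adding the aws:SourceVpce block restores endpoint access while keeping the explicit deny for everything else. Before deploying either form, confirm the same cases against the IAM policy simulator with the real endpoint id and ranges, since this model covers only the operators shown.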
Use Case
Restricting access to sensitive data buckets to corporate network ranges, VPN exit points, or specific server IP addresses for regulatory compliance (HIPAA, PCI DSS, SOC 2).