How can I specify the VPC endpoints or IP addresses that can access my Amazon S3 bucket?

Last updated: 2021-02-10

I want to block any traffic that isn't coming from a specific Amazon Virtual Private Cloud (VPC) endpoint or certain external IP addresses. Or, I'm using an Amazon Simple Storage Service (Amazon S3) bucket to host a static website. The website must be accessible from specific VPC endpoints or IP addresses. How can I do that?

Resolution

Use a bucket policy to specify which VPC endpoints or external IP addresses can access the S3 bucket.

Note: An external IP address is a public IP address that can be from within a VPC or outside of a VPC. For example, an external IP address can be an Amazon Elastic Compute Cloud (Amazon EC2) instance's Elastic IP address. Or, the external IP address can be the IP address of a VPC's NAT gateway or proxy server.

The following example bucket policy denies all S3 actions on the bucket unless the request arrives through one of the specified VPC endpoints (aws:SourceVpce):

{
  "Id": "VPCe",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VPCe",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": [
            "vpce-1111111",
            "vpce-2222222"
          ]
        }
      },
      "Principal": "*"
    }
  ]
}

Note the following:

  • Replace DOC-EXAMPLE-BUCKET and the vpce- IDs with your bucket name and the IDs of your own VPC endpoints.
  • The aws:SourceVpce key is present in the request context only when the request comes through a VPC endpoint. For any other request (for example, from the public internet or the AWS Management Console) the key is absent, the negated operator StringNotEquals evaluates to true, and the request is denied.
  • This Deny statement only restricts access; it doesn't grant anything. Callers still need s3 permissions from an IAM policy or from an Allow statement in the bucket policy.

The following example bucket policy denies all S3 actions on the bucket unless the request comes from one of the specified external IP addresses (aws:SourceIp). Note that aws:SourceIp is the requester's public IP address and is not present in the request context for requests made through a VPC endpoint; to match the private IP address of a request that goes through a VPC endpoint, use the aws:VpcSourceIp condition key instead.

{
  "Id": "SourceIP",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SourceIP",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "11.11.11.11/32",
            "22.22.22.22/32"
          ]
        }
      },
      "Principal": "*"
    }
  ]
}

Warning: These example bucket policies explicitly deny access to any requests outside the allowed VPC endpoints or IP addresses. Even the user that entered the bucket policy can be denied access to the bucket if the user doesn't meet the conditions. You must review the bucket policy carefully before you save it. If you get accidentally locked out, see I accidentally denied everyone access to my Amazon S3 bucket. How do I regain access?

If you must allow specific users (within the same AWS account) access to the bucket, then add the following condition to the Condition block of the Deny statement. All conditions in a statement must be true for the Deny to apply, so these identities are excluded from the Deny even when their requests don't come from an allowed VPC endpoint or IP address. For example:

"StringNotLike": {
  "aws:userId": [
    "AROAEXAMPLEID:*",
    "AIDAEXAMPLEID",
    "111111111111"
  ]
}

In this example:

  • AROAEXAMPLEID is the role ID of an IAM role that you want to allow. The aws:userId of a role session is the role ID followed by a colon and the role session name, so the trailing :* matches every session of that role.
  • AIDAEXAMPLEID is the user ID of an IAM user that you want to allow.
  • 111111111111 is the AWS account ID of the bucket, which represents the account's root credentials.
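The Deny-unless pattern is easy to get wrong because it relies on how IAM treats negated operators and keys that are absent from the request context. The following Python script is an added example (not AWS code and not part of this article): it builds one statement that combines the three conditions shown above (VPC endpoint, source IP, and the aws:userId exception, which the article presents separately; combining them is an assumption and amounts to "allow if any one of the three holds", because the keys in a single statement are ANDed) and evaluates it locally against a few constructed request contexts. It implements only the parts of the IAM evaluation that these policies depend on: StringNotEquals, NotIpAddress with CIDR matching, StringNotLike with * and ? wildcards, case-insensitive condition keys, and the rule that a negated operator is true when its key is missing from the request. It assumes the statement's Action, Resource and Principal already match the request, so only the Condition block decides.

```python
"""Local simulator for the Deny-unless-trusted-source S3 bucket policy conditions.

Added example, not AWS code. Only the negated condition operators used by the
policies in the article are implemented; Action/Resource/Principal matching is
assumed to have succeeded, so the Condition block alone decides the outcome.
"""
import ipaddress
import re

# Combined statement (assumption: the article shows the three conditions separately).
# All keys in one Condition block are ANDed, so the Deny applies only to requests that
# come from neither a listed endpoint, nor a listed IP, nor an exempted identity.
# Endpoint IDs, IPs and principal IDs are the article's placeholder values.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnlessTrustedSource",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
            ],
            "Condition": {
                "StringNotEquals": {"aws:SourceVpce": ["vpce-1111111", "vpce-2222222"]},
                "NotIpAddress": {"aws:SourceIp": ["11.11.11.11/32", "22.22.22.22/32"]},
                "StringNotLike": {
                    "aws:userId": ["AROAEXAMPLEID:*", "AIDAEXAMPLEID", "111111111111"]
                },
            },
        }
    ],
}


def wildcard_to_regex(pattern):
    """IAM string patterns support * (any run of characters) and ? (one character)."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return "".join(parts)


def string_not_equals(value, allowed):
    return value not in allowed


def not_ip_address(value, cidrs):
    ip = ipaddress.ip_address(value)
    return not any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def string_not_like(value, patterns):
    return not any(re.fullmatch(wildcard_to_regex(p), value) for p in patterns)


# Only negated operators are modelled: for these, a key that is absent from the
# request context makes the condition true (IAM rule), which is exactly what
# turns "StringNotEquals aws:SourceVpce" into "deny everything not via a VPCe".
NEGATED_OPERATORS = {
    "StringNotEquals": string_not_equals,
    "NotIpAddress": not_ip_address,
    "StringNotLike": string_not_like,
}


def condition_matches(condition, request_context):
    """True when every operator/key pair in the Condition block holds for the request."""
    ctx = {k.lower(): v for k, v in request_context.items()}  # keys are case-insensitive
    for operator, keys in condition.items():
        if operator not in NEGATED_OPERATORS:
            raise ValueError(f"operator {operator} not modelled by this simulator")
        check = NEGATED_OPERATORS[operator]
        for key, values in keys.items():
            values = [values] if isinstance(values, str) else list(values)
            if key.lower() not in ctx:
                continue  # absent key: negated operator evaluates to true
            if not check(ctx[key.lower()], values):
                return False
    return True


def is_denied(policy, request_context):
    """True if any Deny statement's Condition block matches the request."""
    return any(
        stmt["Effect"] == "Deny" and condition_matches(stmt.get("Condition", {}), request_context)
        for stmt in policy["Statement"]
    )


# Constructed request contexts. aws:SourceVpce appears only for requests made through a
# VPC endpoint; aws:SourceIp appears only for requests that do not go through one.
REQUESTS = {
    "via allowed endpoint": {"aws:SourceVpce": "vpce-1111111", "aws:userId": "AIDAOTHER"},
    "via unlisted endpoint": {"aws:SourceVpce": "vpce-3333333", "aws:userId": "AIDAOTHER"},
    "from allowed public IP": {"aws:SourceIp": "22.22.22.22", "aws:userId": "AIDAOTHER"},
    "from other public IP": {"aws:SourceIp": "203.0.113.7", "aws:userId": "AIDAOTHER"},
    "other IP, exempt role session": {"aws:SourceIp": "203.0.113.7", "aws:userId": "AROAEXAMPLEID:alice"},
    "other IP, account root": {"aws:SourceIp": "203.0.113.7", "aws:userId": "111111111111"},
}


def evaluate(policy=POLICY, requests=REQUESTS):
    """Map each constructed request name to whether the Deny statement applies."""
    return {name: is_denied(policy, ctx) for name, ctx in requests.items()}


if __name__ == "__main__":
    for name, denied in evaluate().items():
        print(f"{name:32s} -> {'DENIED' if denied else 'not denied by this statement'}")
```

Run it before you save a policy of this shape: add a request context that looks like the one you will use to edit the bucket policy (for most people that is the console, which has no aws:SourceVpce key and a public aws:SourceIp) and make sure it is not denied, or include your own aws:userId in the StringNotLike list.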

For more information on granting access to specific IAM roles, see How to restrict Amazon S3 bucket access to a specific IAM role.

