How can I specify which VPCs or IP addresses can access my Amazon S3 bucket?

Last updated: 2019-04-22

I want to block all traffic to my Amazon Simple Storage Service (Amazon S3) bucket unless the traffic is from a specific Amazon Virtual Private Cloud (VPC) or certain external IP addresses. Or, I'm using a bucket to host a static website and I want the website to be accessible only from specific VPCs or IP addresses. How can I do that? 

Resolution

Use a bucket policy to specify which VPCs or external IP addresses can access the S3 bucket.

For example, the following bucket policy blocks traffic to the bucket unless the request is from specified VPC endpoints (aws:SourceVpce) or external IP addresses (aws:SourceIp). Note the following:

  • To use this policy with the aws:SourceVpce condition, you must have a VPC endpoint for Amazon S3.
  • To allow users to perform S3 actions on the bucket from the VPC endpoints or IP addresses, you must explicitly grant those user-level permissions. You can grant user-level permissions on either an AWS Identity and Access Management (IAM) policy or another statement in the bucket policy.

{
  "Version": "2012-10-17",
  "Id": "VPCe and SourceIP",
  "Statement": [{
    "Sid": "VPCe and SourceIP",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::awsexamplebucket",
      "arn:aws:s3:::awsexamplebucket/*"
    ],
    "Condition": {
      "StringNotLike": {
        "aws:sourceVpce": [
          "vpce-1111111",
          "vpce-2222222"
        ]
      },
      "NotIpAddress": {
        "aws:SourceIp": [
          "11.11.11.11/32",
          "22.22.22.22/32"
        ]
      }
    }
  }]
}
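To make the Deny logic concrete, here is an added example (not from the AWS article) that models how IAM evaluates this statement against a request context: every condition block must match for the Deny to apply, and a condition key that is absent from the request counts as matched for the negated operators, which is why a request from an unlisted address with no VPC endpoint is denied. The policy text is a constructed copy of the one above; `denied_by_policy`, `condition_matches` and the request dictionaries are this example's own names.

```python
import fnmatch
import ipaddress
import json

# Constructed copy of the page's Deny statement (example endpoint IDs and addresses).
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VPCe and SourceIP",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::awsexamplebucket", "arn:aws:s3:::awsexamplebucket/*"],
    "Condition": {
      "StringNotLike": {"aws:sourceVpce": ["vpce-1111111", "vpce-2222222"]},
      "NotIpAddress": {"aws:SourceIp": ["11.11.11.11/32", "22.22.22.22/32"]}
    }
  }]
}""")

def _context_value(context, key):
    # IAM condition key names are case-insensitive ("aws:sourceVpce" == "aws:SourceVpce").
    for name, value in context.items():
        if name.lower() == key.lower():
            return value
    return None

def condition_matches(operator, key, allowed, context):
    """One condition entry; for these negated operators an absent key counts as a match."""
    actual = _context_value(context, key)
    if operator == "StringNotLike":
        # IAM's * and ? wildcards map directly onto fnmatch.
        return actual is None or not any(fnmatch.fnmatchcase(actual, p) for p in allowed)
    if operator == "NotIpAddress":
        if actual is None:
            return True
        ip = ipaddress.ip_address(actual)
        return not any(ip in ipaddress.ip_network(c, strict=False) for c in allowed)
    raise ValueError(f"operator {operator} is not modelled in this example")

def denied_by_policy(policy, context):
    """True when some Deny statement applies; every condition entry must match."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if all(condition_matches(op, key, vals, context)
               for op, block in stmt["Condition"].items()
               for key, vals in block.items()):
            return True
    return False
```

The example evaluates only the Deny; as the note above says, an Allow still has to be granted separately before any request can succeed.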
