Dustin shows you how to use a Deny in an S3 bucket policy to require multiple conditions


I want to block all traffic to my Amazon Simple Storage Service (Amazon S3) bucket unless the traffic is from a specific Amazon Virtual Private Cloud (VPC) or a specific external IP address. How can I do that?

Use a bucket policy to specify which VPCs or external IP addresses can access the S3 bucket. For more information on using conditions to specify allowed VPCs or IP addresses, see Example Bucket Policies for VPC Endpoints for Amazon S3 and Restricting Access to Specific IP Addresses.

For example, the following bucket policy blocks all traffic to the bucket unless the request comes from one of the specified VPC endpoints (aws:SourceVpce) or one of the specified external IP addresses (aws:SourceIp). Because both condition operators sit in the same Deny statement, IAM evaluates them with a logical AND: the Deny applies only to a request that matches neither the endpoint list nor the IP list, so a request needs to match just one of them to access the bucket. Substitute your own bucket ARN, VPC endpoint IDs, and IP address ranges. To use this policy with the aws:SourceVpce condition, you must have a VPC endpoint for Amazon S3.

Note: This statement only denies. To allow users to perform S3 actions on the bucket from the VPC endpoints or IP addresses, you must also grant those actions in their AWS Identity and Access Management (IAM) policy or in another statement of the bucket policy.

    {
        "Version": "2012-10-17",
        "Id": "VPCe and SourceIP",
        "Statement": [
            {
                "Sid": "VPCe and SourceIP",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::EXAMPLE-BUCKET",
                    "arn:aws:s3:::EXAMPLE-BUCKET/*"
                ],
                "Condition": {
                    "StringNotLike": {
                        "aws:sourceVpce": [
                            "vpce-EXAMPLE1",
                            "vpce-EXAMPLE2"
                        ]
                    },
                    "NotIpAddress": {
                        "aws:SourceIp": [
                            "192.0.2.10/32",
                            "198.51.100.0/24"
                        ]
                    }
                }
            }
        ]
    }
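As an added illustration that is not part of the original Knowledge Center article, the following Python evaluator models how IAM combines the two operators in this Deny statement: blocks inside one Condition are ANDed, and a negated operator whose key is absent from the request (no VPC endpoint) evaluates to true. It also shows what changes if the same two conditions are split into two Deny statements. The endpoint IDs and CIDR ranges are constructed placeholders.

```python
import ipaddress
import re

# Constructed stand-in for the page's Deny statement; the VPC endpoint IDs and
# CIDR ranges are placeholders, not values from the original article.
DENY_STATEMENT = {
    "Effect": "Deny",
    "Condition": {
        "StringNotLike": {"aws:sourceVpce": ["vpce-EXAMPLE1", "vpce-EXAMPLE2"]},
        "NotIpAddress": {"aws:SourceIp": ["192.0.2.10/32", "198.51.100.0/24"]},
    },
}

def _ctx_get(context, key):
    # Condition key names are case-insensitive in IAM; values are not.
    lowered = {k.lower(): v for k, v in context.items()}
    return lowered.get(key.lower())

def _like(value, pattern):
    # IAM string wildcards are only * and ?; everything else is literal.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _string_not_like(value, patterns):
    # Negated operator: a request without the key (no VPC endpoint) matches.
    return value is None or not any(_like(value, p) for p in patterns)

def _not_ip_address(value, cidrs):
    if value is None:
        return True
    ip = ipaddress.ip_address(value)
    return not any(ip in ipaddress.ip_network(c) for c in cidrs)

OPERATORS = {"StringNotLike": _string_not_like, "NotIpAddress": _not_ip_address}

def condition_matches(condition, context):
    """Every operator block inside one Condition must hold (logical AND)."""
    return all(OPERATORS[op](_ctx_get(context, key), values)
               for op, keys in condition.items() for key, values in keys.items())

def is_denied(statements, context):
    """Any Deny statement whose Condition matches denies the request (OR)."""
    return any(s["Effect"] == "Deny" and condition_matches(s["Condition"], context)
               for s in statements)

# The same two conditions as two separate Deny statements: each one now denies on
# its own, so a request has to satisfy BOTH to get through (the common lockout).
SPLIT_STATEMENTS = [{"Effect": "Deny", "Condition": {op: keys}}
                    for op, keys in DENY_STATEMENT["Condition"].items()]
```

A request from an allowed external IP without any VPC endpoint passes the single-statement policy but is denied by the split version, which is the lockout the combined statement avoids.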


Published: 2018-07-26

Updated: 2019-02-28