Dustin shows you how to
use a Deny in an S3 bucket policy
to require multiple conditions


I want to block all traffic to my Amazon Simple Storage Service (Amazon S3) bucket unless the traffic is from a specific Amazon Virtual Private Cloud (VPC) or a specific external IP address. How can I do that?

Use a bucket policy to specify which VPCs or external IP addresses can access the S3 bucket. For more information on using conditions to specify allowed VPCs or IP addresses, see Restricting Access to a Specific VPC Endpoint and Restricting Access to Specific IP Addresses.

For example, the following bucket policy blocks all traffic to the bucket unless the request is from specified external IP addresses (aws:SourceIp) or VPC endpoints (aws:SourceVpce). A request must be from any one of the allowed IP addresses or VPC endpoints to access the bucket.

Note: This example policy requires a VPC endpoint. A VPC endpoint also allows Amazon Elastic Compute Cloud (Amazon EC2) instances in the VPC to access the bucket from a private IP address.

    "Version": "2012-10-17",
    "Id": "VPCe and SourceIP",
    "Statement": [{
        "Sid": "VPCe and SourceIP",
        "Effect": "Deny",
        "Principal": {
            "AWS": "*"
        "Action": "*",
        "Resource": [
        "Condition": {
            "StringNotLike": {
                "aws:SourceIp": [
                "aws:SourceVpce": [

Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2018-07-26