Manage Bucket access
To restrict access to the objects in a Bucket by network, create a Bucket Policy that uses the aws:SourceIp condition.
Create a file with the following bucket policy:
{
  "Version": "2012-10-17",
  "Id": "OnlyInternal",
  "Statement": [
    {
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "10.0.0.0/8",
            "192.168.0.0/16"
          ]
        }
      },
      "Action": "s3:*",
      "Resource": [
        "<bucket>/*",
        "<bucket>"
      ],
      "Effect": "Deny",
      "Principal": "*",
      "Sid": "BlockExternal"
    }
  ]
}
This policy denies all operations on the bucket for any request whose source IP address is not in the 10.0.0.0/8 or 192.168.0.0/16 networks.
Replace <bucket> with your bucket name.
For complete documentation about Bucket Policies, refer to Bucket Policies.
CIDR notation
The aws:SourceIp condition supports IPv4 addresses and IPv4 address ranges. IPv6 addresses are not supported.
When aws:SourceIp is a complete network (e.g. 10.0.0.0), you must specify the subnet mask in CIDR (Classless Inter-Domain Routing) format.
Example:
10.0.0.0/8
192.168.0.0/16
10.45.2.0/24
When aws:SourceIp is a single IP address (e.g. 98.2.3.123), do not specify a subnet mask in CIDR format.
Examples:
98.2.3.123
192.168.1.23
10.45.2.67
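Before putting a policy on a Bucket it is worth checking, offline, which source addresses the Deny statement will actually match and whether every aws:SourceIp entry follows the rules above. The following script is an added example, not part of this documentation or the provider's tooling: it evaluates the "OnlyInternal" policy from this page (with <bucket> filled in as the constructed name "bucket-test") against a few sample request addresses and rejects entries that are IPv6, that carry a mask on a single host, or that omit the mask on a network.

```python
import ipaddress

# The "OnlyInternal" policy shown above, with <bucket> replaced by the
# constructed name "bucket-test" (the same name the CLI examples use).
POLICY = {
    "Version": "2012-10-17",
    "Id": "OnlyInternal",
    "Statement": [{
        "Sid": "BlockExternal",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["bucket-test/*", "bucket-test"],
        "Condition": {"NotIpAddress": {"aws:SourceIp": ["10.0.0.0/8", "192.168.0.0/16"]}},
    }],
}


def parse_source_ip(value: str) -> ipaddress.IPv4Network:
    """Validate one aws:SourceIp entry against the rules stated on this page:
    IPv4 only, a network must carry its CIDR mask, a single host must not."""
    net = ipaddress.ip_network(value, strict=True)  # ValueError if host bits are set under the mask
    if net.version != 4:
        raise ValueError(f"aws:SourceIp does not support IPv6: {value}")
    if "/" in value and net.prefixlen == 32:
        raise ValueError(f"single address must be written without a mask: {value}")
    return net


def is_denied(policy: dict, source_ip: str) -> bool:
    """True if a Deny statement's aws:SourceIp condition matches the request's
    source address. Only IpAddress / NotIpAddress conditions are evaluated;
    Allow statements are ignored because an explicit Deny always wins."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        for operator, negate in (("IpAddress", False), ("NotIpAddress", True)):
            values = cond.get(operator, {}).get("aws:SourceIp")
            if values is None:
                continue
            if isinstance(values, str):  # a single string may stand in for a list
                values = [values]
            nets = [parse_source_ip(v) for v in values]
            matched = any(ip in net for net in nets)  # an IPv6 source never matches an IPv4 network
            if matched != negate:
                return True
    return False
```

Run is_denied(POLICY, "98.2.3.123") to confirm an external address is blocked while "10.12.0.5" passes; an IPv6 client is denied too, since it never matches the IPv4 allow-list.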
Put the policy on your Bucket:
aws s3api --endpoint-url=${S3_ENDPOINT} put-bucket-policy --bucket bucket-test --policy file://mypolicy.json --profile ${S3_PROFILE}
Check if the policy is correctly set:
aws s3api --endpoint-url=${S3_ENDPOINT} get-bucket-policy --bucket bucket-test --profile ${S3_PROFILE}