# Manage Bucket access

To restrict network access to the objects in a **Bucket**, create a **Bucket Policy** that uses the `aws:SourceIp` condition key.

{% hint style="info" %}
We use the **aws s3** and **aws s3api** command line tools from AWS CLI v2 on Linux.

`${S3_ENDPOINT}` and `${S3_PROFILE}` are environment variables.
{% endhint %}

Create a file (`mypolicy.json` in the commands below) with the following bucket policy:

{% code lineNumbers="true" %}

```json
{
  "Version": "2012-10-17",
  "Id": "OnlyInternal",
  "Statement": [
    {
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "10.0.0.0/8",
            "192.168.0.0/16"
          ]
        }
      },
      "Action": "s3:*",
      "Resource": [
        "<bucket>/*",
        "<bucket>"
      ],
      "Effect": "Deny",
      "Principal": "*",
      "Sid": "BlockExternal"
    }
  ]
}
```

{% endcode %}

This policy will:

* **Deny** all operations on requests whose source IP address is outside the networks **10.0.0.0/8** and **192.168.0.0/16**

Replace **`<bucket>`** with your bucket name.

For the complete documentation on Bucket Policies, refer to [bucket-policies](https://academy.cegedim.cloud/storage/object-storage/object-storage-features/bucket-policies "mention").

{% hint style="info" %}
cegedim.cloud Object Storage service is a **compatible S3 service**. Some specific AWS features are not supported.
{% endhint %}

## CIDR notation

The `aws:SourceIp` condition supports IPv4 addresses and IPv4 address ranges. IPv6 addresses are not supported.

When `aws:SourceIp` designates a whole network (e.g. 10.0.0.0), you must append the subnet mask in **CIDR** (Classless Inter-Domain Routing) notation.

Example:

* 10.0.0.0/8
* 192.168.0.0/16
* 10.45.2.0/24

When `aws:SourceIp` designates a single IP address (e.g. 98.2.3.123), do not append a subnet mask in CIDR (Classless Inter-Domain Routing) notation.

Examples:

* 98.2.3.123
* 192.168.1.23
* 10.45.2.67

Put the policy on your Bucket:

{% code overflow="wrap" %}

```bash
aws s3api --endpoint-url=${S3_ENDPOINT} put-bucket-policy --bucket bucket-test --policy file://mypolicy.json --profile ${S3_PROFILE}
```

{% endcode %}

Check if the policy is correctly set:

{% code overflow="wrap" %}

```bash
aws s3api --endpoint-url=${S3_ENDPOINT} get-bucket-policy --bucket bucket-test --profile ${S3_PROFILE}
```

{% endcode %}
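
The following Python script is an added example, not part of this page or of the cegedim.cloud tooling. It ties the three steps above together offline: it validates each `aws:SourceIp` value against the CIDR rules of the previous section (IPv4 only, a mask on networks, no mask on single hosts), builds the `OnlyInternal` policy for a given bucket, dry-runs it against a few source addresses to confirm which requests the `BlockExternal` statement would deny, and checks the JSON returned by `get-bucket-policy` (the CLI wraps the stored policy as a JSON string under the `Policy` key) against the intended document. The function names and the sample `get-bucket-policy` output are constructed for this example; the `Resource` entries follow the page's bucket-name form rather than full ARNs.

```python
"""Validate, build and dry-run an S3 bucket policy restricting access by source IP."""
import ipaddress
import json
from typing import Dict, List


def validate_source_ip(entry: str) -> str:
    """Check one aws:SourceIp value against the page's rules: IPv4 only, a network
    carries a CIDR mask (10.0.0.0/8), a single host does not (98.2.3.123).
    Returns the canonical form or raises ValueError."""
    if "/" in entry:
        # strict=True rejects a mask that leaves host bits set (e.g. 10.0.0.1/8).
        net = ipaddress.ip_network(entry, strict=True)
        if net.version != 4:
            raise ValueError(f"IPv6 is not supported: {entry}")
        if net.prefixlen == 32:
            raise ValueError(f"a single host is written without a mask: {entry}")
        return str(net)
    addr = ipaddress.ip_address(entry)
    if addr.version != 4:
        raise ValueError(f"IPv6 is not supported: {entry}")
    return str(addr)


def build_policy(bucket: str, allowed: List[str]) -> Dict:
    """Return the page's Deny-everything-outside-these-networks policy for `bucket`,
    validating every aws:SourceIp value first."""
    return {
        "Version": "2012-10-17",
        "Id": "OnlyInternal",
        "Statement": [
            {
                "Sid": "BlockExternal",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                # Resource written as on the page (bucket name, not an ARN).
                "Resource": [f"{bucket}/*", bucket],
                "Condition": {
                    "NotIpAddress": {
                        "aws:SourceIp": [validate_source_ip(e) for e in allowed]
                    }
                },
            }
        ],
    }


def is_denied(policy: Dict, source_ip: str) -> bool:
    """Dry-run one request: True if any Deny statement whose condition uses
    IpAddress or NotIpAddress on aws:SourceIp matches `source_ip`.
    Only this condition family is modelled; other condition keys are ignored."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        for operator, negate in (("IpAddress", False), ("NotIpAddress", True)):
            values = cond.get(operator, {}).get("aws:SourceIp")
            if values is None:
                continue
            if isinstance(values, str):
                values = [values]
            # A bare address becomes a /32 network, so hosts and ranges compare alike.
            in_range = any(ip in ipaddress.ip_network(v) for v in values)
            if in_range != negate:
                return True
    return False


def applied_policy_matches(get_output: str, intended: Dict) -> bool:
    """Compare the output of `aws s3api get-bucket-policy` with the intended policy.
    The CLI prints {"Policy": "<policy as a JSON string>"}, so the inner string is
    parsed before comparison; key order does not matter."""
    stored = json.loads(json.loads(get_output)["Policy"])
    return stored == intended


INTENDED = build_policy("bucket-test", ["10.0.0.0/8", "192.168.0.0/16"])

# Constructed sample of what get-bucket-policy would print for INTENDED
# (not captured from a real endpoint).
SAMPLE_GET_OUTPUT = json.dumps({"Policy": json.dumps(INTENDED)})

if __name__ == "__main__":
    print(json.dumps(INTENDED, indent=2))
    for ip in ("10.45.2.67", "192.168.1.23", "98.2.3.123"):
        print(ip, "denied" if is_denied(INTENDED, ip) else "allowed")
    print("applied policy matches:", applied_policy_matches(SAMPLE_GET_OUTPUT, INTENDED))
```

Write the output of `build_policy` to `mypolicy.json` before running `put-bucket-policy`, and feed the real `get-bucket-policy` output to `applied_policy_matches` to confirm the stored policy is the one you intended rather than an older version.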
