Amazon S3 files access policy based on IP Address

41,724

Solution 1

Yes there is, although I have not used this myself.

S3 supports granular control over buckets and the objects in them using the "Access Policy Language". There are specific whitelist and blacklist IP statements available. You will have to write the APL statements and upload them, however.

http://docs.amazonwebservices.com/AmazonS3/latest/dev/AccessPolicyLanguage.html

Here are 2 condition section examples:

Whitelist

"Condition": {
    "IpAddress": {
        "aws:SourceIp": ["192.168.176.0/24", "192.168.143.0/24"]
    }
}

Blacklist

"Condition": {
    "NotIpAddress": {
        "aws:SourceIp": ["192.168.176.0/24", "192.168.143.0/24"]
    }
}

Solution 2

Amazon describes this in their S3 docs under "Bucket Policy Examples", at Restricting Access to Specific IP Addresses:

The condition in this statement identifies the 54.240.143.* range of allowed IP addresses, with one exception: 54.240.143.188.

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": ["54.240.143.0/24", "1.2.3.4/32"]},
        "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
      }
    }
  ]
}

You could add something like that in the AWS S3 console. Select your bucket, click the Properties tab, then Permissions. Click "Add bucket policy" and paste it into the popup dialogue's form.

I modified Amazon's example to show how multiple IP ranges can be included in the policy by providing a JSON array instead of a string. The "aws:SourceIp" entry of "1.2.3.4/32" means that the single IP address, 1.2.3.4, is also granted access.
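This added example (not from either answer or from AWS) evaluates a policy's IpAddress/NotIpAddress condition the way IAM does, so you can check which callers a draft policy admits before uploading it; keep in mind that aws:SourceIp is the public address S3 sees, so requests arriving through a VPC endpoint will not match it. It assumes only the Python standard library and models Allow statements without Deny.

```python
import ipaddress
import json

# Constructed input: Amazon's example policy from the answer above, kept as-is so
# both operators (IpAddress list, NotIpAddress single string) are exercised.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "IPAllow",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::examplebucket/*",
    "Condition": {
      "IpAddress": {"aws:SourceIp": ["54.240.143.0/24", "1.2.3.4/32"]},
      "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
    }
  }]
}
""")

def _as_list(value):
    # A condition value may be one string or a JSON array of strings.
    return value if isinstance(value, list) else [value]

def _in_any(source_ip, cidrs):
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def condition_matches(condition, source_ip):
    # IAM semantics: every operator block must hold (AND); within one
    # operator, matching any listed range is enough (OR).
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator: {operator}")
        cidrs = _as_list(keys.get("aws:SourceIp", []))
        hit = _in_any(source_ip, cidrs)
        # IpAddress requires a hit; NotIpAddress requires no hit.
        if (operator == "IpAddress") != hit:
            return False
    return True

def allowed_by_policy(policy, source_ip):
    # True if some Allow statement's condition admits the caller. Deny
    # statements are not modelled; this policy has none.
    return any(s["Effect"] == "Allow" and condition_matches(s.get("Condition", {}), source_ip)
               for s in policy["Statement"])
```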

Daniel Cukier

Daniel is a technology innovator, currently exploring web3 projects. Former CTO in Brazilian startups such as Pravaler - a fintech that offers accessible student loans - also founder and CTO at Playax - an audience development platform for music professionals based on BigData - he also worked for two years as CTO at Elo7 – the biggest crafts marketplace in Brazil. Experienced working in different programming languages such as Elixir, Ruby, JavaScript and Java, Daniel helped many startups as venture advisor at Monashees Capital and other accelerator programs in Brazil. He is also PhD in Computer Science at University of São Paulo – IME-USP. His PhD research is about Software Startups Ecosystems and Entrepreneurship. Daniel mastered in Computer Science in University of São Paulo in 2009, with the Thesis Patterns for Introducing New Ideas in the Software Industry. Daniel is a Cloud Computing GDE (Google Developer Expert). Daniel started developing software in Brazil when he was 10, on his TK-3000 Basic 2MB RAM computer. He worked as a consultant and software developer in many companies. In 2001, he worked for an Internet startup in Italy. In 2006 he joined Locaweb, the biggest web hosting company in Brazil and worked there for 5 years as developer and tech lead in infrastructure team. Daniel is an active member in the agile and software development communities, speaker in many conferences such as Elixir Brasil, QCON, Agile Brasil, TDC, DevCamp, Agile Trends and others. Studying other Arts beside software development, like Theatre, musical instruments and compositions, dance and writing, he acted in five musical plays and has a poetry book published. Daniel is a Vipassana meditation student and is very interested in topics related to human consciousness.

Updated on June 06, 2020

Comments

  • Daniel Cukier, almost 4 years

    Is there any way to limit the access of a file stored in Amazon S3 based on the client IP address?

    I have a file stored there, which should be accessed only by a specific IP address. How do I do this?