35

Is there any way to limit the access of a file stored in Amazon S3 based on the client IP address?

I have a file stored there, which should be accessed only by a specific IP address. How can I do this?

asked by Daniel Cukier, edited by John Rotenstein

2 Answers

43

Yes there is, although I have not used this myself.

S3 supports granular control over buckets and the objects in them using the "Access Policy Language". There are specific whitelist and blacklist IP conditions available. You will have to write the APL statements and upload them, however.

http://docs.amazonwebservices.com/AmazonS3/latest/dev/AccessPolicyLanguage.html

Here are 2 condition section examples:

Whitelist

"Condition": {
    "IpAddress": {
        "aws:SourceIp": ["192.168.176.0/24", "192.168.143.0/24"]
    }
}

Blacklist

"Condition": {
    "NotIpAddress": {
        "aws:SourceIp": ["192.168.176.0/24", "192.168.143.0/24"]
    }
}

answered by gview, edited by cmaher
  • I did not find in the documentation policies specific for IP. Could you provide the JSON example for it? – Daniel Cukier Jul 12 '12 at 18:03
  • I amended my answer with examples of the IP condition. – gview Jul 12 '12 at 18:09
  • It is not working... I tried, resource can be accessed anyway: { "Version": "2008-10-17", "Id": "S3PolicyId1", "Statement": [ { "Sid": "IPAllow", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "s3:*", "Resource": "arn:aws:s3:::byBucketName", "Condition": { "NotIpAddress": { "aws:SourceIp": "0.0.0.0/0" }, "IpAddress": { "aws:SourceIp": "192.168.143.188/32" } } } ] } – Daniel Cukier Jul 12 '12 at 19:15
  • 1
    You don't need to combine the whitelist + blacklist afaik. It's not like a firewall chain. Just whitelist since that is what I assume you're after. – gview Jul 12 '12 at 19:38
  • also be aware that ec2 to s3 routes over the internet, so if you want to only allow access from your ec2 host then you need to list the host's public IP, not private 10. on amazon's network – Landon Kuhn Jun 24 '13 at 21:13
  • what's the purpose of the `/24` or `/32` in the IP address? – tim peterson Sep 20 '13 at 02:01
  • 1
    @timpeterson That is indicating how many of the 32 bits in the IP address provided should be considered to be the subnet mask. In these cases, as these rules are matching the first 3 octets of the address (i.e.. 192.168.176) the system is going to use only the network portion of an address (the first 24 bits) to determine whether to allow or disallow a client. This might help as well: http://www.ripe.net/internet-coordination/press-centre/understanding-ip-addressing – gview Sep 20 '13 at 17:08
26

Amazon describes this in their S3 docs under "Bucket Policy Examples", at Restricting Access to Specific IP Addresses:

The condition in this statement identifies the 54.240.143.* range of allowed IP addresses, with one exception: 54.240.143.188.

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": ["54.240.143.0/24", "1.2.3.4/32"]},
        "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
      }
    }
  ]
}

You could add something like that in the AWS S3 console. Select your bucket, click the Properties tab, then Permissions. Click "Add bucket policy" and paste it into the popup dialogue's form.

I modified Amazon's example to show how multiple IP ranges can be included in the policy by providing a JSON array instead of a string. The "aws:SourceIp" entry of "1.2.3.4/32" means that the single IP address, 1.2.3.4, is also granted access.
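Added example, not code from either answer and not AWS's own evaluator: a small Python model of how the IpAddress / NotIpAddress conditions in the policies above are evaluated (both answers and the comment thread about combining whitelist and blacklist), plus a builder that validates each CIDR before emitting a policy. The bucket name and addresses are the page's placeholders; the function names and the "s3:GetObject" action are my choices, not anything from the page or from AWS.

```python
import ipaddress
import json

# Constructed sample: the policy from the answer above, with the page's own
# placeholder bucket name and address ranges (not a real bucket).
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::examplebucket/*",
            "Condition": {
                "IpAddress": {"aws:SourceIp": ["54.240.143.0/24", "1.2.3.4/32"]},
                "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"},
            },
        }
    ],
}


def _as_list(value):
    """A condition value may be a single string or a JSON array; normalise it."""
    return value if isinstance(value, list) else [value]


def _in_any(ip, cidrs):
    """True if ip falls inside at least one of the CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def condition_matches(condition, source_ip):
    """All operators in a Condition block must hold (they are ANDed).

    Only IpAddress / NotIpAddress on aws:SourceIp are modelled; anything else
    raises so the simulation never returns a silently wrong answer.
    """
    for operator, keys in condition.items():
        cidrs = _as_list(keys["aws:SourceIp"])
        if operator == "IpAddress":
            if not _in_any(source_ip, cidrs):
                return False
        elif operator == "NotIpAddress":
            if _in_any(source_ip, cidrs):
                return False
        else:
            raise NotImplementedError(f"condition operator {operator!r} not modelled")
    return True


def evaluate(policy, source_ip):
    """Simplified decision for one bucket policy and one caller IP.

    Explicit Deny wins, then Allow, otherwise implicit deny. Real S3 access
    also depends on IAM policies and ACLs, which this model does not see.
    """
    decision = "implicit deny"
    for stmt in policy["Statement"]:
        if not condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"
        decision = "allow"
    return decision


def build_ip_allow_policy(bucket, allowed_cidrs, excluded_cidrs=()):
    """Emit a policy in the shape shown above, rejecting malformed CIDRs.

    strict=True makes e.g. "192.168.143.188/24" raise ValueError (host bits
    set), which is an easy way to accidentally widen a rule.
    """
    for cidr in (*allowed_cidrs, *excluded_cidrs):
        ipaddress.ip_network(cidr, strict=True)
    condition = {"IpAddress": {"aws:SourceIp": list(allowed_cidrs)}}
    if excluded_cidrs:
        condition["NotIpAddress"] = {"aws:SourceIp": list(excluded_cidrs)}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "IPAllow",
                "Effect": "Allow",
                "Principal": "*",
                # Read-only: the page's example grants s3:* to anyone from the
                # range, which also covers PutObject and DeleteObject.
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": condition,
            }
        ],
    }


if __name__ == "__main__":
    print(json.dumps(build_ip_allow_policy("examplebucket", ["54.240.143.0/24"]), indent=2))
    for ip in ("54.240.143.10", "54.240.143.188", "1.2.3.4", "8.8.8.8"):
        print(ip, "->", evaluate(EXAMPLE_POLICY, ip))
```

Running the model over the policy pasted in the comments (IpAddress 192.168.143.188/32 together with NotIpAddress 0.0.0.0/0) gives an implicit deny for every address, because the two operators are ANDed and 0.0.0.0/0 covers the whitelisted host too; a whitelist on its own is enough, as the reply in the comments says. The builder narrows the action to s3:GetObject because a file that should merely be readable from one address does not need the delete and write permissions that s3:* with Principal "*" hands out.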
