Source IP

Increase security by denying all operations on your bucket “bucket-name.example.org” if the request doesn’t originate from a specific IP address.

Determine your IP address:

❯ curl ifconfig.me
12.34.56.78

The policy applies to every principal ("Principal":"*") and uses a Condition to enforce the rule: any request that does not originate from 12.34.56.78 is denied. Because this is a Deny statement, it grants nothing by itself; callers still have to authenticate with credentials that permit access. From any other address, the bucket and its contents are not reachable.

To achieve this, use the following policy:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Action":"s3:*",
      "Condition":{
        "NotIpAddress":{
          "aws:SourceIp":[
            "12.34.56.78/32"
          ]
        }
      },
      "Effect":"Deny",
      "Principal":"*",
      "Resource":[
        "arn:aws:s3:::bucket-name.example.org",
        "arn:aws:s3:::bucket-name.example.org/*"
      ],
      "Sid":"SourceIP"
    }
  ]
}

Please note: The advantage of this policy is that if your access key and secret are leaked, access remains tied to the IP address, so an attacker using those credentials from anywhere else cannot reach your bucket. The same property carries the risk of locking yourself out, for example when your own IP address changes.
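To check ahead of time which requests the Deny statement above would catch (and whether your own address is safe), the following added example evaluates the policy's NotIpAddress condition offline. It is not part of the original page; it embeds the page's policy, accepts one or more CIDR blocks, and assumes the documented AWS behaviour that negated condition operators evaluate to true when aws:SourceIp is absent from the request (for example on requests through a VPC endpoint).

```python
import ipaddress
import json

# The bucket policy from this page, embedded so the example runs offline.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "SourceIP",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::bucket-name.example.org",
                 "arn:aws:s3:::bucket-name.example.org/*"],
    "Condition": {"NotIpAddress": {"aws:SourceIp": ["12.34.56.78/32"]}}
  }]
}"""


def allowed_networks(policy_json):
    """Collect the CIDR blocks listed under NotIpAddress/aws:SourceIp in Deny statements."""
    nets = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cidrs = stmt.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp", [])
        if isinstance(cidrs, str):  # a single value may be given without a list
            cidrs = [cidrs]
        nets.extend(ipaddress.ip_network(c, strict=False) for c in cidrs)
    return nets


def deny_matches(policy_json, source_ip):
    """Return True if the Deny statement applies to a request from source_ip.

    source_ip=None models a request whose context has no aws:SourceIp key.
    Assumption (documented AWS behaviour): a negated operator such as
    NotIpAddress evaluates to true when its key is missing, so the Deny applies.
    """
    if source_ip is None:
        return True
    ip = ipaddress.ip_address(source_ip)
    # An IPv6 request is never "in" an IPv4 network, so it is denied as well.
    return not any(ip in net for net in allowed_networks(policy_json))


if __name__ == "__main__":
    for ip in ["12.34.56.78", "12.34.56.79", "203.0.113.7", None]:
        print(f"{ip!s:>14}: {'DENIED' if deny_matches(POLICY_JSON, ip) else 'passes condition'}")
```

Run it with the address printed by `curl ifconfig.me` before applying the policy; if that address is reported as DENIED, the policy would lock you out.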