
Example IP whitelist policy

Use a policy like this when you want to ensure that your bucket can be accessed only from a known IP address or range. The `aws:SourceIp` condition key is matched against the public source address of the request, so the CIDR you list must be the address the requests actually arrive from (for example a NAT gateway or office egress address, not a private one).

Only requests from 1.2.3.4/32 (CIDR notation: IP address / prefix length) may access YourBucket; every other request, from any principal, is explicitly denied. Because the statement applies to `"Principal": "*"`, this also locks out the bucket owner's own users and roles from any other address, so verify the allowed address before applying it. Note that as printed the statement is not yet valid: it lacks an `"Action"` element (for example `"s3:*"`) and the commas after the `"Principal"` value and after the `"Condition"` block must be added before the policy will be accepted.

{
  "Version": "2012-10-17",
  "Id": "IpWhitelist",
  "Statement": [
    {
     "Sid": "IpAllow",
     "Effect": "Deny",
     "Principal": "*"
     "Condition": {
       "NotIpAddress": {
         "aws:SourceIp":"1.2.3.4/32"
       }
     }
     "Resource": [
       "arn:aws:s3:::YourBucket",
       "arn:aws:s3:::YourBucket/*"
     ]
    }
  ]
}
Allow anonymous (public) read of objects, but only from the specified IP/CIDR. Unlike the Deny statement above, this Allow grants access only to the unauthenticated public; it does not restrict principals that already have access through their own IAM permissions from other addresses, so combine it with the Deny statement if the goal is to restrict rather than grant. The `s3:GetObject` action applies to objects, so the bucket ARN in `Resource` is harmless here but has no effect.
{  
  "Id": "SourceIP",  
  "Version": "2012-10-17",  
  "Statement": [  
    {  
      "Sid": "SourceIP",  
      "Action": "s3:GetObject",  
      "Effect": "Allow",  
      "Resource": [  
        "arn:aws:s3:::YourBucket",  
        "arn:aws:s3:::YourBucket/*"  
      ],  
      "Condition": {  
        "IpAddress": {  
          "aws:SourceIp": [  
            "1.2.3.4/32"  
          ]  
        }  
      },  
      "Principal": "*"  
    }  
  ]  
}