Restricting Access to S3 to a Specific IP Address

The Amazon docs for Restricting Access to Specific IP Addresses show how a bucket policy can be used to restrict access to a range of IP addresses. I modified it to restrict access to one specific IP.

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
         "IpAddress": {"aws:SourceIp": ""},
         "NotIpAddress": {"aws:SourceIp": ""}
      }
    }
  ]
}

The bucket name is and the IP address is This IP is pointing to this site: Note that bucket name is different from the actual site that will access the S3 content.

Select the bucket and go to the Permissions tab >> Bucket Policy

Enter the bucket policy JSON in the text area:

You can now save the bucket policy.

Restricting Access to a Specific HTTP Referrer

Why not restrict access to a specific HTTP referrer? Something like this:

  "Id":"http referer policy example",
      "Sid":"Allow get requests originating from and",

will not work, because it can be circumvented with the cURL command: the referrer is a request header that the client sets, so cURL can send anything as the referrer.

Testing your bucket policy changes immediately will not work either. Changes to the bucket policy take some time to take effect. Relax, play with your dogs and test it later.
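The difference between the IP condition and the referrer condition can be checked locally with a simplified model of condition matching. This is an added example, not code from the original post or from AWS; the IP addresses, the site name and the helper names (`condition_matches`, `demo`) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample values (documentation IP ranges, placeholder site name).
SINGLE_IP = {"IpAddress": {"aws:SourceIp": ["203.0.113.10/32"]}}  # /32 = one address
RANGE_MINUS_ONE = {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                   "NotIpAddress": {"aws:SourceIp": ["203.0.113.188/32"]}}
REFERER = {"StringLike": {"aws:Referer": ["https://www.example.com/*"]}}

def _in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def _like(value, pattern):
    # StringLike wildcards: * matches any run of characters, ? exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.S) is not None

def condition_matches(condition, context):
    """Simplified model: operators and keys are ANDed; values under one key are ORed."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if operator == "IpAddress":
                ok = actual is not None and _in_any(actual, expected)
            elif operator == "NotIpAddress":
                ok = actual is None or not _in_any(actual, expected)
            elif operator == "StringLike":
                ok = actual is not None and any(_like(actual, p) for p in expected)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True

def demo():
    # aws:SourceIp is the address seen on the connection; aws:Referer is a client-set header.
    outsider = {"aws:SourceIp": "198.51.100.7", "aws:Referer": "https://www.example.com/a"}
    return {
        "single_ip_exact": condition_matches(SINGLE_IP, {"aws:SourceIp": "203.0.113.10"}),
        "single_ip_neighbour": condition_matches(SINGLE_IP, {"aws:SourceIp": "203.0.113.11"}),
        "range_member": condition_matches(RANGE_MINUS_ONE, {"aws:SourceIp": "203.0.113.5"}),
        "range_excluded": condition_matches(RANGE_MINUS_ONE, {"aws:SourceIp": "203.0.113.188"}),
        "ip_policy_vs_outsider": condition_matches(SINGLE_IP, outsider),
        "referer_policy_vs_outsider": condition_matches(REFERER, outsider),
    }

if __name__ == "__main__":
    print(demo())
```

The same request from an unrelated address fails the IP condition but satisfies the referrer condition, because only the header value is compared.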


Bucket Policy Examples
