How to Restrict Bucket Access by IP Address Using IAM Policies
How to allow or block access to your S3 buckets based on the client's IP address using IAM policy conditions
Overview
Impossible Cloud Storage supports IP-based access restrictions through IAM policy conditions. This security feature allows you to control which IP addresses or networks can access your storage buckets, adding an extra layer of protection for your data.
With IP address conditions, you can:
- Allow access only from your office network
- Restrict backup operations to specific servers
- Block access from unauthorized locations
- Meet compliance requirements for data access controls
How It Works
IAM policies support the IpAddress and NotIpAddress condition operators, which evaluate the source IP address of incoming requests. When a request is made to your bucket, the system checks whether the client's IP address, as seen by the storage service, matches the CIDR range given in the policy's aws:SourceIp condition key. Note that clients behind NAT, a corporate proxy or a VPN present the public address of that gateway, not their internal address, so that is the address the condition must cover.
Step-by-Step: Restrict Bucket Access to Specific IPs
In this example, we'll create a policy that allows access to a bucket only from your company's network.
1. Identify Your IP Address or Network Range
First, determine the IP addresses that should have access. You can specify:
- A single IP address using CIDR /32 notation (e.g., 203.0.113.25/32)
- A network range using CIDR notation (e.g., 203.0.113.0/24 for a /24 subnet)
2. Create the Policy JSON File
Create a file named ip-restricted-policy.json with the following content:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```
Replace:
- your-bucket-name with your actual bucket name
- 203.0.113.0/24 with your IP address or network range
3. Apply the Policy via AWS CLI or a Storage Console UI
Use the AWS CLI to attach the policy to your IAM user:
```bash
aws iam put-user-policy \
  --user-name "backup-user@example.com" \
  --policy-name "IPRestrictedAccess" \
  --policy-document file://ip-restricted-policy.json \
  --endpoint-url https://iam.impossibleapi.net
```
4. Verify the Policy
After applying the policy (allow a couple of minutes for propagation), test access from an allowed IP address:
```bash
aws s3 ls s3://your-bucket-name --endpoint-url https://eu-central-2.storage.impossibleapi.net
```
Access from IPs outside your specified range will be denied, provided no other policy attached to the user or its groups grants the same actions without an IP condition. An Allow with a condition only withholds its own grant; to block access regardless of other policies, use the explicit Deny pattern shown below.
Example: Block Access from Specific IPs
You can also use NotIpAddress to allow access from everywhere *except* certain IP addresses:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "198.51.100.0/24"
        }
      }
    }
  ]
}
```
This policy allows access from any IP address *except* those in the 198.51.100.0/24 range.
Example: Combine IP Restriction with an Explicit Deny
You can also combine an Allow statement with an explicit Deny:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```
This policy explicitly denies any request that does not originate from your trusted network 203.0.113.0/24. Because an explicit Deny overrides any Allow, it also blocks access that another policy attached to the same user or group would otherwise grant; make sure the address you administer from is inside the range before applying it.
Using IP Conditions with Group Policies
IP address conditions also work with IAM group policies, making it easy to apply consistent access rules across multiple users:
```bash
aws iam put-group-policy \
  --group-name "backup-operators" \
  --policy-name "IPRestrictedAccess" \
  --policy-document file://ip-restricted-policy.json \
  --endpoint-url https://iam.impossibleapi.net
```
All users in the group will inherit the IP-based restrictions.
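Since a user's effective permissions come from every policy attached to them (user policies plus group policies), the following added example, not part of this guide or the service's own code, models how the IpAddress and NotIpAddress operators and the "explicit Deny overrides Allow" rule combine for the IP-only policy and the Allow-plus-Deny policy above. It assumes each statement already matches the request's Action and Resource, so only Effect and Condition are evaluated.

```python
import ipaddress

# Constructed model of IAM condition evaluation, not the service's own code.
# Assumes every statement matches the request's Action/Resource (s3:* on the
# bucket), so only Effect and Condition decide the outcome.

def _networks(value):
    """A condition value may be a single CIDR string or a list of them."""
    values = value if isinstance(value, list) else [value]
    return [ipaddress.ip_network(v, strict=False) for v in values]

def condition_matches(condition, source_ip):
    """True when every condition operator in a statement holds for source_ip."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        in_range = any(ip in net for net in _networks(keys["aws:SourceIp"]))
        if operator == "IpAddress" and not in_range:
            return False
        if operator == "NotIpAddress" and in_range:
            return False
    return True

def evaluate(policies, source_ip):
    """Return 'Allow' or 'Deny' for a request from source_ip, given all policy
    documents attached to the principal (user policies plus group policies)."""
    allowed = False
    for doc in policies:
        for stmt in doc["Statement"]:
            if not condition_matches(stmt.get("Condition", {}), source_ip):
                continue  # condition not met: this statement does not apply
            if stmt["Effect"] == "Deny":
                return "Deny"  # an applicable explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "Deny"

# Policies shaped like the guide's examples (Action/Resource omitted, see above).
IP_ONLY = {"Statement": [
    {"Effect": "Allow", "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}
ALLOW_PLUS_DENY = {"Statement": [
    {"Effect": "Allow"},
    {"Effect": "Deny", "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}
# A second, unconditional Allow the same user gets from elsewhere (e.g. a group).
UNCONDITIONAL = {"Statement": [{"Effect": "Allow"}]}

if __name__ == "__main__":
    for name, docs in (("IP-only", [IP_ONLY, UNCONDITIONAL]),
                       ("Allow+Deny", [ALLOW_PLUS_DENY, UNCONDITIONAL])):
        for ip in ("203.0.113.25", "198.51.100.7"):
            print(f"{name:10} from {ip:13} -> {evaluate(docs, ip)}")
```

Run on its own, the IP-only policy lets the out-of-range address through whenever another unconditional Allow is attached, while the Allow-plus-Deny policy denies it regardless.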
Best Practices
- Always use CIDR notation - Specify your IP addresses with the CIDR suffix (e.g., /32 for a single IP).
- Test before deploying - Verify your policy works as expected before applying it to production systems.
- Document your allowed IPs - Keep a record of which IP addresses are authorized and why.
Troubleshooting
Access denied after applying the policy?
- Verify your current IP matches the CIDR range in the policy
- Allow 5-10 minutes for policy changes to propagate
- Check that the CIDR notation is correct (e.g., 203.0.113.25/32, not 203.0.113.25)
Policy rejected with "Syntax errors"?
- Validate your JSON using an online JSON validator
- Ensure the CIDR notation is properly formatted