How to restrict my object storage bucket to a single IP Address
How do I apply an 'allow my home ip' policy to my object storage bucket to download files, but allow cloud manager to still have access?
1 Reply
Hey there,
I tested this out on my own test bucket and had some success. Firstly, you'll want to change the ACL on the bucket to public. This may seem counterintuitive; however, the way the ACLs and policies interact is that if one denies access, it overwrites whatever access the other one gives. If the ACL blocks access to the entire bucket, that'll overrule our policy.
I found this FAQ on s3tools.org that seemed to do the trick: How to restrict access to a bucket to specific IP addresses. I took the policy they had there and modified it to work with my own bucket:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::YOUR BUCKET NAME HERE/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "YOUR HOME IP HERE/24"
                },
                "NotIpAddress": {
                    "aws:SourceIp": ""
                }
            }
        }
    ]
}
I want to point out that I'm in no way a developer, and generally these kinds of internal configurations are well outside the scope of our support. But I was super interested in trying to get this to work, so I wanted to share what I found. I only mention it to temper expectations: if this doesn't work, we may hit a point where we can't help much more.
A couple of key points about the changes I made:
- I removed the
      "Id": "S3PolicyIPRestrict",
  line. I'm still trying to figure out why this needed to be removed, but I couldn't get it to work with it in there.
- In the YOUR BUCKET NAME HERE space it should just be the bucket name. For instance, if my bucket were s3://whatever-bucket, the line should look like arn:aws:s3:::whatever-bucket/*. That /* is important. It's what applies the policy to everything in the bucket, without breaking the bucket. :)
- In the YOUR HOME IP HERE space, obviously your home IP goes there; however, I found that it needs to be in CIDR notation, hence the "/24".
- I left the last line under NotIpAddress blank by using two quotes (""). This would be if you had a specific IP address within the range that you entered above that you wanted to exclude from accessing the bucket.
I would recommend following the guide on Bucket Policies with s3cmd to create the json file and enable it with s3cmd.
Another wrinkle you may need to overcome is that your home router can sometimes decide that your computer's IP should be something different today than it was yesterday. You'll want to explore some of the ways to make your home IP static. Most modern routers give you an option to Reserve Address or Static DHCP or something along those lines.
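As an added example (not part of the reply above, and not s3cmd's or any provider's own code), the following Python script builds a policy of the same shape and then models how a bucket policy and a public ACL combine. The bucket name whatever-bucket, the addresses 203.0.113.10 and 198.51.100.7 (reserved documentation ranges), the bucket-level ARN alongside the /* one, and the extra IPDenyOthers statement are my assumptions; the evaluator is a deliberately small model of the "explicit Deny wins, otherwise any Allow suffices" rule, not an S3 implementation. Two points it makes concrete: a bare address is turned into a /32, since a /24 as written in the reply admits all 256 addresses in that block, not just yours; and with the ACL set to public, an Allow-only policy does not keep anyone out, because the public ACL is itself an Allow. Only an explicit Deny for addresses outside your range closes that.

```python
import ipaddress
import json


def normalize_cidr(value):
    """Accept a bare address or a CIDR; a bare address becomes a single-host
    prefix (/32 or /128). A /24 would admit 256 addresses, not one."""
    if "/" not in value:
        value += "/128" if ":" in value else "/32"
    return str(ipaddress.ip_network(value, strict=False))


def build_policy(bucket, allowed_cidrs, deny_others=True):
    """Bucket policy allowing s3:* from allowed_cidrs. With deny_others, an
    explicit Deny from every other source is added (my assumption, not the
    FAQ's policy) so a permissive ACL cannot re-open the bucket."""
    allowed = [normalize_cidr(c) for c in allowed_cidrs]
    # Bucket ARN covers listing; the /* ARN covers the objects themselves.
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    statements = [{
        "Sid": "IPAllow",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": resources,
        "Condition": {"IpAddress": {"aws:SourceIp": allowed}},
    }]
    if deny_others:
        statements.append({
            "Sid": "IPDenyOthers",
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": "s3:*",
            "Resource": resources,
            "Condition": {"NotIpAddress": {"aws:SourceIp": allowed}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _action_matches(pattern, action):
    return pattern in ("*", "s3:*") or pattern == action


def _resource_matches(pattern, resource):
    if pattern.endswith("/*"):            # "arn:aws:s3:::bucket/*" -> prefix match
        return resource.startswith(pattern[:-1])
    return pattern == resource


def _condition_matches(cond, source_ip):
    """All condition operators must hold (they are ANDed together)."""
    ip = ipaddress.ip_address(source_ip)
    for op, kv in cond.items():
        nets = [ipaddress.ip_network(c, strict=False) for c in _as_list(kv["aws:SourceIp"])]
        in_any = any(ip in n for n in nets)
        if op == "IpAddress" and not in_any:
            return False
        if op == "NotIpAddress" and in_any:
            return False
    return True


def is_allowed(policy, source_ip, resource, action="s3:GetObject", acl_public=False):
    """Simplified evaluation model: a matching Deny anywhere wins; otherwise the
    request succeeds if a policy statement Allows it or the ACL is public."""
    allowed = acl_public
    for st in policy["Statement"]:
        if not any(_action_matches(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_resource_matches(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _condition_matches(st.get("Condition", {}), source_ip):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    obj = "arn:aws:s3:::whatever-bucket/file.txt"      # constructed sample object
    allow_only = build_policy("whatever-bucket", ["203.0.113.10"], deny_others=False)
    locked = build_policy("whatever-bucket", ["203.0.113.10"])
    print(json.dumps(locked, indent=2))
    # Public ACL + Allow-only policy: a stranger still reads the object.
    print(is_allowed(allow_only, "198.51.100.7", obj, acl_public=True))
    # Explicit Deny closes that hole while the home address keeps working.
    print(is_allowed(locked, "198.51.100.7", obj, acl_public=True))
    print(is_allowed(locked, "203.0.113.10", obj, acl_public=True))
```

Save the printed JSON to a file and attach it with s3cmd setpolicy policy.json s3://whatever-bucket; s3cmd info s3://whatever-bucket shows what is currently attached. Whether a provider's own web console is subject to a Principal "*" Deny depends on how that provider routes console requests, so test from the console after applying the Deny variant before relying on it, and keep the home range up to date if your address changes.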