I want users to upload and download objects

Hi all, I apologize for my bad English, I will try to explain as well as I can.

I am setting a policy on my bucket where I want to allow my users to upload or download the objects from my application through specific IPs.
Below is the policy which I am setting:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "",
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": [
                "arn:aws:s3:::bucket_name/",
                "arn:aws:s3:::bucket_name"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "IP1",
                        "IP2",
                        "IP3"
                    ]
                },
                "NotIpAddress": {
                    "aws:SourceIp": ""
                }
            }
        }
    ]
}

But it's allowing all other IPs to put or get the object as well. How do I restrict users to uploading and downloading from specific IPs?
Although this might be a silly question as I am a beginner, I would really appreciate any input on this.

4 Replies

We have a section of our documentation that explains how to limit traffic by IP address. While it looks like your policy is close to that, without proper formatting and a complete version of the policy, it's hard to say if there is a syntax issue causing it to fail.

Additionally, you may want to make sure that the policy is properly applied. This explains how to apply the policy and how to see the policy after application to make sure it worked.

Hi CassandraD

Thanks for the reply. Yes, I have followed these instructions and set the policy, but it still wasn't working.
Sorry for the format issues. Below is the policy which I am setting:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "",
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": [
                "arn:aws:s3:::entrar1/",
                "arn:aws:s3:::entrar1"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "IP1"
                        "IP2"
                        "IP3"
                    ]
                },
                "NotIpAddress": {
                    "aws:SourceIp": ""
                }
            }
        }
    ]
}

Hi all, can anyone help me with this, please?

I was able to filter connections to my bucket with the exception of specific IPs using the following bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::<bucket-name>/*",
        "Condition": {
          "NotIpAddress": {
            "aws:SourceIp": ["<specific-ip-1>/32","<specific-ip-2>/32"]
          }
        }
      }
    ]
   }

In my .json file, I changed the Effect section to Deny and the Condition to NotIpAddress. This is mentioned as a possibility in the Allow or Deny Access from a Specific IP Address section of the Bucket Policy guide.
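A quick offline check of which source addresses the Deny/NotIpAddress policy in the answer above would block, useful for confirming that the allowlist covers your own address before applying it. This is an added example, not code from the thread or from the storage provider; the bucket name and addresses are constructed placeholders, and only the two IP operators that appear on this page are modelled (Action, Resource and Principal matching are ignored).

```python
import ipaddress
import json

# Constructed policy in the shape of the working answer; bucket name and
# documentation-range addresses are placeholders, not values from the thread.
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Deny",
   "Principal": "*",
   "Action": "s3:*",
   "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"NotIpAddress": {
     "aws:SourceIp": ["203.0.113.10/32", "198.51.100.0/24"]}}
 }]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _in_any(source_ip, cidrs):
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def condition_matches(condition, source_ip):
    """True when every operator in the Condition block holds for source_ip."""
    for op, keys in condition.items():
        cidrs = _as_list(keys.get("aws:SourceIp", []))
        if op == "IpAddress":
            ok = _in_any(source_ip, cidrs)
        elif op == "NotIpAddress":
            ok = not _in_any(source_ip, cidrs)
        else:
            raise ValueError(f"operator not modelled: {op}")
        if not ok:
            return False
    return True

def explicitly_denied(policy, source_ip):
    """True when a Deny statement's IP condition matches source_ip."""
    return any(
        s["Effect"] == "Deny" and condition_matches(s.get("Condition", {}), source_ip)
        for s in _as_list(policy["Statement"]))

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.5"):
        print(ip, "denied" if explicitly_denied(POLICY, ip) else "not denied")
```

A policy containing only an Allow statement with an IpAddress condition never yields an explicit deny here, whatever the source address; an empty `aws:SourceIp` string raises `ValueError` because it is not a valid address or CIDR.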
