How can I restrict access to AWS resources based on the AWS Region, source IP address, or Amazon VPC?


I want to restrict access to AWS resources based on the AWS Region, source IP address, or Amazon Virtual Private Cloud (Amazon VPC).

Short description

You can use AWS Identity and Access Management (IAM) identity-based policies and Amazon Simple Storage Service (Amazon S3) bucket policies to deny or control access to AWS resources. You can deny or control access to AWS resources based on conditions such as the AWS Region, source IP, or VPC that the resource is being accessed from.

Resolution

Deny access to AWS resources based on the requested AWS Region

Create an identity-based policy with the IAM aws:RequestedRegion condition key that denies access to all actions outside the specified Regions.

For an example IAM policy and more information, see Deny access based on the requested Region.

Deny access to AWS resources based on the source IP address

Create an identity-based policy with the IAM aws:SourceIp and aws:ViaAWSService condition keys that denies access to all actions outside the specified IP address range. Only public IP addresses or public IP ranges are supported.

Note: The aws:SourceIp condition key is always included in the request, except for requests that use an Amazon VPC endpoint.

For an example IAM policy and more information, see Deny access based on the source IP address range.

Control access from Amazon VPC with Amazon S3 bucket policies

Create an Amazon S3 bucket policy with the IAM aws:SourceVpce condition key to restrict access to buckets from specific Amazon VPC endpoints. You can also create an Amazon S3 bucket policy with the IAM aws:SourceVpc condition key to restrict access to buckets from specific Amazon VPCs.

For example IAM policies and more information, see Controlling access from VPC endpoints with bucket policies.

Note: The aws:SourceVpc or aws:SourceVpce condition key is only included if the requester uses a VPC endpoint to make the request.
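The three deny statements described above, together with a small evaluator for the condition operators they use, as an added example (not code from this AWS article). The Region names, CIDR ranges and VPC endpoint ID are placeholders, and the evaluator models only condition matching (including how negated operators treat a key that is absent from the request, which is what the two notes above are about), not Action or Resource matching.

```python
import ipaddress

# Constructed deny statements modelled on the three cases in the article.
# Region names, CIDR ranges and the VPC endpoint ID are placeholders.
STATEMENTS = {
    "region": {"Effect": "Deny", "Action": "*", "Resource": "*", "Condition": {
        "StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}},
    "ip": {"Effect": "Deny", "Action": "*", "Resource": "*", "Condition": {
        "NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]},
        "Bool": {"aws:ViaAWSService": "false"}}},
    "vpce": {"Effect": "Deny", "Action": "s3:*", "Resource": "*", "Condition": {
        "StringNotEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},  # placeholder ID
}

def _cond(op, key, wanted, ctx):
    """One condition test. Negated operators (StringNot*, NotIp*) match when
    the key is absent from the request context; positive operators do not."""
    if key not in ctx:
        return op.startswith("StringNot") or op.startswith("NotIp")
    val = ctx[key]
    if op == "StringNotEquals":
        return val not in wanted
    if op == "NotIpAddress":
        return not any(ipaddress.ip_address(val) in ipaddress.ip_network(c) for c in wanted)
    if op == "Bool":
        return str(val).lower() == wanted[0].lower()
    raise ValueError(f"operator {op} not modelled")

def denied_by(ctx, statements=STATEMENTS):
    """Names of Deny statements whose conditions all match (AND across operators).
    Action/Resource matching is omitted; the statements above use wildcards."""
    return [name for name, st in statements.items()
            if all(_cond(op, k, v if isinstance(v, list) else [v], ctx)
                   for op, kv in st["Condition"].items() for k, v in kv.items())]

# Constructed request contexts (the keys IAM would populate for each caller).
CLI_IN_RANGE = {"aws:RequestedRegion": "eu-west-1", "aws:SourceIp": "192.0.2.10",
                "aws:ViaAWSService": "false"}
CLI_OUTSIDE = {"aws:RequestedRegion": "us-east-1", "aws:SourceIp": "198.51.100.7",
               "aws:ViaAWSService": "false"}
VIA_VPCE = {"aws:RequestedRegion": "eu-west-1", "aws:SourceVpce": "vpce-EXAMPLE",
            "aws:SourceVpc": "vpc-EXAMPLE", "aws:ViaAWSService": "false"}  # no aws:SourceIp
SERVICE_CALL = {"aws:RequestedRegion": "eu-west-1", "aws:SourceIp": "198.51.100.7",
                "aws:ViaAWSService": "true"}

if __name__ == "__main__":
    for label, ctx in [("cli in range", CLI_IN_RANGE), ("cli outside", CLI_OUTSIDE),
                       ("via vpce", VIA_VPCE), ("service call", SERVICE_CALL)]:
        print(f"{label:13} denied by {denied_by(ctx)}")
```

Two outcomes are worth checking against your own policies: the request through the VPC endpoint is denied by the source IP statement because aws:SourceIp is absent and NotIpAddress matches a missing key, and every request that does not come through the endpoint (console and CLI included) is denied by the aws:SourceVpce bucket policy statement for the same reason.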


Related information

AWS service endpoints

AWS global condition context keys

VPC endpoints

AWS OFFICIAL, updated 2 years ago