Managing bucket permissions for IP addresses or ranges of IP

You can stipulate which IP addresses or IP ranges have access or permission to perform operations on your buckets by creating a bucket policy with the IpAddress or NotIpAddress conditions.

It is possible to Allow actions for a specific IP address or range of IPs, using the IpAddress condition and the aws:SourceIp condition key.

Before you startLink to this anchor

To complete the actions presented below, you must have:

• A Scaleway account logged into the console
• Owner status or IAM permissions allowing you to perform actions in the intended Organization
• A valid API key
• An Object Storage bucket

In the example below, we allow the 192.0.2.0/24 IP range to perform the s3:ListBucket and s3:GetObject actions.

{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my Instances",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "198.51.100.0/24"
        }
      }
    }
  ]
}

Alternatively, you can block certain IP addresses or IP address ranges from performing actions on your bucket:

{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my Instances",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "2001:db8::/32"
        }
      }
    }
  ]
}