0x00 TL;DR

This document records how to set up an S3 bucket policy so that the bucket can only be accessed from a specified IP address.
The bucket policy denies every S3 operation unless the request comes from the specified IP.

0x01 Policy

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws-cn:s3:::testtonghua/*",
                "arn:aws-cn:s3:::testtonghua"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "54.222.177.177/32"
                }
            }
        }
    ]
}

With this policy in place, the S3 bucket can only be accessed when the request's source IP is 54.222.177.177.

Note: Please confirm that the specified IP is a static IP. If you use a dynamic IP, there is a risk that the S3 bucket will become inaccessible once the IP changes; if that happens, you need to contact AWS Support to revoke the policy.
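The following is an added example, not part of the original post: it builds the deny-unless-IP policy shown above, validates each CIDR, and evaluates the NotIpAddress condition locally so you can check that your own address is still allowed before applying the policy (the apply step assumes boto3 and a client with s3:PutBucketPolicy; bucket name and CIDRs are placeholders).

```python
import ipaddress
import json

# Added example (not from the original post). Bucket name and CIDRs below are
# placeholders taken from the post; replace them with your own values.

def build_ip_restricted_policy(bucket, allowed_cidrs, partition="aws-cn"):
    """Build the Deny-unless-source-IP policy. strict=True rejects CIDRs with
    host bits set (e.g. 54.222.177.177/24), a common cause of accidental lockout."""
    cidrs = [str(ipaddress.ip_network(c, strict=True)) for c in allowed_cidrs]
    return {
        "Version": "2012-10-17",
        "Id": "S3PolicyId1",
        "Statement": [{
            "Sid": "IPAllow",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:{partition}:s3:::{bucket}/*",
                         f"arn:{partition}:s3:::{bucket}"],
            "Condition": {"NotIpAddress": {"aws:SourceIp": cidrs}},
        }],
    }

def is_denied(policy, source_ip):
    """Local evaluation of the NotIpAddress condition: True if the explicit Deny
    applies to a request from source_ip (i.e. the IP matches none of the CIDRs)."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cidrs = stmt["Condition"]["NotIpAddress"]["aws:SourceIp"]
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        if not any(ip in ipaddress.ip_network(c) for c in cidrs):
            return True
    return False

def apply_policy(bucket, policy, my_ip):
    """Refuse to apply a policy that would deny the caller's own egress IP.
    Assumes boto3 is installed and credentials allow s3:PutBucketPolicy."""
    if is_denied(policy, my_ip):
        raise RuntimeError(f"{my_ip} is not in the allow list; refusing to lock the bucket")
    import boto3  # imported here so the checks above work without boto3
    boto3.client("s3").put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))

if __name__ == "__main__":
    policy = build_ip_restricted_policy("testtonghua", ["54.222.177.177/32"])
    print(json.dumps(policy, indent=2))
    print(is_denied(policy, "54.222.177.177"), is_denied(policy, "54.222.177.178"))
```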

0x02 Reference