How can I Restrict S3 Bucket Uploads to Specific Client IP Addresses?


I'm implementing a bucket policy to allow only specific IP addresses to upload objects and make requests to my S3 bucket. Here's the policy I've set up:

{
    "Version": "2012-10-17",
    "Id": "my_policy_id",
    "Statement": [
        {
            "Sid": "my_sid",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::testbucket/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "203.0.113.45/32"
                }
            }
        }
    ]
}

However, when I upload an object from a device using the public IP address placed in the policy, it gives me an AccessDenied error. And when checking the AWS S3 access log, I got this log entry that states the PUT request comes from the IP address 15.236.X.X, which is probably an AWS server (e.g. a load balancer).

Here is the log (with sensitive information hidden):

e92b220a3fe2f81face90796921ec9cdfb07349f2e79acb1f53a5aa5ce26 testbucket [08/Nov/2023:13:45:39 +0000] 15.236.X.X arn:aws:iam::[AWS Account ID]:user/[IAM User] REST.PUT.OBJECT foo.txt "PUT /foo.txt HTTP/1.1" 200 - - 0 30 10 "-" "[User-Agent Header] Resource" -[Request Authorization Header] SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader testbucket.s3.eu-central-1.amazonaws.com TLSv1.2 - -

Is there a way to limit S3 bucket uploads to only allow specific client IP addresses?

I got information about the IP address in the log from this page: https://en.ntunhs.net/IPInfo/EN/15/236.htm

Edit1: I didn't set up any load balancer in the entire account.
Edit2: The IP in the config is a dummy one, and a Lambda function gets triggered when an object is uploaded.

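One way to compare the source address S3 recorded for each request with the CIDRs exempted by the policy's `NotIpAddress` condition. This is an added example, not part of the original question: the log lines, the `OWNERID`/`REQID` values, the account ID and the user name are constructed, and `allowed_networks` and `classify` are hypothetical helper names.

```python
import ipaddress
import json
import re

# The question's policy, unchanged (203.0.113.45 is the asker's dummy address).
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "my_sid",
  "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::testbucket/*",
  "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.45/32"}}}]}""")

# Constructed log lines in the S3 server access log layout (not real traffic).
SAMPLE_LOG = """\
OWNERID testbucket [08/Nov/2023:13:45:39 +0000] 203.0.113.45 arn:aws:iam::111122223333:user/alice REQID0001 REST.PUT.OBJECT foo.txt "PUT /foo.txt HTTP/1.1" 200 - - 30 10 9 "-" "aws-cli" -
OWNERID testbucket [08/Nov/2023:13:46:02 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/alice REQID0002 REST.PUT.OBJECT bar.txt "PUT /bar.txt HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "aws-cli" -
OWNERID testbucket [08/Nov/2023:13:47:10 +0000] 15.236.X.X arn:aws:iam::111122223333:user/alice REQID0003 REST.PUT.OBJECT baz.txt "PUT /baz.txt HTTP/1.1" 200 - - 30 10 9 "-" "aws-cli" -
"""

# Fields: owner, bucket, [time], remote IP, requester, request ID, operation, key, "URI", status, error.
LINE_RE = re.compile(
    r'^\S+ (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'\S+ (?P<op>\S+) (?P<key>\S+) "[^"]*" (?P<status>\S+) (?P<error>\S+)')

def allowed_networks(policy):
    """CIDRs exempted by Deny statements that use NotIpAddress on aws:SourceIp."""
    nets = []
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("NotIpAddress", {})
        values = cond.get("aws:SourceIp", [])
        if stmt.get("Effect") == "Deny" and values:
            values = [values] if isinstance(values, str) else values
            nets += [ipaddress.ip_network(v, strict=False) for v in values]
    return nets

def classify(log_text, policy):
    """Return (ip, operation, status, verdict) per log line; IP comparison only."""
    nets, rows = allowed_networks(policy), []
    for line in log_text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
            verdict = "exempt" if any(ip in n for n in nets) else "deny-matches"
        except ValueError:  # masked ("15.236.X.X") or "-" remote IP field
            verdict = "unparseable-ip"
        rows.append((m["ip"], m["op"], m["status"], verdict))
    return rows

if __name__ == "__main__":
    for row in classify(SAMPLE_LOG, POLICY):
        print(*row, sep="\t")
```

The verdict reflects only the address comparison against the policy's CIDR list, not a full policy evaluation; run it over unmasked log lines to get a verdict for every request.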