S3 Bucket Policy to only allow access from VPC endpoint and external IP of your office/datacenter firewall - blocks public Internet access completely (unless your source IP matches):
{
"Version": "2012-10-17",
"Id": "Policy1415115909152",
"Statement": [
{
"Sid": "Access-to-specific-VPCE-and-IP",
"Action": "s3:*",
"Effect": "Deny",
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"142.53.7.219\/32"
]
},
"StringNotEquals": {
"aws:sourceVpce": "vpce-0c3ddb65"
}
},
"Principal": "*"
}
]
}IAM policy that allows the recipient access to a specific bucket. Works for Cloudberry Explorer and may be useful for other similar tools and backup software. Replace ${bucket-name} with the actual name of the bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*",
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::${bucket-name}",
"Effect": "Allow"
},
{
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::${bucket-name}\/*",
"Effect": "Allow"
}
]
}Copyright 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/