# Enforcing IP Restrictions

This guide shows you how to restrict access to a bucket using IAM policies that only allow access from specific IP addresses or IP ranges.

## Use Case

Grant read-only access to an S3 bucket—but only from trusted IPs such as a corporate VPN or known static address.

## Example Policy

The following policy allows listing and reading from the `images` bucket only if the request comes from the IP address `1.2.3.4` or the CIDR block `203.0.113.0/24`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IpRestrictedReads1",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::images", "arn:aws:s3:::images/*"],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "1.2.3.4"
        }
      }
    },
    {
      "Sid": "IpRestrictedReads2",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::images", "arn:aws:s3:::images/*"],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```

## Explanation

| Field       | Description                                                                         |
| ----------- | ----------------------------------------------------------------------------------- |
| `Action`    | Grants `s3:GetObject` (for reading objects) and `s3:ListBucket` (for listing keys). |
| `Resource`  | Targets both the bucket and the objects within it.                                  |
| `Condition` | Restricts access to the specified IPs using `IpAddress`.                            |

To explicitly deny access from all other IPs, add a statement with `"Effect": "Deny"` that uses the `NotIpAddress` condition operator instead of `IpAddress`.
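To see how the `IpAddress` and `NotIpAddress` operators decide a request, the following script is an added example (not part of this guide or of any provider's policy engine) that simulates the relevant slice of policy evaluation: it loads the example policy above, appends a constructed `Deny` statement with `NotIpAddress`, and reports whether a given source IP and action would be allowed, explicitly denied, or implicitly denied. The `evaluate` function, the `DENY_OTHERS_POLICY` document and the sample IPs are assumptions made for the example; only `aws:SourceIp` is modelled, and resource and principal matching are deliberately left out.

```python
"""Minimal simulator for IAM IP-based conditions (added example, not the guide's code).

Implements only what is needed to reason about `aws:SourceIp`:
  * a statement applies when its Action matches and its Condition holds,
  * an explicit Deny wins over any Allow,
  * a request matching no statement is implicitly denied.
The real service evaluates the source address it actually observes, so a
client behind NAT or a proxy is seen with the shared egress IP, not its own.
"""
import ipaddress
import json

# The policy from the guide, verbatim.
PAGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "IpRestrictedReads1", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::images", "arn:aws:s3:::images/*"],
     "Condition": {"IpAddress": {"aws:SourceIp": "1.2.3.4"}}},
    {"Sid": "IpRestrictedReads2", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::images", "arn:aws:s3:::images/*"],
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
  ]
}
""")

# Constructed variant: same Allow statements plus an explicit Deny for every other IP.
DENY_OTHERS_POLICY = {
    "Version": "2012-10-17",
    "Statement": PAGE_POLICY["Statement"] + [
        {"Sid": "DenyOtherIps", "Effect": "Deny",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::images", "arn:aws:s3:::images/*"],
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["1.2.3.4", "203.0.113.0/24"]}}}
    ],
}


def _as_list(value):
    """Policy fields accept a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches_ip(patterns, source_ip):
    """True if source_ip falls inside any of the given addresses or CIDR blocks."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in _as_list(patterns))


def _condition_holds(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp; other keys are ignored."""
    for operator, keys in condition.items():
        patterns = keys.get("aws:SourceIp")
        if patterns is None:
            continue
        if operator == "IpAddress" and not _matches_ip(patterns, source_ip):
            return False
        if operator == "NotIpAddress" and _matches_ip(patterns, source_ip):
            return False
    return True


def evaluate(policy, action, source_ip):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    outcome = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        if action not in actions and "*" not in actions:
            continue
        if not _condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny overrides any Allow
        outcome = "Allow"
    return outcome


if __name__ == "__main__":
    # Constructed sample requests: the two trusted sources plus an outsider.
    for ip in ("1.2.3.4", "203.0.113.77", "198.51.100.9"):
        print(ip, "page policy ->", evaluate(PAGE_POLICY, "s3:GetObject", ip),
              "| with Deny ->", evaluate(DENY_OTHERS_POLICY, "s3:GetObject", ip))
```

The difference between the two policies only shows up when other policies are in play: with the page's policy alone, an outside IP is merely not granted anything (implicit deny), so another policy attached to the same principal could still allow the read; the `Deny` + `NotIpAddress` statement makes the refusal explicit and cannot be overridden by an `Allow` elsewhere.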
