deny and allow access to s3 bucket

 https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html

{ "Id":"PolicyId2", "Version":"2012-10-17", "Statement":[ { "Sid":"AllowIPmix", "Effect":"Allow", "Principal":"*", "Action":"s3:*", "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" ], "Condition": { "IpAddress": { "aws:SourceIp": [ "54.240.143.0/24", "2001:DB8:1234:5678::/64" ] }, "NotIpAddress": { "aws:SourceIp": [ "54.240.143.128/30", "2001:DB8:1234:5678:ABCD::/80" ] } } } ] }

https://s3tools.org/kb/item10.htm

How to restrict access to a bucket to specific IP addresses

To secure our files on Amazon S3, we can restrict access to a S3 bucket to specific IP addresses. The following bucket policy grants permissions to any user to perform any S3 action on objects in the specified bucket. However, the request must originate from the range of IP addresses specified in the condition. The condition in this statement identifies 192.168.143.* range of allowed IP addresses with one exception, 192.168.143.188. {     "Version": "2012-10-17",     "Id": "S3PolicyIPRestrict",     "Statement": [         {             "Sid": "IPAllow",             "Effect": "Allow",             "Principal": {                 "AWS": "*"             },             "Action": "s3:*",             "Resource": "arn:aws:s3:::bucket/*",             "Condition" : {                 "IpAddress" : {                     "aws:SourceIp": "192.168.143.0/24"                 },                 "NotIpAddress" : {                     "aws:SourceIp": "192.168.143.188/32"                 }             }         }     ] } The IPAddress and NotIpAddress values specified in the condition uses CIDR notation described in RFC 2632. For more information, go to http://www.rfc-editor.org/rfc/rfc4632.txt