Overview
Amazon S3 buckets can be used to host data that must remain accessible to specific external services (e.g., academic collaborators, public research platforms) while avoiding unrestricted public access. This document outlines a recommended approach for restricting S3 bucket access to specific IP address ranges.
When This Approach Is Appropriate
Use an S3 bucket policy to restrict access to specific IP ranges when:
- Data must be readable without AWS credentials (e.g., by third‑party services).
- Access should be limited to:
  - Known external service IP ranges (e.g., UCSC Genome Browser)
  - Northwestern University networks (e.g., VPN, campus IP addresses)
- Traditional IAM-based access (roles/users) is not feasible.
This approach is not recommended for:
- Sensitive or regulated data (Level 2 or higher, PHI, HIPAA, FERPA, etc.)
- Write access (uploads, deletes)
- Scenarios where audience IPs cannot be reliably enumerated
Example Use Case
A research group hosts genomic track files in S3 that must be readable by:
- UCSC Genome Browser backend services
- Northwestern researchers accessing data over VPN
At the same time, the bucket must not be accessible to the general public.
Sample Bucket Policy
The following policy allows object-level read access (s3:GetObject) only when the request originates from an approved IP range: UCSC's Genome Browser servers (128.114.119.0/24) and Northwestern's public IP blocks (129.105.0.0/16 and 165.124.0.0/16). Requests from any other address receive an access-denied response, exactly as if the bucket were private.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PrincipalGetObjectIfIpAddress",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<BUCKETNAME>/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "128.114.119.0/24",
            "129.105.0.0/16",
            "165.124.0.0/16"
          ]
        }
      }
    }
  ]
}
```
Key Notes
- Principal: "*" is acceptable only because every request must also satisfy the aws:SourceIp condition. Without the Condition block this statement would make the bucket world-readable.
- Replace <BUCKETNAME> with the actual bucket name.
- aws:SourceIp is matched against the public IP address from which the request reaches S3. Requests that pass through a proxy, NAT, or CDN arrive from that intermediary's address, and requests through an S3 VPC endpoint are matched with aws:VpcSourceIp instead, so test from the real client path. Clients that connect over IPv6 need their IPv6 ranges listed separately.
- Anyone on an approved network can read the data, not only the intended service or research group. This is why the approach is limited to low-sensitivity data.
- Because access is limited to fixed IP ranges, AWS does not classify this policy as public, so S3 Block Public Access can remain enabled on the bucket. Never add 0.0.0.0/0 or ::/0 to the list; that makes the policy public and defeats the control.
- IP ranges must be reviewed periodically for accuracy; external providers change their address blocks without notice.
IMPORTANT: This policy does not allow bucket listing (s3:ListBucket). It allows read access only to objects whose exact key or URL is already known.
Add s3:ListBucket only if users or applications need to browse, enumerate, or discover objects in the bucket. s3:ListBucket applies to the bucket itself, so it must be granted on arn:aws:s3:::<BUCKETNAME> (no trailing /*) in a statement that carries the same IpAddress condition.
Validation Checklist
After the policy is applied, verify:
- External services (e.g., UCSC Genome Browser) function as expected, tested through the service itself rather than only from a browser on campus
- Access works from Northwestern VPN
- Access fails from non-approved public networks (requesting an object URL from an outside network returns HTTP 403)
- No write or delete permissions are unintentionally granted (an unauthenticated upload or delete from an approved network is refused)
- aws s3api get-bucket-policy-status --bucket <BUCKETNAME> reports "IsPublic": false, and S3 Block Public Access remains enabled on the bucket
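As an added example, not part of the original page and not a Northwestern IT tool, the following Python script builds the sample policy above for a given bucket name, refuses an all-addresses range, and then evaluates the checklist cases against the policy document using a simplified model of IAM policy evaluation (Allow and Deny statements, exact or trailing-wildcard matching, and the IpAddress / NotIpAddress conditions on aws:SourceIp). The bucket name, object key and client IP addresses are constructed for illustration; the approved ranges are the ones from the sample policy. It checks the policy document offline, so it complements, and does not replace, testing from each real network.

```python
"""Build the IP-restricted S3 bucket policy and evaluate sample requests
against it locally before applying it with the AWS CLI or console.

Added example. Bucket name, object key and client IPs below are
constructed for illustration; the CIDR list is the page's sample policy.
"""
import ipaddress
import json

# Approved ranges from the sample policy: UCSC Genome Browser and Northwestern blocks.
APPROVED_RANGES = ["128.114.119.0/24", "129.105.0.0/16", "165.124.0.0/16"]


def build_policy(bucket, ranges):
    """Return the bucket policy as a dict with <BUCKETNAME> substituted.

    Every range must parse as a valid CIDR, and an all-addresses range is
    refused because it would turn this into a public-read policy.
    """
    for cidr in ranges:
        net = ipaddress.ip_network(cidr)  # ValueError on a malformed CIDR
        if net.prefixlen == 0:
            raise ValueError(f"{cidr} allows every address; policy would be public")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PrincipalGetObjectIfIpAddress",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"IpAddress": {"aws:SourceIp": list(ranges)}},
            }
        ],
    }


def _matches(pattern, value):
    """IAM-style match for actions and resources: exact, or a trailing '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _ip_in_any(ip, cidrs):
    # strict=False mirrors lenient CIDR handling; IPv4 vs IPv6 never match.
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def is_allowed(policy, action, resource, source_ip):
    """Simplified evaluation of an anonymous request.

    Allowed only if some Allow statement matches action, resource and the
    aws:SourceIp condition; an explicit Deny that matches wins outright.
    Other condition keys are not modelled.
    """
    ip = ipaddress.ip_address(source_ip)
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        cond = stmt.get("Condition", {})
        in_ranges = _as_list(cond.get("IpAddress", {}).get("aws:SourceIp", []))
        if in_ranges and not _ip_in_any(ip, in_ranges):
            continue
        out_ranges = _as_list(cond.get("NotIpAddress", {}).get("aws:SourceIp", []))
        if out_ranges and _ip_in_any(ip, out_ranges):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def validate(policy, bucket):
    """Run the checklist cases and return {case_name: allowed}.

    Client IPs are constructed samples (203.0.113.0/24 is documentation space).
    """
    obj = f"arn:aws:s3:::{bucket}/tracks/sample.bigWig"
    cases = {
        "ucsc_get": ("s3:GetObject", obj, "128.114.119.131"),
        "nu_vpn_get": ("s3:GetObject", obj, "165.124.10.20"),
        "outside_get": ("s3:GetObject", obj, "203.0.113.7"),
        "ucsc_list": ("s3:ListBucket", f"arn:aws:s3:::{bucket}", "128.114.119.131"),
        "nu_put": ("s3:PutObject", obj, "129.105.1.1"),
        "nu_delete": ("s3:DeleteObject", obj, "129.105.1.1"),
    }
    return {name: is_allowed(policy, *req) for name, req in cases.items()}


if __name__ == "__main__":
    policy = build_policy("example-genomics-tracks", APPROVED_RANGES)
    print(json.dumps(policy, indent=2))
    for case, ok in validate(policy, "example-genomics-tracks").items():
        print(f"{case:12s} {'ALLOW' if ok else 'DENY'}")
```

Only the three GetObject-from-approved-range cases are allowed; the listing, upload and delete cases are denied even from approved networks, which is the outcome the checklist expects. The evaluator is deliberately narrow (no aws:VpcSourceIp, no other condition keys), so a pass here still needs confirming with a real request from each network.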
Implementation Support Model
Researchers may:
- Apply the policy themselves if comfortable with AWS S3
- Request assistance from Northwestern IT
Northwestern IT is available to:
- Review proposed bucket policies
- Help with implementation
- Validate access and troubleshoot issues
Recommended Next Steps
If you believe this approach suits your use case:
- Identify required external service IP ranges
- Determine whether Northwestern VPN access is needed
- Apply an S3 bucket access policy based on the above example
- Open a service desk ticket for Northwestern IT if needed