Post by Florin Gruber, June 2025

How to: S3 Request Conditions

With S3 and therefore also with our Swiss S3 Storage, you have access to the comprehensive capabilities of S3 Request Conditions. S3 Request Conditions can be defined in the S3 (IAM) User Policy and enable additional, granular control over S3 requests.

What are S3 Request Conditions?

S3 Request Conditions allow you to control specific S3 actions or S3 action collections through additional conditions. Request Conditions examine the S3 request itself rather than the called S3 action. With S3 Request Conditions, requests are additionally checked for things like time, UserID, IP address (of the client), User-Agent, Object-Lock-mode, etc.

In our Swiss S3 Storage offering, the following S3 Condition Keys are available:

For these condition keys, the operators Equals, NotEquals, Like and NotLike are available (Like accepts wildcards, e.g. "user-*" if usernames must start with "user-"), and some keys support additional operators.

Examples of S3 Request Conditions

Example of a policy that denies all S3 actions except those coming from allowed IP addresses.

Example
S3 IAM Policy with Request Condition: Deny all, except for specific IP addresses:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "B1-deny-except-SourceIP",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::EXAMPLEBUCKET",
        "arn:aws:s3:::EXAMPLEBUCKET/*"
      ],
      "Condition": {
        "ForAnyValue:NotIpAddress": {
          "aws:SourceIp": [
            "11.11.11.11/32",
            "22.22.22.22/32"
          ]
        }
      }
    }
  ]
}

The same policy can also be written in reverse, not by denying everything if the IP doesn't match the SourceIP, but by allowing everything only when the SourceIP matches.

Example
S3 IAM Policy: Allow all, but only for permitted IP addresses:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "B1-allow-only-for-SourceIP",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::EXAMPLEBUCKET",
        "arn:aws:s3:::EXAMPLEBUCKET/*"
      ],
      "Condition": {
        "ForAnyValue:IpAddress": {
          "aws:SourceIp": [
            "11.11.11.11/32",
            "22.22.22.22/32"
          ]
        }
      }
    }
  ]
}

Tip: An IP range is defined as follows:

[...]
          "aws:SourceIp": [
            "103.15.250.0/24",
            "12.148.72.0/23"
          ]
[...]

Example
S3 Request Condition: Allow only Governance Mode for objects:

This condition is suitable when a bucket has been created with Object Lock enabled, but users should only be able to write objects in Governance Mode despite having Object Lock permissions. We check for NotEquals = COMPLIANCE because we want to allow both objects with an explicit Object Lock and objects with an implicit Object Lock (inherited from the bucket); requests for the latter carry no s3:object-lock-mode value, which an Equals check would reject.

[...]
      "Action": "s3:*",
      "Effect": "Allow",
      "Condition": {
        "StringNotEqualsIgnoreCase": {
          "s3:object-lock-mode": "COMPLIANCE"
        }
      },
[...]

If you want to allow only objects with an explicit Object Lock in Governance Mode, i.e. neither Compliance nor null (no Object Lock mode in the request), the above policy can be adjusted to StringEqualsIgnoreCase: GOVERNANCE.
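To see how the two IP policies above and the Object Lock condition behave for concrete requests, here is a small policy evaluator added to this article; it is not the evaluation logic of the Swiss S3 Storage or Dell ECS, and it assumes AWS-style semantics in which an explicit Deny beats any Allow and a condition key missing from the request satisfies a Not* string operator. The bucket name and IP addresses are the article's placeholders.

```python
import fnmatch
import ipaddress

def _lst(v):
    return v if isinstance(v, list) else [v]

def _condition_true(operator, ctx_value, policy_values):
    # Drop a ForAnyValue:/ForAllValues: set prefix; aws:SourceIp carries one value per request.
    operator = operator.split(":")[-1]
    if operator in ("IpAddress", "NotIpAddress"):
        hit = ctx_value is not None and any(
            ipaddress.ip_address(ctx_value) in ipaddress.ip_network(c) for c in policy_values)
        return hit if operator == "IpAddress" else not hit
    if operator == "StringEqualsIgnoreCase":
        return ctx_value is not None and any(ctx_value.lower() == p.lower() for p in policy_values)
    if operator == "StringNotEqualsIgnoreCase":
        # Absent key (implicit, bucket-inherited Object Lock) satisfies a Not* condition.
        return ctx_value is None or all(ctx_value.lower() != p.lower() for p in policy_values)
    raise ValueError(f"unsupported operator {operator}")

def _statement_matches(stmt, action, resource, ctx):
    if not any(fnmatch.fnmatchcase(action, a) for a in _lst(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _lst(stmt["Resource"])):
        return False
    return all(_condition_true(op, ctx.get(key), _lst(vals))
               for op, keys in stmt.get("Condition", {}).items() for key, vals in keys.items())

def evaluate(policies, action, resource, ctx):
    """Return 'Allow', 'Deny' or 'ImplicitDeny'. An explicit Deny beats any Allow."""
    decision = "ImplicitDeny"
    for stmt in (s for p in policies for s in p["Statement"]):
        if _statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

# Constructed policies mirroring the article's examples (placeholder bucket name and IPs).
BUCKET = ["arn:aws:s3:::EXAMPLEBUCKET", "arn:aws:s3:::EXAMPLEBUCKET/*"]
ALLOWED_IPS = ["11.11.11.11/32", "22.22.22.22/32"]
DENY_EXCEPT_IP = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": BUCKET,
    "Condition": {"ForAnyValue:NotIpAddress": {"aws:SourceIp": ALLOWED_IPS}}}]}
ALLOW_ONLY_IP = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET,
    "Condition": {"ForAnyValue:IpAddress": {"aws:SourceIp": ALLOWED_IPS}}}]}
GOVERNANCE_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject", "Resource": BUCKET,
    "Condition": {"StringNotEqualsIgnoreCase": {"s3:object-lock-mode": "COMPLIANCE"}}}]}
```

Run against a request from an unlisted IP, the Deny variant returns an explicit Deny, while the Allow-only variant simply grants nothing; the Deny variant on its own never grants access either, so it only makes sense together with a separate Allow.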

Example
S3 Request Conditions: Allow operations only on specific folders:

[...]
      "Action": "s3:*",
      "Effect": "Allow",
      "Condition": {
        "StringLike": {
          "s3:prefix": "temp/prod/tests/*"
        }
      },
[...]

Operations can also be restricted to specific folders by limiting the "Resource" accordingly. This way, the actions only apply to these resources:

[...]
      "Resource": [
        "arn:aws:s3:::EXAMPLEBUCKET/myfolder/test/*"
      ]
[...]

The Backup ONE Policy Generator

With the Backup ONE S3 Policy Generator, you can easily generate common IAM user policies. Select your bucket name and desired policy. Copy the result (JSON) into your policy editor and assign the policy to the desired user. If you have any questions, please contact us.

Combining S3 Request Conditions and S3 Actions – The Right Policy Defines Security

The policies above are for demonstration purposes only: they allow all S3 actions (s3:*) whenever the condition matches, which is not recommended in production. This article focused on S3 Request Conditions; in production, they should always be combined with a restricted set of allowed S3 actions (e.g. only PutObject).

Need Help Defining S3 Request Conditions for Dell ECS?

Correct S3 IAM policies following least-privilege principles and maximally restricted permissions on S3 actions significantly increase the security of your S3 environment. We are here to help. Our S3 Storage experts look forward to your contact.