Data protection

IP whitelisting

IP whitelisting is a way of giving access to your data to specific, trusted, and pre-approved IP addresses. This increases the security of your data and ensures safe remote access.

How can I restrict access to my S3 bucket by IP address?

To give access to your S3 bucket to a specific IP address, you need to create a policy for your S3 bucket or edit it if you already have one.

Policy example

The following policy grants access to requests that come from the IP ranges listed under aws:SourceIp, such as 54.240.143.0/24. Requests from those addresses can access the bucket and objects stated in Resource. Replace the values in Resource and IpAddress with your own values, then create or edit the policy of your bucket.

{
    "Version": "2012-10-17",
    "Id": "S3Allowlisting",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": ["54.240.143.0/24", "203.0.113.0/24"]
                }
            }
        }
    ]
}

Statement key

Since the statement key is an array, you can add multiple statements for different files and folders.

Condition block

The condition block consists of the IpAddress condition operator and the aws:SourceIp condition key.

The aws:SourceIp condition key is an AWS-wide condition key. Learn more about condition keys.

IPv4 values of aws:SourceIp use standard CIDR notation. For more information, check out the IAM JSON policy elements reference.
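
A pre-deployment check for a policy of this shape, as an added example (not SuperAnnotate or AWS code): it validates each aws:SourceIp value as CIDR, flags ranges that match every address, and tests whether a given client address would satisfy the condition. The function names and the sample policy are constructed for illustration, and only the IpAddress operator is handled.

```python
import ipaddress
import json

# Constructed sample: one valid range, one malformed CIDR, one world-open range.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "IPAllow", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
    "Condition": {"IpAddress": {"aws:SourceIp":
      ["54.240.143.0/24", "53.456.987.0/87", "0.0.0.0/0"]}}
  }]}""")

def source_ip_values(statement):
    """Return the statement's aws:SourceIp values as a list (may be empty)."""
    cond = statement.get("Condition", {}).get("IpAddress", {})
    values = cond.get("aws:SourceIp", [])
    return [values] if isinstance(values, str) else list(values)

def parse_cidr(value):
    """Return an ip_network for value, or None if it is not valid CIDR."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None

def lint_policy(policy):
    """Return (sid, value, problem) tuples for invalid or over-broad entries."""
    findings = []
    statements = policy["Statement"]
    for st in [statements] if isinstance(statements, dict) else statements:
        sid, values = st.get("Sid", "<no Sid>"), source_ip_values(st)
        public = st.get("Principal") in ("*", {"AWS": "*"})
        if st.get("Effect") == "Allow" and public and not values:
            findings.append((sid, None, "public Allow without aws:SourceIp"))
        for value in values:
            net = parse_cidr(value)
            if net is None:
                findings.append((sid, value, "not a valid CIDR"))
            elif net.prefixlen == 0:
                findings.append((sid, value, "matches every address"))
    return findings

def ip_matches(statement, ip):
    """True if ip falls inside any valid aws:SourceIp range of the statement."""
    addr = ipaddress.ip_address(ip)
    nets = (parse_cidr(v) for v in source_ip_values(statement))
    return any(net is not None and addr in net for net in nets)
```

Run lint_policy on the policy JSON before pasting it into the console; an empty list means every aws:SourceIp entry parsed and none of them covers the whole address space.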

How can I create or edit the policy of my S3 bucket?

To create or edit an S3 bucket’s policy:

  1. Go to your Amazon S3 console.
  2. Go to the bucket where you want to create a policy.
  3. Select the Permissions tab.
  4. Click Edit next to Bucket policy.
  5. Add or edit the policy as explained here.
  6. Click Save changes.

Signed URLs

Signed URLs contain additional information, such as expiration dates, that gives you control over access to your data. You can use signed URLs to control multiple access parameters over your data on the cloud.

To make your data more secure, add access restrictions to it, including IP whitelisting and an expiration date.

Retrieve the signed URLs from your cloud storage:

You can use a VPN to give remote teams access to your cloud data:

On-prem data storage

SuperAnnotate can help Enterprise users install an on-prem infrastructure on their hardware to use their data stored in local storage. Contact us for more information.

