A bucket policy that denies access to anyone not coming from the specified IP addresses. Used in combination with IAM groups that grant access to S3, the net result is that users get exactly the access their group allows, but only when they are coming from one of the IP addresses listed in this policy, which is attached to the bucket. Using an "Allow" policy instead, as in Amazon's example, would give anyone coming from those IPs full access to the bucket, effectively defeating the purpose of the group-based policies.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "XXX.XXX.XXX.XXX/32",
            "YYY.YYY.YYY.YYY/24"
          ]
        }
      }
    }
  ]
}
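To show why the Deny form composes with group permissions while the Allow form does not, here is a small evaluator that applies the one IAM rule that matters here: an explicit Deny in any applicable policy overrides every Allow, and a request with no matching Allow is implicitly denied. This is an added example, not code from the original post or from AWS; it models only `IpAddress`/`NotIpAddress` on `aws:SourceIp` and ignores principal matching, SCPs and permission boundaries. The bucket name, the RFC 5737 documentation ranges standing in for the XXX/YYY placeholders, and the read-only group policy are all constructed for the example.

```python
"""Toy IAM evaluator for the Deny-unless-trusted-IP bucket policy pattern."""
import fnmatch
import ipaddress

BUCKET = "example-bucket"                        # assumed bucket name
TRUSTED_CIDRS = ["203.0.113.10/32", "198.51.100.0/24"]  # constructed stand-ins for XXX/YYY
ALL_BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# The Deny policy from the page, placeholders filled in.
DENY_OUTSIDE_IPS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ALL_BUCKET_ARNS,
    "Condition": {"NotIpAddress": {"aws:SourceIp": TRUSTED_CIDRS}},
}]}

# The Allow-style variant the text warns against (Amazon's example, in outline).
ALLOW_FROM_IPS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": ALL_BUCKET_ARNS,
    "Condition": {"IpAddress": {"aws:SourceIp": TRUSTED_CIDRS}},
}]}

# A constructed identity policy, as an IAM group might carry it.
READ_ONLY_GROUP = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ALL_BUCKET_ARNS,
}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _ip_in(cidrs, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _condition_holds(cond, source_ip):
    # Only the two IP operators used by this pattern are modelled.
    for op, kv in cond.items():
        hit = _ip_in(kv.get("aws:SourceIp", []), source_ip)
        if op == "IpAddress":
            if not hit:
                return False
        elif op == "NotIpAddress":
            if hit:
                return False
        else:
            raise ValueError(f"unsupported condition operator: {op}")
    return True


def _statement_applies(stmt, action, resource, source_ip):
    # Action names are case-insensitive in IAM; resource ARNs are not.
    actions = [a.lower() for a in _as_list(stmt["Action"])]
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), source_ip)


def evaluate(policies, action, resource, source_ip):
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request.

    `policies` are the identity and resource policies that apply to the
    requester. Any applicable Deny wins outright; otherwise at least one
    applicable Allow is needed, else the request is implicitly denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, resource, source_ip):
                if stmt["Effect"] == "Deny":
                    return "explicit deny"
                allowed = True
    return "allow" if allowed else "implicit deny"


def compare_patterns():
    """Same requests under the Deny pattern and under the Allow pattern."""
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    office, cafe = "198.51.100.7", "192.0.2.44"   # constructed: inside / outside the trusted ranges
    with_group = [DENY_OUTSIDE_IPS, READ_ONLY_GROUP]
    return {
        "deny_pattern": {
            "reader_get_from_office": evaluate(with_group, "s3:GetObject", obj, office),
            "reader_put_from_office": evaluate(with_group, "s3:PutObject", obj, office),
            "reader_get_from_cafe": evaluate(with_group, "s3:GetObject", obj, cafe),
            "no_group_get_from_office": evaluate([DENY_OUTSIDE_IPS], "s3:GetObject", obj, office),
        },
        "allow_pattern": {
            "no_group_delete_from_office": evaluate([ALLOW_FROM_IPS], "s3:DeleteObject", obj, office),
            "no_group_delete_from_cafe": evaluate([ALLOW_FROM_IPS], "s3:DeleteObject", obj, cafe),
        },
    }


if __name__ == "__main__":
    for pattern, results in compare_patterns().items():
        for case, verdict in results.items():
            print(f"{pattern:14} {case:28} {verdict}")
```

Under the Deny pattern the reader gets only what the group grants, and only from a trusted address; a user with no group permissions gets nothing even from the office. Under the Allow pattern that same permissionless user can delete objects from the office address, which is the problem the post describes. Two things to keep in mind before attaching the Deny version: it binds every principal, including administrators and any automation whose egress address is not in the list, so the ranges must cover everything that legitimately needs the bucket; and if the list turns out to be wrong, the account root user can still remove the bucket policy, since S3 always lets the root user call DeleteBucketPolicy.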