Learn how to configure Cloudflare S3 bucket policy with real commands, working JSON code, and step-by-step setup for a secure and efficient AWS configuration. Our AWS Live Support team is always here to help you.
How to Secure AWS Access with a Cloudflare S3 Bucket Policy
Every website owner knows how critical it is to keep storage access secure. Using a Cloudflare S3 bucket policy helps you ensure that only Cloudflare’s proxy IPs can access your Amazon S3 bucket. This means your data stays protected from unauthorized traffic while still delivering your content fast through Cloudflare’s CDN.
Let’s walk through a clean and effective setup process that not only protects your content but also avoids the common pitfalls of overcomplicating S3 permissions.

An Overview
Creating and Configuring AWS S3 Buckets
Before setting up the Cloudflare S3 bucket policy, you’ll first need two buckets, one for your subdomain and another for your apex domain.
Setting up an S3 bucket for your subdomain
Start by creating the first bucket:
1. Log in to your AWS Management Console and select Create an S3 Bucket.
2. Use your subdomain URL (without https://), for example: www.example.com.
3. Next, enable Static Website Hosting. Once configured, leave public access allowed (do not turn on Block Public Access), since the bucket policy you add later will restrict access to Cloudflare.
Setting up an S3 bucket for your apex domain
Now, create a second bucket:
1. Again, create a new bucket named after your apex domain, such as example.com.
2. Redirect this bucket to the subdomain bucket you created earlier. For the Target Bucket or Domain, enter your subdomain, for example, www.example.com.
This ensures that both https://example.com and https://www.example.com work correctly.
Allowing Cloudflare IPs in Your S3 Bucket Policy
Once the buckets are ready, it’s time to lock them down so that only Cloudflare IPs can access your files. This is where the bucket policy comes into play.
Follow these steps carefully:
1. Open your S3 bucket.
2. Go to Permissions → Bucket Policy.
3. In the policy editor, paste the following code and modify it as needed.
Example: S3 Bucket Policy for Cloudflare IP Whitelisting
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFlareIP",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::my-poc-bucket",
        "arn:aws:s3:::my-poc-bucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "IP1/32",
            "IP2/32"
          ]
        }
      }
    }
  ]
}
```
Replace my-poc-bucket with your bucket name, and update the IPs using Cloudflare’s current IP list:
- https://www.cloudflare.com/ips-v4
- https://www.cloudflare.com/ips-v6
This configuration ensures that only Cloudflare’s proxy network has permission to access your S3 bucket, blocking all other direct requests.
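Because the Cloudflare ranges change over time, it helps to generate the policy from the two published lists rather than hand-edit the JSON. The following Python script is an added example, not part of the original article: it builds the policy shown above from a bucket name and two range lists, validates each CIDR, and evaluates the IpAddress condition locally so you can check which source addresses the policy admits before uploading it. The ranges are constructed documentation addresses standing in for the real Cloudflare lists, and the bucket name is an assumption.

```python
"""Build the Cloudflare-only S3 bucket policy and check which source IPs it admits."""
import ipaddress
import json

# Constructed sample ranges (RFC 5737 / RFC 3849 documentation space). In practice,
# replace them with the lists from https://www.cloudflare.com/ips-v4 and /ips-v6.
SAMPLE_IPV4 = ["198.51.100.0/24", "203.0.113.0/24"]
SAMPLE_IPV6 = ["2001:db8:1::/48"]


def build_policy(bucket, ipv4_ranges, ipv6_ranges):
    """Return the bucket policy as a dict: one Allow statement with an IpAddress condition."""
    # ip_network() is strict by default, so a mistyped range such as 198.51.100.1/24 raises
    cidrs = [str(ipaddress.ip_network(c)) for c in ipv4_ranges + ipv6_ranges]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFlareIP",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"IpAddress": {"aws:SourceIp": cidrs}},
        }],
    }


def allowed_by_policy(policy, source_ip):
    """Local approximation of the IpAddress condition: True if any Allow statement's
    aws:SourceIp list contains source_ip (assumes no Deny statements, as on this page)."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        cidrs = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        # An IPv4 address is never "in" an IPv6 network and vice versa; that simply yields False
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return True
    return False


if __name__ == "__main__":
    policy = build_policy("my-poc-bucket", SAMPLE_IPV4, SAMPLE_IPV6)
    print(json.dumps(policy, indent=2))
    for probe in ("198.51.100.7", "192.0.2.9", "2001:db8:1::1"):
        print(probe, "allowed" if allowed_by_policy(policy, probe) else "denied")
```

Paste the printed JSON into Permissions → Bucket Policy; the probe lines show a direct (non-Cloudflare) address being refused while addresses inside the listed ranges are admitted.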

Simplifying Permissions and Avoiding Common Errors
It’s better to avoid complicated “Deny” conditions using NotPrincipal or NotIpAddress. As AWS itself notes, these should only be used in rare cases. Keeping this policy simple and direct reduces mistakes and makes maintenance easier.
Example of PublicReadGetObject Policy
If you want public read access through Cloudflare’s network only, use the following snippet:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<your-domain>/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "<cloudflare-ipv4-range-1>",
            "<cloudflare-ipv4-range-2>",
            "<cloudflare-ipv6-range-1>"
          ]
        }
      }
    }
  ]
}
```
Just replace <your-domain> with your actual bucket name and replace the placeholder entries with Cloudflare’s current IP ranges in CIDR notation, one string per range.
Conclusion
Locking down your Amazon S3 bucket with a Cloudflare S3 bucket policy is one of the simplest and most effective ways to secure your assets. It ensures that your data remains shielded behind Cloudflare’s protection layer, yet remains fast and available to visitors.
Always remember to check for the latest Cloudflare IP lists and update them periodically. Once configured correctly, your website will serve content securely and efficiently, backed by the reliability of Cloudflare and AWS.
