How do I implement IP-based export restrictions for my data stored on Amazon S3?

pjz asked:

A little background: Corporate wants to make our downloads unavailable to U.S. export-restricted countries like North Korea, Iran, Syria, etc. Restriction by IP-block is considered good enough. (Yes, I know better, but it’s a CYA matter for the suits)

Is there a way to implement IP-based ACLs on S3 without having to put a server of my own in the path?

Relatedly, this would seem to be a common requirement – is there a standard blacklist of said IP blocks I can incorporate?

My answer:

One way to go about it would be to write a bucket policy to block the IP address ranges you’re interested in. (IP address lists by country can be found all over the Internet; ask Google.)

Another way is to make the entire bucket private, and generate pre-signed URLs for users after they agree to some click-through agreement that they won’t export to $COUNTRY, etc. This is probably reasonable enough (many, many organizations do this) and the URLs are time-limited so they can’t be easily shared.
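To make the first option concrete, here is an added example (not from the Server Fault answer) that builds the bucket policy with an explicit Deny on `aws:SourceIp` and checks offline which requester addresses that Deny would match before the policy is deployed. `BUCKET_NAME` and the CIDRs are constructed placeholders (RFC 5737/3849 documentation ranges), not real country allocations.

```python
# Added example, not from the Server Fault answer. BUCKET_NAME and the CIDRs
# are constructed placeholders (RFC 5737/3849 documentation ranges), not real
# country allocations; substitute a maintained per-country list.
import ipaddress
import json

BUCKET_NAME = "example-downloads-bucket"
BLOCKED_CIDRS = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"]


def build_policy(bucket: str, blocked: list[str]) -> dict:
    """Public read on the bucket, with an explicit Deny for the blocked ranges.
    In S3 policy evaluation an explicit Deny overrides any Allow."""
    for cidr in blocked:
        ipaddress.ip_network(cidr)  # fail early on a malformed entry
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": resource},
            {"Sid": "DenyBlockedRanges", "Effect": "Deny", "Principal": "*",
             "Action": "s3:GetObject", "Resource": resource,
             "Condition": {"IpAddress": {"aws:SourceIp": blocked}}},
        ],
    }


def is_denied(policy: dict, source_ip: str) -> bool:
    """Offline check of the Deny statements only: does source_ip fall inside
    any aws:SourceIp range listed under an IpAddress condition?"""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("IpAddress", {})
        ranges = cond.get("aws:SourceIp", [])
        if any(ip in ipaddress.ip_network(r) for r in ranges):
            return True
    return False


if __name__ == "__main__":
    policy = build_policy(BUCKET_NAME, BLOCKED_CIDRS)
    print(json.dumps(policy, indent=2))  # paste into the bucket's policy editor
    for probe in ["192.0.2.10", "203.0.113.5", "2001:db8::1"]:
        print(probe, "denied" if is_denied(policy, probe) else "allowed")
```

Because the Deny uses `Principal: "*"`, it also applies to your own IAM users if they happen to request from a listed range; keep the list current, since address allocations move between countries over time.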

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.