Making requests to Amazon S3 over IPv6
Amazon Simple Storage Service (Amazon S3) supports the ability to access S3 buckets using the Internet Protocol version 6 (IPv6), in addition to
the IPv4 protocol. Amazon S3 dual-stack endpoints support requests to S3 buckets over IPv6
and IPv4. There are no additional charges for accessing Amazon S3 over IPv6. For more
information about pricing, see Amazon S3
Pricing
Topics
Getting started making requests over IPv6
To make a request to an S3 bucket over IPv6, you need to use a dual-stack endpoint. The next section describes how to make requests over IPv6 by using dual-stack endpoints.
The following are some things you should know before trying to access a bucket over IPv6:
-
The client and the network accessing the bucket must be enabled to use IPv6.
-
Both virtual hosted-style and path style requests are supported for IPv6 access. For more information, see Amazon S3 dual-stack endpoints.
-
If you use source IP address filtering in your AWS Identity and Access Management (IAM) user or bucket policies, you need to update the policies to include IPv6 address ranges. For more information, see Using IPv6 addresses in IAM policies.
-
When using IPv6, server access log files output IP addresses in an IPv6 format. You need to update existing tools, scripts, and software that you use to parse Amazon S3 log files so that they can parse the IPv6 formatted
Remote IP
addresses. For more information, see Logging requests with server access logging .Note
If you experience issues related to the presence of IPv6 addresses in log files, contact AWS Support
.
Making requests over IPv6 by using dual-stack endpoints
You make requests with Amazon S3 API calls over IPv6 by using dual-stack endpoints. The Amazon S3 API operations work the same way whether you're accessing Amazon S3 over IPv6 or over IPv4. Performance should be the same too.
When using the REST API, you access a dual-stack endpoint directly. For more information, see Dual-stack endpoints.
When using the AWS Command Line Interface (AWS CLI) and AWS SDKs, you can use a parameter or flag to change to a dual-stack endpoint. You can also specify the dual-stack endpoint directly as an override of the Amazon S3 endpoint in the config file.
You can use a dual-stack endpoint to access a bucket over IPv6 from any of the following:
-
The AWS CLI, see Using dual-stack endpoints from the AWS CLI.
-
The AWS SDKs, see Using dual-stack endpoints from the AWS SDKs.
-
The REST API, see Making requests to dual-stack endpoints by using the REST API.
Features not available over IPv6
The following feature is currently not supported when accessing an S3 bucket over IPv6: Static website hosting from an S3 bucket.
Using IPv6 addresses in IAM policies
Before trying to access a bucket using IPv6, you must ensure that any IAM user or S3 bucket polices that are used for IP address filtering are updated to include IPv6 address ranges. IP address filtering policies that are not updated to handle IPv6 addresses may result in clients incorrectly losing or gaining access to the bucket when they start using IPv6. For more information about managing access permissions with IAM, see Identity and Access Management for Amazon S3 .
IAM policies that filter IP addresses use IP Address
Condition Operators. The following bucket policy identifies the 54.240.143.* range
of allowed IPv4 addresses by using IP address condition operators. Any IP addresses
outside of this range will be denied access to the bucket (examplebucket
). Since
all IPv6 addresses are outside of the allowed range, this policy prevents IPv6
addresses from being able to access examplebucket
.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "IPAllow", "Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::
examplebucket
/*", "Condition": { "IpAddress": {"aws:SourceIp": "54.240.143.0/24"} } } ] }
You can modify the bucket policy's Condition
element to allow both
IPv4 (54.240.143.0/24
) and IPv6 (2001:DB8:1234:5678::/64
)
address ranges as shown in the following example. You can use the same type of
Condition
block shown in the example to update both your IAM user and bucket
policies.
"Condition": { "IpAddress": { "aws:SourceIp": [ "54.240.143.0/24", "2001:DB8:1234:5678::/64" ] } }
Before using IPv6 you must update all relevant IAM user and bucket policies that use IP address filtering. We do not recommend using IP address filterig in bucket policies.
You can review your IAM user policies using the IAM console at https://console.aws.amazon.com/iam/
Testing IP address compatibility
If you are using use Linux/Unix or Mac OS X, you can test whether you can access a dual-stack
endpoint over IPv6 by using the curl
command as shown in the following
example:
curl -v http://s3.dualstack.us-west-2.amazonaws.com/
You get back information similar to the following example. If you are connected over IPv6 the connected IP address will be an IPv6 address.
* About to connect() to s3-us-west-2.amazonaws.com port 80 (#0) * Trying
IPv6 address
... connected * Connected to s3.dualstack.us-west-2.amazonaws.com (IPv6 address
) port 80 (#0) > GET / HTTP/1.1 > User-Agent: curl/7.18.1 (x86_64-unknown-linux-gnu) libcurl/7.18.1 OpenSSL/1.0.1t zlib/1.2.3 > Host: s3.dualstack.us-west-2.amazonaws.com
If you are using Microsoft Windows 7 or Windows 10, you can test whether you can access a dual-stack endpoint over IPv6 or IPv4
by using the ping
command as shown in the following example.
ping ipv6.s3.dualstack.us-west-2.amazonaws.com