diff --git a/README.md b/README.md index 57774ecf..b53203a4 100644 --- a/README.md +++ b/README.md @@ -305,6 +305,7 @@ Available targets: | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | | [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration for S3 object locking. With S3 Object Lock, you can store objects using a `write once, read many` (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. |
object({
mode = string # Valid values are GOVERNANCE and COMPLIANCE.
days = number
years = number
})
| `null` | no | | [privileged\_principal\_actions](#input\_privileged\_principal\_actions) | List of actions to permit `privileged_principal_arns` to perform on bucket and bucket prefixes (see `privileged_principal_arns`) | `list(string)` | `[]` | no | +| [source\_ip\_allow\_list](#input_source\_ip\_allow\_list) | List of IP addresses to allow to perform all actions to the bucket | `list(string)` | `[]` | no | | [privileged\_principal\_arns](#input\_privileged\_principal\_arns) | List of maps. Each map has a key, an IAM Principal ARN, whose associated value is
a list of S3 path prefixes to grant `privileged_principal_actions` permissions for that principal,
in addition to the bucket itself, which is automatically included. Prefixes should not begin with '/'. | `list(map(list(string)))` | `[]` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | | [replication\_rules](#input\_replication\_rules) | DEPRECATED (use `s3_replication_rules`): Specifies the replication rules for S3 bucket replication if enabled. You must also set s3\_replication\_enabled to true. | `list(any)` | `null` | no | diff --git a/main.tf b/main.tf index cc899c8f..a34770b9 100644 --- a/main.tf +++ b/main.tf @@ -469,6 +469,28 @@ data "aws_iam_policy_document" "bucket_policy" { } } } + + dynamic "statement" { + for_each = length(var.source_ip_allow_list) > 0 ? [1] : [] + + content { + sid = "AllowIPPrincipals" + effect = "Deny" + actions = ["s3:*"] + resources = [local.bucket_arn, "${local.bucket_arn}/*"] + principals { + identifiers = ["*"] + type = "*" + } + condition { + test = "NotIpAddress" + variable = "aws:SourceIp" + values = var.source_ip_allow_list + } + } + + } + } data "aws_iam_policy_document" "aggregated_policy" { diff --git a/variables.tf b/variables.tf index f9511615..bad11017 100644 --- a/variables.tf +++ b/variables.tf @@ -411,6 +411,13 @@ variable "privileged_principal_actions" { nullable = false } +variable "source_ip_allow_list" { + type = list(string) + default = [] + description = "List of IP addresses to allow to perform all actions to the bucket" + nullable = false +} + variable "transfer_acceleration_enabled" { type = bool default = false
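Review bot: in the README.md hunk the new `source_ip_allow_list` row is inserted between `privileged_principal_actions` and `privileged_principal_arns`, which breaks the alphabetical ordering terraform-docs generates for this table and will be reshuffled on the next docs run; move it to its sorted position after the `s3_*` rows. The anchor `(#input_source\_ip\_allow\_list)` also escapes underscores differently from every other row (`#input\_...`), and the description "List of IP addresses to allow to perform all actions to the bucket" understates what the input does: it adds an explicit Deny of `s3:*` for every principal whose request does not originate from one of the listed ranges, so the text should say "CIDR blocks", "on the bucket", and that all other source addresses are denied.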
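Review bot: in the main.tf hunk the statement `sid = "AllowIPPrincipals"` is an `effect = "Deny"` on `s3:*` for `identifiers = ["*"]`, so it denies the Terraform caller, account administrators, replication and other AWS service principals as well unless they happen to arrive from an allow-listed address; rename it to reflect the deny (e.g. `DenyNonAllowlistedSourceIps`) and consider narrowing it, for instance by excluding requests made on the principal's behalf by AWS services (`aws:ViaAWSService` = false) or by excluding a break-glass principal via `aws:PrincipalArn`. Requests that reach the bucket through a VPC endpoint are evaluated against `aws:VpcSourceIp` rather than `aws:SourceIp`, so with this condition they are denied regardless of the list; that limitation belongs in the variable description or a comment next to the condition. Finally, an explicit Deny cannot be overridden by any Allow, so a mistake in the list locks the bucket until the policy is rewritten by a caller from an allowed address.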
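Review bot: in the variables.tf hunk `source_ip_allow_list` is typed as `list(string)` with no validation, although `aws:SourceIp` expects addresses or ranges in CIDR notation, and a malformed entry only surfaces as a policy error at apply time or, worse, as an unintended deny. Add a `validation` block such as `condition = alltrue([for c in var.source_ip_allow_list : can(cidrhost(c, 0))])` with an `error_message` stating that entries must be CIDR blocks (single hosts as `/32` or `/128`), and change the description from "List of IP addresses to allow to perform all actions to the bucket" to state the CIDR requirement and that every request from any other source address is denied.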