A little background: Corporate wants to make our downloads unavailable to U.S. export-restricted countries like North Korea, Iran, Syria, etc. Restriction by IP-block is considered good enough. (Yes, I know better, but it's a CYA matter for the suits)
Is there a way to implement IP-based ACLs on S3 without having to put a server of my own in the path?
Relatedly, this would seem to be a common requirement - is there a standard blacklist of said IP blocks I can incorporate?
One way to go about it would be to write a bucket policy to block the IP address ranges you're interested in. (IP address lists by country can be found all over the Internet; ask Google.)
Another way is to make the entire bucket private, and generate pre-signed URLs for users after they agree to some click-through agreement that they won't export to $COUNTRY, etc. This is probably reasonable enough (many, many organizations do this) and the URLs are time-limited so they can't be easily shared.