diff --git a/main.tf b/main.tf
index 3d50a9b..afc3262 100644
--- a/main.tf
+++ b/main.tf
@@ -31,6 +31,18 @@ locals {
 # "boc:tf_module_version" = var._module_version
 "boc:created_by" = "terraform"
 }
+ condition_allowed_cidr = {
+ "test": "NotIpAddress"
+ "variable": "aws:sourceIp"
+ "values": var.allowed_cidr
+ }
+ condition_allowed_endpoints = {
+ "test": "StringNotEquals"
+ "variable": "aws:sourceVpce"
+ "values": var.allowed_endpoints
+ }
+ s3_bucket_conditions_list = list(local.condition_allowed_cidr,local.condition_allowed_endpoints)
+ s3_bucket_conditions = [ for x in local.s3_bucket_conditions_list: x if length(x.values)>0 ]
 }
 #---
@@ -117,6 +129,17 @@ data "aws_iam_policy_document" "this" {
 values = ["false"]
 }
 }
+ statement {
+ dynamic "condition" {
+ for_each = local.s3_bucket_conditions
+ iterator = c
+ content {
+ test = c.value.test
+ variable = c.value.variable
+ values = c.value.values
+ }
+ }
+ }
 }
 #---
diff --git a/variables.tf b/variables.tf
index 7ea57bb..bbc654e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -32,3 +32,16 @@ variable "access_log_bucket" {
 type = string
 # default = null
 }
+
+variable "allowed_cidr" {
+ description = "List of allowed source IPs (NOT from within the VPC)"
+ type = list(string)
+ default = [ ]
+}
+
+variable "allowed_endpoints" {
+ description = "List of allowed VPC endpoint IDs"
+ type = list(string)
+ default = [ ]
+}
+
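Review bot: The `list(...)` call that builds `s3_bucket_conditions_list` uses a function that is deprecated since Terraform 0.12 and no longer available in 0.15 and later, so this locals block will stop planning on the next provider/CLI upgrade even though the rest of the module already relies on 0.12-style types like `list(string)`. The tuple literal is equivalent and version-safe: `s3_bucket_conditions_list = [local.condition_allowed_cidr, local.condition_allowed_endpoints]`. The filter on the next line deserves a why-comment so the next reader understands it is what keeps an unset variable from producing a condition with an empty `values` list, which AWS rejects: `# drop any condition whose allow-list is empty; an empty values list is not a valid IAM condition`. The `locals` block starts before this hunk.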
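Review bot: The new `statement` block in `data "aws_iam_policy_document" "this"` carries only the dynamic `condition` and no `effect`, `principals`, `actions` or `resources`; `effect` defaults to Allow in this data source, so the `NotIpAddress`/`StringNotEquals` tests — which read as an "outside the allow-list" check — would be attached to an Allow rather than a Deny, and a statement without actions and resources is not a valid bucket-policy statement in any case (the data block's other statements are outside the hunk, so this is inferred from what is visible). A second gap is that both new variables default to `[]`, in which case `local.s3_bucket_conditions` is empty, the dynamic block emits nothing, and the statement becomes unconditional — for a Deny that is a lockout of every principal from the bucket. Wrapping the statement itself in a `dynamic "statement"` gated on `length(local.s3_bucket_conditions) > 0`, with an explicit Deny, principals, actions and resources, gives the intended "allow only from listed CIDRs or listed VPC endpoints" semantics (both conditions in one Deny statement are ANDed, which is the correct shape) and keeps the default input from emitting a policy at all. The enclosing data block starts and ends outside this hunk.
```hcl
  # Deny requests that come neither from an allowed CIDR nor from an allowed
  # VPC endpoint. Emitted only when at least one allow-list is non-empty, so the
  # default (both lists empty) never produces an unconditional Deny.
  dynamic "statement" {
    for_each = length(local.s3_bucket_conditions) > 0 ? [1] : []
    content {
      effect    = "Deny"
      actions   = ["s3:*"]
      resources = ["<BUCKET_ARN>", "<BUCKET_ARN>/*"] # placeholder: use the module's bucket ARN
      principals {
        type        = "*"
        identifiers = ["*"]
      }
      dynamic "condition" {
        for_each = local.s3_bucket_conditions
        iterator = c
        content {
          test     = c.value.test
          variable = c.value.variable
          values   = c.value.values
        }
      }
    }
  }
```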
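Review bot: `allowed_cidr` is described as a list of "source IPs", but its values feed a `NotIpAddress` condition, which takes CIDR ranges, and a malformed entry is only reported at apply time when the bucket policy is rejected; neither variable validates its input. A Terraform 0.13+ `validation` block on `allowed_cidr` catches this at plan time, e.g. `condition = length([for c in var.allowed_cidr : c if !can(cidrhost(c, 0))]) == 0` with an `error_message` stating that each entry must be a CIDR such as `203.0.113.0/24` (IAM also accepts a bare address as a /32, so decide whether to require the prefix). The description could state the intent more precisely, e.g. `"CIDR ranges allowed to reach the bucket from outside the VPC endpoints; an entry such as 0.0.0.0/0 removes the restriction"`, and the same `validation` pattern can reject that wildcard explicitly.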