I know I can restrict read access to my s3 ressources through http by using "aws:SourceIp" in the bucket policy. But since I'm serving several clients I'd end up with a list of IP-addresses. Since theres no way of adding comments in the bucket policies json, I feel this is undocumented and hard to maintain for others when clients change. Is there a more elegant and self explainig way of maintaining this ? My first thought was to create a DNS-Zone with clients and use the names in the policy. Is something like this feasable or best practice ?
if you have multiple clients and you can identify them, imho the best practice is to use (pre)signed url.
it means you can have a separate service (web, lambda, api, whatever) which based in the client authentication and authorisation will return a signed temporary url for the client
you are right, policies are not really feasible place to maintain and document complex or dynamic elements.
though if you want to stick to pure s3 and policies, you can deploy/update the policies using the Cloudformation, where using yaml you can comment or parametrize almost any values