Here's a simple IAM policy that you can add to any existing IAM Group, User, or Role to ensure that the role is only utilized from a computer that has a Cornell public IP address.
Add this policy as an inline policy attached to any IAM User, Group, or Role.
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"128.84.0.0/16",
"128.253.0.0/16",
"132.236.0.0/16",
"192.35.82.0/24",
"192.122.235.0/24",
"192.122.236.0/24"
]
}
}
}
}