Here's a simple IAM policy that you can add to any existing IAM Group, User, or Role to ensure that it is only used from a computer that has a Cornell public IP address.

Add this policy as an inline policy attached to any IAM User, Group, or Role. This policy cannot be used alone: it only denies requests and grants no permissions, so the IAM User, Group, or Role must also be granted the privileges you want it to have. See also https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {
                "aws:SourceIp": [
                    "128.84.0.0/16",
                    "128.253.0.0/16",
                    "132.236.0.0/16",
                    "192.35.82.0/24",
                    "192.122.235.0/24",
                    "192.122.236.0/24"
                ]
            }
        }
    }
}
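
A local pre-check for the policy above, as an added example that is not part of the original page: it reads the policy's `aws:SourceIp` list and reports whether a given client address would hit the Deny. The function names and sample addresses are constructed for illustration, and the script models only the IP match, not the rest of IAM policy evaluation.

```python
import ipaddress
import json

# The policy from this page, embedded so the check runs offline.
POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {
                "aws:SourceIp": [
                    "128.84.0.0/16", "128.253.0.0/16", "132.236.0.0/16",
                    "192.35.82.0/24", "192.122.235.0/24", "192.122.236.0/24"
                ]
            }
        }
    }
}
""")


def allowed_networks(policy):
    """Collect the CIDR blocks under NotIpAddress / aws:SourceIp in Deny statements."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # IAM accepts a single object or a list
        statements = [statements]
    nets = []
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        cidrs = stmt.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp", [])
        if isinstance(cidrs, str):  # a single value may be a bare string
            cidrs = [cidrs]
        nets.extend(ipaddress.ip_network(c) for c in cidrs)
    return nets


def is_denied(source_ip, policy=POLICY):
    """True when source_ip is outside every listed range, i.e. the Deny applies."""
    addr = ipaddress.ip_address(source_ip)
    return not any(addr in net for net in allowed_networks(policy))


if __name__ == "__main__":
    # Constructed sample addresses: two inside the listed ranges, three outside.
    for ip in ["128.84.10.5", "192.122.236.255", "192.122.237.1", "203.0.113.7", "2001:db8::1"]:
        print(f"{ip:18} {'DENY' if is_denied(ip) else 'not denied by this policy'}")
```

The policy lists only IPv4 ranges, so any IPv6 source address falls outside them and is denied.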