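Here's a simple IAM policy that you can add to any existing IAM Group, User, or Role to ensure that it can only be used from a computer that has a Cornell public IP address. The policy denies every action on every resource when the request's source IP is outside the listed ranges.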
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "NotIpAddress": {
        "aws:SourceIp": [
          "128.84.0.0/16",
          "128.253.0.0/16",
          "132.236.0.0/16",
          "192.35.82.0/24",
          "192.122.235.0/24",
          "192.122.236.0/24"
        ]
      }
    }
  }
}
```
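A pre-deployment check, added here as an example and not part of the original post: this Python script reads CloudTrail records and reports which past calls came from outside the ranges in the policy, so you can see who would be blocked before attaching it. The sample records, ARNs and the function names `classify` and `audit` are constructed for illustration.

```python
import ipaddress
import json

# CIDR ranges copied from the policy on this page.
ALLOWED = [ipaddress.ip_network(c) for c in (
    "128.84.0.0/16", "128.253.0.0/16", "132.236.0.0/16",
    "192.35.82.0/24", "192.122.235.0/24", "192.122.236.0/24")]

# Constructed CloudTrail records (sample data, not real events).
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventName": "ListBuckets", "sourceIPAddress": "128.84.10.20",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
 {"eventName": "GetObject", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
 {"eventName": "DescribeInstances", "sourceIPAddress": "2001:db8::1",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"}},
 {"eventName": "CreateBucket", "sourceIPAddress": "cloudformation.amazonaws.com",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"}}
]}""")


def classify(source):
    """Return 'allowed', 'would_deny' or 'review' for a sourceIPAddress value."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        # CloudTrail records a DNS name here when an AWS service made the call;
        # these need a manual look rather than a CIDR comparison.
        return "review"
    # NotIpAddress matches (so the Deny applies) only when none of the listed
    # ranges contains the address. IPv6 addresses match no IPv4 range.
    if any(addr in net for net in ALLOWED):
        return "allowed"
    return "would_deny"


def audit(trail):
    """Group (caller ARN, event name, source) tuples by verdict."""
    report = {"allowed": [], "would_deny": [], "review": []}
    for rec in trail["Records"]:
        source = rec.get("sourceIPAddress", "")
        report[classify(source)].append(
            (rec["userIdentity"]["arn"], rec["eventName"], source))
    return report


if __name__ == "__main__":
    for verdict, calls in audit(SAMPLE_TRAIL).items():
        for arn, event, source in calls:
            print(f"{verdict:10} {source:30} {event:20} {arn}")
```

Callers listed under `would_deny` are the ones to contact, or whose ranges need adding, before the Deny is attached.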