AWS Identity and Access Management
User Guide

AWS: Denies Access to AWS Based on the Source IP

This example shows how you might create a policy that denies access to all AWS actions in the account when the request comes from outside the specified IP range. The policy is useful when the IP addresses for your company are within the specified ranges. This policy also grants the permissions necessary to complete this action on the console. To use this policy, replace the red italicized text in the example policy with your own information.

Do not use the aws:SourceIp condition key in a service role. It denies access to an AWS service, such as AWS CloudFormation, even when it makes calls on your behalf. For more information about using the aws:SourceIp condition key, see AWS Global Condition Context Keys.


This policy does not allow any actions. Use this policy in combination with other policies that allow specific actions.

    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "",
                        ""
                    ]
                }
            }
        }
    }
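
The behavior described above, as an added example (not part of the AWS guide and not AWS code): a simplified Python model of how this Deny statement combines with a separate Allow policy, including the service-role case. The CIDR ranges, function names, sample requests and the `allowed` set are constructed assumptions; real IAM evaluation considers more policy types than this sketch.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation blocks), not values from the page.
COMPANY_RANGES = ["192.0.2.0/24", "203.0.113.0/24"]

DENY_OUTSIDE_RANGES = {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": COMPANY_RANGES}},
}

def not_ip_address(source_ip, cidrs):
    """True when source_ip falls in none of the CIDRs.

    A negated operator also evaluates to true when the key is absent
    from the request context, modelled here as source_ip=None.
    """
    if source_ip is None:
        return True
    addr = ipaddress.ip_address(source_ip)
    return not any(addr in ipaddress.ip_network(c) for c in cidrs)

def evaluate(source_ip, action, allowed_actions):
    """Explicit Deny wins; otherwise an Allow from another policy is required."""
    cidrs = DENY_OUTSIDE_RANGES["Condition"]["NotIpAddress"]["aws:SourceIp"]
    if not_ip_address(source_ip, cidrs):
        return "ExplicitDeny"
    if action in allowed_actions:
        return "Allow"
    return "ImplicitDeny"  # this policy grants nothing by itself

# Constructed requests: (description, source IP, action)
SAMPLE_REQUESTS = [
    ("user inside company range", "192.0.2.10", "s3:ListBucket"),
    ("user inside range, action not allowed elsewhere", "203.0.113.5", "ec2:RunInstances"),
    ("user outside company range", "198.51.100.7", "s3:ListBucket"),
    ("service role call arriving from the service's address", "198.51.100.50", "s3:ListBucket"),
]

if __name__ == "__main__":
    allowed = {"s3:ListBucket"}  # granted by a separate, hypothetical Allow policy
    for label, ip, action in SAMPLE_REQUESTS:
        print(f"{label:55} {ip:15} {action:18} -> {evaluate(ip, action, allowed)}")
```

The last sample request shows why the condition key does not belong in a service role: the call arrives from the service's address, which is outside the listed ranges, so the explicit Deny applies.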