IAM policy that restricts AWS API requests to a specific set of IP addresses.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {
                "aws:SourceIp": [
                    "10.13.0.0/16",
                    "72.55.175.70/32",
                    "10.100.0.0/16"
                ]
            }
        }
    }
}

This policy contains only a Deny statement, so after applying it other policies that grant permissions may also need to be applied. If a single all-in-one policy is required, something like this can be used:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {
                "aws:SourceIp": [
                    "10.13.0.0/16",
                    "72.55.175.70/32",
                    "10.100.0.0/16"
                ]
            }
        }
    }, {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*"
    }]
}

The expected error when the policy is applied is similar to:

Error loading state: AccessDenied: Access Denied
status code: 403, request id: 5A14AE35A2D7CD1B, host id: ROyNOfAiBNojw7VTJ6tLsZeBjQ5YHILbjfubWg/D8R/C+4HORHGqcIw5ByyTr/HyOP3TWK8Ogbs=
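
How the two policies above differ for the same caller, as an added example that is not part of the original page: a simplified Python model of IAM evaluation covering only what these policies use (Action and Resource of "*", and NotIpAddress on aws:SourceIp). The function names and the sample address 203.0.113.9 are constructed for illustration.

```python
import ipaddress

ALLOWED = ["10.13.0.0/16", "72.55.175.70/32", "10.100.0.0/16"]  # ranges from the page
DENY = {"Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": ALLOWED}}}
ALLOW = {"Effect": "Allow", "Action": "*", "Resource": "*"}
DENY_ONLY = {"Version": "2012-10-17", "Statement": DENY}            # first policy
ALL_IN_ONE = {"Version": "2012-10-17", "Statement": [DENY, ALLOW]}  # second policy


def statement_applies(statement, source_ip):
    """True if the statement has no Condition or its NotIpAddress test matches."""
    condition = statement.get("Condition")
    if condition is None:
        return True
    if source_ip is None:
        # Negated operators match when the key is absent from the request
        # context, so a request carrying no aws:SourceIp hits the Deny.
        return True
    cidrs = condition["NotIpAddress"]["aws:SourceIp"]
    cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
    address = ipaddress.ip_address(source_ip)
    return not any(address in ipaddress.ip_network(cidr) for cidr in cidrs)


def evaluate(policy, source_ip):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement object is also valid
        statements = [statements]
    effects = {s["Effect"] for s in statements if statement_applies(s, source_ip)}
    if "Deny" in effects:  # an explicit deny overrides any allow
        return "ExplicitDeny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


if __name__ == "__main__":
    # Constructed sample callers: two listed addresses, one unlisted, one with no key.
    for ip in ("72.55.175.70", "10.13.4.2", "203.0.113.9", None):
        print(ip, evaluate(DENY_ONLY, ip), evaluate(ALL_IN_ONE, ip))
```

The `None` case models a request whose context has no aws:SourceIp, which AWS documents for requests that arrive through a VPC endpoint.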