Restrict AWS Access to a Specific IP Address Using Conditional Access

Overview

This article walks through restricting AWS access to one or more approved IP addresses 
using Conditional Access in Microsoft Entra ID. When users authenticate to AWS through IAM Identity Center with Entra ID as the identity provider, Conditional Access policies are evaluated at sign-in time, making it possible to block access from any IP not on your approved list before a SAML assertion is ever issued to AWS.

The approach uses two components working together: 

• Named Locations:  A saved list of trusted IP addresses or CIDR ranges defined in 
  Entra ID. 
• Conditional Access policy:  A policy that blocks AWS sign-ins originating from 
  any IP not on the trusted list. 

Please Note:  This configuration requires AWS IAM Identity Center to be integrated with Microsoft Entra ID via SAML SSO and SCIM provisioning. If that integration is not yet in place, complete it first before proceeding. Refer to the AWS IAM Identity Center SSO KB article for setup instructions. 

Prerequisites

Before proceeding, confirm the following are in place:

• Microsoft Entra ID P1 or P2 license - required for Conditional Access.
• Conditional Access Administrator role or higher in Microsoft Entra ID.
• AWS IAM Identity Center enterprise app registered in your Entra ID tenant with 
  SAML SSO configured, and SCIM provisioning active. 
• Security Defaults Disabled in Entra ID - Security Defaults and Conditional Access cannot run simultaneously.
• Known static IP address -  the public IP address or CIDR range of each approved location.
• Break-glass admin account -  must be excluded from this policy to prevent administrative lockout.

Important:  If your approved IP address is dynamic, this approach will not work reliably. You must use a static IP before implementing IP-based Conditional Access.

Step 1: Create a Named Location for Your Trusted IP(s)

A Named Location defines the trusted IP addresses that Entra ID will reference as a condition in the policy.

1. Sign in to the Microsoft Entra admin center at entra.microsoft.com
2. Navigate to Protection > Conditional Access > Named locations.
3. Select + IP ranges locations.
4. Name the location. For example: Trusted - Corporate Office
5. Check the Mark as trusted location checkbox.
6. Click + and enter your approved IP address or CIDR range. 

7.  Click Create.

Step 2: Create the Conditional Access Policy

Create a policy that blocks AWS access from any location not on your trusted list.

1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
2. Select + New policy.
3. Name the policy. For example, Block AWS - Outside Trusted IPs

Assignments: Users

1. Under Assignments > Users, select All users.
2. Under Exclude, add your break-glass admin account and any automation or service accounts that authenticate from dynamic IPs.

Please Note:  AWS automation workflows and CI/CD pipelines that authenticate through IAM Identity Center will also be subject to this policy. Identify and exclude any service principals or accounts used for programmatic access before 
enabling enforcement.

Assignments: Target Resources

1. Under Target Resources, select Cloud apps > Select apps.
2. Search for and select AWS IAM Identity Center.

Conditions: Locations

1. Under Conditions > Locations, set Configure to Yes.
2. Under Include, select Any location.
3. Under Exclude, select Selected locations, then choose the Named Location you created in Step 1.

Tip: This configuration reads: Apply this policy to sign-ins from any location except the trusted named location. Any AWS sign-in originating outside the trusted IP will be blocked before a SAML assertion is issued to IAM Identity Center.

Access Controls: Grant

1. Under Access Controls > Grant, select Block access.
2. Click Select to confirm.

Enable Policy

1. Set Enable policy to Report-only.
2. Click Create.

Important: Do not set this policy to On immediately. A block policy applied to All users that is misconfigured will lock all users out of AWS instantly. Always validate in Report-only mode first.

Step 3: Validate the Policy

Before enabling enforcement, confirm the policy is evaluating sign-ins correctly.

1. In the Entra admin center, navigate to Identity > Monitoring & health > Sign-in logs. 
2. Filter by the AWS IAM Identity Center application.
3. Open a sign-in from a user on your trusted IP and confirm the Conditional Access 
tab shows Would succeed. 
4. If available, review a sign-in from an untrusted IP and confirm it shows Would fail 
with the location condition listed as the reason. 
5. Pay close attention to any accounts used for automated AWS workflows — confirm 
they are either excluded or authenticating from a trusted IP. 

Tip:  Use the What If tool under Protection > Conditional Access to simulate how a specific user signing in from a specific IP would be evaluated without waiting for a real sign-in event.

Step 4: Enable the Policy

1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
2. Select the policy created in Step 2.
3. Change Enable policy from Report-only to On.
4. Click Save.

From this point forward, any AWS IAM Identity Center sign-in attempt from an IP address 
not included in your Named Location will be blocked. Entra ID will not issue a SAML 
assertion to IAM Identity Center, and the user will not be able to access the AWS access 
portal. 

Active AWS console sessions at the time of policy enablement will not be 
immediately terminated. The block takes effect on the next sign-in or token 
refresh. AWS session duration is controlled by IAM Identity Center session 
settings and typically expires within 1–12 hours.

Summary

The following table summarizes the full configuration process.