425617 (8) [Avatar] Offline
Chapter 9 and 10 - authentication service. Can these be restricted to be accessed from a specific ip only?

Not sure if I can achieve it and how, as I can read:

If you instead use a service to call the target service on your behalf, the target service sees the IP address of the calling service rather than the IP address of the originating user. This can happen, for example, if you use AWS CloudFormation to call Amazon EC2 to construct instances for you. There is currently no way to pass the originating IP address through a calling service to the target service for evaluation in an IAM policy. For these types of service API calls, do not use the aws:SourceIp condition key.

Can I just update cognito (unauthenticated) role (or its trust relationships) with?:

"Condition": {"IpAddress": {"aws:SourceIp": [