I am having a bit of a hard time understanding how an IAM role can be used to limit access to Amazon EC2 instances.
I am currently looking into Cognito, and I was wondering if it could help me. I want to restrict access to my EC2 instances (by that I mean contacting the Django server on there) to only a specific group of people with dynamic IPs, so IP restriction is not an option.
If a user gets authenticated with Cognito and gets temporary credentials, and therefore assumes a specific IAM Role, I want him to be able to talk to that EC2-Django server from within my iOS app. If a request to the server doesn't have the IAM, I want Amazon to automatically block it. Is that possible, or do I have to do that server side?