Find IP addresses of AWS services and limit access to services - Amazon Virtual Private Cloud

Find IP addresses of AWS services and limit access to services

The `ip-ranges.json` file provided by AWS can be a valuable resource for finding the IP addresses of various AWS services and leveraging that information to enhance your network security and access control. By parsing the detailed data contained within this JSON file, you can precisely identify the IP address ranges associated with specific AWS services and regions.

For example, you can utilize the IP address ranges to configure robust network security policies, setting up granular firewall rules to allow or deny access to certain AWS resources. This information can also be useful for a variety of AWS Network Firewall tasks. This level of control is crucial for protecting your applications and data, ensuring that only authorized traffic can reach the necessary AWS services. Additionally, having this IP intelligence can help you ensure your applications are properly configured to communicate with the right AWS endpoints, improving overall reliability and performance.

Beyond just firewall rules, the `ip-ranges.json` file can also be leveraged to configure sophisticated egress filtering on your network infrastructure. By understanding the destination IP address ranges for different AWS services, you can set up routing policies or leverage advanced network security solutions like to selectively permit or block outbound traffic based on its intended destination. This egress control is essential for mitigating the risk of data leakage and unauthorized access.

It's important to note that the `ip-ranges.json` file is regularly updated, so maintaining an up-to-date local copy is crucial to ensure you have the most accurate and current information. By continuously leveraging the contents of this file, you can efficiently manage network access and security for your AWS-based applications, strengthening your overall cloud security posture.

Filtering the JSON file

You can download a command line tool to help you filter the information to just what you are looking for.

Windows

The AWS Tools for Windows PowerShell includes a cmdlet, Get-AWSPublicIpAddressRange, to parse this JSON file. The following examples demonstrate its use. For more information, see Querying the Public IP Address Ranges for AWS and Get-AWSPublicIpAddressRange.

Example 1. Get the creation date
PS C:\> Get-AWSPublicIpAddressRange -OutputPublicationDate Wednesday, August 22, 2018 9:22:35 PM
Example 2. Get the information for a specific Region
PS C:\> Get-AWSPublicIpAddressRange -Region us-east-1 IpPrefix Region NetworkBorderGroup Service -------- ------ ------- ------- 23.20.0.0/14 us-east-1 us-east-1 AMAZON 50.16.0.0/15 us-east-1 us-east-1 AMAZON 50.19.0.0/16 us-east-1 us-east-1 AMAZON ...
Example 3. Get all IP addresses
PS C:\> (Get-AWSPublicIpAddressRange).IpPrefix 23.20.0.0/14 27.0.0.0/22 43.250.192.0/24 ... 2406:da00:ff00::/64 2600:1fff:6000::/40 2a01:578:3::/64 2600:9000::/28
Example 4. Get all IPv4 addresses
PS C:\> Get-AWSPublicIpAddressRange | where {$_.IpAddressFormat -eq "Ipv4"} | select IpPrefix IpPrefix -------- 23.20.0.0/14 27.0.0.0/22 43.250.192.0/24 ...
Example 5. Get all IPv6 addresses
PS C:\> Get-AWSPublicIpAddressRange | where {$_.IpAddressFormat -eq "Ipv6"} | select IpPrefix IpPrefix -------- 2a05:d07c:2000::/40 2a05:d000:8000::/40 2406:dafe:2000::/40 ...
Example 6. Get all IP addresses for a specific service
PS C:\> Get-AWSPublicIpAddressRange -ServiceKey CODEBUILD | select IpPrefix IpPrefix -------- 52.47.73.72/29 13.55.255.216/29 52.15.247.208/29 ...

Linux

The following example commands use the jq tool to parse a local copy of the JSON file.

Example 1. Get the creation date
$ jq .createDate < ip-ranges.json "2016-02-18-17-22-15"
Example 2. Get the information for a specific Region
$ jq '.prefixes[] | select(.region=="us-east-1")' < ip-ranges.json { "ip_prefix": "23.20.0.0/14", "region": "us-east-1", "network_border_group": "us-east-1", "service": "AMAZON" }, { "ip_prefix": "50.16.0.0/15", "region": "us-east-1", "network_border_group": "us-east-1", "service": "AMAZON" }, { "ip_prefix": "50.19.0.0/16", "region": "us-east-1", "network_border_group": "us-east-1", "service": "AMAZON" }, ...
Example 3. Get all IPv4 addresses
$ jq -r '.prefixes | .[].ip_prefix' < ip-ranges.json 23.20.0.0/14 27.0.0.0/22 43.250.192.0/24 ...
Example 4. Get all IPv6 addresses
$ jq -r '.ipv6_prefixes | .[].ipv6_prefix' < ip-ranges.json 2a05:d07c:2000::/40 2a05:d000:8000::/40 2406:dafe:2000::/40 ...
Example 5. Get all IPv4 addresses for a specific service
$ jq -r '.prefixes[] | select(.service=="CODEBUILD") | .ip_prefix' < ip-ranges.json 52.47.73.72/29 13.55.255.216/29 52.15.247.208/29 ...
Example 6. Get all IPv4 addresses for a specific service in a specific Region
$ jq -r '.prefixes[] | select(.region=="us-east-1") | select(.service=="CODEBUILD") | .ip_prefix' < ip-ranges.json 34.228.4.208/28
Example 7. Get information for a certain network border group
$ jq -r '.prefixes[] | select(.region=="us-west-2") | select(.network_border_group=="us-west-2-lax-1") | .ip_prefix' < ip-ranges.json 70.224.192.0/18 52.95.230.0/24 15.253.0.0/16 ...

Implementing egress control

To allow resources you've created with one AWS service to only access other AWS services, you can use the IP address range information in the ip-ranges.json file to perform egress filtering. Ensure that the security group rules allow outbound traffic to the CIDR blocks in the AMAZON list. There are quotas for security groups. Depending on the number of IP address ranges in each Region, you might need multiple security groups per Region.

Note

Some AWS services are built on EC2 and use EC2 IP address space. If you block traffic to EC2 IP address space, you block traffic to these non-EC2 services as well.