AWS updates its IP address ranges periodically, and you can subscribe to these updates: whenever the AWS IP address ranges change, Amazon sends a notification to subscribers of the AmazonIpSpaceChanged SNS topic.
This matters if you have implemented egress control in your VPC that restricts outbound traffic to the AWS service address ranges, because an allow-list built from a stale copy of the file will block traffic to any ranges added since.
The ranges are published at https://ip-ranges.amazonaws.com/ip-ranges.json.
Each entry in the JSON file gives an IPv4 or IPv6 prefix, the region, the network border group and the service name.
AWS Prefixes
- ip_prefix
- The public IPv4 address range, in CIDR notation. Note that AWS may advertise a prefix in more specific ranges. For example, prefix 96.127.0.0/17 in the file may be advertised as 96.127.0.0/21, 96.127.8.0/21, 96.127.32.0/19, and 96.127.64.0/18.
Example:
"ip_prefix": "198.51.100.2/24"
- ipv6_prefix
- The public IPv6 address range, in CIDR notation. Note that AWS may advertise a prefix in more specific ranges.
Example:
"ipv6_prefix": "2001:db8:1234::/64"
- network_border_group
- The name of the network border group, which is a unique set of Availability Zones or Local Zones from which AWS advertises IP addresses.
Example:
"network_border_group": "us-west-2-lax-1"
- region
- The AWS Region, or GLOBAL for edge locations. The CLOUDFRONT and ROUTE53 ranges are GLOBAL.
Valid values: ap-east-1 | ap-northeast-1 | ap-northeast-2 | ap-northeast-3 | ap-south-1 | ap-southeast-1 | ap-southeast-2 | ca-central-1 | cn-north-1 | cn-northwest-1 | eu-central-1 | eu-north-1 | eu-west-1 | eu-west-2 | eu-west-3 | sa-east-1 | us-east-1 | us-east-2 | us-gov-east-1 | us-gov-west-1 | us-west-1 | us-west-2 | GLOBAL
Example:
"region": "us-east-1"
- service
- The subset of IP address ranges. The addresses listed for API_GATEWAY are egress only. Specify AMAZON to get all IP address ranges (every subset is also in the AMAZON subset). However, some IP address ranges are only in the AMAZON subset (they are not also listed under another service).
Type: String
Valid values: AMAZON | AMAZON_APPFLOW | AMAZON_CONNECT | API_GATEWAY | CHIME_MEETINGS | CHIME_VOICECONNECTOR | CLOUD9 | CLOUDFRONT | CODEBUILD | DYNAMODB | EC2 | EC2_INSTANCE_CONNECT | GLOBALACCELERATOR | ROUTE53 | ROUTE53_HEALTHCHECKS | S3 | WORKSPACES_GATEWAYS
Example:
"service": "AMAZON"
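Putting the fields above to use, together with the reconciliation that the change subscription at the top of the page exists for: the following Python is an added example, not code from this page or from AWS. It parses two constructed snapshots in the ip-ranges.json layout (documentation prefixes from 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32, not real AWS data; the syncToken values and the helper names _doc, load_entries, classify, services_for, advertised_within_listed and diff_ranges are assumptions of this example), looks up which services and regions list an address, reduces a hit to a named service when the catch-all AMAZON entry is the only other match, checks whether an observed route announcement is a more specific sub-prefix of a listed range, and diffs two publications of the file into the prefixes an egress allow-list has to add or remove.

```python
import ipaddress
import json


def _doc(sync_token, rows):
    """Build a document in the ip-ranges.json layout from (prefix, region, service, nbg) rows.
    Constructed test data for this example, not a real AWS publication."""
    return json.dumps({
        "syncToken": sync_token,
        "createDate": "2023-11-14-22-13-20",
        "prefixes": [{"ip_prefix": p, "region": r, "service": s, "network_border_group": g}
                     for p, r, s, g in rows if ":" not in p],
        "ipv6_prefixes": [{"ipv6_prefix": p, "region": r, "service": s, "network_border_group": g}
                          for p, r, s, g in rows if ":" in p],
    })


# Documentation prefixes only (RFC 5737 / RFC 3849); the service and region labels are illustrative.
OLD_ROWS = [
    ("198.51.100.0/24", "us-east-1", "AMAZON", "us-east-1"),
    ("198.51.100.0/24", "us-east-1", "S3", "us-east-1"),
    ("203.0.113.0/24", "us-west-2", "AMAZON", "us-west-2-lax-1"),
    ("203.0.113.0/24", "us-west-2", "EC2", "us-west-2-lax-1"),
    ("192.0.2.0/24", "us-east-1", "AMAZON", "us-east-1"),       # only in the AMAZON subset
    ("2001:db8:1::/48", "GLOBAL", "AMAZON", "GLOBAL"),
    ("2001:db8:1::/48", "GLOBAL", "CLOUDFRONT", "GLOBAL"),
]
# A later publication: 192.0.2.0/24 is now also attributed to S3 and the IPv6 range is replaced.
NEW_ROWS = [row for row in OLD_ROWS if row[0] != "2001:db8:1::/48"] + [
    ("192.0.2.0/24", "us-east-1", "S3", "us-east-1"),
    ("2001:db8:2::/48", "GLOBAL", "AMAZON", "GLOBAL"),
    ("2001:db8:2::/48", "GLOBAL", "CLOUDFRONT", "GLOBAL"),
]
OLD_SNAPSHOT = _doc("1700000000", OLD_ROWS)
NEW_SNAPSHOT = _doc("1700100000", NEW_ROWS)


def load_entries(doc_text):
    """Parse both address families into (network, service, region, network_border_group) tuples."""
    doc = json.loads(doc_text)
    entries = []
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for item in doc.get(key, []):
            # strict=True raises on a prefix with host bits set instead of silently widening it;
            # a file that drives firewall rules should fail loudly on a malformed entry
            net = ipaddress.ip_network(item[field], strict=True)
            entries.append((net, item["service"], item["region"], item["network_border_group"]))
    return doc["syncToken"], entries


def classify(address, entries):
    """Every (service, region, prefix) whose range contains the address, sorted by service."""
    addr = ipaddress.ip_address(address)
    return sorted((svc, reg, str(net)) for net, svc, reg, _ in entries
                  if net.version == addr.version and addr in net)


def services_for(address, entries):
    """Named services for an address; AMAZON only when no narrower subset lists the range."""
    hits = classify(address, entries)
    specific = {svc for svc, _, _ in hits if svc != "AMAZON"}
    return specific or ({"AMAZON"} if hits else set())


def advertised_within_listed(advertised_prefix, entries):
    """True when an observed announcement is a listed prefix or a more specific part of one."""
    adv = ipaddress.ip_network(advertised_prefix)
    return any(adv.version == net.version and adv.subnet_of(net) for net, *_ in entries)


def diff_ranges(old_text, new_text, service=None):
    """Prefixes an egress allow-list must add or remove between two publications of the file."""
    old_token, old = load_entries(old_text)
    new_token, new = load_entries(new_text)
    if old_token == new_token:
        return {"changed": False, "added": set(), "removed": set()}
    old_set = {(str(net), svc, reg) for net, svc, reg, _ in old if service in (None, svc)}
    new_set = {(str(net), svc, reg) for net, svc, reg, _ in new if service in (None, svc)}
    return {"changed": True, "syncToken": new_token,
            "added": new_set - old_set, "removed": old_set - new_set}


if __name__ == "__main__":
    _, entries = load_entries(NEW_SNAPSHOT)
    print("198.51.100.7 ->", services_for("198.51.100.7", entries))
    print("192.0.2.9    ->", services_for("192.0.2.9", entries))
    for key, value in diff_ranges(OLD_SNAPSHOT, NEW_SNAPSHOT, service="S3").items():
        print(key, value)
```

Against the real file, pass the body fetched from the URL given above to load_entries and keep everything else as it is. Because ipaddress.ip_network is called with strict=True, a prefix written with host bits set, such as the illustrative 198.51.100.2/24 in the field reference above, raises ValueError rather than being rounded down to the network address, which is the behaviour you want from data that ends up in firewall rules. The subnet_of check covers the note that AWS may announce a listed prefix as several more specific routes: each announced /21 is still accepted as long as it sits inside a listed range.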
Parsing the File
On Linux, use the jq tool to parse the file. IPv4 entries are under .prefixes; IPv6 entries are under .ipv6_prefixes and carry the ipv6_prefix field instead of ip_prefix.
# get all entries for a specific region
$ jq '.prefixes[] | select(.region=="us-east-1")' < ip-ranges.json
# get just the IPv4 prefixes for a specific service (-r prints raw strings without quotes)
$ jq -r '.prefixes[] | select(.service=="CODEBUILD") | .ip_prefix' < ip-ranges.json
Python
The following Python script shows how to get the IP addresses that are in the AMAZON list but not the EC2 list. Copy the script and save it in a file named get_ips.py.
#!/usr/bin/env python3
import requests

# Fetch the current file; IPv4 entries are under "prefixes" (IPv6 entries live under "ipv6_prefixes")
response = requests.get('https://ip-ranges.amazonaws.com/ip-ranges.json', timeout=10)
response.raise_for_status()
ip_ranges = response.json()['prefixes']
# Every subset is also in AMAZON, so AMAZON minus EC2 leaves the ranges not attributed to EC2
amazon_ips = [item['ip_prefix'] for item in ip_ranges if item['service'] == 'AMAZON']
ec2_ips = {item['ip_prefix'] for item in ip_ranges if item['service'] == 'EC2'}
amazon_ips_less_ec2 = [ip for ip in amazon_ips if ip not in ec2_ips]
for ip in amazon_ips_less_ec2:
    print(ip)