AWS updates its IP address ranges periodically, and you can subscribe to these updates. Whenever there is a change to the AWS IP address ranges, Amazon sends a notification to subscribers of the AmazonIpSpaceChanged topic.
This matters if you have implemented egress control in your VPC that limits outbound access to the AWS service address ranges: a newly published prefix is not in your allow-list until you update the rules.
The ranges are published in ip-ranges.json (https://ip-ranges.amazonaws.com/ip-ranges.json).
Each entry in the JSON file gives the region, the IP range (prefix), the network border group and the service name, for both IPv4 and IPv6 prefixes.
The region is GLOBAL for edge locations. The API_GATEWAY ranges are egress only. Specify AMAZON to get all IP address ranges (meaning that every subset is also in the AMAZON subset). However, some IP address ranges are only in the AMAZON subset (meaning that they are not also available in another subset).
On Linux use the jq tool to parse the file. Note that .prefixes is an array, so it has to be iterated with .prefixes[] before select() can look at each entry.
# get the full entries for a specific region
$ jq '.prefixes[] | select(.region=="us-east-1")' < ip-ranges.json
# get only the IPv4 prefixes for a specific service
$ jq -r '.prefixes[] | select(.service=="CODEBUILD") | .ip_prefix' < ip-ranges.json
The following Python script shows you how to get the IP addresses that are in the AMAZON list but not in the EC2 list. Copy the script and save it in a file named get_ips.py (it needs the requests library).
import requests

# Fetch the current published ranges and keep the IPv4 entries
ip_ranges = requests.get('https://ip-ranges.amazonaws.com/ip-ranges.json', timeout=30).json()['prefixes']
amazon_ips = [item['ip_prefix'] for item in ip_ranges if item["service"] == "AMAZON"]
ec2_ips = [item['ip_prefix'] for item in ip_ranges if item["service"] == "EC2"]

# Keep the AMAZON prefixes that do not also appear under EC2
amazon_ips_less_ec2 = []
for ip in amazon_ips:
    if ip not in ec2_ips:
        amazon_ips_less_ec2.append(ip)

for ip in amazon_ips_less_ec2:
    print(str(ip))
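As an added example (not code from the original post), the script below applies the same filters as the jq one-liners and get_ips.py to an embedded, constructed ip-ranges.json sample, and goes one step further: it diffs two snapshots to report which AMAZON prefixes were added or removed, which is exactly what an egress allow-list needs when an AmazonIpSpaceChanged notification arrives, and it checks whether a given address falls inside a published prefix. The two snapshots use documentation address space and are not real AWS ranges; the function names are my own, and the only assumption about the file format is the field layout the page describes (prefixes/ipv6_prefixes entries with ip_prefix or ipv6_prefix, region, network_border_group and service, plus the top-level syncToken).

```python
import json
import ipaddress

# Constructed sample snapshots in the ip-ranges.json layout, using documentation
# address space (RFC 5737 / RFC 3849). These are NOT real AWS prefixes.
OLD_SNAPSHOT = json.loads("""{
  "syncToken": "1700000001",
  "createDate": "2024-01-01-00-00-01",
  "prefixes": [
    {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "network_border_group": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "network_border_group": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "network_border_group": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "192.0.2.0/24",    "region": "GLOBAL",    "network_border_group": "GLOBAL",    "service": "AMAZON"},
    {"ip_prefix": "192.0.2.0/24",    "region": "GLOBAL",    "network_border_group": "GLOBAL",    "service": "CLOUDFRONT"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8::/32", "region": "GLOBAL", "network_border_group": "GLOBAL", "service": "AMAZON"}
  ]
}""")

# A later constructed snapshot: one us-east-1 AMAZON prefix retired, a smaller one added.
NEW_SNAPSHOT = json.loads("""{
  "syncToken": "1700000002",
  "createDate": "2024-02-01-00-00-01",
  "prefixes": [
    {"ip_prefix": "203.0.113.0/24",    "region": "us-east-1", "network_border_group": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/24",    "region": "us-east-1", "network_border_group": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "network_border_group": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "192.0.2.0/24",      "region": "GLOBAL",    "network_border_group": "GLOBAL",    "service": "AMAZON"},
    {"ip_prefix": "192.0.2.0/24",      "region": "GLOBAL",    "network_border_group": "GLOBAL",    "service": "CLOUDFRONT"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8::/32", "region": "GLOBAL", "network_border_group": "GLOBAL", "service": "AMAZON"}
  ]
}""")


def _net_key(prefix):
    """Sort key that orders IPv4 before IPv6 and then by network address."""
    net = ipaddress.ip_network(prefix)
    return (net.version, net)


def all_prefixes(doc):
    """Yield (prefix, region, service) for both the IPv4 and the IPv6 entries."""
    for item in doc.get("prefixes", []):
        yield item["ip_prefix"], item["region"], item["service"]
    for item in doc.get("ipv6_prefixes", []):
        yield item["ipv6_prefix"], item["region"], item["service"]


def prefixes_for(doc, region=None, service=None):
    """Same filter as the jq one-liners: optionally restrict by region and/or service."""
    found = {p for p, r, s in all_prefixes(doc)
             if (region is None or r == region) and (service is None or s == service)}
    return sorted(found, key=_net_key)


def amazon_less_ec2(doc):
    """AMAZON prefixes not also listed under EC2 (set difference instead of the nested loop)."""
    only_amazon = set(prefixes_for(doc, service="AMAZON")) - set(prefixes_for(doc, service="EC2"))
    return sorted(only_amazon, key=_net_key)


def diff_snapshots(old, new, service="AMAZON"):
    """Prefixes added and removed for one service between two snapshots.

    syncToken increases with every publication, so a notification carrying an
    older or equal token is stale and must not be applied to the allow-list.
    """
    if int(new["syncToken"]) <= int(old["syncToken"]):
        raise ValueError("new snapshot is not newer than the old one")
    before = set(prefixes_for(old, service=service))
    after = set(prefixes_for(new, service=service))
    return sorted(after - before, key=_net_key), sorted(before - after, key=_net_key)


def covered_by(doc, address, service):
    """True if the address falls inside any prefix published for that service."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(p) for p in prefixes_for(doc, service=service))


if __name__ == "__main__":
    print("AMAZON but not EC2:", amazon_less_ec2(OLD_SNAPSHOT))
    added, removed = diff_snapshots(OLD_SNAPSHOT, NEW_SNAPSHOT)
    print("allow-list entries to add:", added)
    print("allow-list entries to remove:", removed)
    print("203.0.113.7 in EC2 range:", covered_by(OLD_SNAPSHOT, "203.0.113.7", "EC2"))
```

To use this against the real file, replace the embedded strings with json.load() of the downloaded ip-ranges.json and keep the previous copy on disk so that diff_snapshots can be run each time the notification fires; the syncToken guard protects the allow-list from being rolled back by a late-arriving, older notification.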