AWS updates its IP address ranges periodically, and you can subscribe to these updates: whenever the AWS IP address ranges change, Amazon sends a notification to subscribers of the AmazonIpSpaceChanged topic.
This matters if you enforce egress control in your VPC (for example, firewall or security group rules that only allow traffic to the AWS service address ranges): rules built from an old copy of the file will block newly added service ranges, so the rules have to be regenerated on every change.
The ranges are published at https://ip-ranges.amazonaws.com/ip-ranges.json.
The file has two arrays, prefixes (IPv4) and ipv6_prefixes (IPv6). Each entry gives the prefix, the region, the network border group and the service name. The top-level syncToken and createDate fields identify the version of the file, which is how you tell whether a downloaded copy is newer than the one your rules were built from.
Example: "ip_prefix": "198.51.100.2/24"
Example: "ipv6_prefix": "2001:db8:1234::/64"
Example: "network_border_group": "us-west-2-lax-1"
region: The Region, or GLOBAL for edge locations. The CLOUDFRONT and ROUTE53 ranges are GLOBAL.
Valid values: ap-east-1 | ap-northeast-1 | ap-northeast-2 | ap-northeast-3 | ap-south-1 | ap-southeast-1 | ap-southeast-2 | ca-central-1 | cn-north-1 | cn-northwest-1 | eu-central-1 | eu-north-1 | eu-west-1 | eu-west-2 | eu-west-3 | sa-east-1 | us-east-1 | us-east-2 | us-gov-east-1 | us-gov-west-1 | us-west-1 | us-west-2 | GLOBAL
Example: "region": "us-east-1"
service: The subset of IP address ranges. The ranges listed for API_GATEWAY are egress only. Specify AMAZON to get all IP address ranges (every other subset is also contained in the AMAZON subset). However, some IP address ranges appear only in the AMAZON subset and in no other subset.
Type: String
Valid values: AMAZON | AMAZON_APPFLOW | AMAZON_CONNECT | API_GATEWAY | CHIME_MEETINGS | CHIME_VOICECONNECTOR | CLOUD9 | CLOUDFRONT | CODEBUILD | DYNAMODB | EC2 | EC2_INSTANCE_CONNECT | GLOBALACCELERATOR | ROUTE53 | ROUTE53_HEALTHCHECKS | S3 | WORKSPACES_GATEWAYS
Example: "service": "AMAZON"
On Linux, use the jq tool to query the file. Both commands below read the IPv4 prefixes array only; IPv6 ranges live in .ipv6_prefixes[] and carry the key ipv6_prefix instead of ip_prefix, so an egress rule set built from .prefixes alone is incomplete for dual-stack workloads.
# get IPs for a specific region
$ jq '.prefixes[] | select(.region=="us-east-1")' < ip-ranges.json
# get IPs for a specific service
$ jq -r '.prefixes[] | select(.service=="CODEBUILD") | .ip_prefix' < ip-ranges.json
The following Python script shows you how to get the IP addresses that are in the AMAZON list but not the EC2 list. This is the usual starting point for an egress allow-list: the EC2 ranges are the addresses assigned to customers' EC2 instances, so allowing every AMAZON prefix would also allow traffic to arbitrary EC2 hosts run by other customers. Copy the script and save it in a file named get_ips.py (it needs the third-party requests package and network access).
#!/usr/bin/env python3
import requests

# Download the current file; only the IPv4 'prefixes' array is used here.
resp = requests.get('https://ip-ranges.amazonaws.com/ip-ranges.json', timeout=10)
resp.raise_for_status()
ip_ranges = resp.json()['prefixes']

amazon_ips = [item['ip_prefix'] for item in ip_ranges if item['service'] == 'AMAZON']
# AMAZON is a superset of every other service list, so subtracting EC2 leaves the
# non-EC2 service ranges. A set makes the membership test O(1).
ec2_ips = {item['ip_prefix'] for item in ip_ranges if item['service'] == 'EC2'}
amazon_ips_less_ec2 = [ip for ip in amazon_ips if ip not in ec2_ips]

for ip in amazon_ips_less_ec2:
    print(ip)
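The script above covers one case (AMAZON minus EC2) and ignores IPv6. The block below is an added example, not AWS code and not part of the original page: it generalises the same filtering to any service or region across both prefix arrays, computes the AMAZON-only remainder the service description mentions, classifies an arbitrary IP against the file (which service and region a connection is really going to), and diffs two versions of the file using syncToken, which is the work an AmazonIpSpaceChanged subscriber has to do before updating egress rules. The two JSON documents are constructed samples in the shape of ip-ranges.json using documentation address ranges, so it runs offline; the helper names are my own.

```python
#!/usr/bin/env python3
"""Offline helpers for ip-ranges.json: filter, difference, classify, diff.
Added example, not AWS code; the sample documents below are constructed."""
import copy
import ipaddress
import json
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample in the same shape as ip-ranges.json. The prefixes are
# documentation ranges (RFC 5737 / RFC 3849), not real AWS address space.
SAMPLE_OLD = json.loads("""{
  "syncToken": "1000000000",
  "createDate": "2024-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
    {"ip_prefix": "203.0.113.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-lax-1"},
    {"ip_prefix": "203.0.113.0/24", "region": "us-west-2", "service": "CODEBUILD", "network_border_group": "us-west-2-lax-1"},
    {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1234::/64", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
    {"ipv6_prefix": "2001:db8:1234::/64", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"}
  ]
}""")

# A constructed newer version: one CODEBUILD range withdrawn, one CLOUDFRONT range added.
SAMPLE_NEW = copy.deepcopy(SAMPLE_OLD)
SAMPLE_NEW["syncToken"] = "1000000001"
SAMPLE_NEW["prefixes"] = [p for p in SAMPLE_NEW["prefixes"] if p["service"] != "CODEBUILD"]
SAMPLE_NEW["prefixes"].append({"ip_prefix": "192.0.2.128/25", "region": "GLOBAL",
                               "service": "CLOUDFRONT", "network_border_group": "GLOBAL"})

Entry = Tuple[str, str, str, str]  # (prefix, service, region, network_border_group)


def entries(doc: dict, include_ipv6: bool = True) -> List[Entry]:
    """Flatten both prefix arrays into uniform tuples so IPv6 is never forgotten."""
    out = [(p["ip_prefix"], p["service"], p["region"], p["network_border_group"])
           for p in doc["prefixes"]]
    if include_ipv6:
        out += [(p["ipv6_prefix"], p["service"], p["region"], p["network_border_group"])
                for p in doc["ipv6_prefixes"]]
    return out


def filter_prefixes(doc: dict, service: Optional[str] = None,
                    region: Optional[str] = None) -> List[str]:
    """Same idea as the jq select() filters, de-duplicated, in file order."""
    found: List[str] = []
    for prefix, svc, reg, _ in entries(doc):
        if service is not None and svc != service:
            continue
        if region is not None and reg != region:
            continue
        if prefix not in found:
            found.append(prefix)
    return found


def difference(doc: dict, keep: str, drop: Iterable[str]) -> List[str]:
    """Prefixes of service `keep` not listed under any service in `drop`.
    difference(doc, "AMAZON", ["EC2"]) is what get_ips.py computes."""
    dropped = {p for p, s, _, _ in entries(doc) if s in set(drop)}
    return [p for p in filter_prefixes(doc, service=keep) if p not in dropped]


def amazon_only(doc: dict) -> List[str]:
    """AMAZON prefixes that belong to no named service subset at all."""
    others = {s for _, s, _, _ in entries(doc)} - {"AMAZON"}
    return difference(doc, "AMAZON", others)


def classify(doc: dict, ip: str) -> List[Entry]:
    """Every entry whose prefix contains ip, most specific first (empty if not AWS).
    ipaddress treats an IPv4 address as outside every IPv6 network and vice versa."""
    addr = ipaddress.ip_address(ip)
    hits = [e for e in entries(doc) if addr in ipaddress.ip_network(e[0])]
    return sorted(hits, key=lambda e: ipaddress.ip_network(e[0]).prefixlen, reverse=True)


def diff(old: dict, new: dict) -> Dict[str, List[Entry]]:
    """Entries added and removed between two downloads. Equal syncTokens mean
    the same file version, so nothing needs to change."""
    if old["syncToken"] == new["syncToken"]:
        return {"added": [], "removed": []}
    before, after = set(entries(old)), set(entries(new))
    return {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    print("AMAZON but not EC2:", difference(SAMPLE_OLD, "AMAZON", ["EC2"]))
    print("AMAZON only:", amazon_only(SAMPLE_OLD))
    print("203.0.113.7 belongs to:", [e[1] for e in classify(SAMPLE_OLD, "203.0.113.7")])
    print("changes:", diff(SAMPLE_OLD, SAMPLE_NEW))
```

To use it against the real file, replace SAMPLE_OLD and SAMPLE_NEW with json.load() of a stored copy and a fresh download; the diff output is the list of rules to add and retire, and classify() is useful in incident triage when a flow log shows traffic to an address that "looks like AWS" and you need to know whether it was a service endpoint or another customer's EC2 instance.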