How to determine the IP ranges of AWS services for security groups

This post will show you how to determine the IP address ranges of Amazon Web Services (AWS) services. Knowing the IP address ranges will enable you to allow or deny access to these AWS services by using (amongst others) security groups. Setting the permitted IP ranges for a security group is an essential part of tightening security.

What are the AWS security groups?

AWS security groups are virtual firewalls that control network traffic to and from your resources. For example, you could have a security group that only allows traffic in from a specific IP address. Use Anto’s Public IP tool to determine your current IP. You could also deny traffic to a range of IP addresses.

The problem with using IP addresses

IP addresses change! Imagine a service such as AWS S3. The AWS S3 service is a global service. There are perhaps thousands of S3 servers globally, all waiting for the next request. Today the IP address will be ‘x’ and tomorrow it could be ‘y’. Which IP address or IP range do you add to your security group?

It is for this reason that we would prefer to use the DNS name instead, since DNS resolves to whatever IP address is current. Unfortunately, you cannot use a DNS name in a security group rule, so you must set an IP address or range. Thus, we need to look up the IP ranges and update the rules when they change. AWS owns many IP addresses, so you may want to automate the update process. (Anto has a script for that!)

Lookup the current IP address ranges for AWS services

AWS publishes its current IP address ranges for all its services in JSON format. You can reference this JSON file here at https://ip-ranges.amazonaws.com/ip-ranges.json. Alternatively, use the AWS IP ranges tool from Anto, if the JSON file is confusing. Finally, read this helpful document about the AWS IP ranges.

The IP range list provided by AWS is a very comprehensive list, and it includes all the IP addresses for all the AWS services. The services include, but are not limited to, S3, EC2, Route 53 health checks and more. Furthermore, it contains both the IPv4 and IPv6 ranges.
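The ip-ranges.json file has a flat shape: a top-level `syncToken` and `createDate`, a `prefixes` array of IPv4 entries (`ip_prefix`, `region`, `service`, `network_border_group`) and an `ipv6_prefixes` array with the same fields but `ipv6_prefix`. The following Python is an added example, not code from this post or from Anto; it filters the file by service and optional region, and compares two downloads so that a scheduled job can tell which ranges were added or removed. The sample JSON is constructed to match the real file's shape, with made-up documentation prefixes; `fetch_ip_ranges` is only called when you run the script with network access.

```python
import ipaddress
import json
import urllib.request

# Real URL of the AWS-published file (the post links the same address).
IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the same shape as the real file; the prefixes are
# RFC 5737 / RFC 3849 documentation ranges, not real AWS ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-12-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1",
         "service": "S3", "network_border_group": "eu-west-1"},
        {"ip_prefix": "203.0.113.0/25", "region": "us-east-1",
         "service": "S3", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1",
         "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "eu-west-1",
         "service": "S3", "network_border_group": "eu-west-1"},
    ],
})


def fetch_ip_ranges(url=IP_RANGES_URL, timeout=10):
    """Download and parse the live file (requires network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_ip_ranges(resp.read().decode("utf-8"))


def parse_ip_ranges(text):
    """Parse the JSON and check the keys the rest of the code relies on."""
    data = json.loads(text)
    for key in ("syncToken", "prefixes", "ipv6_prefixes"):
        if key not in data:
            raise ValueError(f"ip-ranges file is missing the '{key}' key")
    return data


def _net_key(prefix):
    # Sort IPv4 before IPv6 and each family numerically; ip_network() also
    # rejects malformed prefixes instead of letting them into a firewall rule.
    net = ipaddress.ip_network(prefix)
    return (net.version, net)


def extract_prefixes(data, service, region=None):
    """Return (ipv4_list, ipv6_list) for a service, optionally limited to a region."""
    def wanted(entry):
        return entry["service"] == service and (region is None or entry["region"] == region)

    v4 = {e["ip_prefix"] for e in data["prefixes"] if wanted(e)}
    v6 = {e["ipv6_prefix"] for e in data["ipv6_prefixes"] if wanted(e)}
    return sorted(v4, key=_net_key), sorted(v6, key=_net_key)


def diff_prefixes(old_data, new_data, service, region=None):
    """Ranges that appeared or disappeared between two downloads of the file."""
    old_v4, old_v6 = extract_prefixes(old_data, service, region)
    new_v4, new_v6 = extract_prefixes(new_data, service, region)
    old, new = set(old_v4 + old_v6), set(new_v4 + new_v6)
    return {
        "added": sorted(new - old, key=_net_key),
        "removed": sorted(old - new, key=_net_key),
    }


if __name__ == "__main__":
    data = parse_ip_ranges(SAMPLE_IP_RANGES)
    v4, v6 = extract_prefixes(data, "S3", region="eu-west-1")
    print("syncToken", data["syncToken"], "S3 eu-west-1:", v4, v6)
```

Store the `syncToken` alongside the rules you applied; when a fresh download carries a different token, run `diff_prefixes` against the stored copy and only touch the security group rules that actually changed.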

Apply the IP range to your security group

Take the following steps to apply your IP address range to your security group:

  1. Navigate to your EC2 dashboard in the AWS management console.
  2. Then click on the ‘security groups’ menu item in the ‘network security’ section.
  3. Select your security group and click on the inbound or outbound tab.
  4. Click on the edit button and then add your IP address range as well as the rule type and port range.

See an example below of editing an inbound IP range. You may need to add multiple rules and edit the outbound rules as well; the configuration depends on what you are trying to achieve. Read the following doc for more information: using-network-security.
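The console steps above map directly onto the EC2 API: a rule is an `IpPermissions` entry with a protocol, a port range and a list of IPv4 (`IpRanges`) and IPv6 (`Ipv6Ranges`) CIDRs, and each CIDR consumes one rule against the security group's quota. The following Python is an added example, not code from this post or from Anto; it builds that structure, checks it against the default quota of 60 rules per security group (per direction), and writes the same JSON that `aws ec2 authorize-security-group-ingress --ip-permissions file://...` accepts. The boto3 call is real but only attempted if boto3 is installed and you pass a group id; the CIDRs and `sg-EXAMPLE` group id are constructed placeholders.

```python
import json

# AWS default quota: 60 inbound rules and 60 outbound rules per security group.
DEFAULT_RULES_PER_SG = 60


def build_ip_permissions(cidrs_v4, cidrs_v6, port, protocol="tcp",
                         description="AWS ip-ranges.json"):
    """One IpPermissions entry covering every CIDR for a single port/protocol."""
    # Deduplicate while keeping order so a repeated prefix does not burn a rule.
    v4 = list(dict.fromkeys(cidrs_v4))
    v6 = list(dict.fromkeys(cidrs_v6))
    return {
        "IpProtocol": protocol,
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": c, "Description": description} for c in v4],
        "Ipv6Ranges": [{"CidrIpv6": c, "Description": description} for c in v6],
    }


def count_rules(ip_permissions):
    """Each CIDR in each entry is one rule for quota purposes."""
    return sum(len(p["IpRanges"]) + len(p["Ipv6Ranges"]) for p in ip_permissions)


def fits_quota(ip_permissions, existing=0, quota=DEFAULT_RULES_PER_SG):
    """True if the new rules plus the rules already in the group stay within quota."""
    return existing + count_rules(ip_permissions) <= quota


def to_cli_json(ip_permissions):
    """JSON for: aws ec2 authorize-security-group-ingress --group-id ... --ip-permissions file://perms.json"""
    return json.dumps(ip_permissions, indent=2)


def authorize_ingress(group_id, ip_permissions, existing=0):
    """Apply the rules with boto3 (real API: EC2.Client.authorize_security_group_ingress)."""
    if not fits_quota(ip_permissions, existing):
        raise ValueError(
            f"{count_rules(ip_permissions)} new rules plus {existing} existing "
            f"exceed the {DEFAULT_RULES_PER_SG}-rule default quota; split the "
            "ranges across groups or request a quota increase"
        )
    import boto3  # imported here so the pure helpers above run without it
    ec2 = boto3.client("ec2")
    return ec2.authorize_security_group_ingress(
        GroupId=group_id, IpPermissions=ip_permissions
    )


if __name__ == "__main__":
    # Constructed documentation prefixes standing in for the output of the
    # ip-ranges.json filtering step; sg-EXAMPLE is a placeholder group id.
    perms = [build_ip_permissions(["203.0.113.0/25"], ["2001:db8:1::/48"], 443)]
    print(to_cli_json(perms))
    print("rules needed:", count_rules(perms), "fits default quota:", fits_quota(perms))
    # authorize_ingress("sg-EXAMPLE", perms)  # uncomment with real credentials and group id
```

Check the count before you apply anything: the full S3 prefix list for even one region can come close to or exceed the 60-rule default, and a failed `authorize` call part-way through an automated update leaves the group in a half-updated state.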


About Anto Online

Anto, a seasoned technologist with over two decades of experience, has traversed the tech landscape from Desktop Support Engineer to enterprise application consultant, specializing in AWS serverless technologies. He guides clients in leveraging serverless solutions while passionately exploring cutting-edge cloud concepts beyond his daily work. Anto's dedication to continuous learning, experimentation, and collaboration makes him a true inspiration, igniting others' interest in the transformative power of cloud computing.

