This post will show you how to determine the IP address ranges of Amazon Web Services (or AWS) services. Knowing the IP address range will enable you to allow/deny access to these AWS services by using (amongst other) security groups. Setting the permitted IP ranges for a security group is an essential part of tightening security.
What are the AWS security groups?
AWS Security groups are virtual firewalls that help to control network traffic. As an example, you could have a security group that only allow traffic into the group from a specific IP address. Use Anto’s Public IP tool to determine your current IP. You could also deny traffic to a range of IP addresses.
The problem with using IP addresses
IP addresses change! Imagine a service such as AWS S3. The AWS S3 service is a global service. There are perhaps thousands of S3 servers globally, all waiting for the next request. Today the IP address will be ‘x’ and tomorrow it could be ‘y’. Which one IP or IP range do you add to your security group?
It is for this reason that we want to use the DNS name instead. DNS automatically resolves the latest new IP address. Unfortunately, you cannot use a DNS name with security groups, so you must set an IP address. Thus, we need to look up the IP address and update it when it changes. AWS owns many IP addresses, so you may want to automate the update process. (Anto has a script for that!)
Lookup the current IP address ranges for AWS services
AWS publishes its current IP address ranges for all their services in JSON format. You can reference this JSON file here at https://ip-ranges.amazonaws.com/ip-ranges.json. Alternatively, use the AWS IP ranges tool from Anto, if the JSON file is confusing. Read this helpful document about the AWS IP ranges.
The IP range list provided by AWS is a very comprehensive list, and it includes all the IP addresses for all the AWS services. The services include, but are not limited too S3, EC2, Route53 Health Checks and more. Furthermore, it contains the IP v4 and IP v6 ranges.
Apply the IP range to your security group
Take the following steps to apply your IP address range to your security group:
- Navigate to your EC2 dashboard in the AWS management console.
- Then click on the ‘security groups’ menu item in the ‘network security’ section.
- Select your security group and click on the inbound or outbound tab.
- Click on the edit button and then add your IP address range as well as the rule type and port range.
See an example below of editing an inbound IP range. You may need to add multiple rules and edit the outbound rules. The configuration depends on what you are trying to achieve. Read the following doc for more information: using-network-security.
I hope you liked my post! Click here to see more great posts. Anto will love to hear from you, so feel free to post a comment or like this post. Share this post, and you shall receive millions of years of good Karma. Alternatively, Why not click here to follow me on Twitter?