A description is available at AWS IP address ranges, which states:
service: The subset of IP address ranges. The addresses listed for API_GATEWAY are egress only. Specify AMAZON to get all IP address ranges (meaning that every subset is also in the AMAZON subset). However, some IP address ranges are only in the AMAZON subset (meaning that they are not also available in another subset).
AMAZON will return all IP address ranges. The documentation does not state whether IP ranges for different services may or may not overlap.
Are you able to share your use-case for using ip-ranges.json?
If this is for VPC, the AWS-managed prefix lists may be useful. For access to AWS services within a VPC without internet connectivity, AWS PrivateLink should help
If you are using it for third-party firewall ingress/egress control from/to AWS resources, Check Point has native support via Updatable Objects. For other firewalls such as FortiGate/Palo Alto, the aws-ipranges-api can help keep the IP prefixes up to date.
I guess this could be a use case "You can also allow or deny traffic to or from specific types of AWS resources."
The use case is similar to what Gary mentioned: for known PaaS services like S3 and DynamoDB that are being used, we will allow traffic; for EC2 and such we would have separate rules individually. But if EC2 and S3 have the same CIDR that becomes difficult, and we are segmenting PaaS individually as well, so if S3 and DynamoDB have the same CIDR that is also an issue.
Got it. Assuming this is in a VPC, you can block egress to internet and use AWS PrivateLink for access to specific AWS services as per https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html. I have updated my original post
We are reading flow logs and generating firewall rules based on IP ranges (API). So we just need to verify whether the overlapping of CIDR ranges is limited to EC2 (IaaS) and S3 (PaaS) only, or whether we also need to consider S3 and DynamoDB (both PaaS) having overlapping IP ranges.
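Since the documentation does not say whether service subsets overlap, the question can be settled mechanically against the published file rather than by assumption. The script below is an added example; it is not code from any poster in this thread or from AWS. It loads a constructed document in the ip-ranges.json layout (the field names match the real file; the prefixes, regions and syncToken are made up for the example) and reports every pair of prefixes that overlap between two different services. AMAZON is skipped by default because the documentation quoted above describes it as the superset of every other service. Pass the path of a downloaded copy of https://ip-ranges.amazonaws.com/ip-ranges.json on the command line to run the same check on the live data.

```python
import ipaddress
import json
import sys
from collections import defaultdict

# Constructed sample in the shape of ip-ranges.json. Field names match the real
# file; every prefix, region and token below is invented for this example.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.102.0/23", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.103.0/24", "region": "us-east-1", "service": "DYNAMODB", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1"},
        {"ip_prefix": "203.0.113.0/25", "region": "eu-west-1", "service": "CLOUDFRONT", "network_border_group": "eu-west-1"},
        {"ip_prefix": "203.0.113.128/25", "region": "eu-west-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "eu-west-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
    ],
})


def load_prefixes(text):
    """Return (service, region, network) tuples for the IPv4 and IPv6 entries
    of an ip-ranges.json document given as a JSON string."""
    data = json.loads(text)
    out = []
    for entry in data.get("prefixes", []):
        out.append((entry["service"], entry["region"],
                    ipaddress.ip_network(entry["ip_prefix"], strict=False)))
    for entry in data.get("ipv6_prefixes", []):
        out.append((entry["service"], entry["region"],
                    ipaddress.ip_network(entry["ipv6_prefix"], strict=False)))
    return out


def find_cross_service_overlaps(prefixes, ignore=("AMAZON",)):
    """Return a sorted list of (outer_service, outer_prefix, inner_service,
    inner_prefix) for every pair of prefixes from different services that
    overlap. Two CIDR blocks either nest or are disjoint, so after sorting by
    start address (largest block first on ties) a stack of still-open blocks
    holds exactly the blocks that contain the block being examined; this keeps
    the check near-linear instead of comparing every pair."""
    overlaps = set()
    by_version = defaultdict(list)
    for svc, _region, net in prefixes:
        if svc not in ignore:
            by_version[net.version].append((net, svc))
    for entries in by_version.values():
        entries.sort(key=lambda e: (int(e[0].network_address), e[0].prefixlen))
        stack = []
        for net, svc in entries:
            # Close blocks that end before this one starts.
            while stack and stack[-1][0].broadcast_address < net.network_address:
                stack.pop()
            for outer_net, outer_svc in stack:
                if outer_svc != svc:
                    overlaps.add((outer_svc, str(outer_net), svc, str(net)))
            stack.append((net, svc))
    return sorted(overlaps)


def overlapping_service_pairs(overlaps):
    """Collapse prefix-level overlaps into the set of service pairs involved,
    which is the level at which firewall segmentation decisions are made."""
    return {tuple(sorted((a, b))) for a, _pa, b, _pb in overlaps}


if __name__ == "__main__":
    # With a file path argument, check a downloaded ip-ranges.json; otherwise
    # run against the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_IP_RANGES
    found = find_cross_service_overlaps(load_prefixes(text))
    for outer_svc, outer_net, inner_svc, inner_net in found:
        print(f"{outer_svc:22s} {outer_net:22s} overlaps {inner_svc:22s} {inner_net}")
    print("service pairs with overlapping prefixes:",
          sorted(overlapping_service_pairs(found)))
```

On the constructed sample the check reports the EC2/S3 prefix that is listed identically under both services and the DYNAMODB prefix nested inside an S3 block, which is exactly the kind of collision that breaks a per-service allow rule. Passing ignore=() additionally reports every AMAZON superset containment, which is expected and not a problem for segmentation.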