An application needs to be able to upload / download data from Amazon S3 via the regional endpoint (ap-southeast-1). If there's a network firewall in place, which IP addresses need to be allow-listed?
From the AWS Service Endpoints, would this be just s3.ap-southeast-1.amazonaws.com, with the IP address ranges coming from https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html?
For example, the IP ranges could be downloaded and filtered as follows:
curl -O https://ip-ranges.amazonaws.com/ip-ranges.json
jq -r '.prefixes[] | select(.region=="ap-southeast-1") | select(.service=="S3") | .ip_prefix' < ip-ranges.json
Result:
18.34.248.0/22
16.12.48.0/21
52.219.32.0/21
18.34.64.0/21
52.219.180.0/22
52.219.40.0/22
52.219.164.0/22
52.219.124.0/22
3.5.146.0/23
52.219.128.0/22
52.219.184.0/21
52.219.132.0/22
3.5.148.0/22
13.213.20.144/28
13.213.20.160/28
Would allow-listing just the above IP address ranges be sufficient?
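The same filter turned into a repeatable check, as an added example that is not part of the original question: it parses the ip-ranges.json structure (a constructed excerpt is embedded so it runs offline), extracts the S3 prefixes for a region exactly as the jq expression does, verifies that addresses the endpoint name resolves to fall inside those prefixes, and compares the file's syncToken against the one the firewall rules were built from so a stale allow-list is noticed. The sample prefixes and the "resolved" addresses are constructed, not real AWS data.

```python
import ipaddress
import json

def _entry(prefix, region, service):
    """Shape of one element of .prefixes in ip-ranges.json."""
    return {"ip_prefix": prefix, "region": region, "service": service,
            "network_border_group": region}

# Constructed excerpt in the format of https://ip-ranges.amazonaws.com/ip-ranges.json
# (the real file has thousands of entries; these values are illustrative only).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-22-13-20",
    "prefixes": [
        _entry("52.219.32.0/21", "ap-southeast-1", "S3"),
        _entry("3.5.146.0/23", "ap-southeast-1", "S3"),
        _entry("52.219.32.0/21", "ap-southeast-1", "AMAZON"),  # same range, broader service tag
        _entry("52.219.72.0/22", "ap-southeast-2", "S3"),      # wrong region, must be excluded
        _entry("18.136.0.0/16", "ap-southeast-1", "EC2"),      # right region, wrong service
    ],
})

def s3_prefixes(ip_ranges_json: str, region: str):
    """Return (syncToken, sorted IPv4 networks) tagged service S3 in `region`.
    Same selection as: jq '.prefixes[] | select(.region==R) | select(.service=="S3") | .ip_prefix'"""
    doc = json.loads(ip_ranges_json)
    nets = {ipaddress.ip_network(p["ip_prefix"])
            for p in doc["prefixes"]
            if p["region"] == region and p["service"] == "S3"}
    return doc["syncToken"], sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))

def uncovered(addresses, networks):
    """Addresses (e.g. what the endpoint currently resolves to) outside every
    allow-listed network. Non-empty means the rules would block the endpoint,
    or the published ranges have moved since the rules were written."""
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in networks)]

def allowlist_is_current(published_token: str, deployed_token: str) -> bool:
    """Record the syncToken the firewall rules were generated from; a different
    published token means ip-ranges.json must be re-pulled and re-applied."""
    return published_token == deployed_token

if __name__ == "__main__":
    token, nets = s3_prefixes(SAMPLE_IP_RANGES, "ap-southeast-1")
    print("syncToken:", token)
    for n in nets:
        print(n)
    # Constructed stand-ins for socket.getaddrinfo("s3.ap-southeast-1.amazonaws.com", 443).
    resolved = ["52.219.36.10", "3.5.147.200", "18.136.5.5"]
    print("not covered by allow-list:", uncovered(resolved, nets))
```

Run it periodically (or on each change of syncToken) rather than once, since the published ranges are updated and an allow-list built from an old download silently drifts.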