Introduction
Security audits often require verifying whether a specific IP address belongs to AWS and, if so, identifying the related service and region. Manually checking the AWS ip-ranges.json file every time can be tedious.
To simplify this process, I built two PowerShell scripts that can:
- Extract IP ranges based on AWS service and region
- Look up which service and region an IP address belongs to
- Export results to CSV (optional)
These tools are especially helpful during security reviews or when configuring allowlists.
Get IP Ranges by Service and Region
Features
- Uses the official ip-ranges.json
- Provides a selectable list of services and regions
- CSV export supported
Script
# Download AWS IP ranges JSON
Invoke-WebRequest -Uri https://ip-ranges.amazonaws.com/ip-ranges.json -OutFile ip-ranges.json

# Load the JSON (.prefixes holds the IPv4 ranges; IPv6 ranges are under .ipv6_prefixes)
$json = Get-Content -Raw -Path ip-ranges.json | ConvertFrom-Json

# Select a service
$services = @($json.prefixes | Select-Object -ExpandProperty service | Sort-Object -Unique)
Write-Host "=== Select a Service ==="
for ($i = 0; $i -lt $services.Count; $i++) { Write-Host "$i`: $($services[$i])" }
$serviceIndex = [int](Read-Host "Enter service number")
if ($serviceIndex -lt 0 -or $serviceIndex -ge $services.Count) { throw "Service number out of range." }
$selectedService = $services[$serviceIndex]

# Select a region
$regions = @($json.prefixes | Select-Object -ExpandProperty region | Sort-Object -Unique)
Write-Host "`n=== Select a Region ==="
for ($i = 0; $i -lt $regions.Count; $i++) { Write-Host "$i`: $($regions[$i])" }
$regionIndex = [int](Read-Host "Enter region number")
if ($regionIndex -lt 0 -or $regionIndex -ge $regions.Count) { throw "Region number out of range." }
$selectedRegion = $regions[$regionIndex]

# Filter and show matching CIDRs (wrapped in @() so .Count is reliable for 0 or 1 results)
$cidrObjects = @($json.prefixes | Where-Object {
    $_.service -eq $selectedService -and $_.region -eq $selectedRegion
} | Select-Object ip_prefix, region, service)

Write-Host "`n=== Matching IP Ranges ==="
if ($cidrObjects.Count -eq 0) {
    Write-Host "No matches found."
} else {
    foreach ($cidr in $cidrObjects) {
        Write-Host $cidr.ip_prefix
    }

    # Ask to save CSV
    $saveCsv = Read-Host "`nSave to CSV? (y/n)"
    if ($saveCsv -eq "y") {
        $fileName = "${selectedService}_${selectedRegion}_ip-ranges.csv"
        $cidrObjects | Select-Object service, region, ip_prefix | Export-Csv -Path $fileName -NoTypeInformation -Encoding UTF8
        Write-Host "Saved to '$fileName'"
    }
}
Example Output
.\aws-ip-range.ps1
=== Select a Service ===
0: AMAZON
1: AMAZON_APPFLOW
2: AMAZON_CONNECT
3: API_GATEWAY
4: AURORA_DSQL
5: CHIME_MEETINGS
6: CHIME_VOICECONNECTOR
7: CLOUD9
8: CLOUDFRONT
9: CLOUDFRONT_ORIGIN_FACING
10: CODEBUILD
11: DYNAMODB
12: EBS
13: EC2
14: EC2_INSTANCE_CONNECT
15: GLOBALACCELERATOR
16: IVS_LOW_LATENCY
17: IVS_REALTIME
18: KINESIS_VIDEO_STREAMS
19: MEDIA_PACKAGE_V2
20: ROUTE53
21: ROUTE53_HEALTHCHECKS
22: ROUTE53_HEALTHCHECKS_PUBLISHING
23: ROUTE53_RESOLVER
24: S3
25: WORKSPACES_GATEWAYS
Enter service number: 13
=== Select a Region ===
0: af-south-1
1: ap-east-1
2: ap-east-2
3: ap-northeast-1
4: ap-northeast-2
5: ap-northeast-3
6: ap-south-1
7: ap-south-2
8: ap-southeast-1
9: ap-southeast-2
10: ap-southeast-3
11: ap-southeast-4
12: ap-southeast-5
13: ap-southeast-6
14: ap-southeast-7
15: ca-central-1
16: ca-west-1
17: cn-north-1
18: cn-northwest-1
19: eu-central-1
20: eu-central-2
21: eu-north-1
22: eusc-de-east-1
23: eu-south-1
24: eu-south-2
25: eu-west-1
26: eu-west-2
27: eu-west-3
28: GLOBAL
29: il-central-1
30: me-central-1
31: me-south-1
32: me-west-1
33: mx-central-1
34: sa-east-1
35: sa-west-1
36: us-east-1
37: us-east-2
38: us-gov-east-1
39: us-gov-west-1
40: us-west-1
41: us-west-2
Enter region number: 3
=== Matching IP Ranges ===
Save to CSV? (y/n): y
Saved to 'EC2_ap-northeast-1_ip-ranges.csv'
Identify Service & Region by IP Address
This second script checks whether a given IP address belongs to any AWS service and region by searching through ip-ranges.json.
Features
- Parses official ip-ranges.json
- Matches IP against all published CIDRs
- Lists all matches (some IPs belong to multiple services)
Script
function Test-IPInCIDR {
    param (
        [Parameter(Mandatory=$true)][string]$ip,
        [Parameter(Mandatory=$true)][string]$cidr
    )
    $ipAddr = [System.Net.IPAddress]::Parse($ip)
    $cidrParts = $cidr.Split('/')
    $networkAddr = [System.Net.IPAddress]::Parse($cidrParts[0])
    $prefixLength = [int]$cidrParts[1]

    # An IPv6 address must never be compared against an IPv4 range (or vice versa);
    # without this check only the leading bytes would be compared.
    if ($ipAddr.AddressFamily -ne $networkAddr.AddressFamily) {
        return $false
    }

    $ipBytes = $ipAddr.GetAddressBytes()
    $netBytes = $networkAddr.GetAddressBytes()

    # Build the netmask one byte at a time from the prefix length
    $maskBytes = @()
    for ($i = 0; $i -lt $ipBytes.Length; $i++) {
        $bitsLeft = $prefixLength - ($i * 8)
        if ($bitsLeft -ge 8) {
            $maskBytes += 255
        } elseif ($bitsLeft -gt 0) {
            $maskBytes += [byte](256 - [math]::Pow(2, 8 - $bitsLeft))
        } else {
            $maskBytes += 0
        }
    }

    # The address is in the range if the masked bytes all match
    for ($i = 0; $i -lt $ipBytes.Length; $i++) {
        if (($ipBytes[$i] -band $maskBytes[$i]) -ne ($netBytes[$i] -band $maskBytes[$i])) {
            return $false
        }
    }
    return $true
}

# Load the JSON
Invoke-WebRequest -Uri https://ip-ranges.amazonaws.com/ip-ranges.json -OutFile ip-ranges.json
$json = Get-Content -Raw -Path ip-ranges.json | ConvertFrom-Json

# Get input IP and reject anything that does not parse as an address
$targetIp = (Read-Host "Enter the IP address to check").Trim()
$parsedIp = $null
if (-not [System.Net.IPAddress]::TryParse($targetIp, [ref]$parsedIp)) {
    throw "'$targetIp' is not a valid IP address."
}

# Search for matches ($matches is a PowerShell automatic variable, so use another name)
$results = @()
foreach ($prefix in $json.prefixes) {
    if (Test-IPInCIDR -ip $targetIp -cidr $prefix.ip_prefix) {
        $results += [PSCustomObject]@{
            Service = $prefix.service
            Region  = $prefix.region
            CIDR    = $prefix.ip_prefix
        }
    }
}

# Show results
if ($results.Count -eq 0) {
    Write-Host "No AWS match found for the IP."
} else {
    Write-Host "`nMatches Found:"
    $results | Format-Table -AutoSize
}
Example Output
.\aws-ip-lookup.ps1
Enter the IP address to check: 13.114.62.32
Matches Found:
Service Region         CIDR
------- ------         ----
AMAZON  ap-northeast-1 13.112.0.0/14
EC2     ap-northeast-1 13.112.0.0/14
AMAZON refers to general AWS infrastructure that may not be tied to a specific service like EC2, S3, etc.
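The lookup above searches only the IPv4 `prefixes` array and re-parses every CIDR for each address. The following is an added example, not the author's script: it builds a lookup table once from both `prefixes` and `ipv6_prefixes`, then triages several addresses in one pass. The function names and the embedded sample data are assumptions made for illustration.

```powershell
# Constructed sample in the layout of ip-ranges.json. The IPv6 entry uses the
# documentation prefix 2001:db8::/32 and is not a real AWS range.
$sample = @'
{ "syncToken": "0", "createDate": "1970-01-01-00-00-00",
  "prefixes": [
    { "ip_prefix": "13.112.0.0/14", "region": "ap-northeast-1", "service": "AMAZON" },
    { "ip_prefix": "13.112.0.0/14", "region": "ap-northeast-1", "service": "EC2" } ],
  "ipv6_prefixes": [
    { "ipv6_prefix": "2001:db8::/32", "region": "ap-northeast-1", "service": "EC2" } ] }
'@ | ConvertFrom-Json

function ConvertTo-AddressInt([System.Net.IPAddress]$Address) {
    $bytes = $Address.GetAddressBytes()   # network (big-endian) byte order
    [array]::Reverse($bytes)              # BigInteger reads little-endian
    [bigint]::new([byte[]]($bytes + 0))   # extra zero byte keeps the value non-negative
}

# Parse every CIDR once: store the address family plus network / 2^(host bits).
function New-PrefixTable($Json) {
    $rows  = @($Json.prefixes | Select-Object @{n='Cidr';e={$_.ip_prefix}}, service, region)
    $rows += @($Json.ipv6_prefixes | Select-Object @{n='Cidr';e={$_.ipv6_prefix}}, service, region)
    foreach ($r in $rows) {
        $net, $len = $r.Cidr.Split('/')
        $addr = [System.Net.IPAddress]::Parse($net)
        $div  = [bigint]::Pow(2, $addr.GetAddressBytes().Length * 8 - [int]$len)
        [PSCustomObject]@{
            Family  = $addr.AddressFamily; Divisor = $div; PrefixLen = [int]$len
            Network = [bigint]::Divide((ConvertTo-AddressInt $addr), $div)
            Cidr    = $r.Cidr; Service = $r.service; Region = $r.region
        }
    }
}

function Find-AwsPrefix([string]$Ip, $Table) {
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) { return }
    $value = ConvertTo-AddressInt $addr
    # Require the same address family, then compare the network bits only.
    $Table | Where-Object {
        $_.Family -eq $addr.AddressFamily -and
        [bigint]::Divide($value, $_.Divisor) -eq $_.Network
    } | Sort-Object PrefixLen -Descending   # most specific range first
}

$table = New-PrefixTable $sample
foreach ($ip in '13.114.62.32', '2001:db8:1234::1', 'd72::1', '192.0.2.10') {
    $hits = @(Find-AwsPrefix $ip $table)
    $tag  = if ($hits) { ($hits | ForEach-Object { "$($_.Service) $($_.Cidr)" }) -join ', ' } else { 'no AWS match' }
    '{0,-17} {1}' -f $ip, $tag
}
```

`d72::1` is reported as no match because of the address-family guard: its leading bytes are 13 and 114, so a byte-wise comparison without that guard would pair it with 13.112.0.0/14.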
Summary
These small PowerShell utilities can help streamline:
- Verifying whether an IP belongs to AWS
- Identifying its associated service and region
- Exporting IP range data for allowlisting or documentation