| | | | | | --- | --- | --- | --- | * * * [[_TOC_]] * * * **Purpose** ----------- This page provides details on how we publish our list of [CIDRs](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html), how to parse the list to filter for target services and regions, and how notifications can be implemented to  trigger reviews and updates to these rules. This procedure can be used to support two use cases: 1. On-Prem Systems and Users to AWS Public Service Endpoints 2. AWS VPC Systems to AWS Public Service Endpoints **Procedure** ------------- * AWS IP Address Ranges Amazon Web Services (AWS) publishes its current IP address ranges in JSON format. To view the current ranges, download the [`.json` file](https://ip-ranges.amazonaws.com/ip-ranges.json). f you access this file programmatically, it is your responsibility to ensure that the application downloads the file only after successfully verifying the TLS certificate presented by the server.To maintain history, save successive versions of the `.json` file on your system. To determine whether there have been changes since the last time that you saved the file, check the publication time in the current file and compare it to the publication time in the last file that you saved.  * Egress Filter Script for AWS Services The following Python script filters the us-east-1 and us-west-2 region CIDR ranges for AWS services and Global CIDR Ranges for Route53. It does not include CIDR Ranges used by EC2 instances or GLOBAL CIDR Ranges for CLOUDFRONT. * Example Script Output During the running of the script above on 1/8/2019, 133 CIDR Ranges were identified. * AWS IP Address Ranges Notifications Whenever there is a change to the AWS IP address ranges, we send notifications to subscribers of the `AmazonIpSpaceChanged` topic. The payload contains information in the following format: If you want to be notified whenever there is a change to the AWS IP address ranges, you can subscribe as follows to receive notifications using Amazon SNS. **To subscribe to AWS IP address range notifications** 1. Open the Amazon SNS console at [https://console.aws.amazon.com/sns/v2/home](https://console.aws.amazon.com/sns/v2/home). 2. In the navigation bar, change the region to US East (N. Virginia), if necessary. You must select this region because the SNS notifications that you are subscribing to were created in this region. 3. In the navigation pane, choose Subscriptions. 4. Choose Create subscription. 5. In the Create subscription dialog box, do the following: 1. For Topic ARN, copy the following Amazon Resource Name (ARN): arn:aws:sns:us-east-1:XXXXXXXXXXXX:AmazonIpSpaceChanged 2. For Protocol, choose the protocol to use (for example, `Email`). 3. For Endpoint, type the endpoint to receive the notification (for example, your email address). 4. Choose Create subscription. 6. You'll be contacted on the endpoint that you specified and asked to confirm your subscription. For example, if you specified an email address, you'll receive an email message with the subject line `AWS Notification - Subscription Confirmation`. Follow the directions to confirm your subscription. Notifications are subject to the availability of the endpoint. Therefore, you might want to check the JSON file periodically to ensure that you've got the latest ranges. For more information about Amazon SNS reliability, see [https://aws.amazon.com/sns/faqs/#Reliability](https://aws.amazon.com/sns/faqs/#Reliability). If you no longer want to receive these notifications, use the following procedure to unsubscribe. **To unsubscribe from AWS IP address ranges notifications** 1. Open the Amazon SNS console at [https://console.aws.amazon.com/sns/v2/home](https://console.aws.amazon.com/sns/v2/home). 2. In the navigation pane, choose Subscriptions. 3. Select the check box for the subscription. 4. Choose Actions, Delete subscriptions. 5. When prompted for confirmation, choose Delete. For more information about Amazon SNS, see the [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/). **Attachments:**