465,003,293,531,714,894,187,043,555,698

THAT IS A BIG NUMBER

The number is the total current IP address space for Amazon Web Services (AWS), including IPv4 addresses at about 55 million with the rest in IPv6.

https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

Previously, I shared some Python3 code for searching CIDRs for a specific IP address.

https://www.4n6ir.com/posts/2020/06/searching-cidrs/

WHY IS THIS HELPFUL

The information is helpful to figure out what region an address is assigned. It is also beneficial for potentially identifying the AWS service in your logs.

During an investigation, you notice an IP address of interest in your logs: 18.181.182.183 enriched with additional network information.

{
    "asn": 16509,
    "org": "AMAZON-02",
    "attribution": "This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com."
}

Oh, look, it’s Amazon!

If we search for the CIDR, the additional details may help your investigation, especially from other AWS resources, to your AWS account.

{
    "cidrs": [
        {
            "service": "EC2",
            "region": "ap-northeast-1",
            "cidr": "18.180.0.0/15",
            "lastseen": "2020-11-13-00-11-11"
        },
        {
            "service": "AMAZON",
            "region": "ap-northeast-1",
            "cidr": "18.180.0.0/15",
            "lastseen": "2020-11-13-00-11-11"
        }
    ]
}
CDK PATTERN

In the last five months, there have been 230+ changes to the current unique IPv4 (2,601) and IPv6 (497) CIDRs. I built my IP distillery to keep track of these Amazon changes for data enrichment.

https://github.com/4n6ir/distilleryCDK/

diagram

I just wanted to share in case someone else found it useful too!

Happy Coding,

John