Teri Radichel

Summary

Teri Radichel advocates for AWS to enhance its IP range list by sorting IP ranges by region, combining contiguous CIDRs, and providing a better database for querying non-overlapping service details to simplify firewall rule creation.

Abstract

The website content discusses the need for AWS to improve its IP list by organizing IP ranges by region and merging contiguous CIDRs used by the same service into single blocks, which would significantly aid in managing network security. Radichel, with experience in managing IP ranges for a major bank, points out that while AWS provides an IP list of its network, the current format is not granular enough and includes redundant entries, making it cumbersome for customers to use effectively. She suggests that AWS could easily automate this process, given that it already provides a script to pull IP ranges. Radichel also shares her own script for extracting Asia Pacific CIDR blocks and expresses hope that AWS will soon implement a more user-friendly system, allowing her to focus on other important tasks.

Opinions

  • AWS's current method of listing IP ranges could be significantly improved for customer use.
  • Sorting IP ranges by region and combining contiguous CIDRs would make the list more useful for network security management.
  • AWS's service categorization is too broad, with everything lumped under EC2, which complicates firewall rule creation.
  • The presence of redundant entries and confusing data in the current IP list indicates a need for a better database.
  • Radichel has personal experience with the

Concatenate Contiguous IP Ranges in Its IP List #awswishlist

See example here and related blog post for why

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: Network Security | AWS Security | Cloud Architecture

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AWS kindly produces an IP list of all the IPs in its network, what service uses them and in which region they are located.

This is better than a lot of companies. But it could be a lot better.

First of all, the services are not granular enough to be that useful. Everything is lumped into EC2. But this is kind of hard because their services may shift around, so I understand. I used to have to manage IP ranges for one of the largest banks in the US in the cloud.

But there is one thing that seems like it would not be too difficult to fix.

I wrote about contiguous CIDRs and the tricks people play in Internet registries to make your firewall rules hard to create.

The script AWS provides is an automated creation I’m sure.

So it would be very easy to be kinder to customers and:

  1. Sort the IP ranges by region
  2. Combine contiguous CIDRs into one block if they are all used by the same service.

For example here’s a bunch of /32 CIDRs in Asia.

Really? Is there a range here, even if some are unallocated, that can be lumped together into one CIDR block?

Like maybe 104.255.59.0/24?

I’m also seeing redundant entries like this.

This is a bit confusing as well:

So here’s the problem. What we really need is a concatenated list of all the contiguous CIDRs by region in one list, and a separate list of all the service details — with no overlaps. Or possibly a better database to query all that and spit out the necessary JSON to automate rules in firewalls, etc.
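As an added example (not part of the original post), here are the two steps above and the "by region, with no overlaps" list from this paragraph done with Python's standard ipaddress module. The prefix rows are constructed sample data in the shape of the "prefixes" array in ip-ranges.json (not a real download); load_prefixes() is an assumed helper for running the same grouping over the actual file.

```python
import ipaddress
import json
from collections import defaultdict


def constructed_prefixes():
    """Constructed stand-in for the "prefixes" array of AWS ip-ranges.json
    (sample data for this example, not a real download)."""
    rows = [{"ip_prefix": f"104.255.59.{i}/32", "region": "ap-southeast-1",
             "service": "AMAZON"} for i in range(256)]  # 256 separate /32 rows
    rows += [
        {"ip_prefix": "104.255.59.7/32", "region": "ap-southeast-1", "service": "AMAZON"},  # redundant duplicate
        {"ip_prefix": "192.0.2.0/24", "region": "ap-northeast-2", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.16/28", "region": "ap-northeast-2", "service": "AMAZON"},  # already inside the /24
        {"ip_prefix": "198.51.100.64/26", "region": "ap-northeast-2", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.128/26", "region": "ap-northeast-2", "service": "AMAZON"},  # adjacent, not aligned
        {"ip_prefix": "203.0.113.0/25", "region": "ap-northeast-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.128/25", "region": "ap-northeast-1", "service": "S3"},
        {"ip_prefix": "198.51.100.0/26", "region": "us-east-1", "service": "EC2"},  # filtered out below
    ]
    return rows


def load_prefixes(path):
    """Assumed helper: read the IPv4 "prefixes" array from a downloaded ip-ranges.json."""
    with open(path) as f:
        return json.load(f)["prefixes"]


def collapse_by_region(prefixes, region_prefix, by_service=True):
    """Keep rows whose region starts with region_prefix (e.g. "ap"), group them
    by region (and by service unless by_service=False), then merge duplicates,
    overlaps and aligned contiguous CIDRs into the fewest possible networks."""
    groups = defaultdict(list)
    for row in prefixes:
        if not row["region"].startswith(region_prefix):
            continue
        key = (row["region"], row["service"]) if by_service else (row["region"],)
        groups[key].append(ipaddress.ip_network(row["ip_prefix"]))
    # collapse_addresses removes duplicates, drops prefixes covered by a larger
    # one, and joins neighbours only when their union is itself a valid CIDR
    # block (so 198.51.100.64/26 + .128/26 stay separate: no /25 covers both).
    return {key: [str(n) for n in ipaddress.collapse_addresses(nets)]
            for key, nets in sorted(groups.items())}


if __name__ == "__main__":
    for key, cidrs in collapse_by_region(constructed_prefixes(), "ap").items():
        print(" / ".join(key), "->", ", ".join(cidrs))
```

With by_service=False the EC2 and S3 halves of 203.0.113.0/24 merge into one block, which is the per-region list; with the default they stay apart, which is the per-service list. Gaps are never filled in: if some of the /32s were missing you would get several aligned blocks rather than one /24, and closing those gaps is a policy decision, not something the data supports.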

By the way, here's my ugly script to pull the Asia Pacific CIDR blocks out of the IP range. Replace ap with whatever region you want to pull into a single list.

```bash
# Pull every IPv4 prefix whose region matches "ap" out of ip-ranges.json
# into a sorted, de-duplicated list of CIDRs, one per line.
cat ip-ranges.json |
  grep region -B1 |      # each region line plus the prefix line just before it
  grep ap -B1 |          # keep region lines containing "ap" and their prefix line
  grep -v ipv6 |         # drop IPv6 prefixes
  grep -v region |       # drop the region lines, leaving only prefix lines
  grep -v '\-' |         # drop the "--" group separators grep -B inserts
  cut -d ":" -f2 |       # keep the value after "ip_prefix":
  sed 's|"||g' |         # strip quotes
  sed 's| ||g' |         # strip spaces
  sed 's|,||g' |         # strip trailing commas
  sort | uniq > ap-ips.txt
```

I’ve written software to concatenate IPs before but hoping AWS will do this soon for the IP range so I don’t have to. I have too many other things to do.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab