Update AWS RouteTable and/or SecurityGroup with selected AWS IP prefixes


ip-ranges RouteTable / SecurityGroup updater

Lambda function that updates the list of CIDRs in a given AWS Route Table or Security Group with prefixes obtained from the official AWS address register: https://ip-ranges.amazonaws.com/ip-ranges.json

The Lambda is invoked on a schedule once per day. That is enough because ip-ranges.json does not change that often.


Configuration parameters are read from config.sh (use config.sh.template to start with).

To select certain prefixes from ip-ranges.json use the following JSON syntax:

	[
		{
			"region": "ap-southeast-2",
			"services": [ "+AMAZON", "+EC2", "-S3" ]
		},
		{
			"region": "us-east-1",
			"services": [ "=AMAZON" ]
		}
	]

The above filter selects prefixes from ap-southeast-2 that carry the AMAZON or EC2 service tag but not the S3 tag. From us-east-1 it selects only prefixes whose sole service tag is AMAZON and that carry no other tag (e.g. a prefix tagged both AMAZON and EC2 is not selected).
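The +/-/= semantics spelled out above, implemented over a constructed ip-ranges.json sample. This is an added example, not the project's lambda.py; the prefixes are documentation ranges, and two details are my assumptions: a bare tag with no operator (as in the test run further down, ["S3"]) behaves like "+", and when a filter mixes "=" with other operators the "=" test wins.

```python
"""Service-tag filter over ip-ranges.json, following the README's description.

Added example, not the project's lambda.py. "+SVC" selects prefixes carrying
SVC, "-SVC" rejects prefixes carrying SVC, and "=SVC" selects only prefixes
whose complete tag set is exactly the listed "=" services. Assumptions: a
bare tag acts like "+", and "=" takes precedence over "+" / "-" in one filter.
"""
import json
from collections import defaultdict

# Constructed sample in the shape of the real ip-ranges.json (documentation
# prefixes only; the real file lists thousands of entries, one per tag).
SAMPLE_IP_RANGES = {
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "ap-southeast-2", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "ap-southeast-2", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "ap-southeast-2", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "ap-southeast-2", "service": "S3"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.128/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.128/25", "region": "us-east-1", "service": "EC2"},
    ],
}

# The filter from the README, as the JSON array the --json option takes.
README_FILTER = [
    {"region": "ap-southeast-2", "services": ["+AMAZON", "+EC2", "-S3"]},
    {"region": "us-east-1", "services": ["=AMAZON"]},
]


def index_prefixes(ip_ranges):
    """Map (region, ip_prefix) -> set of service tags.

    ip-ranges.json has one entry per (prefix, service) pair, so a prefix
    tagged AMAZON and EC2 appears twice; the filter needs the whole set.
    """
    tags = defaultdict(set)
    for entry in ip_ranges.get("prefixes", []):
        tags[(entry["region"], entry["ip_prefix"])].add(entry["service"])
    return tags


def matches(services, rules):
    """Apply one filter's "services" list to a prefix's tag set."""
    include, exclude, exact = set(), set(), set()
    for rule in rules:
        if rule and rule[0] in "+-=":
            op, name = rule[0], rule[1:]
        else:
            op, name = "+", rule          # assumption: bare tag means "+"
        {"+": include, "-": exclude, "=": exact}[op].add(name)
    if exact:                             # "=": tag set must match exactly
        return services == exact
    if services & exclude:                # "-": any excluded tag rejects
        return False
    return bool(services & include)       # "+": any included tag selects


def select_prefixes(ip_ranges, filters):
    """Return the sorted list of prefixes selected by any filter entry."""
    tags = index_prefixes(ip_ranges)
    selected = set()
    for flt in filters:
        for (region, prefix), services in tags.items():
            if region == flt["region"] and matches(services, flt["services"]):
                selected.add(prefix)
    return sorted(selected)


def select_from_json(ip_ranges, filter_json):
    """Accept the filter as the JSON text the lambda's --json option takes."""
    return select_prefixes(ip_ranges, json.loads(filter_json))


if __name__ == "__main__":
    for prefix in select_prefixes(SAMPLE_IP_RANGES, README_FILTER):
        print(prefix)
```

Run against the sample, the README filter yields 203.0.113.0/24 (AMAZON+EC2, no S3) and 192.0.2.0/24 (exactly AMAZON); 198.51.100.0/24 is dropped by -S3 and 192.0.2.128/25 fails the =AMAZON test because it also carries EC2.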

To update a Route Table pass in these two variables:

  • ROUTE_TABLES = rtb-12345678, rtb-abcdefgh
  • RT_TARGET = igw-..., nat-..., vgw-...

To update a Security Group pass in these variables:

  • SECURITY_GROUPS = sg-1234abcd, sg-abcd1234
  • SG_INGRESS_PORTS = tcp/80, tcp/443
  • SG_EGRESS_PORTS = tcp/443, udp/1234
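How the variables above turn into concrete changes: an added example (not the project's code) that parses SG_INGRESS_PORTS / SG_EGRESS_PORTS in the "tcp/80, tcp/443" syntax and computes which (direction, protocol, port, CIDR) rules must be authorized and which stale ones revoked so the group converges on the selected prefixes; a small companion function does the same set difference for a route table. The "current" group is a constructed snapshot in the shape boto3's describe_security_groups() returns, so nothing here calls AWS. My assumptions: only single-port tcp/udp IPv4 rules on the managed ports are touched, and rules on other ports (an operator's tcp/22 entry, for instance) are left alone.

```python
"""Plan Security Group / Route Table changes for a selected prefix list.

Added example, not the project's code. Assumptions: only single-port tcp/udp
IPv4 rules on the ports named in SG_INGRESS_PORTS / SG_EGRESS_PORTS are
managed; everything else in the group is left untouched.
"""
from typing import NamedTuple


class Rule(NamedTuple):
    direction: str  # "ingress" or "egress"
    proto: str      # "tcp" or "udp"
    port: int
    cidr: str


# Constructed describe_security_groups() entry: one managed prefix already
# present on tcp/443, one stale prefix on tcp/443, and an unrelated tcp/22
# rule that the updater must not touch. Egress is "all traffic", unmanaged.
SAMPLE_GROUP = {
    "GroupId": "sg-1234abcd",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "198.51.100.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "192.0.2.10/32"}]},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

# Constructed output of the ip-ranges filter step.
SELECTED_PREFIXES = ["203.0.113.0/24", "192.0.2.0/24"]


def parse_ports(spec):
    """'tcp/80, tcp/443' -> [('tcp', 80), ('tcp', 443)]; rejects anything else."""
    ports = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        proto, _, port = item.partition("/")
        proto = proto.lower()
        if proto not in ("tcp", "udp") or not port.isdigit():
            raise ValueError(f"bad port spec {item!r}, expected proto/port")
        ports.append((proto, int(port)))
    return ports


def current_rules(group):
    """Flatten IpPermissions / IpPermissionsEgress into Rule tuples."""
    rules = set()
    for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
        for perm in group.get(key, []):
            # "-1" (all traffic) and port ranges are outside this example's scope
            if perm.get("IpProtocol") not in ("tcp", "udp") or perm.get("FromPort") != perm.get("ToPort"):
                continue
            for rng in perm.get("IpRanges", []):
                rules.add(Rule(direction, perm["IpProtocol"], perm["FromPort"], rng["CidrIp"]))
    return rules


def plan_sg_changes(group, prefixes, ingress_spec="", egress_spec=""):
    """Return (rules_to_authorize, rules_to_revoke), both sorted.

    Only rules on managed (direction, proto, port) combinations are ever
    revoked, so the updater cannot wipe rules it did not create.
    """
    managed = {(d, proto, port)
               for d, spec in (("ingress", ingress_spec), ("egress", egress_spec))
               for proto, port in parse_ports(spec)}
    wanted = {Rule(d, proto, port, cidr) for d, proto, port in managed for cidr in prefixes}
    have = current_rules(group)
    stale = {r for r in have - wanted if (r.direction, r.proto, r.port) in managed}
    return sorted(wanted - have), sorted(stale)


def plan_route_changes(current_cidrs, prefixes):
    """Route tables carry a single target (RT_TARGET), so only the CIDR set matters.

    current_cidrs must contain only destinations already routed to RT_TARGET;
    passing every route would schedule the VPC's local route for deletion.
    """
    have, want = set(current_cidrs), set(prefixes)
    return sorted(want - have), sorted(have - want)


if __name__ == "__main__":
    add, revoke = plan_sg_changes(SAMPLE_GROUP, SELECTED_PREFIXES, ingress_spec="tcp/80, tcp/443")
    print("authorize:", add)
    print("revoke:   ", revoke)
```

For the sample group this plans three authorizations (both prefixes on tcp/80, plus 192.0.2.0/24 on tcp/443) and one revocation (the stale 198.51.100.0/24 on tcp/443); the tcp/22 rule is untouched because port 22 is not managed. Doing the diff first, rather than revoking everything and re-adding, keeps existing connections for still-valid prefixes alive during the update.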

JSON Filter testing

The lambda source file can be run from the shell to facilitate the JSON filter testing.

$ ./ipranges_updater/lambda.py --json '[{"region":"ap-southeast-2","services":["S3"]}]'
Environment variables $ROUTE_TABLES and/or $SECURITY_GROUPS should be set. Running in TEST_ONLY=yes mode.
SELECTED: 4 prefixes
        ap-southeast-2         AMAZON S3
        ap-southeast-2         AMAZON S3
        ap-southeast-2         AMAZON S3
        ap-southeast-2         AMAZON S3


The deploy.sh script and the CloudFormation template.yaml use AWS SAM (Serverless Application Model) and aws cloudformation deploy command.

To use the provided deploy script first copy config.sh.template to config.sh and fill in your settings. Comment out parameters that you don't need!

Then run ./deploy.sh and wait.

After a while you will see the ipranges-updater stack deployed in the region of your choice.


The lambda function needs permissions to update the Security Groups and/or the Route Tables.
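An added example of what that permission set can look like when scoped tightly (not the project's template.yaml): it builds an IAM policy restricted to exactly the route tables and security groups named in config.sh, using the same comma-separated ROUTE_TABLES / SECURITY_GROUPS values as above. The ec2:Describe* actions do not support resource-level permissions, so they get a separate statement on "*", while the mutating actions are pinned to the resource ARNs. The region and account number are placeholders.

```python
"""Least-privilege IAM policy for the updater's Lambda role.

Added example, not the project's template.yaml. The mutating EC2 actions are
scoped to the route-table and security-group ARNs built from the config
values; ec2:Describe* has no resource-level permissions and stays on "*".
"""
import json

# Placeholder values, not from the project.
EXAMPLE_REGION = "ap-southeast-2"
EXAMPLE_ACCOUNT = "111122223333"


def _split_ids(value):
    """'rtb-12345678, rtb-abcdefgh' -> ['rtb-12345678', 'rtb-abcdefgh']."""
    return [v.strip() for v in value.split(",") if v.strip()]


def build_policy(region, account, route_tables="", security_groups=""):
    """Return the policy document as a dict; statements appear only for
    resource types actually configured, so an SG-only deployment gets no
    route permissions at all."""
    rtbs = _split_ids(route_tables)
    sgs = _split_ids(security_groups)
    statements = [{
        "Sid": "ReadOnly",
        "Effect": "Allow",
        "Action": ["ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups"],
        "Resource": "*",
    }]
    if rtbs:
        statements.append({
            "Sid": "RouteTables",
            "Effect": "Allow",
            "Action": ["ec2:CreateRoute", "ec2:ReplaceRoute", "ec2:DeleteRoute"],
            "Resource": [f"arn:aws:ec2:{region}:{account}:route-table/{r}" for r in rtbs],
        })
    if sgs:
        statements.append({
            "Sid": "SecurityGroups",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress",
            ],
            "Resource": [f"arn:aws:ec2:{region}:{account}:security-group/{s}" for s in sgs],
        })
    return {"Version": "2012-10-17", "Statement": statements}


def policy_json(region, account, route_tables="", security_groups=""):
    """The same document serialised for a CloudFormation / SAM Policies entry."""
    return json.dumps(build_policy(region, account, route_tables, security_groups), indent=2)


if __name__ == "__main__":
    print(policy_json(EXAMPLE_REGION, EXAMPLE_ACCOUNT,
                      route_tables="rtb-12345678, rtb-abcdefgh",
                      security_groups="sg-1234abcd, sg-abcd1234"))
```

Basic CloudWatch Logs access for the function itself is not included; SAM attaches the AWSLambdaBasicExecutionRole managed policy for that by default.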


Michael Ludvig @ Enterprise IT Ltd

For more info visit https://aws.nz/projects/ipranges-updater/