ip-ranges RouteTable / SecurityGroup updater

Lambda function that updates the list of CIDRs in a given AWS Route Table or Security Group with prefixes obtained from the official AWS address register, ip-ranges.json.

The Lambda is invoked periodically, once per day. That is enough because ip-ranges.json doesn't change very often.


Configuration parameters are read from (use to start with).

To select certain prefixes from ip-ranges.json use the following JSON syntax:

```json
[
	{
		"region": "ap-southeast-2",
		"services": [ "+AMAZON", "+EC2", "-S3" ]
	},
	{
		"region": "us-east-1",
		"services": [ "=AMAZON" ]
	}
]
```

The above filter selects, from ap-southeast-2, the prefixes that carry either the AMAZON or the EC2 service tag but not the S3 tag, and from us-east-1 only the prefixes whose sole service tag is AMAZON (e.g. a prefix tagged both AMAZON and EC2 is not selected).
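The following is an added example, not the project's own code, showing how the `+`/`-`/`=` operators above can be evaluated against the ip-ranges.json structure. It assumes that a prefix's tag set is the union of every `service` value attached to that prefix in the file (the real file lists one entry per service tag), that a bare service name such as `"S3"` in the CLI test below behaves like `+S3`, and that several `=` entries together mean "exactly this set". The sample data is constructed from RFC 5737/3849 documentation addresses and is not real AWS data.

```python
import json

# Constructed sample in the shape of ip-ranges.json (documentation addresses, not real AWS data).
# As in the real file, one prefix appears once per service tag it carries.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "ap-southeast-2", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "ap-southeast-2", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "ap-southeast-2", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "ap-southeast-2", "service": "S3"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.128/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.128/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/25", "region": "eu-west-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "AMAZON"},
    ],
})

# The two prefix lists in ip-ranges.json and the key that holds the CIDR in each entry.
PREFIX_LISTS = (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix"))


def tags_by_prefix(ip_ranges: dict) -> dict:
    """Map (region, cidr) -> the set of every service tag attached to that cidr."""
    tags = {}
    for list_key, cidr_key in PREFIX_LISTS:
        for entry in ip_ranges.get(list_key, []):
            tags.setdefault((entry["region"], entry[cidr_key]), set()).add(entry["service"])
    return tags


def services_match(tags: set, rule: list) -> bool:
    """Apply the README's operators to one prefix's tag set.

    +SVC  the prefix must carry at least one of the '+' services
    -SVC  the prefix must carry none of the '-' services
    =SVC  the prefix's tag set must be exactly the '=' services
    A bare name is treated like '+' (assumption, matching the CLI test in the README).
    """
    wanted = {s[1:] for s in rule if s.startswith("+")} | {s for s in rule if s and s[0] not in "+-="}
    banned = {s[1:] for s in rule if s.startswith("-")}
    exact = {s[1:] for s in rule if s.startswith("=")}
    if exact:
        return tags == exact
    if wanted and not (tags & wanted):
        return False
    return not (tags & banned)


def select_prefixes(ip_ranges_json: str, filters: list) -> list:
    """Return the sorted, de-duplicated CIDRs selected by a list of {region, services} rules."""
    tags = tags_by_prefix(json.loads(ip_ranges_json))
    selected = set()
    for rule in filters:
        for (region, cidr), svc in tags.items():
            if region == rule["region"] and services_match(svc, rule["services"]):
                selected.add(cidr)
    return sorted(selected)


if __name__ == "__main__":
    readme_filter = [
        {"region": "ap-southeast-2", "services": ["+AMAZON", "+EC2", "-S3"]},
        {"region": "us-east-1", "services": ["=AMAZON"]},
    ]
    for cidr in select_prefixes(SAMPLE_IP_RANGES, readme_filter):
        print("SELECTED:", cidr)
```

Grouping tags per prefix before filtering is what makes `-S3` and `=AMAZON` meaningful: evaluated entry by entry, a prefix tagged both AMAZON and S3 would slip through on its AMAZON entry.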

To update a Route Table pass in these two variables:

  • ROUTE_TABLES = rtb-12345678, rtb-abcdefgh
  • RT_TARGET = igw-..., nat-..., vgw-...

To update a Security Group pass in these variables:

  • SECURITY_GROUPS = sg-1234abcd, sg-abcd1234
  • SG_INGRESS_PORTS = tcp/80, tcp/443
  • SG_EGRESS_PORTS = tcp/443, udp/1234
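Added example, not the project's own code, showing how the variables above can be parsed and turned into a change plan without touching AWS: the route-table step reduces to a set difference between the CIDRs currently routed and the selected prefixes, and the security-group step expands `proto/port` specs times prefixes into the `IpPermissions` structure the EC2 API takes. Assumptions: `RT_TARGET` holds one target id of the kinds listed above; a `tcp/8000-8080` range form is an extension beyond the README's examples; the rule quota of 60 per security group is the assumed AWS default, to be checked against your account. The environment in `__main__` and all ids and addresses are constructed.

```python
import ipaddress
import os

# Route-table target kinds named in the README (assumption: one id, of one of these kinds).
ROUTE_TARGET_PREFIXES = ("igw-", "nat-", "vgw-")
# Assumed default per-security-group rule quota; verify the value for your account.
DEFAULT_SG_RULE_QUOTA = 60


def parse_csv(value: str) -> list:
    """Split a comma-separated README-style variable, dropping blanks."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def parse_port_spec(spec: str) -> dict:
    """'tcp/443' or 'udp/1000-2000' -> the protocol/port part of an EC2 IpPermissions entry."""
    proto, sep, ports = spec.strip().partition("/")
    if not sep or proto.lower() not in ("tcp", "udp"):
        raise ValueError(f"unsupported port spec: {spec!r}")
    low, _, high = ports.partition("-")
    from_port, to_port = int(low), int(high or low)
    if not (0 <= from_port <= to_port <= 65535):
        raise ValueError(f"port out of range: {spec!r}")
    return {"IpProtocol": proto.lower(), "FromPort": from_port, "ToPort": to_port}


def load_config(environ=os.environ) -> dict:
    """Read the README's variables and reject combinations the updater cannot act on."""
    cfg = {
        "route_tables": parse_csv(environ.get("ROUTE_TABLES")),
        "rt_target": (environ.get("RT_TARGET") or "").strip(),
        "security_groups": parse_csv(environ.get("SECURITY_GROUPS")),
        "sg_ingress": [parse_port_spec(p) for p in parse_csv(environ.get("SG_INGRESS_PORTS"))],
        "sg_egress": [parse_port_spec(p) for p in parse_csv(environ.get("SG_EGRESS_PORTS"))],
    }
    if not cfg["route_tables"] and not cfg["security_groups"]:
        raise ValueError("ROUTE_TABLES and/or SECURITY_GROUPS must be set")
    if cfg["route_tables"] and not cfg["rt_target"].startswith(ROUTE_TARGET_PREFIXES):
        raise ValueError("RT_TARGET must be an igw-/nat-/vgw- id when ROUTE_TABLES is set")
    if cfg["security_groups"] and not (cfg["sg_ingress"] or cfg["sg_egress"]):
        raise ValueError("SG_INGRESS_PORTS and/or SG_EGRESS_PORTS must be set")
    return cfg


def plan_route_changes(current: set, desired: set) -> tuple:
    """Return (cidrs to add, cidrs to remove) so the table ends with exactly `desired`.

    Every desired CIDR is parsed first, so one malformed prefix aborts before any change.
    """
    for cidr in desired:
        ipaddress.ip_network(cidr)  # raises ValueError on garbage
    return sorted(desired - current), sorted(current - desired)


def build_ip_permissions(port_rules: list, prefixes: list, quota: int = DEFAULT_SG_RULE_QUOTA) -> list:
    """Expand port rules x prefixes into the IpPermissions list shape EC2 expects.

    Each (permission, CIDR) pair counts as one security-group rule, so the
    product is checked against the quota before anything would be sent to EC2.
    """
    v4 = [p for p in prefixes if ipaddress.ip_network(p).version == 4]
    v6 = [p for p in prefixes if ipaddress.ip_network(p).version == 6]
    total = len(port_rules) * len(prefixes)
    if total > quota:
        raise ValueError(f"{total} rules exceed the quota of {quota}")
    permissions = []
    for rule in port_rules:
        permissions.append({
            **rule,
            "IpRanges": [{"CidrIp": p} for p in v4],
            "Ipv6Ranges": [{"CidrIpv6": p} for p in v6],
        })
    return permissions


if __name__ == "__main__":
    # Constructed environment mirroring the README's examples (ids are not real).
    env = {"ROUTE_TABLES": "rtb-12345678, rtb-abcdefgh", "RT_TARGET": "igw-0abc1234",
           "SECURITY_GROUPS": "sg-1234abcd", "SG_INGRESS_PORTS": "tcp/80, tcp/443"}
    cfg = load_config(env)
    add, remove = plan_route_changes({"10.0.0.0/8", "192.0.2.0/24"}, {"192.0.2.0/24", "203.0.113.0/24"})
    print("routes to add:", add, "routes to remove:", remove)
    print(build_ip_permissions(cfg["sg_ingress"], ["203.0.113.0/24", "2001:db8::/32"]))
```

Computing the plan as an explicit add/remove pair is also what makes the Lambda safe to run daily: an unchanged ip-ranges.json yields two empty lists and no API calls, and the quota check fails closed before a partial update leaves a group half-populated.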

JSON Filter testing

The Lambda source file can be run from the shell to facilitate JSON filter testing:

```
$ ./ipranges_updater/ --json '[{"region":"ap-southeast-2","services":["S3"]}]'
Environment variables $ROUTE_TABLES and/or $SECURITY_GROUPS should be set. Running in TEST_ONLY=yes mode.
SELECTED: 4 prefixes
    ap-southeast-2    AMAZON S3
    ap-southeast-2    AMAZON S3
    ap-southeast-2    AMAZON S3
    ap-southeast-2    AMAZON S3
```


The script and the CloudFormation template.yaml use AWS SAM (Serverless Application Model) and the `aws cloudformation deploy` command.

To use the provided deploy script first copy to and fill in your settings. Comment out parameters that you don't need!

Then run ./ and wait.

After a while you will see ipranges-updater stack deployed in the region of your choice.


The Lambda function needs permissions to update the Security Groups and/or the Route Tables.


Michael Ludvig @ Enterprise IT Ltd

For more info visit