We heavily restrict outbound traffic for all of our EC2 instances. This is straightforward most of the time, but can be frustrating when you want to allow access to AWS services.
AWS offers VPC endpoints for some services, such as S3, that allow us to make the AWS service available in our VPC without having to allow outbound HTTPS access to the entire internet.
However, what do you do when you want to use a service that does NOT offer a VPC endpoint? For example, we need to allow HTTPS to SQS and we need to allow SUBMISSION (587/tcp) to SES. AWS would tell you that you have to allow outgoing HTTPS or SUBMISSION traffic to the entire internet.
I created a script a few years ago (based on an AWS script for CloudFront) to solve this problem. The script downloads the list of known AWS IP ranges every time the list is updated, merges the ranges for your specified AWS Region, and then updates Security Groups that contain special tags. While not perfect, this script allows us to restrict outgoing HTTPS or SUBMISSION traffic to known AWS IPs instead of the entire internet. It has been working quite well for the past few years.
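The core of that workflow (fetch the published ranges, keep one region, merge, turn into egress rules) as an added Python example; this is not the author's script, and the tag name, the sample ranges and the `AMAZON` service filter are assumptions:

```python
"""Build restricted egress rules from AWS's published ip-ranges.json.

Added example, not the original script. Assumes the ip-ranges.json
schema (prefixes[].ip_prefix / region / service). The tag that marks
managed groups (e.g. AwsEgress=us-east-1:443) is hypothetical.
"""
import ipaddress
import json

# Constructed sample of ip-ranges.json; the real file has thousands of entries.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1700000000",
    "prefixes": [
        {"ip_prefix": "3.5.140.0/22", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "3.5.144.0/23", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "3.5.146.0/23", "region": "us-east-1", "service": "AMAZON"},  # adjacent
        {"ip_prefix": "52.94.76.0/22", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "52.94.76.0/22", "region": "us-east-1", "service": "AMAZON"},  # duplicate
        {"ip_prefix": "52.95.110.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "18.228.0.0/16", "region": "sa-east-1", "service": "AMAZON"},
    ],
})

def region_prefixes(ip_ranges_json, region, service="AMAZON"):
    """Collapse the IPv4 prefixes for one region/service into the smallest
    equivalent set (adjacent and duplicate CIDRs merge). Merging matters:
    security groups have a per-group rule quota, and the raw list is long."""
    data = json.loads(ip_ranges_json)
    nets = (ipaddress.ip_network(p["ip_prefix"]) for p in data["prefixes"]
            if p["region"] == region and p["service"] == service)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def plan_changes(current_cidrs, desired_cidrs):
    """Diff the CIDRs already on a group against the merged list so updates
    are idempotent: only add what is missing, only revoke what is stale."""
    current, desired = set(current_cidrs), set(desired_cidrs)
    return sorted(desired - current), sorted(current - desired)

def egress_permissions(cidrs, port):
    """IpPermissions for authorize_/revoke_security_group_egress: TCP to one
    port (443 for HTTPS, 587 for SUBMISSION), one IpRange per merged CIDR."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c, "Description": "AWS published range"}
                          for c in cidrs]}]

def apply_changes(sg_id, to_add, to_revoke, port):
    """Push the diff with boto3 (imported lazily; needs AWS credentials)."""
    import boto3
    ec2 = boto3.client("ec2")
    if to_revoke:
        ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=egress_permissions(to_revoke, port))
    if to_add:
        ec2.authorize_security_group_egress(GroupId=sg_id, IpPermissions=egress_permissions(to_add, port))
```

In a real deployment the fetch is triggered by the AmazonIpSpaceChanged SNS topic and the current CIDRs come from describe_security_groups on the tagged groups.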
I published the code with documentation today. I would gladly accept PRs if you try this and want to help improve the documentation. Enjoy!