Pythonic Forensics
Published in

Pythonic Forensics

Looking Back at AWS IPs

AWS is becoming more and more prevalent in DFIR casework. In addition to requests for acquiring data from services such as S3 and EC2, it is common to investigate what we can tell about an AWS IP address associated with interesting behavior. Amazon publishes a mapping of their IP addresses in json format and has developed tools to allow the querying of the currently published dataset from the command line. In our investigations, we need the ability to go back in time, and see what the IP address was mapped to 6 months ago when the activity occurred. With this, I’ve built a tool to allow us to efficiently query and report on historic AWS IP address information currently hosted at

Querying for IP Addresses

Through this web application, you can easily paste in one or more IP addresses and, after submitting, get a sortable and downloadable table containing a list of responsive records. These records are de-duplicated by CIDR block, AWS Region, and AWS Service — explaining why we see two entries for each of the below CIDR blocks.

Sample query for AWS IP information

From this page, you can download the table as a CSV for your records. As seen above, the table displays the earliest and most recent dates (in UTC) the server observed the assignment of these CIDR blocks.

Using the API

To make things easier for automated querying, an API for this service is also available. Documented at, this API allows a POST request containing a list of IP addresses to query for and returns the result in a structured JSON object.

A sample API request for the same 3 IP addresses looks like this:

API request syntax

And the response looks like this:

Hosting your own database

To make things easier for the community, the backend code is available on GitHub at This code allows for the processing of the AWS JSON IP ranges file into a MongoDB database and also supports querying for records within the database.

The web application code is not currently public, though is a project in progress.


In working on this project, I discovered that the CIDR assignments infrequently change. This means that we can expect to have simple responses as shown above for the most part.

Feel free to reach out to me if this is useful or there are ways this could be more useful to you!




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Chapin Bryce

Chapin Bryce

DFIR professional, skier, aviation nerd. Co-author of Learning Python for Forensics & Python Forensics Cookbook. Message me for free links to any of my articles

More from Medium

Python Environment Setup in AWS

AWS EC2 Instance Start/Stop from Lambda (python)

Comparing AWS Glue Python Shell vs AWS Batch

Automating Amazon Web Services(AWS) with Lambda, Python, and Boto3