AWS is becoming more and more prevalent in DFIR casework. In addition to requests for acquiring data from services such as S3 and EC2, it is common to investigate what we can tell about an AWS IP address associated with interesting behavior. Amazon publishes its current IP address ranges as a JSON file (ip-ranges.json) and has developed tools that allow the currently published dataset to be queried from the command line. In our investigations, however, we need to go back in time and see what an IP address was mapped to six months ago, when the activity actually occurred. To fill that gap, I've built a tool that lets us efficiently query and report on historic AWS IP address information. It is currently hosted at http://awsip.chapinb.com:8080.
Querying for IP Addresses
Through this web application, you can paste in one or more IP addresses and, after submitting, get a sortable and downloadable table of the matching records. Records are de-duplicated on the combination of CIDR block, AWS Region, and AWS Service, which is why a single CIDR block appears twice in the table below: the same block is published under more than one service.
From this page, you can download the table as a CSV for your records. As seen above, the table shows the earliest and most recent dates (in UTC) on which the server observed each CIDR block in the published ranges. Note that these are observation dates, bounded by how often the collector fetches the published file, rather than the dates on which AWS actually made or withdrew the assignment.
Using the API
To make automated querying easier, an API for this service is also available. Documented at http://awsip.chapinb.com:8080/api/v1.0/, the API accepts a POST request containing a list of IP addresses to look up and returns the results as a structured JSON object.
A sample API request for the same three IP addresses looks like this:
And the response looks like this:
Hosting your own database
To make things easier for the community, the backend code is available on GitHub at https://github.com/chapinb/aws-ip-tracker. It parses the AWS IP ranges JSON file into a MongoDB database and also supports querying that database for matching records.
The web application code is not yet public, though it is a work in progress.
In working on this project, I found that CIDR assignments change infrequently. This means that, for the most part, we can expect simple responses like the ones shown above.
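The core of the approach described above (folding successive copies of the published JSON file into records keyed by CIDR block, Region and Service, tracking the earliest and latest dates each record was observed, and then answering "which block was this IP in on a given date") fits in a short script. The following is an added example written for this article; it is not code from the aws-ip-tracker repository. It keeps the records in an in-memory dict rather than MongoDB, and the two snapshots are constructed inline using documentation address ranges, so nothing here reflects real AWS assignments. Only the field names and the createDate format follow the real ip-ranges.json layout.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed snapshots in the ip-ranges.json layout. The prefixes are RFC 5737
# / RFC 3849 documentation ranges, not real AWS assignments. Note that the same
# block is published under two services, which is why it yields two records.
SNAPSHOT_JAN = json.dumps({
    "syncToken": "1547121600",
    "createDate": "2019-01-10-12-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "AMAZON"},
    ],
})
# Six months later: 198.51.100.0/24 is gone and 192.0.2.0/24 has appeared.
SNAPSHOT_JUL = json.dumps({
    "syncToken": "1561939200",
    "createDate": "2019-07-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-west-2", "service": "S3"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "AMAZON"},
    ],
})


def parse_create_date(value):
    """createDate in ip-ranges.json is 'YYYY-MM-DD-hh-mm-ss' in UTC."""
    return datetime.strptime(value, "%Y-%m-%d-%H-%M-%S").replace(tzinfo=timezone.utc)


def ingest(db, snapshot_text):
    """Fold one snapshot into db, keyed by (prefix, region, service).

    Each key keeps the earliest and latest createDate it was observed in, so
    ingesting the same file twice, or files out of order, gives the same result.
    Returns the number of prefix entries processed.
    """
    snap = json.loads(snapshot_text)
    seen = parse_create_date(snap["createDate"])
    entries = [(p["ip_prefix"], p) for p in snap.get("prefixes", [])]
    entries += [(p["ipv6_prefix"], p) for p in snap.get("ipv6_prefixes", [])]
    for prefix, entry in entries:
        key = (prefix, entry["region"], entry["service"])
        rec = db.setdefault(key, {"prefix": prefix, "region": entry["region"],
                                  "service": entry["service"],
                                  "first_seen": seen, "last_seen": seen})
        rec["first_seen"] = min(rec["first_seen"], seen)
        rec["last_seen"] = max(rec["last_seen"], seen)
    return len(entries)


def query(db, ips, as_of=None):
    """Return records whose CIDR block contains any of the given IPs.

    With as_of set, only records observed both before and after that instant
    are returned, i.e. "what was this IP mapped to on that date". A record
    whose last_seen predates as_of means the block had left the published
    ranges by then, at least as far as the collector observed.
    """
    results = []
    for ip_text in ips:
        ip = ipaddress.ip_address(ip_text.strip())
        for rec in db.values():
            net = ipaddress.ip_network(rec["prefix"])
            if ip.version != net.version or ip not in net:
                continue
            if as_of is not None and not (rec["first_seen"] <= as_of <= rec["last_seen"]):
                continue
            results.append({"ip": str(ip), **rec})
    return sorted(results, key=lambda r: (r["ip"], r["prefix"], r["service"]))


if __name__ == "__main__":
    db = {}
    for text in (SNAPSHOT_JUL, SNAPSHOT_JAN):  # order does not matter
        ingest(db, text)
    for rec in query(db, ["203.0.113.7", "198.51.100.9", "2001:db8:1::1"]):
        print(rec["ip"], rec["prefix"], rec["region"], rec["service"],
              rec["first_seen"].date(), rec["last_seen"].date())
    # Nothing spans September 2019 for 198.51.100.9: the block had been withdrawn.
    print(query(db, ["198.51.100.9"], as_of=parse_create_date("2019-09-01-00-00-00")))
```

Because a block is only ever observed on the days the file is fetched, the first_seen and last_seen values are bounds on the true assignment window, not the window itself; the finer the polling interval, the tighter the bounds. The same min/max update is what makes the backend's idempotent re-ingestion safe, and it is also why, given how rarely assignments change, most records simply accumulate a growing last_seen.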
Feel free to reach out to me if this is useful or there are ways this could be more useful to you!