January 7, 2022

How to get all public IP addresses in your AWS account

Knowing every public IP address exposed across the different services in an AWS account is a good starting point for understanding what an organisation's external attack surface looks like. This article describes how to collect this information using both the web console and the CLI.

Table of Contents

Background

AWS IP Ranges

Identifying AWS Public IP addresses for different services

  AWS EC2

     Ephemeral IP - Using the console

     Ephemeral IP - Using the command line

     Elastic IP - Using the console

     Elastic IP - Using the command line

  AWS EC2 Load Balancers

     Load Balancer IPs via Console

     Load Balancer IPs via AWS Command Line

  AWS RDS

     RDS Instance IPs via Console

     RDS IPs via AWS Command Line

  AWS API Gateway

     HTTP API Gateway IPs via Console

     WebSocket API Gateway IPs via Console

     REST API Gateway IPs via Console

     REST API Gateway IPs via AWS Command Line

  AWS Elastic Beanstalk

     AWS Elastic Beanstalk public IPs via Console

     AWS Elastic Beanstalk public IPs via AWS Command Line

Conclusion


Background

AWS has a multitude of services, created to solve specific problems and in working with each other, run entire organisations and their businesses. From an attacker point of view, gaining access to any service within AWS can mean additional information leakage and potential access to customer data and intellectual property in the form of code and business intelligence.

From a technical standpoint, there are two broad approaches to compromising AWS resources.

  1. Enumerating the externally visible footprint and exploiting a weakness in it
  2. Obtaining the credentials of an AWS IAM user or role and using that access to gain a foothold in the account.

Both of these approaches have various facets and can be used in conjunction with each other depending on what kind of information is available when beginning the attack.

In this article, we will look at various ways by which you can enumerate the public IP addresses within AWS, as that is a common facet that attackers use when launching attacks from the Internet. Attackers use public-facing IP addresses to run port scans to identify what services could potentially be listening on these IPs and then attack each of these services based on identified weaknesses.

Since AWS offers a very large number of services, not all of them are covered here. The ones listed below are the most commonly used services that expose an external endpoint.

AWS IP Ranges

AWS publishes its public IP address ranges in JSON format at https://ip-ranges.amazonaws.com/ip-ranges.json; the format is documented at https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html. Each entry in the “prefixes” array (and in “ipv6_prefixes” for IPv6) carries an ip_prefix, the region, a network_border_group and the service it belongs to, for example EC2, S3, CLOUDFRONT or API_GATEWAY. The catch-all AMAZON service tag overlaps with the more specific ones, so a single address usually matches more than one entry.

Whenever AWS changes a range, a new version of the file is published; the syncToken and createDate fields identify a version, and AWS also announces changes on the AmazonIpSpaceChanged SNS topic. AWS does not keep old versions for you: if you need a history, it is your responsibility to save successive copies of the file locally.

Publishing the ranges lets customers set up network-level access control in firewalls or authentication servers for traffic that originates from AWS. One caveat: the ranges are shared by every AWS customer, so allowing an entire range only proves that a connection comes from AWS, not that it comes from your account. Use it to narrow exposure, not as the only control.

Every public IP address that AWS assigns, across all services, comes from these ranges, so any Elastic IP you allocate was taken from one of the pools listed in this file. The exception is address space you bring to AWS yourself (BYOIP), which is not listed.
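As an added example (this is not code from the original article or from Kloudle), the following Python script shows how to use the file once downloaded: it flattens both prefix arrays, answers “is this address AWS-owned, and for which service and region”, prefers the specific service tag over the overlapping AMAZON tag, and diffs two saved snapshots to see what changed between versions. The two embedded documents are constructed samples in the file's shape, with made-up tokens and documentation-range prefixes; fetch_live() downloads the real file.

```python
import ipaddress
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the shape of ip-ranges.json. Tokens, dates and prefixes are
# made up (documentation ranges); the real file has thousands of entries.
SAMPLE_OLD = json.loads("""
{
  "syncToken": "1641513600",
  "createDate": "2022-01-07-00-00-00",
  "prefixes": [
    {"ip_prefix": "203.0.113.0/24",  "region": "us-east-2", "service": "AMAZON",      "network_border_group": "us-east-2"},
    {"ip_prefix": "203.0.113.0/24",  "region": "us-east-2", "service": "EC2",         "network_border_group": "us-east-2"},
    {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "AMAZON",      "network_border_group": "us-east-1"},
    {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "API_GATEWAY", "network_border_group": "us-east-1"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2"}
  ]
}
""")

# A second constructed snapshot: one prefix added, one (with both of its tags) withdrawn.
SAMPLE_NEW = json.loads(json.dumps(SAMPLE_OLD))
SAMPLE_NEW["syncToken"] = "1641600000"
SAMPLE_NEW["prefixes"] = [p for p in SAMPLE_NEW["prefixes"] if p["ip_prefix"] != "198.51.100.0/25"]
SAMPLE_NEW["prefixes"].append(
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2"})


def load_ranges(doc):
    """Flatten the v4 and v6 arrays into (network, region, service) tuples."""
    entries = []
    for p in doc.get("prefixes", []):
        entries.append((ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"]))
    for p in doc.get("ipv6_prefixes", []):
        entries.append((ipaddress.ip_network(p["ipv6_prefix"]), p["region"], p["service"]))
    return entries


def lookup(ip, entries):
    """Every (prefix, region, service) containing ip; an empty list means not an AWS address."""
    addr = ipaddress.ip_address(ip)
    return sorted(
        (str(net), region, service)
        for net, region, service in entries
        if addr.version == net.version and addr in net
    )


def most_specific_service(ip, entries):
    """The AMAZON tag overlaps the specific service tags, so prefer a non-AMAZON hit."""
    hits = lookup(ip, entries)
    specific = [h for h in hits if h[2] != "AMAZON"]
    if specific:
        return specific[0]
    return hits[0] if hits else None


def diff_ranges(old_doc, new_doc):
    """(added, removed) between two saved snapshots, keyed on (prefix, region, service)."""
    old = {(str(n), r, s) for n, r, s in load_ranges(old_doc)}
    new = {(str(n), r, s) for n, r, s in load_ranges(new_doc)}
    return sorted(new - old), sorted(old - new)


def fetch_live():
    """Download the current file; save the result if you want a history to diff against."""
    with urllib.request.urlopen(IP_RANGES_URL, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    entries = load_ranges(SAMPLE_OLD)
    print(lookup("203.0.113.7", entries))
    print(most_specific_service("198.51.100.9", entries))
    print(diff_ranges(SAMPLE_OLD, SAMPLE_NEW))
```

The diff is keyed on the full (prefix, region, service) triple rather than on the prefix alone, because AWS can re-tag an existing prefix with a new service without changing the address range, and that is exactly the kind of change a firewall rule keyed on service tags needs to pick up.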

Identifying AWS Public IP addresses for different services

This section will take you through various services that expose a public DNS record or IP address including the commonly used Elastic IPs for AWS Compute.

AWS EC2

AWS EC2 allows users to set up public access in several ways. The most common configurations are an auto-assigned (ephemeral) public IPv4 address, which is released when the instance is stopped and replaced by a new one when it is started again (a plain reboot keeps it), and an Elastic IP, which stays allocated to your account until you release it and can be moved between instances. Another common way to expose a service running on EC2 to the world is a load balancer, covered in the next section.

Let’s look at enumerating public IPs via the EC2 service.

Ephemeral IP - Using the console

  1. Log in to the AWS console and navigate to the EC2 service
  2. Select the instance and look at the “Public IPv4 address” field under “Instance summary” in the bottom pane
  3. Repeat this for every instance in every region if you want complete coverage of the account


Ephemeral IP - Using the command line

Note: The command line output below does not distinguish between Elastic IPs and auto-assigned (ephemeral) IPs; PublicIpAddress holds whichever the instance currently has. To tell them apart, look at NetworkInterfaces[].Association.IpOwnerId in the same describe-instances output: it is “amazon” for an auto-assigned address and your account ID for an Elastic IP.

  1. Configure your AWS command line profile
  2. Run the following command to fetch the public IP of the instance with ID “i-0d0d377b6167567a4” in the “us-east-2” region. Change the value of “--region” to fetch IPs from other regions. Quote the query so the shell does not try to expand the square brackets.
aws ec2 describe-instances --instance-ids i-0d0d377b6167567a4 --query 'Reservations[].Instances[].PublicIpAddress' --region us-east-2


You can also drop “--instance-ids” to fetch the public IPs of every instance in the region with one command. The output is still restricted to a single region; to cover the whole account, loop over the regions returned by “aws ec2 describe-regions”.


Elastic IP - Using the console

  1. Log in to the AWS console and navigate to “Elastic IPs” under “Network & Security” in the EC2 service.
  2. Click on an IP address listed on the page to see more information about the Elastic IP, including whether it is associated with an EC2 instance or a network interface


Elastic IP - Using the command line

Note: This command lists only Elastic IPs allocated in the region and not any auto-assigned (ephemeral) IPs. It does include Elastic IPs that are not currently associated with anything, which describe-instances never shows, so it is a useful cross-check.

  1. Configure your AWS command line profile
  2. Run the following command to fetch the Elastic IPs in the “us-east-2” region, together with the instance or network interface each one is associated with. Change the value of “--region” to fetch IPs from other regions.
aws ec2 describe-addresses --query 'Addresses[*].[PublicIp,InstanceId,NetworkInterfaceId]' --region us-east-2
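The following Python script is an added example, not part of the original article, that ties the ephemeral and Elastic IP commands above together: it reads describe-instances output and labels each public address as elastic or ephemeral from Association.IpOwnerId, then checks describe-addresses for Elastic IPs that no instance is using, and can walk every enabled region with the CLI. The embedded JSON is a constructed sample (made-up instance, ENI and allocation IDs, a made-up account ID and documentation-range addresses); inventory_all_regions() shells out to a configured aws CLI and is the only part that needs an account.

```python
import json
import subprocess

# Constructed sample in the shape of `aws ec2 describe-instances` output
# (instance IDs, ENI IDs, the account ID and all addresses are made up).
SAMPLE_DESCRIBE_INSTANCES = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0a1b2c3d4e5f60001", "State": {"Name": "running"},
     "PublicIpAddress": "203.0.113.10",
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0001",
       "Association": {"PublicIp": "203.0.113.10", "IpOwnerId": "amazon"}}]},
    {"InstanceId": "i-0a1b2c3d4e5f60002", "State": {"Name": "running"},
     "PublicIpAddress": "203.0.113.20",
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0002",
       "Association": {"PublicIp": "203.0.113.20", "IpOwnerId": "123456789012"}}]},
    {"InstanceId": "i-0a1b2c3d4e5f60003", "State": {"Name": "stopped"},
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0003"}]}
  ]}
]}
""")

# Constructed sample in the shape of `aws ec2 describe-addresses` output.
SAMPLE_DESCRIBE_ADDRESSES = json.loads("""
{"Addresses": [
  {"PublicIp": "203.0.113.20", "AllocationId": "eipalloc-0001",
   "InstanceId": "i-0a1b2c3d4e5f60002", "NetworkInterfaceId": "eni-0002"},
  {"PublicIp": "203.0.113.30", "AllocationId": "eipalloc-0002"}
]}
""")


def public_ips_from_instances(doc):
    """Return {ip: (instance_id, kind)} with kind 'elastic' or 'ephemeral'.

    A stopped instance has no Association on its ENI, so it drops out naturally.
    IpOwnerId is 'amazon' for an auto-assigned address (lost on stop/start) and
    the owning account ID for an Elastic IP.
    """
    found = {}
    for res in doc.get("Reservations", []):
        for inst in res.get("Instances", []):
            for eni in inst.get("NetworkInterfaces", []):
                assoc = eni.get("Association")
                if not assoc or "PublicIp" not in assoc:
                    continue
                kind = "ephemeral" if assoc.get("IpOwnerId") == "amazon" else "elastic"
                found[assoc["PublicIp"]] = (inst["InstanceId"], kind)
    return found


def unattached_elastic_ips(addresses_doc, instance_ips):
    """Elastic IPs allocated in the region that no instance in instance_ips is using.

    They are still routable addresses owned by the account (on a NAT gateway, a bare
    ENI, or idle), so they belong in the inventory although describe-instances never
    shows them.
    """
    return sorted(
        a["PublicIp"] for a in addresses_doc.get("Addresses", [])
        if a["PublicIp"] not in instance_ips
    )


def aws_json(*args):
    """Run one AWS CLI command and parse its JSON output (needs configured credentials)."""
    out = subprocess.run(["aws", *args, "--output", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)


def inventory_all_regions():
    """Walk every enabled region and merge both views; only runs against a live account."""
    regions = [r["RegionName"] for r in aws_json("ec2", "describe-regions")["Regions"]]
    inventory = {}
    for region in regions:
        ips = public_ips_from_instances(aws_json("ec2", "describe-instances", "--region", region))
        for ip, (instance_id, kind) in ips.items():
            inventory[ip] = (region, instance_id, kind)
        addresses = aws_json("ec2", "describe-addresses", "--region", region)
        for ip in unattached_elastic_ips(addresses, ips):
            inventory[ip] = (region, None, "elastic-unattached")
    return inventory


if __name__ == "__main__":
    ips = public_ips_from_instances(SAMPLE_DESCRIBE_INSTANCES)
    print(ips)
    print(unattached_elastic_ips(SAMPLE_DESCRIBE_ADDRESSES, ips))
```

The ephemeral/elastic label matters for the inventory's shelf life: an ephemeral address in today's list may belong to a different AWS customer tomorrow, so anything keyed on it (firewall allow-lists, scan scopes) should be refreshed from the instance ID rather than the IP.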


AWS EC2 Load Balancers

Elastic Load Balancing automatically distributes incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones.

We can enumerate Load Balancer IP addresses using the following steps via the console and the command line.

Load Balancer IPs via Console

  1. Log in to the AWS console and navigate to “Load Balancers” under “Load Balancing” in the EC2 service in the left pane.
  2. Select the Load Balancer whose public IP you want to enumerate
  3. Under the “Description” pane copy the DNS name of the Load Balancer. This is the public DNS name to which external communication can be made. Check the “Scheme” field in the same pane: only an “internet-facing” load balancer resolves to public addresses; an “internal” one resolves to private VPC addresses.
  4. To find its IP address, resolve the DNS name with nslookup or dig. The addresses behind an Application or Classic Load Balancer change over time, so record the hostname and resolve it again whenever you refresh the inventory; only a Network Load Balancer can be given fixed Elastic IPs.


Load Balancer IPs via AWS Command Line

  1. Configure your AWS command line profile
  2. Run the following command to fetch the DNS names and schemes of the Application, Network and Gateway Load Balancers in the “us-east-2” region. Change the value of “--region” to fetch them from other regions. Classic Load Balancers are not returned by “elbv2”; list those with the older “aws elb describe-load-balancers” command.
aws elbv2 describe-load-balancers --query 'LoadBalancers[*].[DNSName,Scheme]' --region us-east-2
  3. You can then use nslookup or dig to fetch the IP address from the DNS name, skipping entries whose scheme is “internal”.


AWS RDS

Amazon Relational Database Service (RDS) makes it easy to set up, operate, and scale a relational database in the cloud. When an RDS instance is created, it can be set up to be publicly accessible. The AWS console and CLI show the DNS endpoint of the instance either way, but the endpoint only resolves to a public IP address from outside the VPC when the instance's “Publicly accessible” setting is Yes; otherwise it resolves to a private VPC address. Reaching a public endpoint still depends on the security group and subnet routing, so a publicly accessible instance is a candidate for scanning rather than proof of exposure.

Other database services such as DynamoDB and ElastiCache are separate services that also expose hostnames, but they behave differently: DynamoDB is reached through the regional service endpoint shared by all customers, so there is no account-specific address to enumerate, and ElastiCache endpoints are only reachable from inside the VPC.


RDS Instance IPs via Console

  1. Log in to the AWS console and navigate to “Databases” under the “Amazon RDS” service.
  2. Select a database whose public endpoint you wish to identify. The endpoint and port, and the “Publicly accessible” setting, are visible under the “Connectivity & security” tab on the page
  3. To find its IP address, resolve the endpoint with nslookup or dig from outside the VPC; a private address in the answer means the instance is not publicly accessible.


RDS IPs via AWS Command Line

  1. Configure your AWS command line profile
  2. Run the following command to fetch the endpoints of the publicly accessible RDS instances in the “us-east-2” region. Change the value of “--region” to fetch the endpoints in other regions. Drop the filter to list every instance, and note that Aurora clusters are listed separately by “aws rds describe-db-clusters”, which returns an Endpoint and a ReaderEndpoint per cluster.
aws rds describe-db-instances --query 'DBInstances[?PubliclyAccessible==`true`].[DBInstanceIdentifier,Endpoint.Address,Endpoint.Port]' --region us-east-2
  3. You can then use nslookup or dig to fetch the IP address from the endpoint name as shown in the previous section.


AWS API Gateway

Amazon API Gateway is an AWS service for creating, publishing, maintaining, monitoring, and securing REST, HTTP, and WebSocket APIs at any scale. API developers can create APIs that access AWS or other web services, as well as data stored in the AWS Cloud.

API Gateway supports three API types: HTTP, WebSocket and REST. Every deployed API gets a default DNS name of the form <id>.execute-api.<region>.amazonaws.com that is reachable over the Internet, unless the execute-api endpoint has been disabled in favour of a custom domain name or, for REST APIs, the endpoint type is PRIVATE (served only through a VPC endpoint). The hostname fronts shared AWS infrastructure (an edge-optimised REST API resolves to CloudFront addresses), so the IP addresses behind it change and are shared with other customers; the hostname is the stable identifier to record.

The console shows all three types. On the command line, REST APIs are listed by “aws apigateway get-rest-apis”, while HTTP and WebSocket APIs belong to the newer apigatewayv2 API and are listed by “aws apigatewayv2 get-apis”, which returns each API's ApiEndpoint directly. The console steps below cover all three; the command line steps cover REST APIs.


HTTP API Gateway IPs via Console


  1. Log in to the AWS console and navigate to “API Gateway”
  2. Click “APIs” in the left pane and select the HTTP API whose public endpoint you wish to identify. The endpoint is visible under the “Stages for <API-NAME>” section
  3. To find its IP address, resolve the hostname part of the endpoint URL with nslookup or dig.


WebSocket API Gateway IPs via Console


  1. Log in to the AWS console and navigate to “API Gateway”
  2. Click “APIs” in the left pane and select the WebSocket API whose public endpoint you wish to identify.
  3. Click on “Stages” on the left and select a Stage (production for example). The endpoint will be listed as “WebSocket URL:” on the top half of the page
  4. To find its IP address, resolve the hostname part of the WebSocket URL with nslookup or dig.

REST API Gateway IPs via Console


  1. Log in to the AWS console and navigate to “API Gateway”
  2. Click “APIs” in the left pane and select the REST API whose public endpoint you wish to identify
  3. Click on “Stages” on the left and select a Stage (production for example). The endpoint will be listed as “Invoke URL:” on the top half of the page
  4. To find its IP address, resolve the hostname part of the Invoke URL with nslookup or dig.


REST API Gateway IPs via AWS Command Line

  1. Configure your AWS command line profile
  2. Run the following command to fetch all REST API details in the “us-east-1” region. Change the value of “--region” to fetch the data from other regions.
aws apigateway get-rest-apis --region us-east-1
  3. The DNS name can be constructed from the REST API id and the AWS region using the following format:
<id>.execute-api.<region>.amazonaws.com
  4. The IP address can then be obtained via a dig or nslookup command as shown in the previous section. APIs whose endpointConfiguration type is PRIVATE, or that have disableExecuteApiEndpoint set, are not served to Internet callers on this hostname even though the name exists.
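As an added example (not code from the original article), the following Python script turns the two listing commands into a reachable-hostname inventory across all three API types: it builds the execute-api name for each REST API from its id and region, takes the ApiEndpoint that apigatewayv2 returns for HTTP and WebSocket APIs, and drops APIs that are PRIVATE or have their execute-api endpoint disabled. The embedded JSON is a constructed sample in the shape of the two commands' output (IDs and names are made up); reachable_hostnames_live() is the only part that calls a configured aws CLI. Custom domain names attached to these APIs are a separate listing (get-domain-names in both APIs) and are not covered here.

```python
import json
import subprocess
from urllib.parse import urlparse

# Constructed sample in the shape of `aws apigateway get-rest-apis` output (IDs and names made up).
SAMPLE_REST_APIS = json.loads("""
{"items": [
  {"id": "a1b2c3d4e5", "name": "orders-public",
   "endpointConfiguration": {"types": ["REGIONAL"]}, "disableExecuteApiEndpoint": false},
  {"id": "f6g7h8i9j0", "name": "orders-private",
   "endpointConfiguration": {"types": ["PRIVATE"]}, "disableExecuteApiEndpoint": false},
  {"id": "k1l2m3n4o5", "name": "orders-customdomain",
   "endpointConfiguration": {"types": ["EDGE"]}, "disableExecuteApiEndpoint": true}
]}
""")

# Constructed sample in the shape of `aws apigatewayv2 get-apis` output (HTTP and WebSocket APIs).
SAMPLE_V2_APIS = json.loads("""
{"Items": [
  {"ApiId": "p6q7r8s9t0", "Name": "chat", "ProtocolType": "WEBSOCKET",
   "ApiEndpoint": "wss://p6q7r8s9t0.execute-api.us-east-1.amazonaws.com",
   "DisableExecuteApiEndpoint": false},
  {"ApiId": "u1v2w3x4y5", "Name": "shop-http", "ProtocolType": "HTTP",
   "ApiEndpoint": "https://u1v2w3x4y5.execute-api.us-east-1.amazonaws.com",
   "DisableExecuteApiEndpoint": true}
]}
""")


def rest_api_hostnames(doc, region):
    """(hostname, name, internet_reachable) per REST API, building the default execute-api name.

    get-rest-apis returns only the id, not the hostname. A PRIVATE API is served only through
    a VPC endpoint, and a disabled execute-api endpoint means only the custom domain answers.
    """
    results = []
    for api in doc.get("items", []):
        host = f"{api['id']}.execute-api.{region}.amazonaws.com"
        types = api.get("endpointConfiguration", {}).get("types", [])
        reachable = "PRIVATE" not in types and not api.get("disableExecuteApiEndpoint", False)
        results.append((host, api.get("name", ""), reachable))
    return results


def v2_api_hostnames(doc):
    """(hostname, name, protocol, internet_reachable) per HTTP/WebSocket API, from ApiEndpoint."""
    results = []
    for api in doc.get("Items", []):
        host = urlparse(api["ApiEndpoint"]).hostname
        reachable = not api.get("DisableExecuteApiEndpoint", False)
        results.append((host, api.get("Name", ""), api.get("ProtocolType", ""), reachable))
    return results


def reachable_hostnames(rest_doc, v2_doc, region):
    """The execute-api hostnames an Internet caller can reach, across all three API types."""
    hosts = [h for h, _, ok in rest_api_hostnames(rest_doc, region) if ok]
    hosts += [h for h, _, _, ok in v2_api_hostnames(v2_doc) if ok]
    return sorted(set(hosts))


def aws_json(*args):
    """Run one AWS CLI command and parse its JSON output (needs configured credentials)."""
    out = subprocess.run(["aws", *args, "--output", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)


def reachable_hostnames_live(region):
    """The same inventory against a real account; apigatewayv2 covers HTTP and WebSocket APIs."""
    return reachable_hostnames(aws_json("apigateway", "get-rest-apis", "--region", region),
                               aws_json("apigatewayv2", "get-apis", "--region", region), region)


if __name__ == "__main__":
    print(reachable_hostnames(SAMPLE_REST_APIS, SAMPLE_V2_APIS, "us-east-1"))
```

Keep the unreachable entries around as well: an API whose default endpoint is disabled is still exposed through its custom domain, which is exactly the hostname an attacker is more likely to find in public DNS.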


AWS Elastic Beanstalk

Amazon Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.

AWS Elastic Beanstalk public IPs via Console


  1. Log in to the AWS console and navigate to “Elastic Beanstalk”
  2. Click “Environments” from the left pane
  3. In the list of environments, identify the environments that have a “URL”. This is the environment's CNAME under elasticbeanstalk.com, which resolves to the environment's load balancer or, for a single-instance environment, to the instance's public IP address
  4. Copy the URL from the list or click the Environment name to see a different view from which the URL can be copied
  5. To find its IP address, resolve the hostname in the URL with nslookup or dig.


AWS Elastic Beanstalk public IPs via AWS Command Line

  1. Configure your AWS command line profile
  2. Run the following command to fetch the CNAME and endpoint of every Elastic Beanstalk environment in the “us-east-1” region. Change the value of “--region” to fetch the data from other regions. EndpointURL holds the load balancer's DNS name for a load-balanced environment and the instance's public IP address for a single-instance environment.
aws elasticbeanstalk describe-environments --query 'Environments[*].[EnvironmentName,CNAME,EndpointURL]' --region us-east-1
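Every service section above ends with the same step: resolve the collected name with nslookup or dig. As an added example (not code from the original article), the following Python script does that step for a mixed list of what the console and CLI hand back: ELB DNS names, an RDS endpoint with its port, API Gateway invoke and WebSocket URLs, an Elastic Beanstalk CNAME and a bare IP address from a single-instance environment. It normalises each entry to a hostname, resolves it, and separates public addresses from VPC-internal ones so an internal load balancer or a non-public RDS instance does not end up in the Internet-facing inventory. The endpoints and the DNS answers in FAKE_DNS are constructed so the script runs offline; pass live_resolver to query real DNS.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed sample: one endpoint per service, in the forms the console and CLI hand back
# (all names and addresses are made up).
SAMPLE_ENDPOINTS = [
    "my-alb-123456789.us-east-2.elb.amazonaws.com",                     # ELB DNS name
    "internal-ops-lb-987654321.us-east-2.elb.amazonaws.com",            # internal ELB
    "mydb.abcdefghij.us-east-2.rds.amazonaws.com:5432",                 # RDS endpoint with port
    "https://a1b2c3d4e5.execute-api.us-east-1.amazonaws.com/prod",      # REST API invoke URL
    "wss://p6q7r8s9t0.execute-api.us-east-1.amazonaws.com/production",  # WebSocket URL
    "shop-env.eba-abcd1234.us-east-1.elasticbeanstalk.com",             # Beanstalk CNAME
    "203.0.113.50",                                                     # single-instance Beanstalk EndpointURL
]

# Constructed DNS answers so the script runs offline; live_resolver() asks real DNS instead.
FAKE_DNS = {
    "my-alb-123456789.us-east-2.elb.amazonaws.com": ["203.0.113.11", "203.0.113.12"],
    "internal-ops-lb-987654321.us-east-2.elb.amazonaws.com": ["10.0.1.25", "10.0.2.25"],
    "mydb.abcdefghij.us-east-2.rds.amazonaws.com": ["203.0.113.40"],
    "a1b2c3d4e5.execute-api.us-east-1.amazonaws.com": ["198.51.100.7", "198.51.100.8"],
    "p6q7r8s9t0.execute-api.us-east-1.amazonaws.com": ["198.51.100.7"],
    "shop-env.eba-abcd1234.us-east-1.elasticbeanstalk.com": ["203.0.113.11"],
}

# Address space that can only be a VPC-internal answer. ipaddress.is_private is not used
# here because it also flags the documentation ranges the sample data is built from.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "169.254.0.0/16", "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]


def is_internal(addr):
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in INTERNAL_NETS if net.version == addr.version)


def hostname_of(endpoint):
    """Reduce a URL, host:port pair, bare hostname or IP literal to the name to resolve."""
    if "://" in endpoint:
        return urlparse(endpoint).hostname
    if endpoint.count(":") == 1:          # host:port (an IPv6 literal has more colons)
        return endpoint.rsplit(":", 1)[0]
    return endpoint


def fake_resolver(name):
    return list(FAKE_DNS.get(name, []))


def live_resolver(name):
    """System resolver; run it from outside the VPC to see the answer the Internet gets."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def resolve_endpoints(endpoints, resolver=fake_resolver):
    """Map addresses back to the endpoints that resolve to them, split into public and internal.

    Internal-only answers (an internal ELB, an RDS instance that is not publicly accessible)
    are reported separately rather than dropped, so the gap in coverage stays visible.
    """
    public, internal, unresolved = {}, {}, []
    for endpoint in endpoints:
        name = hostname_of(endpoint)
        try:
            addrs = [str(ipaddress.ip_address(name))]   # already an IP literal
        except ValueError:
            addrs = resolver(name)
        if not addrs:
            unresolved.append(endpoint)
            continue
        for addr in addrs:
            bucket = internal if is_internal(addr) else public
            bucket.setdefault(addr, set()).add(endpoint)
    return public, internal, unresolved


if __name__ == "__main__":
    public, internal, unresolved = resolve_endpoints(SAMPLE_ENDPOINTS)
    for addr in sorted(public):
        print(addr, sorted(public[addr]))
    print("internal only:", sorted(internal))
    print("unresolved:", unresolved)
```

The result is keyed on the address rather than the hostname on purpose: two hostnames resolving to the same IP (a Beanstalk CNAME and the load balancer it points at, or several API Gateway APIs behind one regional endpoint) are one target to a port scanner, and the mapping back to endpoints tells you which services share that exposure.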


Conclusion

Identifying your attack surface is the key to defending your account from malicious actors, bots and targeted threats. Externally accessible endpoints of an organisation are a very important facet of the attack surface. Knowledge of external IP addresses and hostnames allows attackers to poke around what is hosted and identify potential weaknesses beyond the network layer.

On the other hand, knowledge of the external attack surface, public IPs and accessible hostnames allows SREs and Ops to take measures to strengthen their defences to thwart attacks. Although many of the services within AWS are completely managed, which reduces the risks arising from misconfigurations, there may be instances where exposure of the IP addresses and hostnames allows attackers to gain footholds within your account.

This article presents various ways of enumerating the IP address information for common services within AWS and can be used to enumerate them for your account for visibility purposes.


***

This article is brought to you by Kloudle Academy, a free e-resource compilation, created and curated by Kloudle. Kloudle is a cloud security platform that uses the power of automation and simplifies human requirements in cloud security. If you wish to give your feedback on this article, you can write to us here.

Written by:
Riyaz Walikar

Chief Hacker

Riyaz is a security evangelist, offensive security expert and researcher with over a decade of experience in the cyber security industry. His passion for breaking into some of the most well defended networks and systems in a career spanning 15 years has earned him a lot of respect within the security industry. He has led Security Assessment and Penetration Testing teams at Pricewaterhouse Coopers (PwC) and Appsecco, and the Product Security Team at Citrix before co-founding Kloudle. Riyaz now specializes in cloud native, container and cloud security in general, helping build an easy to use security management platform that helps companies enhance their visibility in the cloud, identify security misconfigurations and automate remediation for security gaps, enabling compliance and operational security in multi-cloud environments. He is also an avid speaker and trainer and presents his research and findings at security conferences and community meetups around the world including BlackHat USA, BH Europe, BH Asia, nullcon and OWASP AppsecUSA.

Specialties: Cloud (AWS, GCP, Azure, IBM, Others) Security, Cloud-Native Security, Kubernetes, Container Security, Web Application Security, Network and System Penetration Testing, Wireless Network Security, Malware Analysis and Reverse Engineering, Threat Modelling, Windows Forensics, Security Code Review, Vulnerability Research, Exploit Development and Reverse Engineering.

Certifications: CKA, CKAD, OSCP