
I have a network whose outbound traffic is strictly limited to a whitelist of sites or domains. I searched and couldn't find any documentation about how I could allow stations on this network to use the AWS Management Console without allowing arbitrary outgoing connections.

Is there any minimal list of hostnames, domains or IP ranges - similar to https://learn.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls - that I'd whitelist for this purpose?

Thanks!

Cat Mucius

1 Answer


This is the list of AWS IP ranges which can be filtered by region.

As for domains, you're going to have a tough time whitelisting everything, unless you use a very restricted set of services. Example:

console.aws.amazon.com
[your region].console.aws.amazon.com
signin.aws.amazon.com
support.aws.amazon.com
s3.console.aws.amazon.com
aws.amazon.com
docs.aws.amazon.com
forums.aws.amazon.com
status.aws.amazon.com
aws-portal.amazon.com
... etc ...

You would need a zone transfer to actually get a full list of subdomains, something like dig @server.com zone.com axfr — but this also would be brittle, if AWS's DNS servers even allow it (they probably don't).

Zac Anger
Zac, thanks for the info. The problem is, though, that I'm looking for a way to open access to AWS native services, like the Console, while avoiding opening it to services of AWS tenants, which, as I understand, might be placed in the same ranges or under the same domains as AWS's own ones. – Cat Mucius Apr 14 '23 at 09:32
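The answer points at the published AWS IP ranges document and says it can be filtered by region; the follow-up comment worries that tenant-controlled space sits inside the same ranges. The script below is an added example, not code from the answer or from AWS. It parses the public ip-ranges.json layout (top-level `prefixes` and `ipv6_prefixes` arrays whose records carry `ip_prefix`/`ipv6_prefix`, `region` and `service`), builds a collapsed allow-list for one region plus the region-less `GLOBAL` entries, and, for any resolved address, reports every service tag that covers it. The embedded document is constructed sample data using documentation ranges, not real AWS prefixes; the service filter defaulting to `AMAZON` and the treatment of `EC2`-tagged space as customer-allocatable are the assumptions a reviewer should check against the live file.

```python
"""Filter an AWS ip-ranges.json document down to the prefixes one region's
perimeter allow-list needs, and show which service tags cover an address.

Added example, not code from the answer. The record layout follows the
public https://ip-ranges.amazonaws.com/ip-ranges.json format; the
records below are CONSTRUCTED sample data (RFC 5737 / RFC 3849 ranges),
not real AWS prefixes.
"""
import ipaddress
import json

SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2023-04-14-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1",
         "service": "AMAZON", "network_border_group": "eu-west-1"},
        # EC2 space is published as a subset of the AMAZON superset;
        # customer instances live here, which is the commenter's concern.
        {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1",
         "service": "EC2", "network_border_group": "eu-west-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL",
         "service": "AMAZON", "network_border_group": "GLOBAL"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "eu-west-1",
         "service": "AMAZON", "network_border_group": "eu-west-1"},
        {"ipv6_prefix": "2001:db8:2::/48", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
    ],
})


def load_prefixes(document):
    """Parse ip-ranges.json text into (network, region, service) tuples,
    covering both the IPv4 and the IPv6 sections."""
    data = json.loads(document)
    records = []
    for rec in data.get("prefixes", []):
        records.append((ipaddress.ip_network(rec["ip_prefix"]),
                        rec["region"], rec["service"]))
    for rec in data.get("ipv6_prefixes", []):
        records.append((ipaddress.ip_network(rec["ipv6_prefix"]),
                        rec["region"], rec["service"]))
    return records


def allowlist_for_region(document, region, services=("AMAZON",),
                         include_global=True):
    """Return collapsed prefixes (as strings) for `region`, optionally plus
    the GLOBAL pseudo-region, restricted to the named service tags.
    collapse_addresses() merges overlapping entries so the resulting
    firewall rule set stays small; v4 and v6 are collapsed separately
    because the helper refuses mixed versions."""
    wanted = {region, "GLOBAL"} if include_global else {region}
    v4, v6 = [], []
    for net, rgn, svc in load_prefixes(document):
        if rgn in wanted and svc in services:
            (v4 if net.version == 4 else v6).append(net)
    return ([str(n) for n in ipaddress.collapse_addresses(v4)]
            + [str(n) for n in ipaddress.collapse_addresses(v6)])


def covering_prefixes(document, address):
    """Every (prefix, region, service) record that contains `address`.
    Run this on a resolved console hostname before trusting a range: an
    address that is also tagged EC2 sits in customer-allocatable space."""
    ip = ipaddress.ip_address(address)
    return sorted({(str(net), rgn, svc)
                   for net, rgn, svc in load_prefixes(document) if ip in net})


if __name__ == "__main__":
    for prefix in allowlist_for_region(SAMPLE_IP_RANGES, "eu-west-1"):
        print(prefix)
    print(covering_prefixes(SAMPLE_IP_RANGES, "198.51.100.10"))
```

Run against the real file by replacing `SAMPLE_IP_RANGES` with its downloaded contents; the `syncToken` changes whenever AWS republishes, so the allow-list has to be regenerated on a schedule rather than copied once.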