Overview
AWS operates two primary ASNs: AS16509 (most cloud services) and AS14618 (Amazon retail / corporate). The ip-ranges.json file is the authoritative source: it tags each prefix with the service (EC2, S3, CLOUDFRONT, ROUTE53_RESOLVER, etc.) and the AWS region (us-east-1, eu-west-2, ap-southeast-1, ...). The file is updated several times per day; AWS recommends polling it daily.
Services on these IPs
Common services to filter by in ip-ranges.json: EC2 (any virtual machine; 1.8k+ prefixes), AMAZON (catch-all; 5.9k+ prefixes), S3 (object storage endpoints; region-specific), CLOUDFRONT (CDN edge), ROUTE53_RESOLVER (DNS), API_GATEWAY (API endpoints), GLOBALACCELERATOR. The EC2 tag is the broadest customer-facing service: any IP under it could be a customer VM.
How to detect AWS IPs
For Amazon-owned bots (e.g., the Alexa crawler), reverse DNS points to *.amazonaws.com or *.compute.amazonaws.com, and a forward lookup of that name resolves back to the same IP (forward-confirmed reverse DNS). For general AWS ownership, fetch ip-ranges.json and check prefix membership. Operationally, an ASN lookup that returns AS16509 means AWS.
When this matters
Security teams allow/block specific AWS services (e.g., allow CloudFront, block EC2 ranges from certain regions). Compliance reports need AWS region tagging for data residency. Threat intel correlates abuse against EC2 ranges to identify rented attack infrastructure.
Caveats
EC2 IPs are dynamically assigned to customers. A connection from an EC2 IP says nothing about who is behind it: it could be Netflix, a startup, or a botnet operator. Always check the freshness of your copy of ip-ranges.json; stale data causes false negatives whenever AWS adds new ranges.
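The membership check described under "How to detect AWS IPs", the allow-CloudFront / block-EC2-by-region policy from "When this matters", and the freshness check from this section, worked through in one place. This is an added example, not code from the original page or from AWS. The JSON document embedded below is constructed for the example: its field names (syncToken, createDate, prefixes, ip_prefix, ipv6_prefixes, ipv6_prefix, region, service, network_border_group) follow the shape of the published ip-ranges.json, but the prefixes are documentation ranges, not real AWS allocations. The function names (load_ranges, lookup, decide, age_hours, is_fresh), the BLOCKED_EC2_REGIONS set and the two-day freshness threshold are this example's own choices; createDate is treated as UTC.

```python
"""Tag an IP address with AWS service/region from an ip-ranges.json document.

Added example (not from the original page). SAMPLE_DOC is a constructed
stand-in for https://ip-ranges.amazonaws.com/ip-ranges.json; replace it
with the fetched file in real use.
"""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the real file. The same prefix appears
# under AMAZON (catch-all) and again under its specific service, as in the
# published file. Prefixes are RFC 5737 / RFC 3849 documentation ranges.
SAMPLE_DOC = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-22-13-20",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1",
         "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL",
         "service": "AMAZON", "network_border_group": "GLOBAL"},
        {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL",
         "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
        {"ip_prefix": "192.0.2.0/26", "region": "eu-west-2",
         "service": "AMAZON", "network_border_group": "eu-west-2"},
        {"ip_prefix": "192.0.2.0/26", "region": "eu-west-2",
         "service": "EC2", "network_border_group": "eu-west-2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "ap-southeast-1",
         "service": "AMAZON", "network_border_group": "ap-southeast-1"},
        {"ipv6_prefix": "2001:db8:1::/48", "region": "ap-southeast-1",
         "service": "EC2", "network_border_group": "ap-southeast-1"},
    ],
})

# Example policy (this example's assumption): allow CloudFront edges,
# block EC2 traffic from regions the team does not expect to see.
BLOCKED_EC2_REGIONS = {"eu-west-2"}


def load_ranges(doc_text):
    """Parse ip-ranges.json text into a list of (network, service, region)."""
    doc = json.loads(doc_text)
    ranges = []
    for entry in doc.get("prefixes", []):
        ranges.append((ipaddress.ip_network(entry["ip_prefix"]),
                       entry["service"], entry["region"]))
    for entry in doc.get("ipv6_prefixes", []):
        ranges.append((ipaddress.ip_network(entry["ipv6_prefix"]),
                       entry["service"], entry["region"]))
    return ranges


def lookup(ip_text, ranges):
    """Return sorted (service, region) tags of every prefix containing ip_text.

    One address normally yields several tags, because AMAZON overlaps the
    more specific service tag (EC2, CLOUDFRONT, ...).
    """
    ip = ipaddress.ip_address(ip_text)
    return sorted({(svc, reg) for net, svc, reg in ranges
                   if ip.version == net.version and ip in net})


def decide(ip_text, ranges):
    """Apply the example policy: 'allow', 'block', or 'unknown' (not in file)."""
    tags = lookup(ip_text, ranges)
    if not tags:
        return "unknown"  # not AWS, or the local copy of the file is stale
    if any(svc == "CLOUDFRONT" for svc, _ in tags):
        return "allow"
    if any(svc == "EC2" and reg in BLOCKED_EC2_REGIONS for svc, reg in tags):
        return "block"
    return "allow"


def age_hours(doc_text, now_text):
    """Hours between the document's createDate and now_text (same format, UTC)."""
    fmt = "%Y-%m-%d-%H-%M-%S"
    created = datetime.strptime(json.loads(doc_text)["createDate"], fmt)
    now = datetime.strptime(now_text, fmt)
    return (now - created) / timedelta(hours=1)


def is_fresh(doc_text, now_text=None, max_age_hours=48.0):
    """True if the document is younger than max_age_hours (default two days)."""
    if now_text is None:
        now_text = datetime.now(timezone.utc).strftime("%Y-%m-%d-%H-%M-%S")
    return age_hours(doc_text, now_text) <= max_age_hours


if __name__ == "__main__":
    ranges = load_ranges(SAMPLE_DOC)
    for ip in ("203.0.113.7", "198.51.100.5", "192.0.2.9", "2001:db8:1::1", "8.8.8.8"):
        print(ip, lookup(ip, ranges), decide(ip, ranges))
    print("fresh:", is_fresh(SAMPLE_DOC))  # stale unless the sample date is recent
```

The lookup is a linear scan, which is fine for a one-off check; a service that answers many queries per second would load the prefixes into a radix tree instead. Note that the freshness check uses the file's own createDate rather than the download time, so a cached copy served by a proxy is still detected as stale.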