EC2 Address

Verify IP Address Usage Across AWS Accounts

James Lane
May 17, 2023


Verifying IP addresses used across multiple AWS accounts is important for maintaining IP reputation and customer whitelisting. To collect information about networking resources in a multi-account AWS environment, there are several scalable options including IPAM, AWS Config, and building an automated solution using the AWS CLI or SDKs.

6 ways to verify IP address usage

1. Instance Metadata API

Use the Instance Metadata API on the instance to retrieve the AWS account ID associated with the instance. The API can be accessed by running the following command on the instance:

curl http://your-ip-address/latest/dynamic/instance-identity/document

The command will return a JSON object that contains the account ID in the accountId field.

2. AWS CLI and Network Interfaces

Use the AWS CLI to find the network interface that owns the IP address. The following command can be run:

aws ec2 describe-network-interfaces --filters Name=addresses.private-ip-address,Values=

Replace <IPv4 address> with the IP address that needs to be investigated. The output of the command will include the description of the network interface, which can be used to identify the resource that owns the IP address.

3. Amazon VPC IP Address Manager (IPAM)

Use Amazon VPC IP Address Manager (IPAM) to monitor and audit IP addresses at scale. IPAM is a VPC feature that makes it easier to plan, track, and monitor IP addresses for AWS workloads. From a centralized dashboard, IPAM can monitor IP address space that's in use and use the IP historical data to search for the status change of IP addresses or CIDRs. IPAM can be integrated with AWS organisations to activate the Amazon VPC IPAM service to manage and monitor networking resources created by all AWS organizations member accounts.

4. Automating with AWS Config Aggregator

Automate multi-account network information capture with AWS Config aggregator. AWS Config records AWS resource configurations and allows reviewing changes in configurations and relationships between AWS resources. Networking resource types collected by AWS Config include internet gateways, NAT gateways, load balancers, VPC CIDRs, and subnets. AWS Config data from multiple accounts and AWS Regions can be aggregated into a single account using multi-account, multi-Region data aggregation.

5. Automatic Report Generation with aws-sts-network-query-tool

Automatically generate a multi-account network resources report using aws-sts-network-query-tool. This script uses AWS CLI to collect networking-related information for multiple accounts and outputs the information in a CSV. It can be run by specifying a list of member accounts to scan. The script can collect information about internet gateways, NAT gateways, load balancers, VPC CIDRs, subnets, elastic IP addresses, and elastic network interfaces.

6. Overmind

Overmind makes it easy to search IP addresses across accounts while getting all important related content and metadata about its usage. Within Explore, you can start by listing all ec2-address types. From there you can expand outwards discovering any related types including DNS entries, ec2-network-interfaces or IPs.

Using Overmind to find IP addresses
Using Overmind 'List' to discover IP addresses

To do this across multiple accounts simply those accounts as new sources. Once you have added these sources you will be able to search across all of them by making sure the scope is set to ‘*’.

Choosing the Right Option

Choosing the option depends on the specific use case and the available infrastructure.

  1. For a list of VPC CIDRs, subnets, elastic network interfaces, elastic IP addresses, and IP usage within CIDRs, IPAM can be used.
  2. If internet gateways, NAT gateways, and load balancers within accounts need to be listed, along with the resources elastic IP addresses are attached to, AWS Config aggregator or aws-sts-network-query-tool can be used.
  3. If the accounts are not within an AWS organisation, aws-sts-network-query-tool would be the best option.


What is the Instance Metadata API, and how does it help in verifying IP address usage?

To verify IP address usage, you can utilise the instance metadata to get the instance ID and other relevant details. The instance metadata is available in all Amazon EC2 instances at the following address: /latest/meta-data/. In there, you can find quite a lot of useful information, including the instance ID, which can be used to verify IP address usage.

Can I use the AWS CLI to find the owner of an IP address in AWS?

Yes, you can use the AWS CLI to find the owner of an IP address in AWS. The docs link can be found here.

Which option should I choose if I need to monitor IP addresses within VPCs and track their usage?

To monitor IP addresses within VPCs and track their usage, the best option is to use Amazon VPC IP Address Manager (IPAM).