ec2: look up AWS managed Prefix Lists

[alanraison]

There is currently no way to lookup the IP of an AWS-managed Prefix List (i.e. those for S3 and DynamoDB).

Use Case

In order to use an S3 or DynamoDB Gateway endpoint, with a Security Group which allows only specific outbound access, it is necessary to lookup the com.amazonaws.<region>.s3 or com.amazonaws.<region>.dynamodb Prefix List's ID. This is currently not possible.

Proposed Solution

Add the ability to look up a Prefix List by prefix list ID. I don't know if this requires changes in Cloudformation.

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[njlynch]

There is no current CloudFormation support for this. The guidance I have seen elsewhere is to use a Custom Resource to do the lookup. See the description of #13668 for one example of doing that lookup via a Custom Resource.

This is something we could conceivably integrate into the CDK, but it's not clear yet how broad an impact it would have or where it would live. I am unassigning and marking this issue as p2, which means that we are unable to work on this immediately.

We use +1s to help prioritize our work, and are happy to revaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization. In the meantime, I hope the linked workaround helps!

[ramiro]

See also #9568.

[markoperich]

+1

[havenith]

+1

[gottschalkj-fmr]

+1