What is AWS Prefix actually?

Question:

What/where is the definition of AWS Prefix?

Background

While looking for a way to list S3 endpoint CIDRs, I encountered the term "AWS prefix list", but I am not sure what it exactly means or where the terminology is defined.

Confusion

Prefix means a word placed in front. For S3, according to Listing Keys Hierarchically Using a Prefix and Delimiter, it should be the starting path to an object.

However, apparently it refers to an IP address range. How come "prefix" is used for IP ranges? What is the history or reason?

Terraform aws_prefix_list

This can be used both to validate a prefix list given in a variable and to obtain the CIDR blocks (IP address ranges) for the associated AWS service.

describe-prefix-lists

Describes available AWS services in a prefix list format, which includes the prefix list name and prefix list ID of the service and the IP address range for the service.

AWS IP Address Ranges


Update

Gateway VPC Endpoints

Specify the VPC in which to create the endpoint, and the service to which you’re connecting. A service is identified by a prefix list—the name and ID of a service for a Region. A prefix list ID uses the form pl-xxxxxxx and a prefix list name uses the form “com.amazonaws.region.service”. Use the prefix list name (service name) to create an endpoint.

What is the meaning of Prefix?

Suppose you have a network like 10.5.10.0/24,
so you will have the 10.5.10 prefix in that subnet from 1 to 255, and your network address will be 10.5.10.0.

I suppose (10.0.0.0/24) means (the top 24-bit part of a 32-bit IP) of a network that has
254 IP addresses from 1 to 254 (0 is the network and 255 is the broadcast). The prefix is the top 24 bits and the suffix (?) is the last 8 bits. A list of the top N bits which identify a network is a list of IP prefixes.

Answer:

If what you are looking for is the prefix list ID for a VPC endpoint like DynamoDB/S3, then it is not related to IP or CIDR. As is mentioned in the documentation:

A prefix list ID is required for creating an outbound security group rule that allows traffic from a VPC to access an AWS service through a gateway VPC endpoint.

So if you do not have the prefix-list ID in your security group outbound rules for EC2 or VPC Lambda, you will get a timeout when connecting to DynamoDB or S3.

You can get the prefix list by running

aws ec2 describe-prefix-lists


Then you can put this PrefixListId into your security group outbound rules via the AWS web console. If you use Terraform for a different region, it could be something like:
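As an added illustration, not part of the question or of the answer above, the following Python ties together the two threads on this page: the network-prefix meaning of a CIDR block that the comments discuss (top N bits identify the network, the rest identify hosts), and the gateway-endpoint prefix list that the answer refers to. The JSON below is a constructed stand-in shaped like the output of `aws ec2 describe-prefix-lists`; the prefix list IDs (`pl-00000001`, `pl-00000002`) and the CIDR blocks (RFC 5737 documentation ranges) are placeholders, not real AWS values. The `IpPermissions` structure it builds is the one accepted by `aws ec2 authorize-security-group-egress --ip-permissions`, using a `PrefixListIds` element instead of `IpRanges` so the rule follows the service's address ranges by ID rather than by hard-coded CIDRs.

```python
import ipaddress
import json

# Constructed sample, shaped like `aws ec2 describe-prefix-lists` JSON output.
# IDs and CIDRs are placeholders, not real AWS values.
SAMPLE_DESCRIBE_PREFIX_LISTS = json.dumps({
    "PrefixLists": [
        {
            "PrefixListName": "com.amazonaws.us-east-1.s3",
            "PrefixListId": "pl-00000001",
            "Cidrs": ["203.0.113.0/24", "198.51.100.0/22"],
        },
        {
            "PrefixListName": "com.amazonaws.us-east-1.dynamodb",
            "PrefixListId": "pl-00000002",
            "Cidrs": ["192.0.2.0/24"],
        },
    ]
})


def prefix_of(cidr):
    """Split a CIDR block into (network address, prefix length, host bits).

    The 'prefix' is the top `prefixlen` bits shared by every address in the
    block; the remaining bits distinguish individual hosts.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), net.prefixlen, net.max_prefixlen - net.prefixlen


def find_prefix_list(describe_output, region, service):
    """Return the prefix list entry named com.amazonaws.<region>.<service>.

    This is the name form the gateway VPC endpoint documentation quotes above.
    """
    name = f"com.amazonaws.{region}.{service}"
    for pl in json.loads(describe_output)["PrefixLists"]:
        if pl["PrefixListName"] == name:
            return pl
    raise LookupError(f"no prefix list named {name}")


def ip_in_prefix_list(pl, ip):
    """True if `ip` falls inside any CIDR prefix carried by the prefix list.

    An egress rule that references the prefix list only matches traffic to
    these addresses; anything outside them is not covered by that rule.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in pl["Cidrs"])


def egress_rule_for(pl, port=443):
    """Build one IpPermissions element for authorize-security-group-egress.

    It references the prefix list by ID (PrefixListIds) instead of listing
    raw CIDRs (IpRanges), so the rule tracks AWS's ranges automatically.
    """
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "PrefixListIds": [
            {"PrefixListId": pl["PrefixListId"], "Description": pl["PrefixListName"]}
        ],
    }


if __name__ == "__main__":
    print(prefix_of("10.5.10.0/24"))
    s3 = find_prefix_list(SAMPLE_DESCRIBE_PREFIX_LISTS, "us-east-1", "s3")
    print(s3["PrefixListId"], ip_in_prefix_list(s3, "198.51.100.200"))
    # The printed JSON is what you would pass to --ip-permissions.
    print(json.dumps([egress_rule_for(s3)], indent=2))
```

The `prefix_of` helper makes the comment-thread point concrete: 10.5.10.0/24 has a 24-bit prefix and 8 host bits. The remaining helpers mirror what the answer does by hand in the console: look up the list by its service name, then reference its ID from the security group egress rule.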
