diff --git a/plugins/lookup/aws_service_ip_ranges.py b/plugins/lookup/aws_service_ip_ranges.py
index 77e7ae82d2b..fa579c059bc 100644
--- a/plugins/lookup/aws_service_ip_ranges.py
+++ b/plugins/lookup/aws_service_ip_ranges.py
@@ -43,7 +43,14 @@
 """
 
 import json
+try:
+    import netaddr
+except ImportError as imp_exc:
+    NETADDR_LIBRARY_IMPORT_ERROR = imp_exc
+else:
+    NETADDR_LIBRARY_IMPORT_ERROR = None
 
+from ansible.module_utils.six import raise_from
 from ansible.errors import AnsibleError
 from ansible.module_utils.six.moves.urllib.error import HTTPError
 from ansible.module_utils.six.moves.urllib.error import URLError
@@ -54,6 +61,24 @@
 from ansible.plugins.lookup import LookupBase
 
 
+def valid_cidr(ip_address):
+    """
+    Validate IP address
+    """
+    if NETADDR_LIBRARY_IMPORT_ERROR:
+        raise_from(
+            AnsibleError('netaddr must be installed to use this plugin'),
+            NETADDR_LIBRARY_IMPORT_ERROR)
+    try:
+        netaddr.IPNetwork(ip_address)
+    except netaddr.core.AddrFormatError as e:
+        raise AnsibleError("Not a valid IP address: %s" % e)
+    cidr = ip_address.split('/')
+    if (len(cidr) <= 1 or cidr[1] == ''):
+        return False
+    return True
+
+
 class LookupModule(LookupBase):
     def run(self, terms, variables, **kwargs):
         if "ipv6_prefixes" in kwargs and kwargs["ipv6_prefixes"]:
diff --git a/requirements.txt b/requirements.txt
index 0d58b96112d..f73aa68210f 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,4 @@
 boto>=2.49.0
 botocore>=1.16.0
 boto3>=1.13.0
+netaddr>=0.8.0