Tracking down api webhook connections

Hello All,

So I implemented ModSecurity on my Nginx reverse proxy in front of my Hassio instance (docker on Ubuntu 18.04.3 VM) and it’s logging the following api webhook connections (not blocking until I can find out what they’re for). I’m unable to track the IPs down to a particular add-on, integration or service. Does anyone else see a lot of connections to these IPs or can provide insight into what these might be from? Trying to avoid shutting off all the add-ons or integrations to track this down. Here are the relevant log entries:

54.82.4.129 - - [08/Nov/2019:08:21:39 +0000] “POST /api/webhook/[webhook ID] HTTP/1.1” 200 17 “-” “AHC/2.1”
54.83.145.181 - - [08/Nov/2019:08:23:03 +0000] “POST /api/webhook/[webhook ID] HTTP/1.1” 200 17 “-” “AHC/2.1”
52.203.225.134 - - [08/Nov/2019:08:23:05 +0000] “POST /api/webhook/[webhook ID] HTTP/1.1” 200 17 “-” “AHC/2.1”

Observations:

  • The repetitive connections are made to these 3 IPs and open and close every couple minutes throughout the day regardless of my interaction with HA.
  • The IPs are registered/hosted by Amazon Web Services.

Add-ons that I’m using on Hassio 0.99.3:

  • MQTT Server and Web Client 1.1.0
  • Node-Red 5.0.3
  • Log Viewer 0.6.4
  • Portainer 0.8.0
  • SSH and Web Terminal 6.4.0
  • Smartthings Bridge 0.0.3
  • Visual Studio Code 1.1.1
  • Chrony 1.0.4

Integrations:

  • Smartthings (maybe HA is “phoning home”?)
  • GPSLogger
  • Google Cast