You have noticed your VPC's subnets (which use x.x.x.x/20 CIDR) have 4096 available IP addresses although this CIDR should have 4096 addresses. What is the reason for that?
Answer
AWS reserves 5 IP addresses in each subnet - first 4 and the last one, and so they aren't available for use.