Security groups are an important part of keeping your instances secure. A security group acts as a virtual firewall for your instances, controlling inbound and outbound traffic at the network-interface level.
Over time, you might have created many security groups that are not used anymore.
This not only adds to the clutter but also makes it difficult to manage your security groups effectively.
This blog post will show you how to find unused Amazon EC2 security groups in a single AWS region using a Python Boto3 script.
How to find all unused security groups in an AWS Region
Before you start, complete the following prerequisites so that you can run the Python script against your AWS account:
- Install the AWS CLI and configure an AWS profile
- Set up the Python environment
If you've already done both, you can proceed to step 3.
1. Install AWS CLI and configure an AWS profile
The AWS CLI is a command line tool that allows you to interact with AWS services from your terminal. Depending on whether you're running macOS, Windows, or Linux, the installation goes like this:
# macOS install method:
brew install awscli
# Windows install method (msiexec can install straight from the URL, so no separate download is needed):
msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi
# Linux (Ubuntu) install method:
sudo apt install awscli
In order to access your AWS account with the AWS CLI, you first need to configure an AWS profile. There are two ways of configuring a profile:
- Access and secret key credentials from an IAM user
- AWS Single Sign-on (SSO) user
In this article, I'll briefly explain how to configure the first method so that you can proceed with running the Python script on your AWS account.
If you wish to set up the AWS profile more securely (short-lived credentials instead of a long-lived access key), then I'd suggest you read and apply the steps described in setting up AWS CLI with AWS Single Sign-On (SSO).
In order to configure the AWS CLI with your IAM user’s access and secret key credentials, you need to login to the AWS Console.
Go to IAM > Users, select your IAM user, and click on the Security credentials tab to create an access and secret key.
Then configure the AWS profile on the AWS CLI as follows:
➜ aws configure
AWS Access Key ID [None]: <insert_access_key>
AWS Secret Access Key [None]: <insert_secret_key>
Default region name [None]: <insert_aws_region>
Default output format [json]: json
Your AWS credentials are stored in ~/.aws/credentials (the region and output format go to ~/.aws/config), and you can validate that your AWS profile is working by running the command:
➜ aws sts get-caller-identity
{
"UserId": "AIDA5BRFSNF24CDMD7FNY",
"Account": "012345678901",
"Arn": "arn:aws:iam::012345678901:user/test-user"
}
2. Setting up the Python Environment
To be able to run the Python Boto3 script, you will need to have Python installed on your machine.
Depending on whether you're running macOS, Windows, or Linux, the installation goes like this:
# macOS install method:
brew install python
# Windows install method (the python.org installer is an .exe, not an .msi, so run it directly; it bundles pip):
curl.exe -o python-3.11.2-amd64.exe https://www.python.org/ftp/python/3.11.2/python-3.11.2-amd64.exe
.\python-3.11.2-amd64.exe
# Linux (Ubuntu) install method:
sudo apt install python3 python3-pip
Once you have installed Python, you will need to install the Boto3 library.
You can install Boto3 using pip, the Python package manager, by running the following command in your terminal (on Ubuntu the command is pip3):
pip install boto3
3. Create a Python Boto3 script to find unused Amazon EC2 security groups in a single AWS Region
Once you have your environment set up, you can create the Python script.
Copy the following code into a new file in the desired location and name it find_unused_security_groups.py.
# https://github.com/dannysteenman/aws-toolbox
#
# License: MIT
#
# This script finds all unused security groups in a single AWS Region
import boto3

if __name__ == "__main__":
    ec2 = boto3.client("ec2")
    elb = boto3.client("elb")
    elbv2 = boto3.client("elbv2")
    rds = boto3.client("rds")

    used_SG = set()

    # Find EC2 instance security groups in use. Paginators are used throughout so
    # that accounts with more than one page of resources are fully covered.
    for page in ec2.get_paginator("describe_instances").paginate():
        for reservation in page["Reservations"]:
            for instance in reservation["Instances"]:
                for sg in instance["SecurityGroups"]:
                    used_SG.add(sg["GroupId"])

    # Find Classic load balancer security groups in use
    for page in elb.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancerDescriptions"]:
            # EC2-Classic load balancers carry no "SecurityGroups" key
            for sg in lb.get("SecurityGroups", []):
                used_SG.add(sg)

    # Find Application load balancer security groups in use
    for page in elbv2.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancers"]:
            # Network and Gateway load balancers may carry no "SecurityGroups" key
            for sg in lb.get("SecurityGroups", []):
                used_SG.add(sg)

    # Find RDS DB instance security groups in use
    for page in rds.get_paginator("describe_db_instances").paginate():
        for instance in page["DBInstances"]:
            for sg in instance["VpcSecurityGroups"]:
                used_SG.add(sg["VpcSecurityGroupId"])

    # Collect every security group in the region
    total_SG = []
    for page in ec2.get_paginator("describe_security_groups").paginate():
        total_SG.extend(sg["GroupId"] for sg in page["SecurityGroups"])

    unused_SG = set(total_SG) - used_SG

    print(f"Total Security Groups: {len(total_SG)}")
    print(f"Used Security Groups: {len(used_SG)}\n")
    print(f"Unused Security Groups: {len(unused_SG)} compiled in the following list:")
    print(f"{list(unused_SG)}")
We'll use the boto3 library to connect to our AWS account and create EC2, ELB (classic), ELBv2, and RDS clients. Each client picks up the profile and default region you configured in step 1.
We'll then create a set to hold the security groups that are in use.
We'll iterate through the reservations in the describe_instances() response to get the security groups in use by EC2 instances. We'll do the same for Classic load balancers, Application load balancers, and RDS DB instances, reading each response page by page with a paginator so that nothing is missed in larger accounts.
Finally, we'll collect the IDs of all security groups in the region and subtract the set of used security groups from the total set to get a list of unused security groups.
Note that "unused" here means not attached to one of these four resource types. A group that is attached to a Lambda function, an EFS mount target, an ElastiCache cluster or any other service that creates network interfaces will still show up as unused, and so will the VPC default group (which cannot be deleted) and a group that is only referenced from another group's rules (which cannot be deleted until that rule is removed). Treat the list as a review queue rather than a delete list.
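To close the gaps mentioned above, the following added example (not part of the original post or the aws-toolbox script) classifies groups from two EC2 API calls instead of four service-specific ones: describe_network_interfaces, because every service that consumes a security group does so through a network interface, and describe_security_groups, whose rule bodies reveal which groups are referenced by other groups' rules. It goes beyond the script above by separating "safe to review for deletion" from "would fail with DependencyViolation" and from the undeletable default group. The analysis function is pure and runs offline on the constructed sample responses embedded below; the sample group and ENI IDs are made up, and collect_from_aws() is only called when you pass --live with valid credentials.

```python
"""Classify security groups by what still references them.

Added example, not part of the original post. The response shapes of
describe_security_groups and describe_network_interfaces are the real ones;
the SAMPLE_* data below is constructed by hand so the logic runs offline.
"""
try:
    import boto3  # only needed by collect_from_aws(); the analysis is offline
except ImportError:  # pragma: no cover
    boto3 = None


def classify_security_groups(security_groups, network_interfaces):
    """Return a dict with four sorted lists of group IDs.

    attached:        on at least one ENI (EC2, ELB, RDS, Lambda, EFS, ... all
                     consume a security group through a network interface)
    referenced_only: on no ENI, but another group's rule names it as a source
                     or destination; DeleteSecurityGroup would fail with
                     DependencyViolation until that rule is removed
    default:         the VPC default group, which cannot be deleted at all
    unused:          nothing attaches to it or references it; review for deletion
    """
    all_ids = {sg["GroupId"] for sg in security_groups}
    attached = {g["GroupId"] for eni in network_interfaces for g in eni.get("Groups", [])}

    referenced = set()
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []) + sg.get("IpPermissionsEgress", []):
            for pair in perm.get("UserIdGroupPairs", []):
                # A group that only references itself does not keep itself alive.
                if pair["GroupId"] != sg["GroupId"]:
                    referenced.add(pair["GroupId"])

    default = {sg["GroupId"] for sg in security_groups if sg["GroupName"] == "default"}
    candidates = all_ids - attached - default
    return {
        "attached": sorted(attached & all_ids),
        "referenced_only": sorted(candidates & referenced),
        "default": sorted(default),
        "unused": sorted(candidates - referenced),
    }


def collect_from_aws(region_name=None):
    """Fetch every group and ENI in one region with paginators (needs credentials)."""
    ec2 = boto3.client("ec2", region_name=region_name)
    groups, enis = [], []
    for page in ec2.get_paginator("describe_security_groups").paginate():
        groups.extend(page["SecurityGroups"])
    for page in ec2.get_paginator("describe_network_interfaces").paginate():
        enis.extend(page["NetworkInterfaces"])
    return groups, enis


# Constructed sample data (made-up IDs) in the shape the two describe_* calls return:
# "web" is attached to an ENI and allows SSH from "bastion"; "db" allows Postgres
# from "web" but is attached nowhere; "bastion" is attached nowhere either.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0d0d0d0d0d0d0d0d0", "GroupName": "default",
     "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "UserIdGroupPairs": [{"GroupId": "sg-0cccccccccccccccc"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "GroupName": "db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "UserIdGroupPairs": [{"GroupId": "sg-0aaaaaaaaaaaaaaaa"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0cccccccccccccccc", "GroupName": "bastion",
     "IpPermissions": [], "IpPermissionsEgress": []},
]
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0123456789abcdef0",
     "Groups": [{"GroupId": "sg-0aaaaaaaaaaaaaaaa", "GroupName": "web"}]},
]

if __name__ == "__main__":
    import sys
    groups, enis = collect_from_aws() if "--live" in sys.argv else (SAMPLE_GROUPS, SAMPLE_ENIS)
    for bucket, ids in classify_security_groups(groups, enis).items():
        print(f"{bucket:16} {len(ids):3}  {ids}")
```

On the sample data only "db" ends up in the unused bucket: "bastion" is not attached anywhere but is still named in the web group's SSH rule, so deleting it would be refused until that rule goes, and the default group is reported separately because it can never be deleted. Run with --live to classify a real region using the profile and region from your AWS configuration.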
4. Running the Python boto3 script on your AWS account
To run the script, simply execute the following command in your terminal or command prompt. It uses the default profile and region from your AWS configuration; set the AWS_PROFILE and AWS_DEFAULT_REGION environment variables to point it at a different profile or region:
python find_unused_security_groups.py
The script will start running, and you should see output similar to the following:
➜ python find_unused_security_groups.py
Total Security Groups: 3
Used Security Groups: 0
Unused Security Groups: 3 compiled in the following list:
['sg-05fb07fc61fe187ad', 'sg-0d48a3989d74bd109', 'sg-06db595a19bbd3441']
The output will show the total number of security groups, the number of used security groups, and the number of unused security groups.
The unused security groups are listed at the end.
Conclusion
In this blog post, we have shown you how to find unused Amazon EC2 security groups in a single AWS Region using a Python Boto3 script.
By running this script, you can quickly identify which security groups are not attached to any EC2 instance, load balancer, or RDS DB instance. Review that list (a group may still be consumed by another service or referenced from another group's rules) and delete what is genuinely unused to maintain better security and a more organized AWS environment.
If you wish to delete all unused security groups in your AWS account, have a look at the following guide, which extends this script with the removal step.