Security groups are an important part of ensuring your instances are secure. It acts as a virtual firewall for your instances, controlling inbound and outbound traffic.
Over time, you might have created many security groups that are not used anymore.
This not only adds to the clutter but also makes it difficult to manage your security groups effectively.
This blog post will show you how to find unused Amazon EC2 security groups in a single AWS region using a Python Boto3 script.
Table of Contents
How to find all unused security groups in an AWS Region
Before you can start, you’re required to have done the following prerequisites before you can run the Python script on your AWS account.
- Install the AWS CLI and configure an AWS profile
- Setting up the Python Environment
If you’ve already done this, you can proceed to step 3.
1. Install AWS CLI and configure an AWS profile
The AWS CLI is a command line tool that allows you to interact with AWS services in your terminal. Depending on if you’re running Linux, macOS, or Windows the installation goes like this:
# macOS install method:
brew install awscli
# Windows install method:
wget https://awscli.amazonaws.com/AWSCLIV2.msi
msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi
# Linux (Ubuntu) install method:
sudo apt install awscliIn order to access your AWS account with the AWS CLI, you first need to configure an AWS Profile. There are 2 ways of configuring a profile:
- Access and secret key credentials from an IAM user
- AWS Single Sign-on (SSO) user
In this article, I’ll briefly explain how to configure the first method so that you can proceed with running the python script on your AWS account.
If you wish to set up the AWS profile more securely, then I’d suggest you read and apply the steps described in setting up AWS CLI with AWS Single Sign-On (SSO).
In order to configure the AWS CLI with your IAM user’s access and secret key credentials, you need to login to the AWS Console.
Go to IAM > Users, select your IAM user, and click on the Security credentials tab to create an access and secret key.
Then configure the AWS profile on the AWS CLI as follows:
➜ aws configure
AWS Access Key ID [None]: <insert_access_key>
AWS Secret Access Key [None]: <insert_secret_key>
Default region name [None]: <insert_aws_region>
Default output format [json]: jsonYour was credentials are stored in ~/.aws/credentials and you can validate that your AWS profile is working by running the command:
➜ aws sts get-caller-identity
{
"UserId": "AIDA5BRFSNF24CDMD7FNY",
"Account": "012345678901",
"Arn": "arn:aws:iam::012345678901:user/test-user"
}2. Setting up the Python Environment
To be able to run the Python Boto3 script, you will need to have Python installed on your machine.
Depending on if you’re running Linux, macOS, or Windows the installation goes like this:
# macOS install method:
brew install python
# Windows install method:
wget https://www.python.org/ftp/python/3.11.2/python-3.11.2-amd64.exe
msiexec.exe /i https://www.python.org/ftp/python/3.11.2/python-3.11.2-amd64.exe
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
python get-pip.py
# Linux (Ubuntu) install method:
sudo apt install python3 python3-pipOnce you have installed Python, you will need to install the Boto3 library.
You can install Boto3 using pip, the Python package manager, by running the following command in your terminal:
pip install boto33. Create a Python Boto3 script to find unused Amazon EC2 security groups in a single AWS Region
Once you have our environment set up, you can create the Python script.
Copy the following code into a new file on the desired location and name it: find_unused_security_groups.py.
# https://github.com/dannysteenman/aws-toolbox
#
# License: MIT
#
# This script finds all unused security groups in a single AWS Region
import boto3
if __name__ == "__main__":
ec2 = boto3.client("ec2")
elb = boto3.client("elb")
elbv2 = boto3.client("elbv2")
rds = boto3.client("rds")
used_SG = set()
# Find EC2 instances security group in use.
response = ec2.describe_instances()
for reservation in response["Reservations"]:
for instance in reservation["Instances"]:
for sg in instance["SecurityGroups"]:
used_SG.add(sg["GroupId"])
# Find Classic load balancer security group in use
response = elb.describe_load_balancers()
for lb in response["LoadBalancerDescriptions"]:
for sg in lb["SecurityGroups"]:
used_SG.add(sg)
# Find Application load balancer security group in use
response = elbv2.describe_load_balancers()
for lb in response["LoadBalancers"]:
for sg in lb["SecurityGroups"]:
used_SG.add(sg)
# Find RDS db security group in use
response = rds.describe_db_instances()
for instance in response["DBInstances"]:
for sg in instance["VpcSecurityGroups"]:
used_SG.add(sg["VpcSecurityGroupId"])
response = ec2.describe_security_groups()
total_SG = [sg["GroupId"] for sg in response["SecurityGroups"]]
unused_SG = set(total_SG) - used_SG
print(f"Total Security Groups: {len(total_SG)}")
print(f"Used Security Groups: {len(used_SG)}\n")
print(f"Unused Security Groups: {len(unused_SG)} compiled in the following list:")
print(f"{list(unused_SG)}")We’ll use boto3 library to connect to our AWS account and access the EC2, ELB, and RDS clients.
We’ll then create a set to hold the security groups that are in use.
We’ll iterate through the reservations in the describe_instances() response to get the security groups in use by EC2 instances. We’ll do the same for ELBs, ALBs, and RDS DB instances.
Finally, we’ll create another set to hold all the security groups and subtract the set of used security groups from the total set to get a list of unused security groups.
4. Running the Python boto3 script on your AWS account
To run the script, simply execute the following command in your terminal or command prompt:
python find_unused_security_groups.pyThe script will start running, and you should see output similar to the following:
➜ python find_unused_security_groups.py
Total Security Groups: 3
Used Security Groups: 0
Unused Security Groups: 3 compiled in the following list:
['sg-05fb07fc61fe187ad', 'sg-0d48a3989d74bd109', 'sg-06db595a19bbd3441']The output will show the total number of security groups, the number of used security groups, and the number of unused security groups.
The unused security groups are listed at the end.
Conclusion
In this blog post, we have shown you how to find unused Amazon EC2 security groups using a Python Boto3 script.
By running this script, you can easily identify which security groups are not in use and delete them to maintain better security and a more organized AWS environment.
if you wish to delete all unused security groups on your AWS account then have a look at the following guide that will extend this script and proceeds with the removal.
