boto3 searching unused security groups
First, I suggest you re-look at how boto3 deals with credentials. Better to use a generic AWS credentials file, so in the future, when required, you can switch to IAM role-based credentials or AWS STS without changing your code.
import boto3

# You should use the credential profile file
ec2 = boto3.client("ec2")

# In boto3, if you have more than 1000 entries, you need to handle the pagination
# using the NextToken parameter, which is not shown here.
all_instances = ec2.describe_instances()
all_sg = ec2.describe_security_groups()

instance_sg_set = set()
sg_set = set()

# Collect the names of every group attached to an instance
for reservation in all_instances["Reservations"]:
    for instance in reservation["Instances"]:
        for sg in instance["SecurityGroups"]:
            instance_sg_set.add(sg["GroupName"])

# Collect the names of every group in the account/region
for security_group in all_sg["SecurityGroups"]:
    sg_set.add(security_group["GroupName"])

# Groups that exist but are not attached to any instance
idle_sg = sg_set - instance_sg_set
Note: the code is not tested. Please debug it as required.
Use the power of Boto3 and Python's list comprehensions and sets to get what you want in 7 lines of code:
import boto3

ec2 = boto3.resource('ec2')  # You have to change this line based on how you pass AWS credentials and AWS config

# The resource collections page through the API for you
sgs = list(ec2.security_groups.all())
insts = list(ec2.instances.all())

all_sgs = {sg.group_name for sg in sgs}
all_inst_sgs = {sg['GroupName'] for inst in insts for sg in inst.security_groups}

unused_sgs = all_sgs - all_inst_sgs

print('Total SGs:', len(all_sgs))
print('SGS attached to instances:', len(all_inst_sgs))
print('Orphaned SGs:', len(unused_sgs))
print('Unattached SG names:', unused_sgs)
Total SGs: 289
SGS attached to instances: 129
Orphaned SGs: 160
Unattached SG names: set(['mysg', '...
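Both answers above key on GroupName and only look at EC2 instances. Two things bite in practice: group names are only unique within a VPC (every VPC has a "default" group, and two VPCs can each have a "web" group, so a name set silently merges them), and security groups are also held by ENIs that belong to RDS, load balancers, Lambda, EFS mount targets and so on, and can be referenced from another group's rules, in which case DeleteSecurityGroup fails with DependencyViolation. The following is an added example, not code from either answer; it keys on GroupId, walks network interfaces instead of instances, paginates with boto3's paginators, and runs offline against constructed sample data (the short sg-/eni- identifiers and the account id are made up, not taken from a real account):

```python
"""Find EC2 security groups that nothing references, keyed by GroupId.

Added example, not code from the original answers. It relies only on the
documented response shapes of describe_security_groups and
describe_network_interfaces; the sample data below is constructed.
"""
from typing import Dict, List, Set, Tuple

SecurityGroup = Dict
NetworkInterface = Dict


def referenced_group_ids(security_groups: List[SecurityGroup],
                         network_interfaces: List[NetworkInterface]) -> Set[str]:
    """GroupIds that are in use: attached to any ENI, or named in another group's rules."""
    used: Set[str] = set()
    # ENIs cover every attachment type, not only EC2 instances: RDS, ELB/ALB,
    # Lambda in a VPC, EFS mount targets and so on all hold their groups on an ENI.
    for eni in network_interfaces:
        for group in eni.get("Groups", []):
            used.add(group["GroupId"])
    # A group referenced from another group's ingress/egress rules cannot be
    # deleted either (DependencyViolation). A group that references only
    # itself still counts as unused.
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []) + sg.get("IpPermissionsEgress", []):
            for pair in perm.get("UserIdGroupPairs", []):
                ref = pair.get("GroupId")
                if ref and ref != sg["GroupId"]:
                    used.add(ref)
    return used


def unused_security_groups(security_groups: List[SecurityGroup],
                           network_interfaces: List[NetworkInterface]) -> List[SecurityGroup]:
    """Groups that are neither attached nor referenced. The per-VPC 'default'
    group cannot be deleted, so it is left out of the report."""
    used = referenced_group_ids(security_groups, network_interfaces)
    return sorted(
        (sg for sg in security_groups
         if sg["GroupId"] not in used and sg["GroupName"] != "default"),
        key=lambda sg: sg["GroupId"],
    )


def collect_from_aws(region: str = None) -> Tuple[List[SecurityGroup], List[NetworkInterface]]:
    """Fetch all groups and ENIs for one region, following pagination."""
    import boto3  # imported here so the pure functions above run without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)  # credentials come from the usual chain
    sgs = [sg for page in ec2.get_paginator("describe_security_groups").paginate()
           for sg in page["SecurityGroups"]]
    enis = [eni for page in ec2.get_paginator("describe_network_interfaces").paginate()
            for eni in page["NetworkInterfaces"]]
    return sgs, enis


# Constructed sample data in the shape the EC2 API returns (identifiers are made up).
SAMPLE_SECURITY_GROUPS: List[SecurityGroup] = [
    {"GroupId": "sg-0a1", "GroupName": "web", "VpcId": "vpc-1",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0b2", "GroupName": "db", "VpcId": "vpc-1",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "UserIdGroupPairs": [{"GroupId": "sg-0a1", "UserId": "123456789012"},
                                             {"GroupId": "sg-0c3", "UserId": "123456789012"}]}],
     "IpPermissionsEgress": []},
    # bastion: no ENI, but referenced by db's rule, so deletion would fail
    {"GroupId": "sg-0c3", "GroupName": "bastion", "VpcId": "vpc-1",
     "IpPermissions": [], "IpPermissionsEgress": []},
    # second "web" in another VPC: a name-based comparison would hide this one
    {"GroupId": "sg-0d4", "GroupName": "web", "VpcId": "vpc-2",
     "IpPermissions": [], "IpPermissionsEgress": []},
    # references only itself: still unused
    {"GroupId": "sg-0e5", "GroupName": "cluster", "VpcId": "vpc-2",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0e5"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0f6", "GroupName": "default", "VpcId": "vpc-2",
     "IpPermissions": [], "IpPermissionsEgress": []},
]

SAMPLE_NETWORK_INTERFACES: List[NetworkInterface] = [
    {"NetworkInterfaceId": "eni-1", "Description": "",
     "Groups": [{"GroupId": "sg-0a1", "GroupName": "web"}]},
    {"NetworkInterfaceId": "eni-2", "Description": "RDSNetworkInterface",
     "Groups": [{"GroupId": "sg-0b2", "GroupName": "db"}]},
]


if __name__ == "__main__":
    sgs, enis = collect_from_aws()
    for sg in unused_security_groups(sgs, enis):
        print(sg["GroupId"], sg["VpcId"], sg["GroupName"])
```

On the sample data this reports sg-0d4 and sg-0e5 only: the bastion group is kept because the db group's rule points at it, and the second "web" group surfaces because the comparison is on GroupId. When you act on the output, delete by GroupId as well; deleting by name is ambiguous outside the default VPC.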