How to determine AWS security group dependencies?

Solution 1:

Paste the security group ID in the "Network Interfaces" section of EC2. This will find usage across EC2, EB, RDS, ELB.

CLI: aws ec2 describe-network-interfaces --filters Name=group-id,Values=sg-123abc45

Solution 2:

The best way to do this in the AWS EC2 console, is to paste in the security group name in the search field in the EC2->Instances section.

All instances associated with the pasted security group will then populate-those would be the ec2 objects (dependencies).

You can also run this search in ELB section and other AWS offerings that utilize security groups.

If you are trying to delete the security group, you will need to either 'change security group' for each instance (if they are in a VPC) or create an AMI and relaunch using a different security group-then delete the old instance (if using EC2 classic)

Hope that helps-

Solution 3:

You need to look at your EC2 instance objects, not the groups themselves:

$ aws ec2 describe-instances --output text

Then either look for "sg-*" or use standard unix text stream processing tools to pull out the data you need.

Alternatively, if you have a small number of instances, use --output table for a nicely-formatted list.

Solution 4:

You can interrogate the aws cli to get the data you want.

You'll need to:

  • List all security groups looking for references to the group in question
  • List all EC2s and their groups
  • List all ELBs and their groups
  • List all RDSs and their groups

You could also use libraries, like boto instead of the raw aws cli.

Solution 5:

Lambda functions may also have Security Groups. At time of writing, Amazon does not prevent deletion of security groups used by Lambda functions.

I used this:

aws lambda list-functions | jq -c '.Functions[] | {FunctionArn, SecurityGroups: (.VpcConfig.SecurityGroupIds[]? // null) }'


Amazon Ec2