AWS - Identify Unused Security Groups
AWS - Identify Unused Security Groups
Description
This automation job generates a listing of AWS security groups that are not associated with any network interfaces and are therefore eligible for deletion. It checks various AWS services to ensure comprehensive coverage.
Prerequisites
- Turn on "Runner as Node" setting on your Runner.
- This requires version 5.8.0 or higher. Adjustments to Node tab may be required for earlier versions.
- AWS CLI installed on the runner node.
- Proper AWS credentials configured on the runner node.
AWS IAM Permissions
The AWS IAM role or user associated with this job requires the following permissions:
ec2:DescribeSecurityGroupsec2:DescribeNetworkInterfaceselb:DescribeLoadBalancerselbv2:DescribeLoadBalancersrds:DescribeDBInstanceselasticache:DescribeCacheClustersredshift:DescribeClusters
These permissions should be applied to all resources in the specified region.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeSecurityGroups",
"ec2:DescribeNetworkInterfaces",
"elb:DescribeLoadBalancers",
"elbv2:DescribeLoadBalancers",
"rds:DescribeDBInstances",
"elasticache:DescribeCacheClusters",
"redshift:DescribeClusters"
],
"Resource": "*"
}
]
}Job Options
| Option Name | Description | Default Value |
|---|---|---|
region | AWS region to query for security groups | N/A |
always-show-results | Show results even when checking AWS services results in Access Errors | false |
Job Workflow
- It uses the AWS CLI to list all security groups in the specified region.
- The script then checks for security groups associated with:
- Network interfaces
- Classic load balancers
- Application/Network load balancers
- RDS instances
- ElastiCache clusters
- Redshift clusters
- It compares the list of all security groups against those associated with the above services.
- The job generates a report of security groups that are not associated with any of these services and are eligible for deletion.
Output
The job produces a detailed report with the following information:
- List of all security groups in the region
- List of security groups associated with various AWS services
- Security groups that can be safely deleted (not associated with any service)
- Warnings for default security groups (which cannot be deleted)
Script Details
The job uses a Bash script to perform the following tasks:
- Fetch all security groups in the specified region
- Retrieve security groups associated with various AWS services
- Compare the lists to identify unused security groups
- Generate a report of security groups eligible for deletion
Notes
- The job does not actually delete any security groups; it only provides recommendations.
- Default security groups are excluded from the deletion recommendations.
- The script includes error handling and can optionally show the recommendation results even if some AWS API calls result in errors.
Troubleshooting
If you encounter issues running this job:
- Ensure that the AWS CLI is properly installed on the runner node
- Verify that the AWS credentials on the runner node have the necessary permissions
- Check the
always-show-resultsoption if you want to see partial results in case of API errors