The AWS Security Group Auditor scans 22 AWS services across your account to identify which resources are using each security group. This comprehensive check helps you safely identify and remove unused security groups.

Compute services

EC2

Resources checked: EC2 instances
The tool checks every EC2 instance in the account and records its associated security groups and instance state. The instance.group-id filter matches instances in any state, so a group attached only to a stopped instance still counts as in use; recently terminated instances can also appear until EC2 drops them, which is why the state is reported alongside the match.
# Source: check_sg_usage.py:70-79
instances = ec2.describe_instances(
    Filters=[{'Name': 'instance.group-id', 'Values': [sg_id]}]
)

Elastic Beanstalk

Resources checked: Elastic Beanstalk environments and their underlying EC2 instances
Lists every Elastic Beanstalk environment, resolves its managed EC2 instances through describe_environment_resources, and checks those instances' security groups.
# Source: check_sg_usage.py:207-221
eb_environments = elasticbeanstalk.describe_environments()
resources = elasticbeanstalk.describe_environment_resources(
    EnvironmentId=env['EnvironmentId']
)

Container services

ECS

Resources checked: ECS services with awsvpc network mode
Lists every ECS cluster and its services and reads each service's awsvpcConfiguration for security group associations; tasks in bridge or host network mode have no security groups of their own (they share the container instance's). Because describe_services accepts at most 10 service ARNs per call, services are described in chunks, and list_services is paginated for clusters with many services.
# Source: check_sg_usage.py:106-139
clusters = ecs.list_clusters()['clusterArns']
detailed_services = ecs.describe_services(
    cluster=cluster_arn, 
    services=service_chunk
)
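The chunking and pagination described above, as an added example that is not the auditor's own code: list_services is paginated and describe_services takes at most 10 service ARNs per call, so the services are described in slices of 10. The FakeEcs client, the cluster ARN and the 23 sample services are constructed here so the code runs without AWS credentials; with boto3, pass boto3.client('ecs') in place of the fake.

```python
from typing import Dict, Iterator, List, Optional


def chunked(items: List[str], size: int = 10) -> Iterator[List[str]]:
    """Yield successive slices of at most `size` items.

    ecs.describe_services accepts at most 10 service ARNs per request, so a
    cluster with hundreds of services has to be described in batches.
    """
    for i in range(0, len(items), size):
        yield items[i:i + size]


def service_security_groups(ecs, cluster_arn: str) -> Dict[str, List[str]]:
    """Map every service ARN in the cluster to the security groups of its
    awsvpc network configuration. Services in bridge/host mode carry no
    networkConfiguration and therefore map to an empty list."""
    service_arns: List[str] = []
    # list_services is paginated; the paginator walks every page for us.
    for page in ecs.get_paginator("list_services").paginate(cluster=cluster_arn):
        service_arns.extend(page.get("serviceArns", []))

    result: Dict[str, List[str]] = {}
    for chunk in chunked(service_arns, 10):
        resp = ecs.describe_services(cluster=cluster_arn, services=chunk)
        for svc in resp.get("services", []):
            awsvpc = svc.get("networkConfiguration", {}).get("awsvpcConfiguration", {})
            result[svc["serviceArn"]] = list(awsvpc.get("securityGroups", []))
    return result


def services_using_sg(ecs, cluster_arn: str, sg_id: str) -> List[str]:
    """Service ARNs in the cluster whose tasks are launched with sg_id."""
    return sorted(arn for arn, sgs in service_security_groups(ecs, cluster_arn).items()
                  if sg_id in sgs)


# --- Constructed stand-in for a boto3 ECS client so the example runs offline ---

class _Pages:
    def __init__(self, pages: List[dict]):
        self._pages = pages

    def paginate(self, **kwargs) -> Iterator[dict]:
        return iter(self._pages)


class FakeEcs:
    """Fake client: `services` maps ARN -> security groups (None = bridge/host mode)."""

    def __init__(self, services: Dict[str, Optional[List[str]]]):
        self._services = services
        self.batch_sizes: List[int] = []   # records how describe_services was called

    def get_paginator(self, operation: str) -> _Pages:
        assert operation == "list_services"
        arns = sorted(self._services)
        return _Pages([{"serviceArns": arns[i:i + 100]} for i in range(0, len(arns), 100)])

    def describe_services(self, cluster: str, services: List[str]) -> dict:
        if len(services) > 10:   # the real API rejects larger batches
            raise ValueError("describe_services: at most 10 services per call")
        self.batch_sizes.append(len(services))
        out = []
        for arn in services:
            svc = {"serviceArn": arn}
            sgs = self._services[arn]
            if sgs is not None:
                svc["networkConfiguration"] = {"awsvpcConfiguration": {"securityGroups": sgs}}
            out.append(svc)
        return {"services": out}


CLUSTER = "arn:aws:ecs:us-east-1:123456789012:cluster/demo"
# 23 constructed services: every 5th uses sg-0aaa, every other 7th is bridge mode.
SAMPLE_SERVICES: Dict[str, Optional[List[str]]] = {
    f"arn:aws:ecs:us-east-1:123456789012:service/demo/svc-{i:02d}":
        ["sg-0aaa"] if i % 5 == 0 else (None if i % 7 == 0 else ["sg-0bbb", "sg-0ccc"])
    for i in range(23)
}

if __name__ == "__main__":
    ecs = FakeEcs(SAMPLE_SERVICES)
    print(services_using_sg(ecs, CLUSTER, "sg-0aaa"))
    print("describe_services batch sizes:", ecs.batch_sizes)
```

Running it against the fake shows the three describe_services batches (10, 10, 3) that a 23-service cluster needs; forgetting the chunking is the usual reason an ECS scan works in a test account and fails in production.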

EKS

Resources checked: EKS node groups and cluster security groups
Lists every EKS cluster, reads the security groups in the cluster's VPC configuration, and checks each managed node group for security group usage.
# Source: check_sg_usage.py:142-151
eks_clusters = eks.list_clusters()['clusters']
nodegroup = eks.describe_nodegroup(
    clusterName=cluster_name, 
    nodegroupName=nodegroup_name
)

Load balancing

Classic Load Balancer (ELB)

Resources checked: Classic Load Balancers
Identifies the security groups attached to Classic Load Balancers (the SecurityGroups list returned by describe_load_balancers).
# Source: check_sg_usage.py:80-85
elbs = elb.describe_load_balancers()

Application/Network Load Balancer (ELBv2)

Resources checked: Application Load Balancers and Network Load Balancers
Checks ALBs and NLBs for security group associations. Every ALB has security groups; an NLB only has them if it was created with them, so an NLB without any is simply skipped.
# Source: check_sg_usage.py:87-92
elbv2_load_balancers = elbv2.describe_load_balancers()

Database services

RDS

Resources checked: RDS database instances
Scans every RDS DB instance, including the member instances of Aurora clusters, and reads its VpcSecurityGroups list.
# Source: check_sg_usage.py:94-104
dbs = rds.describe_db_instances()['DBInstances']

Neptune

Resources checked: Neptune database instances
Checks Neptune graph database instances for security group associations through Neptune's describe_db_instances call, which returns the same VpcSecurityGroups field as RDS.
# Source: check_sg_usage.py:190-196
neptune_instances = neptune.describe_db_instances()

DocumentDB

Resources checked: DocumentDB clusters
Scans DocumentDB clusters and the VPC security groups listed on each cluster.
# Source: check_sg_usage.py:198-204
docdb_clusters = docdb.describe_db_clusters()

Redshift

Resources checked: Redshift clusters
Identifies the VPC security groups associated with Redshift data warehouse clusters.
# Source: check_sg_usage.py:165-171
redshift_clusters = redshift.describe_clusters()

Caching and messaging

ElastiCache

Resources checked: ElastiCache clusters (Redis and Memcached)
Checks both Redis and Memcached ElastiCache clusters for security group usage. Each member node of a Redis replication group is returned as its own cache cluster, so a group used by a replication group shows up once per node.
# Source: check_sg_usage.py:174-180
cache_clusters = elasticache.describe_cache_clusters(
    ShowCacheNodeInfo=True
)

Amazon MSK

Resources checked: Managed Streaming for Apache Kafka clusters
Scans MSK (Kafka) clusters and reads the security groups of their broker node group configuration.
# Source: check_sg_usage.py:182-188
kafka_clusters = kafka.list_clusters()['ClusterInfoList']

Amazon MQ

Resources checked: Amazon MQ brokers
Lists Amazon MQ brokers and describes each one to read its security group associations.
# Source: check_sg_usage.py:287-295
mq_brokers = mq.list_brokers()['BrokerSummaries']
broker = mq.describe_broker(BrokerId=broker_summary['BrokerId'])

Analytics and machine learning

SageMaker

Resources checked: SageMaker endpoints
Identifies the security groups used by SageMaker model endpoints that were deployed with a VPC configuration.
# Source: check_sg_usage.py:223-231
sm_endpoints = sagemaker.list_endpoints()['Endpoints']
endpoint_desc = sagemaker.describe_endpoint(
    EndpointName=endpoint['EndpointName']
)

AWS Glue

Resources checked: Glue jobs and connections
Scans Glue ETL jobs, resolves the connections each job uses, and reads the security group list in each connection's PhysicalConnectionRequirements.
# Source: check_sg_usage.py:251-261
glue_jobs = glue.get_jobs()['Jobs']
connection_info = glue.get_connection(Name=connection_name)

Elasticsearch Service

Resources checked: Elasticsearch domains
Checks Elasticsearch (OpenSearch) domains deployed in a VPC by reading the security groups in their VPC options. The tool uses the legacy Elasticsearch Service API (describe_elasticsearch_domain), which also returns domains running OpenSearch engine versions.
# Source: check_sg_usage.py:264-272
es_domains = es.list_domain_names()['DomainNames']
domain_config = es.describe_elasticsearch_domain(
    DomainName=domain_name
)

Developer tools

CodeBuild

Resources checked: CodeBuild projects
Scans CodeBuild projects that run inside a VPC and checks the security groups in their vpcConfig.
# Source: check_sg_usage.py:154-162
codebuild_projects = codebuild.list_projects()['projects']
# batch_get_projects returns {'projects': [...]}; take the single project requested
project = codebuild.batch_get_projects(names=[project_name])['projects'][0]
vpc_config = project.get('vpcConfig', {})

Storage and file systems

Amazon FSx

Resources checked: FSx file systems (Windows File Server, Lustre, NetApp ONTAP, OpenZFS)
Identifies the security groups associated with FSx file systems of every type.
# Source: check_sg_usage.py:297-303
fsx_file_systems = fsx.describe_file_systems()['FileSystems']

File transfer and virtual desktops

AWS Transfer Family

Resources checked: Transfer Family servers (SFTP, FTPS, FTP)
Checks Transfer Family servers that use a VPC or VPC_ENDPOINT endpoint type and resolves their security groups through the server's VPC endpoint; servers with a PUBLIC endpoint have no security groups.
# Source: check_sg_usage.py:237-248
transfer_servers = transfer.list_servers()['Servers']
server_details = transfer.describe_server(ServerId=server_id)
vpc_config = ec2.describe_vpc_endpoints(
    VpcEndpointIds=[endpoint_details['VpcEndpointId']]
)

Amazon WorkSpaces

Resources checked: WorkSpaces directories
Scans WorkSpaces directories and reads the workspace security group configured on each directory.
# Source: check_sg_usage.py:305-310
workspaces_directories = workspaces.describe_workspace_directories()

Networking

VPC Endpoints

Resources checked: VPC endpoints (Interface and Gateway Load Balancer endpoints)
Identifies the security groups attached to VPC endpoints (the Groups field of describe_vpc_endpoints). Gateway endpoints for S3 and DynamoDB have no security groups and are skipped.
# Source: check_sg_usage.py:312-317
vpc_endpoints = ec2.describe_vpc_endpoints()['VpcEndpoints']

VPN Connections

Resources checked: Site-to-Site VPN connections
Checks VPN connections for security group references recorded in the tags of their customer gateways.
# Source: check_sg_usage.py:275-285
vpn_connections = ec2.describe_vpn_connections()
customer_gateway = ec2.describe_customer_gateways(
    CustomerGatewayIds=[customer_gateway_id]
)

Security group cross-references

The tool also checks whether a security group is named as the source (ingress) or destination (egress) in another security group's rules, that is, in the UserIdGroupPairs of a rule. This matters because such a group is "in use" even when no resource is attached to it, and EC2 refuses to delete a group while a rule still references it (DependencyViolation).
# Source: check_sg_usage.py:319-333
for sg in security_groups:
    for perm in sg.get('IpPermissions', []) + sg.get('IpPermissionsEgress', []):
        for user_id_group_pair in perm.get('UserIdGroupPairs', []):
            if user_id_group_pair['GroupId'] == sg_id:
                referenced_by_sgs.append(sg['GroupId'])
If another security group's rules reference a group, it is considered "in use" and is not flagged for deletion.
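An added example of the cross-reference check, not code from check_sg_usage.py, that also records why a group is referenced and separates two cases the snippet above treats alike: a rule in another group, which means that group depends on this one, and a rule in the group itself, which is common in cluster security groups and keeps nothing else working but still has to be revoked before EC2 will delete the group (the delete otherwise fails with DependencyViolation). SAMPLE_GROUPS is a constructed describe_security_groups response trimmed to the fields used. One limit to keep in mind: rules in security groups owned by another account (across VPC peering) reference your group by ID but are not returned by your account's describe_security_groups, so an empty result here does not prove the group is unreferenced everywhere.

```python
from typing import List


def references_to(security_groups: List[dict], sg_id: str) -> List[dict]:
    """Every rule in `security_groups` whose source or destination is sg_id.

    `security_groups` is the SecurityGroups list from ec2.describe_security_groups.
    Each hit records the referring group, direction, protocol and port range so
    the report can say *why* a group counts as in use.
    """
    hits: List[dict] = []
    for sg in security_groups:
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                for pair in perm.get("UserIdGroupPairs", []):
                    if pair.get("GroupId") != sg_id:
                        continue
                    hits.append({
                        "referrer": sg["GroupId"],
                        "direction": direction,
                        "protocol": perm.get("IpProtocol", "-1"),
                        "from_port": perm.get("FromPort"),
                        "to_port": perm.get("ToPort"),
                        # UserId differs from the owner when the rule points across
                        # a VPC peering into another account.
                        "user_id": pair.get("UserId"),
                        "self": sg["GroupId"] == sg_id,
                    })
    return hits


def usage_verdict(security_groups: List[dict], sg_id: str) -> dict:
    """Summarize the rule references to sg_id.

    in_use: some *other* group depends on sg_id.
    revoke_before_delete: any reference at all, a self-reference included,
    makes delete_security_group fail with DependencyViolation until the
    referencing rules are revoked.
    """
    hits = references_to(security_groups, sg_id)
    referrers = sorted({h["referrer"] for h in hits if not h["self"]})
    return {
        "referenced_by": referrers,
        "self_referencing": any(h["self"] for h in hits),
        "in_use": bool(referrers),
        "revoke_before_delete": bool(hits),
    }


def _pair(group_id: str) -> dict:
    return {"GroupId": group_id, "UserId": "123456789012"}


# Constructed describe_security_groups output (only the fields used above).
SAMPLE_GROUPS: List[dict] = [
    {"GroupId": "sg-0target", "OwnerId": "123456789012",
     "IpPermissions": [  # self-reference, common in cluster security groups
         {"IpProtocol": "-1", "UserIdGroupPairs": [_pair("sg-0target")]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0app", "OwnerId": "123456789012",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "UserIdGroupPairs": [_pair("sg-0target")]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0db", "OwnerId": "123456789012",
     "IpPermissions": [],
     "IpPermissionsEgress": [  # egress rule whose destination is the target
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "UserIdGroupPairs": [_pair("sg-0target")]}]},
    {"GroupId": "sg-0lonely", "OwnerId": "123456789012",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [_pair("sg-0lonely")]}],
     "IpPermissionsEgress": []},
]

if __name__ == "__main__":
    for gid in ("sg-0target", "sg-0lonely", "sg-0app"):
        print(gid, usage_verdict(SAMPLE_GROUPS, gid))
```

With the sample data, sg-0target is held in use by sg-0app and sg-0db, while sg-0lonely is referenced only by itself: nothing depends on it, but its own rule must be revoked before the delete call succeeds.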

Coverage summary

The auditor provides comprehensive coverage across:
  • Compute: EC2, ECS, EKS, Elastic Beanstalk
  • Databases: RDS, Neptune, DocumentDB, Redshift, ElastiCache
  • Networking: ELB, ALB, NLB, VPC Endpoints, VPN
  • Storage: FSx
  • Analytics: Glue, Elasticsearch, MSK
  • ML: SageMaker
  • Developer Tools: CodeBuild
  • Messaging: Amazon MQ
  • Transfer: Transfer Family, WorkSpaces
  • Security Group Rules: Cross-references between security groups
The tool covers the vast majority of AWS services that support security groups. If you need support for additional services, contributions are welcome - see the contributing guide.
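As an added catch-all that is not part of the auditor: every VPC resource that carries a security group holds it on an elastic network interface, so describe_network_interfaces filtered by group-id finds attachments the per-service checks above do not enumerate (Lambda functions in a VPC, EFS mount targets, RDS Proxy endpoints, and so on). The example groups the matches by owner using InterfaceType and the Description strings that ELB and RDS write into their ENIs; FakeEc2 and SAMPLE_ENIS are constructed so it runs offline, and with boto3 you would pass boto3.client('ec2') instead. Security groups and ENIs are regional, so the audit has to be repeated in every region in use.

```python
from collections import Counter
from typing import Dict, Iterator, List


def enis_using_sg(ec2, sg_id: str) -> List[dict]:
    """All network interfaces in the region that carry sg_id.

    Uses the describe_network_interfaces `group-id` filter through the
    paginator so accounts with thousands of ENIs are walked completely.
    """
    enis: List[dict] = []
    paginator = ec2.get_paginator("describe_network_interfaces")
    for page in paginator.paginate(Filters=[{"Name": "group-id", "Values": [sg_id]}]):
        enis.extend(page.get("NetworkInterfaces", []))
    return enis


def owner_of(eni: dict) -> str:
    """Best-effort label for what owns an ENI.

    InterfaceType is authoritative for AWS-managed interfaces ("lambda",
    "efs", "vpc_endpoint", ...). Plain "interface" ENIs are attributed from
    the attachment or from the Description that ELB and RDS write, which is
    a convention rather than a contract, so unknown ones are kept visible.
    """
    itype = eni.get("InterfaceType", "interface")
    if itype != "interface":
        return itype
    attachment = eni.get("Attachment", {})
    if attachment.get("InstanceId"):
        return "ec2:" + attachment["InstanceId"]
    desc = eni.get("Description", "")
    if desc.startswith("ELB "):
        return "elb:" + desc[4:]
    if desc.startswith("RDSNetworkInterface"):
        return "rds"
    return "unknown:" + eni["NetworkInterfaceId"]


def usage_summary(enis: List[dict]) -> Dict[str, int]:
    """Count matching interfaces per owner label."""
    return dict(Counter(owner_of(e) for e in enis))


# --- Constructed stand-in for a boto3 EC2 client so the example runs offline ---

class FakeEc2:
    def __init__(self, enis: List[dict]):
        self._enis = enis

    def get_paginator(self, operation: str) -> "FakeEc2":
        assert operation == "describe_network_interfaces"
        return self

    def paginate(self, **kwargs) -> Iterator[dict]:
        wanted = {v for f in kwargs.get("Filters", [])
                  if f["Name"] == "group-id" for v in f["Values"]}
        hits = [e for e in self._enis
                if wanted & {g["GroupId"] for g in e.get("Groups", [])}]
        # two pages, to exercise the pagination loop
        yield {"NetworkInterfaces": hits[:2]}
        yield {"NetworkInterfaces": hits[2:]}


def _eni(eni_id: str, sg: str, **extra) -> dict:
    return {"NetworkInterfaceId": eni_id, "Groups": [{"GroupId": sg}], **extra}


# Constructed sample: seven ENIs, six of them on sg-0target.
SAMPLE_ENIS: List[dict] = [
    _eni("eni-0a", "sg-0target", InterfaceType="interface",
         Attachment={"InstanceId": "i-0abc", "Status": "attached"}),
    _eni("eni-0b", "sg-0target", InterfaceType="lambda",
         Description="AWS Lambda VPC ENI-orders-fn", Attachment={"Status": "attached"}),
    _eni("eni-0c", "sg-0target", InterfaceType="efs", Description="EFS mount target"),
    _eni("eni-0d", "sg-0target", InterfaceType="interface",
         Description="ELB app/web/0123456789abcdef"),
    _eni("eni-0e", "sg-0target", InterfaceType="interface",
         Description="RDSNetworkInterface"),
    _eni("eni-0f", "sg-0other", InterfaceType="interface",
         Attachment={"InstanceId": "i-0def", "Status": "attached"}),
    _eni("eni-0g", "sg-0target", InterfaceType="interface", Description=""),
]

if __name__ == "__main__":
    ec2 = FakeEc2(SAMPLE_ENIS)
    print(usage_summary(enis_using_sg(ec2, "sg-0target")))
```

If this call returns no interfaces and the rule cross-reference check is clean, the group is not attached to anything in the region; if it returns interfaces the per-service scan did not explain, the owner labels tell you which service to look at next.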
