How do I determine what a given AWS Security Group is associated with?
The AWS EC2 Security Groups documentation mentions that "Security groups for EC2-VPC have additional capabilities that aren't supported by security groups for EC2-Classic", but the Security Groups dashboard does not provide any information on the "capabilities" or attributes of Security Groups that would allow me to distinguish what kind of Security Group I'm looking at or what it is attached to, so that, for example, I can't figure out whether I can consolidate Security Groups and share them across EC2 instances (for easier management):

  1. How do I determine whether a given Security Group is appropriate for a given instance?
  2. How do I determine which instances a Security Group is associated with (I see how to do the inverse in the Instances console)?
Isola answered 25/5, 2017 at 16:51 Comment(0)
To find all instances associated with security group My-SG, use the following AWS CLI command:

aws ec2 describe-instances --filters "Name=instance.group-name,Values=My-SG" --query 'Reservations[*].Instances[*].[Tags[?Key==`Name`].Value]' --output text
Spook answered 25/5, 2017 at 18:48 Comment(5)
Great! And if that comes back empty, I can (almost certainly) delete "My-SG"? - Isola
Yes. And even by mistake, if you try to delete a SG that has an instance associated with it, AWS won't let you. - Spook
And the ones that say default VPC (that must be associated with a VPC?). I assume I'd be prevented from accidentally deleting those too (even though they won't show an instance)? - Isola
Yes, AWS won't let you delete the default VPC security group. - Spook
Unless I've got rid of the corresponding VPC first, right? - Isola
Security groups for EC2-VPC have additional capabilities that aren't supported by security groups for EC2-Classic

This is only relevant if you have an AWS account that actually supports EC2-Classic. If the account is less than a few years old, you do not have support for EC2-Classic. Security groups worked differently in EC2-Classic, as it was an entirely flat network. With the creation of VPCs, security groups are now segregated by VPC.

  1. How do I determine whether a given Security Group is appropriate for a given instance?

This is entirely up to you and what is on the instance. Security groups are a generic concept and can be applied to any instance. For example, if the instance is running something that needs to contact DynamoDB then you need to have a security group for that instance that supports that interaction. Likewise, if you have an instance that is running a webserver you might want a security group that exposes port 80.

  2. How do I determine which instances a Security Group is associated with (I see how to do the inverse in the Instances console)?

This can be quite daunting to accomplish via the GUI, depending on the number of instances, even assuming you only want to look at EC2 groups and not something like RDS as well. It is most easily accomplished using the CLI and a command like:

$ aws ec2 describe-instances --output text | grep sg-{Some id}
Loudmouth answered 25/5, 2017 at 17:11 Comment(5)
So (1) if I have a standard policy for some kind of port access, I can put that in a SG and assign it to any of my EC2 instances to which I want that access to apply, and (2) I should be able to remove any SG from an instance and the only change in its behavior will be the loss of whatever in/out-bound rules the SG defined (there's nothing about an SG beyond that that's hidden from me)? - Isola
Any idea why I would have 10 SGs (with descriptions like "AWS created security group for d-914925e76b directory controllers" or "default VPC security group") but no Instances, Volumes, or anything else in a region? Does Lambda create these, or CodePipeline? Can I just delete them? - Isola
@raxacoricofallapatorius those are SGs created during instance launch, but later the instance was terminated and the SG was not deleted. You can delete them, but you can't delete the default VPC security group. - Spook
I have several (6) that are called default VPC security group. - Isola
That means you have 6 VPCs. - Spook
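Both answers search instances only. As an added example (not from either answer), the script below works from the network-interface view instead, which also covers the RDS, Lambda and load-balancer attachments mentioned above, and it checks whether another group's rules reference the SG, since AWS refuses to delete a group in either situation. It assumes the two lists were fetched with `aws ec2 describe-network-interfaces --filters Name=group-id,Values=<sg-id> --output json` and `aws ec2 describe-security-groups --output json`; the embedded sample responses and ids are constructed.

```python
"""Summarise what a security group is attached to, from the JSON that
`aws ec2 describe-network-interfaces` / `describe-security-groups` print."""

def sg_attachments(sg_id, enis):
    """Return each ENI carrying sg_id together with what it belongs to."""
    hits = []
    for eni in enis:
        if not any(g["GroupId"] == sg_id for g in eni.get("Groups", [])):
            continue
        # EC2 instances show up in Attachment; RDS/Lambda/ELB ENIs carry a
        # service Description instead and no InstanceId.
        owner = (eni.get("Attachment", {}).get("InstanceId")
                 or eni.get("Description") or "(unattached)")
        hits.append({"eni": eni["NetworkInterfaceId"],
                     "type": eni.get("InterfaceType", "interface"),
                     "owner": owner})
    return hits

def sg_referrers(sg_id, sgs):
    """Other security groups whose ingress or egress rules reference sg_id."""
    refs = set()
    for sg in sgs:
        if sg["GroupId"] == sg_id:
            continue
        for perm in sg.get("IpPermissions", []) + sg.get("IpPermissionsEgress", []):
            if any(p.get("GroupId") == sg_id for p in perm.get("UserIdGroupPairs", [])):
                refs.add(sg["GroupId"])
    return sorted(refs)

def safe_to_delete(sg_id, enis, sgs):
    """True only if nothing is attached to sg_id and no rule references it."""
    return not sg_attachments(sg_id, enis) and not sg_referrers(sg_id, sgs)

# Constructed sample responses (hypothetical ids, not real account data).
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0a1", "InterfaceType": "interface",
     "Groups": [{"GroupId": "sg-0aaa"}], "Attachment": {"InstanceId": "i-0123"}},
    {"NetworkInterfaceId": "eni-0b2", "InterfaceType": "lambda",
     "Description": "AWS Lambda VPC ENI-fn", "Groups": [{"GroupId": "sg-0aaa"}]},
]
SAMPLE_SGS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-0bbb", "IpPermissionsEgress": [],
     "IpPermissions": [{"UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [], "IpPermissionsEgress": []},
]

if __name__ == "__main__":  # run against the constructed samples
    for sg in ("sg-0aaa", "sg-0ccc"):
        print(sg, "deletable" if safe_to_delete(sg, SAMPLE_ENIS, SAMPLE_SGS) else "in use")
```

An ENI whose owner is a service description rather than an instance id is exactly the case the instance-only queries above miss.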