Skip to content

Instantly share code, notes, and snippets.

@arpcefxl

arpcefxl/secgroupdelete_ec2classic.py

Created April 14, 2015 04:30
Show Gist options
  • Save arpcefxl/2acd7d873b95dbebcd42 to your computer and use it in GitHub Desktop.
Save arpcefxl/2acd7d873b95dbebcd42 to your computer and use it in GitHub Desktop.
Download ZIP
AWS ec2 security group delete scripts. One script is for ec2-classic, the other is for VPC
Raw
secgroupdelete_ec2classic.py
#!/usr/bin/env python
# Authored by Chad Smith on 3/10/2015
# please feel free to contact me at arpcefxl@gmail.com with comments or questions
# assumes you have already run aws configure or are running in an ec2 role
import boto.ec2, sys
region = sys.argv[1]
secgroup = sys.argv[2]
conn = boto.ec2.connect_to_region(region)
allgroups = conn.get_all_security_groups()
mygroup = conn.get_all_security_groups(groupnames=secgroup)
groupname = mygroup[0].name
groupid = mygroup[0].id
group = mygroup[0]
for rule in group.rules:
for grants in rule.grants:
if grants.cidr_ip:
print "revoking ingress rule with source as cidr_ip"
print groupname, rule.ip_protocol, rule.from_port, rule.to_port, grants.cidr_ip
conn.revoke_security_group(group_name=groupname, ip_protocol=rule.ip_protocol, from_port=rule.from_port, to_port=rule.to_port, cidr_ip=grants.cidr_ip)
else:
print "revoking ingress rule with source as security group"
print groupname, rule.ip_protocol, rule.from_port, rule.to_port, grants.name
if grants.name == 'amazon-elb-sg':
print "revoking ingress rule with ELB as security group"
conn.revoke_security_group(group_name=groupname, ip_protocol=rule.ip_protocol, from_port=rule.from_port, to_port=rule.to_port, src_security_group_group_id=grants.group_id,src_security_group_owner_id='amazon-elb')
else:
conn.revoke_security_group(group_name=groupname, ip_protocol=rule.ip_protocol, from_port=rule.from_port, to_port=rule.to_port, src_security_group_name=grants.name)
# handle cases where the security group is referred to by other security groups
for othergroup in allgroups:
for otherrule in othergroup.rules:
for othergrant in otherrule.grants:
grant_nom = othergrant.name or othergrant.group_id
if grant_nom:
if grant_nom == groupname:
print "revoking ingress rule where source is the security group to be deleted"
print othergroup.name, otherrule.ip_protocol, otherrule.from_port, otherrule.to_port, othergrant.name
conn.revoke_security_group(group_name=othergroup.name, ip_protocol=otherrule.ip_protocol, from_port=otherrule.from_port, to_port=otherrule.to_port, src_security_group_name=groupname)
# delete the security group itself
print "deleting security group"
conn.delete_security_group(name=groupname)
Raw
secgroupdelete_vpc.py
#!/usr/bin/env python
# Authored by Chad Smith on 3/10/2015
# please feel free to contact me at arpcefxl@gmail.com with comments or questions
# assumes you have already run aws configure or are running in an ec2 role
import boto.ec2, sys
region = sys.argv[1]
secgroup = sys.argv[2]
conn = boto.ec2.connect_to_region(region)
allgroups = conn.get_all_security_groups()
mygroup = conn.get_all_security_groups(group_ids=secgroup)
groupname = mygroup[0].name
groupid = mygroup[0].id
group = mygroup[0]
for rule in group.rules:
for grants in rule.grants:
if grants.cidr_ip:
print "revoking ingress rule with source as cidr_ip"
print groupname, groupid, rule.ip_protocol, rule.from_port, rule.to_port, grants.cidr_ip
conn.revoke_security_group(group_id=groupid, ip_protocol=rule.ip_protocol, from_port=rule.from_port, to_port=rule.to_port, cidr_ip=grants.cidr_ip)
else:
print "revoking ingress rule with source as security group"
print groupname, groupid, rule.ip_protocol, rule.from_port, rule.to_port, grants.name
conn.revoke_security_group(group_id=groupid, ip_protocol=rule.ip_protocol, from_port=rule.from_port, to_port=rule.to_port, src_security_group_name=grants.name)
# handle cases where the security group is referred to by other security groups
for othergroup in allgroups:
for otherrule in othergroup.rules:
for othergrant in otherrule.grants:
grant_nom = othergrant.name or othergrant.group_id
if grant_nom:
if grant_nom == groupid:
print "revoking ingress rule where source is the security group to be deleted"
print othergroup.name, otherrule.ip_protocol, otherrule.from_port, otherrule.to_port, othergrant.group_id
conn.revoke_security_group(group_id=othergroup.id, ip_protocol=otherrule.ip_protocol, from_port=otherrule.from_port, to_port=otherrule.to_port, src_security_group_id=groupid)
# delete the security group itself
print "deleting security group"
conn.delete_security_group(group_id=groupid)
@rjurney
Copy link

rjurney commented Jan 7, 2020

This is what I came up with for boto3:

import boto3
from botocore.exceptions import ClientError

REGION = 'us-east-1'

ec2 = boto3.client('ec2', region_name=REGION)

# Keep removing until all are gone
while True:
    groups = ec2.describe_security_groups()['SecurityGroups']
    group_ids = [g['GroupId'] for g in groups]
    groups_left = len(group_ids)

    if groups_left > 0:
        print(f'Groups left to deauthorize: {groups_left}')
    else:
        print('Complete! All security groups removed.')
        break

    for group in groups:
        print(
            f'Removing ingress from Group ID: {group["GroupId"]}, Group Name: {group["GroupName"]}'
        )
        for ingress in group['IpPermissions']:

            new_group_id_pairs = list()
            for user_group_id_pair in ingress['UserIdGroupPairs']:
                print(user_group_id_pair)
                if isinstance(user_group_id_pair, set):
                    list_ug = list(user_group_id_pair)

                    # Create a new user group pair list without a GroupName
                    new_ug = {}
                    key, value = None, None
                    for i, ug in enumerate(list_ug):
                        if i % 2 == 0:
                            key = ug[i]
                        else:
                            value = ug[i]
                            if key not in ['GroupName']:
                                new_ug[key] = value
                elif isinstance(user_group_id_pair, dict):
                    new_ug = user_group_id_pair.copy()
                    if 'GroupName' in new_ug:
                        del new_ug['GroupName']

                new_group_id_pairs.append(new_ug)

            ingress['UserIdGroupPairs'] = new_group_id_pairs

            kwargs = {
                'DryRun': False,
                'GroupName': group['GroupName'],
                'IpPermissions': [ingress]
            }

            try:
                r2 = ec2.revoke_security_group_ingress(**kwargs)
                print(f'Revoked ingress: {ingress}')
            except ClientError:
                print(f'Error revoking ingress: {ingress}')

        try:
            ec2.delete_security_group(GroupId=group['GroupId'])
            print(f'Success removing security Group ID {group["GroupId"]}, Group Name: {group["GroupName"]}!')
        except ClientError:
            print(f'Error removing security Group ID {group["GroupId"]}, Group Name: {group["GroupName"]}!')

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment