Skip to content

Instantly share code, notes, and snippets.

@dritten
Forked from miketheman/security-group-cleanup.py
Last active May 17, 2024 12:08
Show Gist options
  • Save dritten/51fa60a0ee669d7025ac to your computer and use it in GitHub Desktop.
Save dritten/51fa60a0ee669d7025ac to your computer and use it in GitHub Desktop.
#!/usr/bin/env python
import sys
import boto
import boto.ec2
import boto.ec2.elb
import boto.rds
import pprint
import argparse
def lookup_by_id(sgid):
sg = ec2.get_all_security_groups(group_ids=sgid)
return sg[0].name
# set credentials
#ACCESS_KEY="<ACCESS_KEY>"
#SECRET_KEY="<SECRET_KEY>"
#get a full list of the available regions
region_list=[]
counter=0
regions = boto.ec2.regions()
for i in regions:
#print regions[counter].name
region_list.append(str(regions[counter].name))
counter=counter+1
parser = argparse.ArgumentParser(description="Show unused security groups")
parser.add_argument("-r", "--region", type=str, default="us-east-1", help="The default region is us-east-1. The list of available regions are as follows: %s" % sorted(region_list))
parser.add_argument("-d", "--delete", help="delete security groups from AWS")
args = parser.parse_args()
pp = pprint.PrettyPrinter(indent=4)
ec2 = boto.ec2.connect_to_region(args.region, aws_access_key_id=ACCESS_KEY, aws_secret_access_key=SECRET_KEY)
allgroups = []
# Get ALL security groups names
groups = ec2.get_all_security_groups()
for groupobj in groups:
allgroups.append(groupobj.name)
# Get all instances security groups
groups_in_use = ['default']
reservations = ec2.get_all_instances()
for r in reservations:
for ec2_group_list in r.groups:
if ec2_group_list.name not in groups_in_use:
groups_in_use.append(ec2_group_list.name)
elb = boto.ec2.elb.connect_to_region(args.region, aws_access_key_id=ACCESS_KEY, aws_secret_access_key=SECRET_KEY)
load_balancers = elb.get_all_load_balancers()
for load_balancer in load_balancers:
if load_balancer.source_security_group.name not in groups_in_use:
groups_in_use.append(load_balancer.source_security_group.name)
rds = boto.rds.connect_to_region(args.region, aws_access_key_id=ACCESS_KEY, aws_secret_access_key=SECRET_KEY)
dbs = rds.get_all_dbinstances()
for db in dbs:
if len(db.vpc_security_groups) > 0:
sg_name = lookup_by_id(db.vpc_security_groups[0].vpc_group)
if sg_name not in groups_in_use:
groups_in_use.append(sg_name)
enis = ec2.get_all_network_interfaces()
for eni in enis:
for eni_grp in eni.groups:
if eni_grp.name not in groups_in_use:
groups_in_use.append(eni_grp.name)
delete_candidates = []
for group in allgroups:
if group not in groups_in_use and not group.startswith('AWS-OpsWorks-'):
delete_candidates.append(group)
if args.delete:
print "We will now delete security groups identified to not be in use."
for group in delete_candidates:
ec2.delete_security_group(group)
else:
print "The list of security groups to be removed is below."
print "Run this again with `-d` to remove them"
#pp.pprint(sorted(delete_candidates))
for group in sorted(delete_candidates):
print " " + group
print "---------------"
print "Activity Report"
print "---------------"
print "Total number of Security Groups evaluated: %d" % (len(groups_in_use))
print "Total number of EC2 Instances evaluated: %d" % (len(reservations))
print "Total number of Load Balancers evaluated: %d" % (len(load_balancers))
print "Total number of RDS instances evaluated: %d" % (len(dbs))
print "Total number of Network Interfaces evaluated: %d" % (len(enis))
if args.delete:
print "Total number of security groups deleted: %d" % (len(delete_candidates))
else:
print "Total number of security groups targeted for removal: %d" % (len(delete_candidates))
# For each security group in the total list, if not in the "used" list, flag for deletion
# If running with a "--delete" flag, delete the ones flagged.
@sa-jbrooks
Copy link

Yo, I've done a boto3/python 3.5 version of this. I also included VPCs, since they now claim security groups, and I've added an exception to note security groups that could not be automatically deleted.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment