Visualize EC2 security group dependencies

dot-generator.rb

require 'aws-sdk-ec2'

ec2 = Aws::EC2::Client.new

response = ec2.describe_security_groups

puts('digraph securitygroups {')

loop do
  response.security_groups.each do |security_group|
    group_id = security_group.group_id
    printf(%|  "%s" [label="%s"]\n|, group_id, security_group.group_name)
    security_group.ip_permissions.each do |ip_permissions|
      protocol = ip_permissions.ip_protocol
      if protocol == '-1'
        label = 'ALL'
      elsif protocol == 'icmp'
        label = protocol.upcase
      elsif ip_permissions.from_port == ip_permissions.to_port
        label = sprintf('%s %d', protocol.upcase, ip_permissions.from_port)
      else
        label = sprintf('%s %d-%d', protocol.upcase, ip_permissions.from_port, ip_permissions.to_port)
      end
      ip_permissions.ip_ranges.each do |ip_range|
        printf(%|  "%s" -> "%s" [label="%s"];\n|, ip_range.cidr_ip, group_id, label)
      end
      ip_permissions.ipv_6_ranges.each do |ip_range|
        printf(%|  "%s" -> "%s" [label="%s"];\n|, ip_range.cidr_ipv_6, group_id, label)
      end
      ip_permissions.prefix_list_ids.each do |prefix_list_id|
        printf(%|  "%s" -> "%s" [label="%s"];\n|, prefix_list_id, group_id, label)
      end
      ip_permissions.user_id_group_pairs.each do |user_id_group_pair|
        unless user_id_group_pair.group_id == group_id
          printf(%|  "%s" -> "%s" [label="%s"];\n|, user_id_group_pair.group_id, group_id, label)
        end
      end
    end
  end
  if response.last_page?
    break
  else
    response = response.next_page
  end
end

puts('}')

Usage instructions:

$ brew install graphviz
$ gem install aws-sdk-ec2
$ ruby dot-generator.rb > security-groups.dot
$ dot -Tpdf security-groups.dot -o security-groups.pdf
$ open security-groups.pdf

You can also paste the output into GraphvizOnline instead of installing GraphViz.

Also try fdp or neato instead of dot, they give better layouts in some situations.