AWS Security Group Cleanup
import boto3
import os
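def getLambdaSgs():
    """Return the security-group ids attached to VPC-enabled Lambda functions.

    Walks every page of ``list_functions`` with the service paginator and
    collects ``VpcConfig.SecurityGroupIds`` from each function. The region is
    taken from ``AWS_REGION``; when that variable is unset boto3's normal
    region resolution applies.

    Returns:
        set[str]: security-group ids referenced by at least one function.
    """
    lambdaclient = boto3.client('lambda', region_name=os.getenv("AWS_REGION"))
    lambdasgs = set()
    # The paginator follows NextMarker itself, replacing the hand-rolled
    # marker loop, and accumulating into a set avoids rebuilding a list
    # on every function.
    paginator = lambdaclient.get_paginator('list_functions')
    for page in paginator.paginate():
        for function in page.get('Functions', []):
            # A function that was detached from its VPC can still carry a
            # VpcConfig with empty lists, so read the inner key defensively.
            vpc_config = function.get('VpcConfig') or {}
            lambdasgs.update(vpc_config.get('SecurityGroupIds', []))
    return lambdasgs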
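def getRdsSgs():
    """Return the VPC security-group ids attached to RDS DB instances.

    Walks every page of ``describe_db_instances`` with the service paginator
    and collects ``VpcSecurityGroupId`` from each instance's
    ``VpcSecurityGroups``. The region is taken from ``AWS_REGION``; when that
    variable is unset boto3's normal region resolution applies.

    Returns:
        set[str]: security-group ids referenced by at least one DB instance.
    """
    rds = boto3.client('rds', region_name=os.getenv("AWS_REGION"))
    rdssgs = set()
    # describe_db_instances returns its continuation token under 'Marker',
    # not 'NextMarker', so the original loop silently stopped after the
    # first page of 50 instances and would have reported groups attached to
    # later instances as unused. The paginator follows the correct key.
    paginator = rds.get_paginator('describe_db_instances')
    for page in paginator.paginate():
        for db in page.get('DBInstances', []):
            rdssgs.update(
                sg['VpcSecurityGroupId'] for sg in db.get('VpcSecurityGroups', [])
            )
    return rdssgs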
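ec2 = boto3.resource('ec2', region_name=os.getenv("AWS_REGION"))
# Every security group in the region, by id, since the per-service
# inventories below also yield ids.
all_sgs = {sg.id for sg in ec2.security_groups.all()}
# Security groups attached to EC2 instances.
inssgs = {sg['GroupId'] for ins in ec2.instances.all() for sg in ins.security_groups}
# Security groups attached to any network interface. Resources that are not
# enumerated service by service here (load balancers, ElastiCache, ECS tasks,
# VPC endpoints, ...) still own an ENI, so this keeps their groups out of the
# deletion candidates.
enisgs = {
    grp['GroupId']
    for eni in ec2.network_interfaces.all()
    for grp in (eni.groups or [])
}
lamsgs = getLambdaSgs()
rdssgs = getRdsSgs()
# Removing SGs in use. Groups referenced only from another group's rules are
# not detected here; a delete on one of those fails with DependencyViolation.
unused_sgs = all_sgs - inssgs - enisgs - lamsgs - rdssgs
print("### Unused SGs ####")
print(list(unused_sgs))
for sg in unused_sgs:
    sgroup = ec2.SecurityGroup(sg)
    print(f"Security Group Name: {sgroup.group_name}, Security Group Id: {sgroup.group_id}, Security Group Tags: {sgroup.tags}")
    if sgroup.group_name == 'default':
        # Each VPC's default group cannot be deleted; report it and move on
        # instead of failing when the delete below is enabled.
        print(f"Skipping default group {sgroup.group_id}")
        continue
    print(f"Deleting {sgroup.group_name} ")
    # Dry run: the delete stays commented out until the printed candidate
    # list has been reviewed.
    #sgroup.delete()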
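#!/bin/bash
# Delete every OpsWorks stack in the region that currently has no instances.
# Requires the AWS CLI and jq; credentials come from the CLI's usual chain.
# Abort on the first failed command so a failed describe-instances call can
# never be mistaken for "zero instances".
set -euo pipefail

# The region was hard-coded to us-east-1; keep that as the default but allow
# AWS_REGION to override it.
REGION="${AWS_REGION:-us-east-1}"

STACKS_TO_LIST=""
for STACK in $(aws opsworks describe-stacks --region "$REGION" | jq -r '.Stacks[].StackId')
do
    # One jq filter instead of two piped jq processes.
    INSTANCE_COUNT=$(aws opsworks describe-instances --region "$REGION" --stack-id "$STACK" | jq '.Instances | length')
    # The original wrote '[INSTANCE_COUNT -eq 0]' with no 'then': bash rejects
    # it, and even with spaces it would compare the literal word, not the value.
    if [ "$INSTANCE_COUNT" -eq 0 ]
    then
        STACKS_TO_LIST="$STACKS_TO_LIST $STACK"
    fi
done

echo "#### DELETING STACKS"
# Word-split the accumulated ids on purpose. The original iterated over the
# literal word STACKS_TO_LIST (missing '$') and passed it as the stack id.
for STACK_TO_DELETE in $STACKS_TO_LIST
do
    aws opsworks delete-stack --region "$REGION" --stack-id "$STACK_TO_DELETE"
done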
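#!/bin/bash
# Report the OpsWorks stacks with no instances that still use OpsWorks-managed
# security groups (the groups the SG cleanup above would otherwise find
# dangling). Read-only: nothing is deleted.
# Requires the AWS CLI and jq; credentials come from the CLI's usual chain.
set -euo pipefail

# The region was hard-coded to us-east-1; keep that as the default but allow
# AWS_REGION to override it.
REGION="${AWS_REGION:-us-east-1}"

STACKS_TO_LIST=""
for STACK in $(aws opsworks describe-stacks --region "$REGION" | jq -r '.Stacks[].StackId')
do
    # One jq filter instead of two piped jq processes.
    INSTANCE_COUNT=$(aws opsworks describe-instances --region "$REGION" --stack-id "$STACK" | jq '.Instances | length')
    # The original wrote '[INSTANCE_COUNT -eq 0]' with no 'then': bash rejects
    # it, and even with spaces it would compare the literal word, not the value.
    if [ "$INSTANCE_COUNT" -eq 0 ]
    then
        STACKS_TO_LIST="$STACKS_TO_LIST $STACK"
    fi
done

# --stack-ids needs at least one id; the CLI errors out on an empty argument.
if [ -z "$STACKS_TO_LIST" ]
then
    echo "No stacks without instances found in $REGION"
    exit 0
fi

# $STACKS_TO_LIST is left unquoted on purpose so each id becomes its own
# argument to --stack-ids.
aws opsworks describe-stacks --region "$REGION" --stack-ids $STACKS_TO_LIST --query 'Stacks[?UseOpsworksSecurityGroups==`true`].{Name:Name,StackId:StackId,UseOpsworksSecurityGroups:UseOpsworksSecurityGroups,Region:Region,VpcId:VpcId}' --output table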