How do I find the resources associated with an Amazon EC2 security group?

I use Amazon Elastic Compute Cloud (Amazon EC2) security groups and I want to determine the resources that use a particular security group.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Use the AWS Management Console

Complete the following steps:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, choose Security Groups.
  3. Copy the security group ID of the security group that you want to investigate.
  4. In the navigation pane, choose Network Interfaces.
  5. Paste the security group ID in the search bar.
    Note: Make sure that you search in the same AWS Region where your security group is located.
  6. Review the search results.

Search results show the network interfaces associated with the security group. To determine the resource that's associated with the security group, check the description of the network interface. For example, ELB app/example-alb/1234567890abcdef shows that an Application Load Balancer with the name example-alb is using this security group.

If you receive a "No Network Interfaces found matching your filter criteria" message, then there are no resources associated with the security group.

Use the AWS CLI

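To find network interfaces associated with a security group based on the security group ID, run the describe-network-interfaces AWS CLI command. In the Values field, replace group-id with your security group ID, and replace region with your AWS Region: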

aws ec2 describe-network-interfaces --filters Name=group-id,Values=group-id --region region --output json

The output shows the network interfaces associated with the security group.

If the output is empty, similar to the following example, then there are no resources associated with the security group:

{
    "NetworkInterfaces": []
}

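If the output contains results, then run the describe-network-interfaces AWS CLI command with a --query option on the NetworkInterfaces value to list the ID, description, private IP address, and VPC ID of each network interface: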

aws ec2 describe-network-interfaces --filters Name=group-id,Values=group-id --region region --output json --query "NetworkInterfaces[*].[NetworkInterfaceId,Description,PrivateIpAddress,VpcId]"

The output provides information about the resources associated with the security group.
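
The description check can be scripted over the full JSON output of the first command. The following is an added example, not part of the AWS article: the sample response is constructed, the function names are hypothetical, and every description pattern other than the article's "ELB app/" form is an assumption about how services label their network interfaces.

```python
import json
import re

# Constructed sample of `aws ec2 describe-network-interfaces --output json`
# output (IDs and addresses are made up; field names follow the EC2 API).
SAMPLE = json.loads("""
{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-0aaa", "Description": "ELB app/example-alb/1234567890abcdef",
   "PrivateIpAddress": "10.0.1.10", "VpcId": "vpc-0123"},
  {"NetworkInterfaceId": "eni-0bbb", "Description": "",
   "PrivateIpAddress": "10.0.1.20", "VpcId": "vpc-0123",
   "Attachment": {"InstanceId": "i-0abc", "Status": "attached"}},
  {"NetworkInterfaceId": "eni-0ccc", "Description": "RDSNetworkInterface",
   "PrivateIpAddress": "10.0.2.30", "VpcId": "vpc-0123"},
  {"NetworkInterfaceId": "eni-0ddd", "Description": "spare interface",
   "PrivateIpAddress": "10.0.2.40", "VpcId": "vpc-0123"}
]}
""")

# Description patterns -> resource kind. Only the "ELB app/" form is taken from
# the article; the other patterns are assumptions about service-written text.
PATTERNS = [
    (re.compile(r"^ELB app/([^/]+)/"), "Application Load Balancer"),
    (re.compile(r"^ELB net/([^/]+)/"), "Network Load Balancer"),
    (re.compile(r"^ELB ([^/\s]+)$"), "Classic Load Balancer"),
    (re.compile(r"^RDSNetworkInterface$"), "RDS"),
]

def owner_of(eni):
    """Return (kind, name) for one network interface record."""
    instance = eni.get("Attachment", {}).get("InstanceId")
    if instance:  # interface is attached to an EC2 instance
        return ("EC2 instance", instance)
    desc = eni.get("Description", "")
    for pattern, kind in PATTERNS:
        m = pattern.match(desc)
        if m:
            return (kind, m.group(1) if m.groups() else None)
    # No pattern matched: the interface still holds the group, so report it.
    return ("unclassified", desc or None)

def summarize(output):
    """Map NetworkInterfaceId -> (kind, name) for a whole CLI response."""
    return {e["NetworkInterfaceId"]: owner_of(e) for e in output["NetworkInterfaces"]}

if __name__ == "__main__":
    for eni_id, (kind, name) in summarize(SAMPLE).items():
        print(f"{eni_id}\t{kind}\t{name}")
```

To use it on real output, save the result of the first command to a file and pass the parsed JSON to summarize in place of SAMPLE.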

Related information

Control traffic to your AWS resources using security groups

Client-side filtering

AWS OFFICIAL
Updated 2 months ago
5 Comments

This is not enough. An SG can also be mentioned in other SGs.

replied 9 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied 9 months ago

This doesn't show you if used by EKS ingress.

replied 5 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 5 months ago

As others have mentioned, the answer is not exhaustive. The Security Group may be used by RDS. Would be great if AWS could provide a way of showing any and all resources used by a Security Group, not just EC2 Network Interfaces.

replied 5 months ago