How to Export security groups inbound/outbound rules using aws command line

0

Hi,

From the console, I am able to do the following to get the RDS Security group for inbound SSH and DB access

[screenshots: "Export security groups to CSV" and "Export security groups inbound/outbound rules to CSV"]

I want to produce similar output using the aws command line, but I can't work out which command options to use. I want to produce output similar to what I get when I choose Export from the console, or close to it.

So far, I tried the following aws command and, while it seems close enough, the output is not pretty. Not sure how to exclude the TAGS from the output. At the moment I am doing grep -v "^TAGS". The output format is not so great though :( May Google how to format it.

aws ec2 --no-cli-pager --output text \
    describe-security-groups --group-ids "[as-per-console=Security group ID]"

Also, when I try using --group-names, I get the error below. I have also tried using --region, as suggested when I search, but it still gives the same error. While --group-ids works fine, it is easier to remember the group name.

aws ec2 --no-cli-pager --output text \
    describe-security-groups --group-names "[as-per-Security group name]"

An error occurred (InvalidGroup.NotFound) when calling the DescribeSecurityGroups operation: The security group '[as-per-Security group name]' does not exist in default VPC 'vpc-blah'

Really lost reading the filter and query examples. In theory, I don't really need to use either, as I want to print all rules for a particular --group-ids/--group-names? Is there no site anywhere where you can test running the aws command line? This would have been helpful if there were one, something similar to when you want to practice scripting. Can someone help please?

2 Answers
1

To export security group inbound/outbound rules using the AWS command line, you can use the describe-security-groups command with some additional options to format the output. Here's an improved approach:

  1. For a specific security group using its ID:
aws ec2 describe-security-groups --group-ids sg-1234567890abcdef0 --query 'SecurityGroups[*].[GroupName,GroupId,Description,IpPermissions,IpPermissionsEgress]' --output table

Replace sg-1234567890abcdef0 with your actual security group ID.

  2. To exclude tags and get a more readable output, you can use the --query parameter to specify exactly what you want to see:
aws ec2 describe-security-groups --group-ids sg-1234567890abcdef0 --query 'SecurityGroups[*].[GroupName,GroupId,Description,IpPermissions[*].[IpProtocol,FromPort,ToPort,IpRanges[*].CidrIp],IpPermissionsEgress[*].[IpProtocol,FromPort,ToPort,IpRanges[*].CidrIp]]' --output table

This will give you a table format output with the group name, ID, description, and both inbound and outbound rules.

Regarding the issue with --group-names, this parameter is only supported for EC2-Classic. For VPC security groups, you must use the --group-ids parameter. If you want to use the group name, you'll need to first query for the group ID using the name, then use that ID in the describe-security-groups command.

To get the group ID from the name:

aws ec2 describe-security-groups --filters "Name=group-name,Values=your-group-name" --query "SecurityGroups[*].GroupId" --output text

You can then use this ID in the previous commands.

Unfortunately, there isn't an official AWS CLI testing environment available online. However, you can set up a sandbox environment on your local machine or use AWS CloudShell, which provides a browser-based shell with AWS CLI pre-installed.

To export to CSV, you can pipe the output to a file:

aws ec2 describe-security-groups --group-ids sg-1234567890abcdef0 --query 'SecurityGroups[*].[GroupName,GroupId,Description,IpPermissions[*].[IpProtocol,FromPort,ToPort,IpRanges[*].CidrIp],IpPermissionsEgress[*].[IpProtocol,FromPort,ToPort,IpRanges[*].CidrIp]]' --output json | jq -r '.[] | flatten | @csv' > security_group_rules.csv

This command uses jq to convert the JSON output to CSV format. Make sure you have jq installed on your system.
Sources
describe-security-group-rules — AWS CLI 2.19.1 Command Reference
Use DescribeSecurityGroups with an AWS SDK or CLI - AWS SDK Code Examples
Use DescribeSecurityGroups with an AWS SDK or CLI - Amazon Elastic Compute Cloud

answered a month ago
EXPERT reviewed a month ago
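The answer's jq one-liner keeps the nested structure of IpPermissions, so it does not produce one row per rule the way the console export does. The following script is an added example (not from the answer or from AWS) that reads the JSON from `aws ec2 describe-security-groups --output json` on stdin and writes a console-style CSV with one row per rule, covering IPv4/IPv6 CIDRs, prefix lists and referenced security groups, and flagging rules open to 0.0.0.0/0 or ::/0; the embedded sample document and its group IDs are constructed.

```python
"""Turn `aws ec2 describe-security-groups --output json` into CSV rows like the
console's "Export security groups inbound/outbound rules" (one row per rule)."""
import csv
import json
import sys

HEADER = ["GroupId", "GroupName", "Direction", "Protocol", "PortRange",
          "Source/Destination", "Description", "OpenToWorld"]

# Constructed sample in the shape the CLI returns (not real account data).
SAMPLE = json.loads("""{"SecurityGroups": [{"GroupId": "sg-0123456789abcdef0", "GroupName": "rds-db",
 "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "ssh"}]},
  {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
   "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
   "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210", "UserId": "123456789012"}]}],
 "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}""")

def port_range(perm):
    """Render ports the way the console does: 'All', '22' or '1024 - 65535'."""
    if perm["IpProtocol"] == "-1" or perm.get("FromPort") is None:
        return "All"
    lo, hi = perm["FromPort"], perm["ToPort"]
    return str(lo) if lo == hi else f"{lo} - {hi}"

def peers(perm):
    """Yield (target, description) for each IPv4/IPv6 CIDR, prefix list or peer group."""
    for key, field in (("IpRanges", "CidrIp"), ("Ipv6Ranges", "CidrIpv6"),
                       ("PrefixListIds", "PrefixListId"), ("UserIdGroupPairs", "GroupId")):
        for entry in perm.get(key, []):
            yield entry[field], entry.get("Description", "")

def rules_to_rows(doc):
    """Flatten the DescribeSecurityGroups document into one CSV row per rule."""
    rows = []
    for sg in doc["SecurityGroups"]:
        for direction, key in (("Inbound", "IpPermissions"), ("Outbound", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                proto = "All" if perm["IpProtocol"] == "-1" else perm["IpProtocol"]
                for target, desc in peers(perm):
                    rows.append([sg["GroupId"], sg["GroupName"], direction, proto, port_range(perm),
                                 target, desc, target in ("0.0.0.0/0", "::/0")])  # flag world-open
    return rows

if __name__ == "__main__":
    # Read the CLI's JSON from a pipe; fall back to the constructed sample when run by hand.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    writer = csv.writer(sys.stdout)
    writer.writerows([HEADER] + rules_to_rows(doc))
```

Run it as `aws ec2 describe-security-groups --group-ids sg-xxx --output json | python3 sg_rules_csv.py > rules.csv` (the script name is a placeholder); the OpenToWorld column makes a quick filter for rules that expose SSH or the DB port to any address.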
0

When using the --group-names this ONLY works in the default VPC. You have to use Security group ID's for any other VPCs I am afraid.

--group-names (list)
[Default VPC] The names of the security groups. You can specify either the security group name or the security group ID.
--group-ids (list)
The IDs of the security groups. Required for security groups in a nondefault VPC.

https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html

EXPERT answered a month ago
EXPERT reviewed a month ago
