Arun's Blog

Security Group Removal: A Guide to Deleting Unused AWS Security Groups

Tags: CLI, QuickBytes, Security
TL;DR

Use this bash script to automatically identify and delete unused security groups across all AWS regions. The script checks if security groups are attached to any network interfaces before deletion, helping reduce your security blast radius and administrative overhead.

Introduction

In the world of cloud computing, the importance of proper housekeeping cannot be overstated. In a dynamic, rapidly changing environment it's easy for resources to accumulate, clutter your account and widen your security blast radius; unused AWS security groups are a prime example. Left unchecked, these seemingly insignificant objects add up to administration woes and can weaken your cloud security posture.

Welcome to this step-by-step guide on 'Security Group Spring Cleaning'. This post will delve into the significance of removing unused security groups.

Warning

This script permanently deletes security groups. Always test in a non-production environment first. The script skips default security groups, but verify your environment before running in production.

Use This

  • AWS CloudShell
  • Bash Script

Do This

  1. Open CloudShell
  2. Create the bash file: touch removeUnusedSecurityGroups.sh
  3. Edit the file: vi removeUnusedSecurityGroups.sh
  4. Type in the code below
  5. Save the file
  6. Make the file executable: chmod +x removeUnusedSecurityGroups.sh
  7. Run the script: ./removeUnusedSecurityGroups.sh

Pro Tip

Run the script first with the delete command commented out to generate a report of security groups that would be deleted. This gives you a chance to review before making changes.

Write This

#!/bin/bash

# Fetch all AWS regions enabled for this account
for region in $(aws ec2 describe-regions --output text --query 'Regions[].RegionName')
do
  echo "Checking region $region"

  # Fetch all non-default security groups in the region
  for sg in $(aws ec2 describe-security-groups --region "$region" --query "SecurityGroups[?GroupName!='default'].[GroupId]" --output text)
  do
    # Check for security group usage in Network Interfaces.
    # An ENI exposes its groups under Groups[].GroupId, not a top-level GroupId,
    # so project the interface ID: any output at all means the group is in use.
    result=$(aws ec2 describe-network-interfaces --region "$region" --filters Name=group-id,Values="$sg" --query "NetworkInterfaces[*].[NetworkInterfaceId]" --output text)

    # No interface carries the group, so it is unused: delete it
    if [ -z "$result" ]; then
      echo "Deleting unused security group $sg in region $region"
      aws ec2 delete-security-group --region "$region" --group-id "$sg"
    fi
  done
done

Note

The script automatically excludes the default security group in each VPC since it cannot be deleted. Security groups referenced by other security groups will also fail to delete and require manual cleanup of the references first.

What The Heck Does This Code Do

  1. Gets a list of all AWS regions
  2. For each region found, finds all non-default security groups
  3. Since security groups are attached to network interfaces, queries the interfaces in that region to see whether any carries the group
  4. If no interface carries the group, deletes the security group

Troubleshooting

Common Issues and Solutions

DependencyViolation Error

  • Problem: Cannot delete security group because it is referenced by another security group
  • Solution: Find the referencing security group using aws ec2 describe-security-groups --filters Name=ip-permission.group-id,Values=sg-xxx and remove the reference first.
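Putting the Pro Tip, the Note and the DependencyViolation item together, here is an added report-first variant of the script. It is my own example, not the script from this post: it defaults to a dry run, and before deleting a group it runs the same ip-permission.group-id filter shown above (plus the egress.ip-permission.group-id filter for outbound rules) so that groups still referenced by another group are reported instead of failing at the API. It assumes AWS CLI v2, the ec2:Describe* and ec2:DeleteSecurityGroup permissions named in the Troubleshooting section, and the AWS_CMD variable, which is an assumption of mine that lets a fake command stand in for aws when testing the logic offline.

```shell
#!/bin/bash
# Added example, not the post's script: report-first cleanup that also checks
# whether another group's rules reference the candidate before deleting it.
# AWS_CMD and DRY_RUN are assumptions of this example; AWS_CMD exists so a fake
# command can stand in for `aws` when testing offline.
AWS_CMD="${AWS_CMD:-aws}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = report only (default); 0 = actually delete

# Succeeds when no network interface in the region carries the group.
sg_is_unused() {
  local region="$1" sg="$2" attached
  attached=$("$AWS_CMD" ec2 describe-network-interfaces --region "$region" \
    --filters "Name=group-id,Values=$sg" \
    --query 'NetworkInterfaces[*].[NetworkInterfaceId]' --output text)
  [ -z "$attached" ]
}

# Prints, space separated, the IDs of other groups whose ingress or egress rules
# reference $sg. Any such group makes delete-security-group fail with
# DependencyViolation; a group's reference to itself does not block deletion.
referencing_sgs() {
  local region="$1" sg="$2"
  {
    "$AWS_CMD" ec2 describe-security-groups --region "$region" \
      --filters "Name=ip-permission.group-id,Values=$sg" \
      --query 'SecurityGroups[*].[GroupId]' --output text
    "$AWS_CMD" ec2 describe-security-groups --region "$region" \
      --filters "Name=egress.ip-permission.group-id,Values=$sg" \
      --query 'SecurityGroups[*].[GroupId]' --output text
  } | awk -v self="$sg" 'NF && $1 != self' | sort -u | tr '\n' ' ' | sed 's/ *$//'
}

# Walks every enabled region and prints "region sg" for each non-default
# group that no ENI uses.
list_unused_sgs() {
  local region sg
  for region in $("$AWS_CMD" ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    for sg in $("$AWS_CMD" ec2 describe-security-groups --region "$region" \
        --query "SecurityGroups[?GroupName!='default'].[GroupId]" --output text); do
      sg_is_unused "$region" "$sg" && printf '%s %s\n' "$region" "$sg"
    done
  done
}

# Reports (DRY_RUN=1) or deletes (DRY_RUN=0) each unused group, skipping any
# that another group still references so the reference can be cleaned up first.
cleanup() {
  local region sg refs
  list_unused_sgs | while read -r region sg; do
    refs=$(referencing_sgs "$region" "$sg")
    if [ -n "$refs" ]; then
      echo "Skipping $sg in $region: referenced by $refs"
    elif [ "$DRY_RUN" = "1" ]; then
      echo "[dry-run] would delete $sg in $region"
    else
      echo "Deleting $sg in $region"
      "$AWS_CMD" ec2 delete-security-group --region "$region" --group-id "$sg" \
        || echo "Failed to delete $sg in $region" >&2
    fi
  done
}

# Usage: DRY_RUN=1 ./removeUnusedSecurityGroups.sh run   (report only)
#        DRY_RUN=0 ./removeUnusedSecurityGroups.sh run   (delete)
case "${1:-}" in run) cleanup ;; esac
```

Run it once with DRY_RUN=1 in CloudShell and read the report; the "Skipping" lines tell you which referencing group to fix before a second pass with DRY_RUN=0 does the actual deletions.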

Security Group in Use by Lambda

  • Problem: Security group appears unused but cannot be deleted
  • Solution: Lambda functions in VPCs use ENIs that linger for a while after the function itself is removed. Wait 15-20 minutes for AWS to clean up the ENI, then retry.

Permission Denied

  • Problem: Access denied when trying to delete security groups
  • Solution: Ensure your IAM user/role has ec2:DeleteSecurityGroup and ec2:DescribeSecurityGroups permissions. Check for SCPs that may be blocking the action.

Security Group Used by RDS

  • Problem: Security group is attached to an RDS instance but does not show up in the ENI query
  • Solution: The script checks ENIs, which should catch RDS usage since RDS instances attach their security groups through ENIs, but verify in the RDS console before deleting. Consider adding RDS-specific checks to the script.

Script Deletes Needed Security Groups

  • Problem: Script deleted a security group that was actually needed
  • Solution: Security groups can be recreated but will have different IDs. You'll need to update any references. Consider using AWS Config to track security group changes.

Till Next Time

As we conclude this digital decluttering journey, it's vital to remember that effective AWS security group management isn't a one-off task but an ongoing process. By regularly identifying and deleting unused AWS security groups, you not only lower your administrative burden, but also contribute significantly to reducing your security risk.

The steps and strategies outlined in this guide provide an essential foundation to help you maintain a clean, organized, and efficient cloud space. But every cloud environment is unique, so don't hesitate to tailor these approaches to suit your specific needs.

In the dynamic and often complex world of cloud computing, it's the small things that can make a big difference. And remember, consistent cloud cleanliness is next to digital godliness. So, keep your digital broom at the ready, sweep away unnecessary objects, and keep your cloud environment running at its peak potential. Until next time, happy 'Spring Cleaning'!