My Journey to the cloud…

In pursuit of excellence….

Python/boto3 script to generate a CSV report for all the AWS Security groups NOT attached to any resource

Recently while working the customer, I was asked if there is any way to find all the Security groups that are NOT attached to any resources. It was more from housekeeping perspective.

Ofcourse one can find it from within the AWS Console but the problem multiplies many fold if you are operating out of hundreds of AWS Accounts and across multiple AWS regions.

I wrote a simple python which can be run against multiple accounts and regions and generate a report in CSV format.

Script Name –

#!/usr/bin/env python
import boto3
import json
import csv
import argparse
import os
from datetime import datetime, timedelta, timezone
import logging
from botocore.exceptions import ClientError

date_time_now ='%Y/%m/%d  %H:%M:%S')

def ec2_client(region):
    Connects to EC2, returns a connection object
        conn = boto3.client('ec2', region_name=region)

    except Exception as e:
            'Could not connect to region: %s. Exception: %s\n' % (region, e))
        conn = None

    return conn

def parse_commandline_arguments():
    global REGION
    global ACCOUNT_ID
    global report_filename

    parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter,
                                     description='Create a CSV Report for listing unused Security Groups.')
    parser.add_argument("-id", "--accountID", dest="account_id", type=str,required=True,
                        help="The AWS Account Name for which the RDS info is neeeded")
    parser.add_argument("-r", "--region", dest="region", type=str,
                        default=DEFAULT_REGION, help="Specify the global region to pull the report")
    parser.add_argument("-f", "--report", dest="reportname", type=str,
                        help="Specify the report file Name with path")
    args = parser.parse_args()

    ACCOUNT_ID= args.account_id
    REGION = args.region
    report_filename = args.reportname

def get_unused_security_groups(ec2Client):

    # get all of the security groups
        print_string = ""
        response = ec2Client.describe_security_groups()
        for group in response['SecurityGroups']:
            group_id = group['GroupId']
            group_name = group['GroupName']
            # Check if SG is attached to any network interface
            ec2nwIntfresponse = ec2Client.describe_network_interfaces(Filters=[{'Name': 'group-id', 'Values': [group_id]}])
            if not ec2nwIntfresponse['NetworkInterfaces']:
                print_string = ACCOUNT_ID + "," + REGION + "," + group_name + "," + group_id + "," + date_time_now
                file.write(print_string + "\n")
    except Exception as e:

if __name__ == '__main__':
        client = ec2_client(REGION)
        if not os.path.isfile(report_filename):
            file = open(report_filename, 'w+')
            print_string_hdr = "AccountID,Region,SecurityGroupName,SecurityGroupID,Reporting_Date_Time\n"
            file = open(report_filename, 'a')
        print("CSV File generated listing Un-used Security Groups.... - {}" .format(report_filename))
    except Exception as error:

How to run the script:

Make sure you have python3 installed and configured and is in path. Script takes takes 3 arguments

  • AWS Account ID against which you need to get the list of Security Groups
  • AWS Region
  • & CSV File name with complete path

Usage: python getListOfUnusedSecGroup -id 123456789 -r us-east-1 -f /tmp/UnusedSecgroups.csv

You can run this python script against all of your AWS Accounts and all of the region by –

Invoking this python script from within a shell script with a control file that has all the AWS Accounts and their corresponding regions. Shell script will loop through all the AWS accounts and region and hen generate a consolidated CSV file.

Hope this helps.

Keep reading and happy learning.

~Anand M.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

About Me

I’m a Hands-On Technical & Entrprise Solutions Architect based out of Houston, TX. I have been working on Oracle ERP, Oracle Database and Cloud technologies for over 20 years and still going strong for learning new things.

You can connect me on Linkedin and also reach out to me

I am certified for 8x AWS, OCP (Oracle Certified Professionals), PMP, ITTL and 6 Sigma.


This is a personal blog. Any views or opinions represented in this blog are personal and belong solely to the blog owner and do not represent those of people, institutions or organizations that the owner may or may not be associated with in professional or personal capacity, unless explicitly stated.
All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site.

The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information. Any script available on the blog post MUST be tested before they are run against Production environment.


%d bloggers like this: