How to Find and Remove Unused Security Groups in AWS

If you want to maintain excellent resource management in AWS, you should regularly find and remove unused resources like security groups.

In your account, you could have security groups that were created for specific purposes, and are now outdated, or groups that were disassociated from other resources and forgotten. While there isn't a direct recurring cost for having excess security groups, it adds unnecessary attack surface and clutter to your AWS account.

In this guide, we'll show you the steps to find unused security groups and remove them.

Blink Automation: Find Unused Security Groups in AWS

Blink + AWS

Try This Automation

Checking a Security Group for Associated Resources

If the security group has no associated instances, load balancers, and network interfaces, it's an unused security group, and you can safely remove it.

Before removing a security group, you can check if it has any associated resources or dependencies using either the AWS Console or AWS CLI.

Using the AWS Console:

1. Navigate to the AWS Management Console.
2. Choose the EC2 Service. From the left-side menu, select Security Groups.
3. To view the number of associated resources, check the Network Interfaces, Instances, and Load Balancers columns.

Using the AWS CLI:

You can check for dependent resources by using the following command:

aws ec2 describe-security-groups --group-id <Security-Group-Id>

The output will show you all associated load balancers, network interfaces, and instances in the Attachments output.

If there are no associated resources, then you can safely delete it.

This method we just showed is good for individual groups, but what if you want to find all security groups in your AWS account that are unused?

Finding All Unused Security Groups in AWS

Here’s how to search for unused security groups in AWS using the Console and CLI.

Using the AWS Console:

1. Navigate to AWS Management Console.
2. Choose the EC2 service.
3. From the left-side menu, select Security Groups.
4. See through the Instances column whether the security groups have zero active instances or not. Instances for unused security groups will have a “0” value.
5. You can also view load balancers, network interfaces, and Amazon RDS DB instances associated with security groups. If a group has no such associations, it will be referred to as unused.

Using the AWS CLI:

1. Use the following command to view the list of all security groups in AWS:

aws ec2 describe-security-groups

2. You can also add a query parameter to view only the list of unused security groups with zero active instances:

aws ec2 describe-security-groups --query 'SecurityGroups[?attachmentCount==`0`]'

3. Run the following command to save the command output in a variable for later use:

unused_groups=$(aws ec2 describe-security-groups --query 'SecurityGroups[?attachmentCount==`0`]')

4. Enter this command:

for name in $(echo $unused_groups | jq -r '.[].GroupName'); do
echo $name
done 

This command will extract and display the unused security group names from the list.

You can replace the jq parameter in the command with specific names to view only your desired unused security groups.

Remove Unused Security Groups in AWS

Here’s how to remove unused security groups in AWS using the Console and CLI:

Using the AWS Console:

1. Navigate to AWS Management Console.
2. Choose the EC2 service.
3. From the left-side menu, select Security Groups.
4. Select the box next to the unused security groups you want to delete.
5. Choose the Actions option.
6. Select Delete Security Group.
7. When prompted, confirm by pressing Yes, Delete.

Using the AWS CLI:

1. Enter the following command to view the list of all security groups in AWS:

aws ec2 describe-security-groups

2. Filter out the unused security groups from the used ones by typing the command:

 aws ec2 describe-security-groups --filters "Name=group1-name,Values=group-name" 
--query 'SecurityGroups[?attachmentCount==`0`]'

3. Save this output in a variable for later use with this command:

unused_groups=$(aws ec2 describe-security-groups --filters "Name=group1-name,Values=group-name" 
--query 'SecurityGroups[?attachmentCount==`0`]')

4. Sort through the list of unused security groups and delete each one by typing the command:

for id in $(echo $unused_groups | jq -r '.[].GroupId'); do
aws ec2 delete-security-group --group-id $id
done

Replace the Values=group-name parameter with the name of the unused security group you want to remove.

To delete multiple unused security resources at one-time type the command:

for group_1 in $(aws ec2 describe-security-groups --query 'SecurityGroups[?Instances|length==0].GroupId' --output text); do
aws ec2 delete-security-group --group-1 $group_1
done

This will check the number of associated resources with the security groups and only delete the unused ones.

Automatically Removing Unused AWS Security Groups with Blink

You can run through the steps we just covered, but with all the different AWS offerings, cleaning up unused resources takes significant time and context-switching.

Instead of manually running checks, there’s an easier way to manage your resources and ensure a clean AWS account.

With Blink, there’s an easier way to manage all of your resources and ensure a clean AWS account.

This automation in the Blink library scans your AWS account for unused ACLs and Security Groups.

When the automation runs, it does the following steps:

1. Queries AWS for all unused Security Groups.
2. Queries AWS for all unused ACLs.
3. If any are found, it sends a report to a Slack channel.

You can also customize this automation by dragging and dropping no-code actions into the canvas to add conditional logic, notifications, or approval steps.

Build your own automation from scratch or use one of our 5K pre-built automations like this one today.

Get started with Blink today to see how easy automation can be.