List Security Groups question


sayla

2022-06-01 14:47:57
To: cloud-custodian
Hi all,

I have a couple of hopefully simple questions. I am new to Cloud Custodian; I only started looking at it today.

I am using the following - taken straight from the official documentation:

policies:
  - name: security-groups-unused
    resource: security-group
    filters:
      - unused

This works and outputs 1 line which provides a count of the SGs.

My questions:
1. Are these truly unused SGs, i.e. not associated with EC2 instances, RDS, ElastiCache, etc.?
2. How do I produce output which lists the security group IDs?

Thanks in advance.

AJ Kerrigan

2022-06-01 16:08:48
To: cloud-custodian
Hi Sayla -

1. The usage filter performs a bunch of checks, to see if a security group is referenced by:

* Active network interfaces (this covers a bunch of cases, including your specific points about EC2, RDS and ElastiCache)
* Rules in other security groups
* Lambda configurations
* EC2 launch configurations
* ECS VPC configurations for CloudWatch event rule targets
* CodeBuild job configurations

2. When you run a custodian policy, you'll get some files in an output directory. You can inspect the resources.json file yourself, or point the "custodian report" command to the same output directory to get a results summary.

Hope that helps!

AJ

AJ Kerrigan

2022-06-01 16:18:46
To: cloud-custodian
Specifically, if you ran a policy with a command like:

custodian run --output-dir c7n-output my-sg-policy.yml

You could substitute "report" for "run" to get summary output of the policy results:

custodian report --output-dir c7n-output my-sg-policy.yml

"custodian report --help" has more information about extra options for customizing the report output.
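A worked example for question 2, added here and not part of the thread or of Cloud Custodian's own code: it reads the resources.json that `custodian run --output-dir <dir>` writes under <dir>/<policy-name>/ and lists the GroupIds it contains. It also reconstructs, over a constructed inventory, just one of the checks in the list above (referenced by a rule in another group) so you can see what that item means; the real `unused` filter additionally checks network interfaces, Lambda, launch configurations, ECS event targets and CodeBuild, which this code does not attempt. The security group records, IDs and VPC ID below are made up.

```python
"""Added example for this thread, not Cloud Custodian's own code.

Shows:
  1. pulling security group IDs out of the resources.json that
     `custodian run --output-dir <dir>` writes under <dir>/<policy-name>/;
  2. a local reconstruction of ONE check behind the `unused` filter:
     "is this group referenced by a rule in another group?". The real
     filter also checks ENIs, Lambda, launch configurations, ECS event
     targets and CodeBuild; none of that is modelled here.

Assumptions: the group records are constructed and carry only the fields
this example reads (GroupId, GroupName, VpcId and the rule lists).
"""
import json
import os
import tempfile

POLICY_NAME = "security-groups-unused"

# Constructed inventory shaped like EC2 DescribeSecurityGroups output.
# sg-...0003 is referenced by an ingress rule of sg-...0001; the other two
# groups are not referenced by any rule.
SAMPLE_INVENTORY = [
    {
        "GroupId": "sg-0a1b2c3d4e5f60001",
        "GroupName": "old-web-sg",
        "VpcId": "vpc-0123456789abcdef0",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60003"}]}
        ],
        "IpPermissionsEgress": [],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60002",
        "GroupName": "scratch-sg",
        "VpcId": "vpc-0123456789abcdef0",
        "IpPermissions": [],
        "IpPermissionsEgress": [],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60003",
        "GroupName": "db-sg",
        "VpcId": "vpc-0123456789abcdef0",
        "IpPermissions": [],
        "IpPermissionsEgress": [],
    },
]


def referenced_group_ids(inventory):
    """Group IDs named in UserIdGroupPairs of some *other* group's rules.

    A rule that points at the group that owns it does not make that group
    'used' for this check.
    """
    referenced = set()
    for sg in inventory:
        rules = sg.get("IpPermissions", []) + sg.get("IpPermissionsEgress", [])
        for rule in rules:
            for pair in rule.get("UserIdGroupPairs", []):
                target = pair.get("GroupId")
                if target and target != sg["GroupId"]:
                    referenced.add(target)
    return referenced


def unreferenced_groups(inventory):
    """Groups that pass the rule-reference check (order preserved)."""
    used = referenced_group_ids(inventory)
    return [sg for sg in inventory if sg["GroupId"] not in used]


def write_resources_json(output_dir, resources, policy_name=POLICY_NAME):
    """Write records where custodian puts them: <output_dir>/<policy>/resources.json."""
    policy_dir = os.path.join(output_dir, policy_name)
    os.makedirs(policy_dir, exist_ok=True)
    path = os.path.join(policy_dir, "resources.json")
    with open(path, "w") as fh:
        json.dump(resources, fh, indent=2)
    return path


def load_resources(output_dir, policy_name=POLICY_NAME):
    """Read a policy's resources.json; it is a JSON list of resource records."""
    path = os.path.join(output_dir, policy_name, "resources.json")
    with open(path) as fh:
        data = json.load(fh)
    if not isinstance(data, list):
        raise ValueError(f"{path}: expected a JSON list of resource records")
    return data


def group_ids(resources):
    """Sorted, de-duplicated GroupIds; records without one are skipped."""
    return sorted({r["GroupId"] for r in resources if r.get("GroupId")})


def demo():
    """Round trip: write the matched groups as custodian would, read the IDs back."""
    with tempfile.TemporaryDirectory() as tmp:
        write_resources_json(tmp, unreferenced_groups(SAMPLE_INVENTORY))
        return group_ids(load_resources(tmp))


if __name__ == "__main__":
    for gid in demo():
        print(gid)
```

On a real run, resources.json is rewritten on every `custodian run`, so the IDs it holds are only as fresh as the resource listing that produced them; `custodian run` caches that listing for 15 minutes unless you pass `--cache-period 0`. `custodian report` also accepts `--format json` and `--field HEADER=EXPRESSION` if you would rather have the tool emit the columns you want.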

sayla

2022-06-01 16:59:50
To: cloud-custodian
Thanks AJ. I'll try out your suggestions.

Thanks again.

sayla

2022-06-06 06:59:30
To: cloud-custodian
The above worked, thanks. I have another question:

So using the same policy file:

policies:
  - name: security-groups-unused
    resource: security-group
    filters:
      - unused

I run the following at the command line:

custodian report --output-dir c7n-output my-sg-policy.yml

This outputs the unused SGs as expected. I then log in to my AWS console and remove one of the unused SGs.

I now rerun the above command, but I get an error:

blah...
blah...
blah...
  File "/Users/alyasgul/custodian/lib/python3.9/site-packages/botocore/client.py", line 745, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidGroup.NotFound) when calling the DescribeSecurityGroupReferences operation: The security group ID 'sg-XXXXXXXXXXX' does not exist
2022-06-06 11:29:12,740: custodian.commands:ERROR The following policies had errors while executing
 - security-groups-unused

I.e. the error states that the SG I removed does not exist.

I get the same if I run the command with the c7n-output sub-dir left in place or after first removing it.

Can anyone provide a fix?

Why should Cloud Custodian care if the SG is removed? I just need it to report on the currently configured SGs.

Thanks in advance.

ananth balasubramanian

2022-06-06 08:58:57
To: cloud-custodian
I believe you are missing the below.
Yes, there is caching of results. You can avoid that by using the --cache-period option with a value of 0.

Let me know whether it works for you.

sayla

2022-06-06 14:20:15
To: cloud-custodian
linuxananth1976, thanks, that worked!!!