Getting Information About Your Security Groups

You can get information about one or more security groups and the rules they contain.

Information about your security groups is also available from within the associated virtual machines (VMs) themselves. For more information, see Accessing the Metadata and User Data of a VM.

Getting Information About Your Security Groups Using Cockpit v2

See the Security Groups dashboard.

Getting Information About Your Security Groups Using OSC CLI

The ReadSecurityGroups command lists one or more security groups.
You can specify either the name of the security groups or their IDs.

Request sample

$ osc-cli api ReadSecurityGroups --profile "default" \
    --Filters '{
        "SecurityGroupIds": ["sg-12345678"]
      }'

Request sample

$ osc-cli api ReadSecurityGroups --profile "default" \
    --Filters '{
        "InboundRuleIpRanges": ["192.0.2.0"]
      }'

This command contains the following attributes that you need to specify:

DryRun: (optional) If true, checks whether you have the required permissions to perform the action.
Filters: (optional) One or more filters.
- Descriptions: (optional) The descriptions of the security groups.
- InboundRuleAccountIds: (optional) The account IDs that have been granted permissions.
- InboundRuleFromPortRanges: (optional) The beginnings of the port ranges for the TCP and UDP protocols, or the ICMP type numbers.
- InboundRuleIpRanges: (optional) The IP ranges that have been granted permissions, in CIDR notation (for example, 10.0.0.0/24).
- InboundRuleProtocols: (optional) The IP protocols for the permissions (tcp | udp | icmp, or a protocol number, or -1 for all protocols).
- InboundRuleSecurityGroupIds: (optional) The IDs of the security groups that have been granted permissions.
- InboundRuleSecurityGroupNames: (optional) The names of the security groups that have been granted permissions.
- InboundRuleToPortRanges: (optional) The ends of the port ranges for the TCP and UDP protocols, or the ICMP code numbers.
- NetIds: (optional) The IDs of the Nets specified when the security groups were created.
- OutboundRuleAccountIds: (optional) The account IDs that have been granted permissions.
- OutboundRuleFromPortRanges: (optional) The beginnings of the port ranges for the TCP and UDP protocols, or the ICMP type numbers.
- OutboundRuleIpRanges: (optional) The IP ranges that have been granted permissions, in CIDR notation (for example, 10.0.0.0/24).
- OutboundRuleProtocols: (optional) The IP protocols for the permissions (tcp | udp | icmp, or a protocol number, or -1 for all protocols).
- OutboundRuleSecurityGroupIds: (optional) The IDs of the security groups that have been granted permissions.
- OutboundRuleSecurityGroupNames: (optional) The names of the security groups that have been granted permissions.
- OutboundRuleToPortRanges: (optional) The ends of the port ranges for the TCP and UDP protocols, or the ICMP code numbers.
- SecurityGroupIds: (optional) The IDs of the security groups.
- SecurityGroupNames: (optional) The names of the security groups.
- TagKeys: (optional) The keys of the tags associated with the security groups.
- TagValues: (optional) The values of the tags associated with the security groups.
- Tags: (optional) The key/value combination of the tags associated with the security groups, in the following format: "Filters":{"Tags":["TAGKEY=TAGVALUE"]}.
NextPageToken: (optional) The token to request the next page of results. Each token refers to a specific page.
ResultsPerPage: (optional) The maximum number of logs returned in a single response (between 1 and 1000, both included).

The ReadSecurityGroups command returns the following elements:

NextPageToken: The token to request the next page of results. Each token refers to a specific page.
ResponseContext: Information about the context of the response.
- RequestId: The ID of the request.
SecurityGroups: Information about one or more security groups.
- AccountId: The account ID that has been granted permission.
- Description: The description of the security group.
- InboundRules: The inbound rules associated with the security group.
  - FromPortRange: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number.
  - IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a Net, this can also be an IP protocol number. For more information, see the IANA.org website.
  - IpRanges: One or more IP ranges for the security group rules, in CIDR notation (for example, 10.0.0.0/16).
  - SecurityGroupsMembers: Information about one or more source or destination security groups.
    
    AccountId: The account ID that owns the source or destination security group.
    
    SecurityGroupId: The ID of a source or destination security group that you want to link to the security group of the rule.
    
    SecurityGroupName: (Public Cloud only) The name of a source or destination security group that you want to link to the security group of the rule.
  - ServiceIds: One or more service IDs to allow traffic from a Net to access the corresponding OUTSCALE services. For more information, see ReadNetAccessPointServices.
  - ToPortRange: The end of the port range for the TCP and UDP protocols, or an ICMP code number.
- NetId: The ID of the Net for the security group.
- OutboundRules: The outbound rules associated with the security group.
  - FromPortRange: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number.
  - IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a Net, this can also be an IP protocol number. For more information, see the IANA.org website.
  - IpRanges: One or more IP ranges for the security group rules, in CIDR notation (for example, 10.0.0.0/16).
  - SecurityGroupsMembers: Information about one or more source or destination security groups.
    
    AccountId: The account ID that owns the source or destination security group.
    
    SecurityGroupId: The ID of a source or destination security group that you want to link to the security group of the rule.
    
    SecurityGroupName: (Public Cloud only) The name of a source or destination security group that you want to link to the security group of the rule.
  - ServiceIds: One or more service IDs to allow traffic from a Net to access the corresponding OUTSCALE services. For more information, see ReadNetAccessPointServices.
  - ToPortRange: The end of the port range for the TCP and UDP protocols, or an ICMP code number.
- SecurityGroupId: The ID of the security group.
- SecurityGroupName: The name of the security group.
- Tags: One or more tags associated with the security group.
  - Key: The key of the tag, with a minimum of 1 character.
  - Value: The value of the tag, between 0 and 255 characters.

Result sample

{
  "SecurityGroups": [
    {
      "Tags": [],
      "SecurityGroupName": "security-group-example",
      "OutboundRules": [
        {
          "FromPortRange": -1,
          "IpProtocol": "-1",
          "ToPortRange": -1,
          "IpRanges": [
            "0.0.0.0/0"
          ]
        }
      ],
      "SecurityGroupId": "sg-12345678",
      "AccountId": "123456789012",
      "Description": "Example of security group",
      "InboundRules": [
        {
          "FromPortRange": 22,
          "IpProtocol": "tcp",
          "ToPortRange": 22,
          "IpRanges": [
            "192.0.2.0",
            "198.51.100.0"
          ]
        }
      ],
      "NetId": "vpc-12345678"
    }
  ],
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  }
}

Getting Information About Your Security Groups Using oapi-cli

The ReadSecurityGroups command lists one or more security groups.
You can specify either the name of the security groups or their IDs.

Request sample

$ oapi-cli --profile "default" ReadSecurityGroups \
    --Filters '{
        "SecurityGroupIds": ["sg-12345678"]
      }'

Request sample

$ oapi-cli --profile "default" ReadSecurityGroups \
    --Filters '{
        "InboundRuleIpRanges": ["192.0.2.0"]
      }'

This command contains the following attributes that you need to specify:

DryRun: (optional) If true, checks whether you have the required permissions to perform the action.
Filters: (optional) One or more filters.
- Descriptions: (optional) The descriptions of the security groups.
- InboundRuleAccountIds: (optional) The account IDs that have been granted permissions.
- InboundRuleFromPortRanges: (optional) The beginnings of the port ranges for the TCP and UDP protocols, or the ICMP type numbers.
- InboundRuleIpRanges: (optional) The IP ranges that have been granted permissions, in CIDR notation (for example, 10.0.0.0/24).
- InboundRuleProtocols: (optional) The IP protocols for the permissions (tcp | udp | icmp, or a protocol number, or -1 for all protocols).
- InboundRuleSecurityGroupIds: (optional) The IDs of the security groups that have been granted permissions.
- InboundRuleSecurityGroupNames: (optional) The names of the security groups that have been granted permissions.
- InboundRuleToPortRanges: (optional) The ends of the port ranges for the TCP and UDP protocols, or the ICMP code numbers.
- NetIds: (optional) The IDs of the Nets specified when the security groups were created.
- OutboundRuleAccountIds: (optional) The account IDs that have been granted permissions.
- OutboundRuleFromPortRanges: (optional) The beginnings of the port ranges for the TCP and UDP protocols, or the ICMP type numbers.
- OutboundRuleIpRanges: (optional) The IP ranges that have been granted permissions, in CIDR notation (for example, 10.0.0.0/24).
- OutboundRuleProtocols: (optional) The IP protocols for the permissions (tcp | udp | icmp, or a protocol number, or -1 for all protocols).
- OutboundRuleSecurityGroupIds: (optional) The IDs of the security groups that have been granted permissions.
- OutboundRuleSecurityGroupNames: (optional) The names of the security groups that have been granted permissions.
- OutboundRuleToPortRanges: (optional) The ends of the port ranges for the TCP and UDP protocols, or the ICMP code numbers.
- SecurityGroupIds: (optional) The IDs of the security groups.
- SecurityGroupNames: (optional) The names of the security groups.
- TagKeys: (optional) The keys of the tags associated with the security groups.
- TagValues: (optional) The values of the tags associated with the security groups.
- Tags: (optional) The key/value combination of the tags associated with the security groups, in the following format: "Filters":{"Tags":["TAGKEY=TAGVALUE"]}.
NextPageToken: (optional) The token to request the next page of results. Each token refers to a specific page.
ResultsPerPage: (optional) The maximum number of logs returned in a single response (between 1 and 1000, both included).

The ReadSecurityGroups command returns the following elements:

NextPageToken: The token to request the next page of results. Each token refers to a specific page.
ResponseContext: Information about the context of the response.
- RequestId: The ID of the request.
SecurityGroups: Information about one or more security groups.
- AccountId: The account ID that has been granted permission.
- Description: The description of the security group.
- InboundRules: The inbound rules associated with the security group.
  - FromPortRange: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number.
  - IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a Net, this can also be an IP protocol number. For more information, see the IANA.org website.
  - IpRanges: One or more IP ranges for the security group rules, in CIDR notation (for example, 10.0.0.0/16).
  - SecurityGroupsMembers: Information about one or more source or destination security groups.
    
    AccountId: The account ID that owns the source or destination security group.
    
    SecurityGroupId: The ID of a source or destination security group that you want to link to the security group of the rule.
    
    SecurityGroupName: (Public Cloud only) The name of a source or destination security group that you want to link to the security group of the rule.
  - ServiceIds: One or more service IDs to allow traffic from a Net to access the corresponding OUTSCALE services. For more information, see ReadNetAccessPointServices.
  - ToPortRange: The end of the port range for the TCP and UDP protocols, or an ICMP code number.
- NetId: The ID of the Net for the security group.
- OutboundRules: The outbound rules associated with the security group.
  - FromPortRange: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number.
  - IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a Net, this can also be an IP protocol number. For more information, see the IANA.org website.
  - IpRanges: One or more IP ranges for the security group rules, in CIDR notation (for example, 10.0.0.0/16).
  - SecurityGroupsMembers: Information about one or more source or destination security groups.
    
    AccountId: The account ID that owns the source or destination security group.
    
    SecurityGroupId: The ID of a source or destination security group that you want to link to the security group of the rule.
    
    SecurityGroupName: (Public Cloud only) The name of a source or destination security group that you want to link to the security group of the rule.
  - ServiceIds: One or more service IDs to allow traffic from a Net to access the corresponding OUTSCALE services. For more information, see ReadNetAccessPointServices.
  - ToPortRange: The end of the port range for the TCP and UDP protocols, or an ICMP code number.
- SecurityGroupId: The ID of the security group.
- SecurityGroupName: The name of the security group.
- Tags: One or more tags associated with the security group.
  - Key: The key of the tag, with a minimum of 1 character.
  - Value: The value of the tag, between 0 and 255 characters.

Result sample

{
  "SecurityGroups": [
    {
      "Tags": [],
      "SecurityGroupName": "security-group-example",
      "OutboundRules": [
        {
          "FromPortRange": -1,
          "IpProtocol": "-1",
          "ToPortRange": -1,
          "IpRanges": [
            "0.0.0.0/0"
          ]
        }
      ],
      "SecurityGroupId": "sg-12345678",
      "AccountId": "123456789012",
      "Description": "Example of security group",
      "InboundRules": [
        {
          "FromPortRange": 22,
          "IpProtocol": "tcp",
          "ToPortRange": 22,
          "IpRanges": [
            "192.0.2.0",
            "198.51.100.0"
          ]
        }
      ],
      "NetId": "vpc-12345678"
    }
  ],
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  }
}

Getting Information About Your Security Groups Using AWS CLI

Before you begin: Install and configure AWS CLI. For more information, see Installing and Configuring AWS CLI.

To get information about one or more security groups, use the describe-security-groups command following this syntax:

Request sample

$ aws ec2 describe-security-groups \
    --profile YOUR_PROFILE \
    --group-names my-security-groups \
    --group-ids sg-12345678 \
    --filters Name=X,Values=Y \
    --endpoint https://fcu.eu-west-2.outscale.com

This command contains the following options that you need to specify:

(optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.
(optional) group-names: The name of one or more security groups, if you are in the public Cloud. If you are in a VPC, use the group-name filter instead.
(optional) group-ids: The ID of one or more security groups, that you must specify if you are in a VPC. If the ID is invalid or does not exist, returns an error.

(optional) filters: One or more filters, in the "Name=X,Values=Y" format.

You can specify several values for a same filter using the "Name=X,Values=Y, Z" format.

The following filters are available:

description: The description of the security group.
egress.ip-permission.prefix-list-id: The prefix ID of the service to which the security group allows access.
group-id: The ID of the security group.
group-name: The name of the security group.
ip-permission.cidr: An IP or a range of IPs that have been granted permission, in CIDR notation.
ip-permission.from-port: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number (-1 to indicate all ICMP types).
ip-permission.group-id: The ID of a security group that has been granted permission.
ip-permission.group-name: The name of a security group that has been granted permission.
ip-permission.protocol: The IP protocol for the permission (tcp | udp | icmp, or -1 for all protocols).
ip-permission.to-port: The end of the port range for the TCP and UDP protocols, or an ICMP code.
ip-permission.user-id: The account ID that has been granted permission.
owner-id: The account ID of the owner of the security group.

tag-key: The key of a tag associated with the resource.
tag-value: The value of a tag associated with the resource.

tag:XXXX: The value of a tag associated with the resource, where XXXX is the key of the tag.

To filter a tag whose key is XXXX and value is YYYY, you can therefore use either of the following two formats:

--filters Name=tag-key,Values=XXXX Name=tag-value,Values=YYYY
--filters Name=tag:XXXX,Values=YYYY

vpc-id: The ID of the VPC specified when the security group was created.

endpoint: The endpoint corresponding to the Region you want to send the request to. For more information, see Installing and Configuring AWS CLI.

The describe-security-groups command returns the following elements:

SecurityGroups: Information about one or more security groups. This element contains the following information:
- (VPC only) IpPermissionsEgress: Information about one or more outbound rules contained in the security group. This element contains the same information as the IpPermissions one.
- Description: The description of the security group.
- Tags: One or more tags associated with the security group. This element contains the following information:
  - Value: The value of the tag.
  - Key: The key of the tag.
- Ip-permissions: A set of permissions. This element contains the following information:
  - IpProtocol: The protocol you want to use (tcp | udp | icmp, or -1 for all protocols).
  - FromPort: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number (-1 to indicate all ICMP types).
  - ToPort: The end of port range for the TCP and UDP protocols, or an ICMP code number (-1 to indicate all ICMP codes).
  - UserIdGroupPairs: Information about one or more accounts and security groups referenced in rules. This element contains the following information:
    
    UserId: The account ID of the owner of the referenced security group.
    
    GroupName: The name of the referenced security group.
    
    GroupId: The ID of the referenced security group.
- GroupName: The name of the security group.
- (VPC only) VpcId: The ID of the VPC the security group is allocated to.
- OwnerId: The account ID of the owner of the security group.
- GroupId: The ID of the security group.

Result sample

 {
    "SecurityGroups": [
        {
            "IpPermissionsEgress": [],
            "Description": "my_security_group",
            "Tags": [
                {
                    "Value": "SG1",
                    "Key": "Name"
                 }
            ],
           "IpPermissions": [
                {
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    "UserIdGroupPairs": [
                        {
                             "UserId": "987654321000",
                             "GroupId": "sg-1234abcd",
                             "GroupName":
                        }
                    ],
                    "PrefixListIds": []
                    "FromPort": 22,
                    "ToPort": 22,
              ],
           "GroupName": "MySecurityGroup",
           "VpcId": "vpc-87654321",
           "OwnerId": "123456789000",
           "GroupId": "sg-12345678",
        }
    ]
}

Related Pages

Corresponding API Methods

AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.