Returns information about security groups in your account. This includes both EC2 security groups and VPC security groups. For information about how the two types of groups differ, go to Security Groups in the Amazon Virtual Private Cloud User Guide.
You can filter the results to return information only about security groups that match criteria you specify. For example, you could get information about groups whose name contains a particular string. You can specify multiple values for a filter. A security group must match at least one of the specified values for it to be included in the results.
You can specify multiple filters (e.g., the group's name contains a particular string, and the group gives permission to another security group with a different string in its name). The result includes information for a particular group only if it matches all your filters. If there's no match, no special message is returned; the response is simply empty.
| Important |
|---|
Filters are based on literal strings only. This is important to remember when you want to use filters to return only security groups with access allowed on a specific port number or numbers. For example, let's say you want to get all groups that have access on port 22. And let's say GroupA gives access on a range of ports using |
You can use wildcards with the filter values: `*` matches zero or more characters, and `?` matches exactly one character. You can escape special characters using a backslash before the character. For example, a value of `\*amazon\?\\` searches for the literal string `*amazon?\`.
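The matching rules described above (wildcards, backslash escapes, OR across a filter's values, AND across filters) can be modelled client-side. This is an added example, not AWS code: the function names and the sample groups are constructed, and it assumes case-sensitive, whole-string matching with each filter evaluated independently.

```python
import re

def filter_value_to_regex(value):
    """Translate one filter value into a regex: * = zero or more characters,
    ? = exactly one character, backslash makes the next character literal."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            out.append(re.escape(value[i + 1]))  # escaped character, taken literally
            i += 2
            continue
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def group_matches(group, filters):
    """group: {filter name: [attribute strings]}; filters: {filter name: [values]}.
    Every filter must match (AND); one matching value per filter is enough (OR)."""
    for name, values in filters.items():
        patterns = [filter_value_to_regex(v) for v in values]
        candidates = group.get(name, [])
        if not any(p.fullmatch(c) for p in patterns for c in candidates):
            return False
    return True

# Constructed sample data (assumption): each group flattened to filterable strings.
GROUPS = [
    {"group-name": ["WebServers"], "ip-permission.from-port": ["80"]},
    {"group-name": ["web-admin"], "ip-permission.from-port": ["22", "443"]},
    {"group-name": ["database"], "ip-permission.from-port": ["22"]},
]

def select(filters):
    """Names of the sample groups that satisfy all filters; empty list if none."""
    return [g["group-name"][0] for g in GROUPS if group_matches(g, filters)]

if __name__ == "__main__":
    print(select({"group-name": ["*eb*", "data*"]}))
    print(select({"group-name": ["web-*"], "ip-permission.from-port": ["22"]}))
    print(select({"ip-permission.from-port": ["2?"]}))  # port values are strings too
```

Because port values are compared as strings, a value such as `2?` selects port 22 but says nothing about a rule whose range merely contains 22.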
The following table shows the available filters.
| Filter Name | Description |
|---|---|
| | Description of the security group. Type: String |
| | ID of the security group. Type: String |
| | Name of the security group. Type: String |
| | CIDR range that has been granted the permission. Type: String |
| | Start of port range for the TCP and UDP protocols, or an ICMP type number. Type: String |
| | Name of security group that has been granted the permission. Type: String |
| | IP protocol for the permission. Type: String Valid Values: |
| | End of port range for the TCP and UDP protocols, or an ICMP code. Type: String |
| | ID of AWS account that has been granted the permission. Type: String |
| | AWS account ID of the owner of the security group. Type: String |
| | Key of a tag assigned to the security group. Type: String |
| | Value of a tag assigned to the security group. Type: String |

| Name | Description | Required |
|---|---|---|
| | One or more security group names. Type: String Default: Describes all groups you own, or only those otherwise specified. | No |
| | One or more security group IDs. Type: String Default: Describes all groups you own, or only those otherwise specified. | No |
| | Name of a filter. See the preceding table for a list of allowed filter names. Type: String Default: None | No |
| | A value for the filter. See the preceding table for a list of allowed values for each filter. Type: String Default: None | No |

The elements in the following table are wrapped in a DescribeSecurityGroupsResponse structure.

| Name | Description |
|---|---|
| | The ID of the request. Type: xsd:string |
| | List of security groups. Each group's information is wrapped in an Type: SecurityGroupItemType |

This example returns information about two security groups that are configured for the account.
```
https://ec2.amazonaws.com/?Action=DescribeSecurityGroups
&GroupName.1=WebServers
&GroupName.2=RangedPortsBySource
&AUTHPARAMS
```

```xml
<DescribeSecurityGroupsResponse xmlns="http://ec2.amazonaws.com/doc/2011-05-15/">
  <requestId>59dbff89-35bd-4eac-99ed-be587EXAMPLE</requestId>
  <securityGroupInfo>
    <item>
      <ownerId>999988887777</ownerId>
      <groupId>sg-443d0a12</groupId>
      <groupName>WebServers</groupName>
      <groupDescription>Web Servers</groupDescription>
      <vpcId/>
      <ipPermissions>
        <item>
          <ipProtocol>tcp</ipProtocol>
          <fromPort>80</fromPort>
          <toPort>80</toPort>
          <groups/>
          <ipRanges>
            <item>
              <cidrIp>0.0.0.0/0</cidrIp>
            </item>
          </ipRanges>
        </item>
      </ipPermissions>
      <ipPermissionsEgress/>
      <tagSet/>
    </item>
    <item>
      <ownerId>999988887777</ownerId>
      <groupId>sg-5ff8a023</groupId>
      <groupName>RangedPortsBySource</groupName>
      <groupDescription>Group A</groupDescription>
      <ipPermissions>
        <item>
          <ipProtocol>tcp</ipProtocol>
          <fromPort>6000</fromPort>
          <toPort>7000</toPort>
          <groups>
            <item>
              <userId>999988887777</userId>
              <groupId>sg-99gh4012</groupId>
              <groupName>Group B</groupName>
            </item>
          </groups>
          <ipRanges/>
        </item>
      </ipPermissions>
      <ipPermissionsEgress/>
      <tagSet/>
    </item>
  </securityGroupInfo>
</DescribeSecurityGroupsResponse>
```

This example returns information about all security groups that grant access over TCP specifically on port 22 from instances in either the app_server_group or database_group.
```
https://ec2.amazonaws.com/?Action=DescribeSecurityGroups
&Filter.1.Name=ip-permission.protocol
&Filter.1.Value.1=tcp
&Filter.2.Name=ip-permission.from-port
&Filter.2.Value.1=22
&Filter.3.Name=ip-permission.to-port
&Filter.3.Value.1=22
&Filter.4.Name=ip-permission.group-name
&Filter.4.Value.1=app_server_group
&Filter.4.Value.2=database_group
&AUTHPARAMS
```
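Because filters compare literal strings, the port-22 filters above select only permissions whose start and end ports are exactly 22. To audit which groups actually expose a port, retrieve the groups unfiltered and test the ranges client-side. This is an added example, not part of the AWS documentation: the function names are hypothetical and the response is a constructed sample in the schema shown earlier, with placeholder group IDs and CIDRs.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://ec2.amazonaws.com/doc/2011-05-15/"}

def _group(gid, name, lo, hi, cidr):
    # Builds one constructed <item> in the page's response schema.
    return (f"<item><groupId>{gid}</groupId><groupName>{name}</groupName><ipPermissions>"
            f"<item><ipProtocol>tcp</ipProtocol><fromPort>{lo}</fromPort><toPort>{hi}</toPort>"
            f"<groups/><ipRanges><item><cidrIp>{cidr}</cidrIp></item></ipRanges></item>"
            f"</ipPermissions></item>")

# Constructed sample: GroupA opens a range containing 22, SshOnly opens exactly 22.
SAMPLE = ('<DescribeSecurityGroupsResponse xmlns="http://ec2.amazonaws.com/doc/2011-05-15/">'
          "<securityGroupInfo>"
          + _group("sg-00000001", "GroupA", 20, 30, "0.0.0.0/0")
          + _group("sg-00000002", "SshOnly", 22, 22, "10.0.0.0/8")
          + _group("sg-00000003", "WebServers", 80, 80, "0.0.0.0/0")
          + "</securityGroupInfo></DescribeSecurityGroupsResponse>")

def permissions(xml_text):
    """Yield (groupName, protocol, fromPort, toPort, [cidrs]) for each ingress permission."""
    root = ET.fromstring(xml_text)
    for group in root.findall("e:securityGroupInfo/e:item", NS):
        name = group.findtext("e:groupName", namespaces=NS)
        for perm in group.findall("e:ipPermissions/e:item", NS):
            cidrs = [c.text for c in perm.findall("e:ipRanges/e:item/e:cidrIp", NS)]
            yield (name, perm.findtext("e:ipProtocol", namespaces=NS),
                   perm.findtext("e:fromPort", namespaces=NS),
                   perm.findtext("e:toPort", namespaces=NS), cidrs)

def literal_match(xml_text, port, protocol="tcp"):
    """What from-port/to-port string filters select: exact equality only."""
    return [n for n, p, lo, hi, _ in permissions(xml_text)
            if p == protocol and lo == str(port) and hi == str(port)]

def range_match(xml_text, port, protocol="tcp"):
    """Range-aware check: every permission whose port range contains `port`."""
    hits = []
    for n, p, lo, hi, cidrs in permissions(xml_text):
        if p != protocol or lo is None or hi is None:
            continue  # entries without port elements are skipped in this sketch
        if int(lo) <= port <= int(hi):
            hits.append((n, f"{lo}-{hi}", cidrs))
    return hits

if __name__ == "__main__":
    print("literal filter:", literal_match(SAMPLE, 22))
    for hit in range_match(SAMPLE, 22):
        print("range-aware:  ", hit)
```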