DescribeStaleSecurityGroups - Amazon Elastic Compute Cloud


Describes the stale security group rules for security groups in a specified VPC. Rules are stale when they reference a deleted security group in the same VPC or peered VPC. Rules can also be stale if they reference a security group in a peer VPC for which the VPC peering connection has been deleted.

Request Parameters

The following parameters are for this specific action. For more information about required and optional parameters that are common to all actions, see Common Query Parameters.


Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

Type: Boolean

Required: No


The maximum number of items to return for this request. To get the next page of items, make another request with the token returned in the output. For more information, see Pagination.

Type: Integer

Valid Range: Minimum value of 5. Maximum value of 255.

Required: No


The token returned from a previous paginated request. Pagination continues from the end of the items returned by the previous request.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Required: No


The ID of the VPC.

Type: String

Required: Yes

Response Elements

The following elements are returned by the service.


The token to include in another request to get the next page of items. If there are no additional items to return, the string is empty.

Type: String


The ID of the request.

Type: String


Information about the stale security groups.

Type: Array of StaleSecurityGroup objects


For information about the errors that are common to all actions, see Common client error codes.



This example describes stale security group rules for vpc-11223344. The response shows that sg-5fa68d3a in your account has a stale ingress SSH rule that references sg-279ab042 in the peer VPC, and sg-fe6fba9a in your account has a stale egress SSH rule that references sg-ef6fba8b in the peer VPC.

Sample Request &VpcId=vpc-11223344 &AUTHPARAMS

Sample Response

<DescribeStaleSecurityGroupsResponse xmlns=""> <requestId>ece1f9a0-b201-4eec-b74b-example</requestId> <staleSecurityGroupSet> <item> <staleIpPermissionsEgress> <item> <fromPort>22</fromPort> <toPort>22</toPort> <groups> <item> <vpcId>vpc-7a20e51f</vpcId> <groupId>sg-ef6fba8b</groupId> <vpcPeeringConnectionId>pcx-b04deed9</vpcPeeringConnectionId> <peeringStatus>active</peeringStatus> <description>Access to pcx-b04deed9</description> </item> </groups> <ipProtocol>tcp</ipProtocol> </item> </staleIpPermissionsEgress> <groupName>Sg-1</groupName> <vpcId>vpc-11223344</vpcId> <groupId>sg-fe6fba9a</groupId> <description>Sg-1 for peering</description> <staleIpPermissions/> </item> <item> <staleIpPermissionsEgress/> <groupName>Sg-2</groupName> <vpcId>vpc-11223344</vpcId> <groupId>sg-5fa68d3a</groupId> <description>Sg-2 for peering</description> <staleIpPermissions> <item> <fromPort>22</fromPort> <toPort>22</toPort> <groups> <item> <vpcId>vpc-7a20e51f</vpcId> <groupId>sg-279ab042</groupId> <vpcPeeringConnectionId>pcx-b04deed9</vpcPeeringConnectionId> <peeringStatus>active</peeringStatus> <description>Access from pcx-b04deed9</description> </item> </groups> <ipProtocol>tcp</ipProtocol> </item> </staleIpPermissions> </item> </staleSecurityGroupSet> </DescribeStaleSecurityGroupsResponse>

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: