DescribeStaleSecurityGroups - Amazon Elastic Compute Cloud


[VPC only] Describes the stale security group rules for security groups in a specified VPC. Rules are stale when they reference a deleted security group in the same VPC or in a peer VPC, or if they reference a security group in a peer VPC for which the VPC peering connection has been deleted.

Request Parameters

The following parameters are for this specific action. For more information about required and optional parameters that are common to all actions, see Common Query Parameters.


Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

Type: Boolean

Required: No


The maximum number of items to return for this request. The request returns a token that you can specify in a subsequent call to get the next set of results.

Type: Integer

Valid Range: Minimum value of 5. Maximum value of 255.

Required: No


The token for the next set of items to return. (You received this token from a prior call.)

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Required: No


The ID of the VPC.

Type: String

Required: Yes

Response Elements

The following elements are returned by the service.


The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.

Type: String


The ID of the request.

Type: String


Information about the stale security groups.

Type: Array of StaleSecurityGroup objects


For information about the errors that are common to all actions, see Common client error codes.



This example describes stale security group rules for vpc-11223344. The response shows that sg-5fa68d3a in your account has a stale ingress SSH rule that references sg-279ab042 in the peer VPC, and sg-fe6fba9a in your account has a stale egress SSH rule that references sg-ef6fba8b in the peer VPC.

Sample Request &VpcId=vpc-11223344 &AUTHPARAMS

Sample Response

<DescribeStaleSecurityGroupsResponse xmlns=""> <requestId>ece1f9a0-b201-4eec-b74b-example</requestId> <staleSecurityGroupSet> <item> <staleIpPermissionsEgress> <item> <fromPort>22</fromPort> <toPort>22</toPort> <groups> <item> <vpcId>vpc-7a20e51f</vpcId> <groupId>sg-ef6fba8b</groupId> <vpcPeeringConnectionId>pcx-b04deed9</vpcPeeringConnectionId> <peeringStatus>active</peeringStatus> <description>Access to pcx-b04deed9</description> </item> </groups> <ipProtocol>tcp</ipProtocol> </item> </staleIpPermissionsEgress> <groupName>Sg-1</groupName> <vpcId>vpc-11223344</vpcId> <groupId>sg-fe6fba9a</groupId> <description>Sg-1 for peering</description> <staleIpPermissions/> </item> <item> <staleIpPermissionsEgress/> <groupName>Sg-2</groupName> <vpcId>vpc-11223344</vpcId> <groupId>sg-5fa68d3a</groupId> <description>Sg-2 for peering</description> <staleIpPermissions> <item> <fromPort>22</fromPort> <toPort>22</toPort> <groups> <item> <vpcId>vpc-7a20e51f</vpcId> <groupId>sg-279ab042</groupId> <vpcPeeringConnectionId>pcx-b04deed9</vpcPeeringConnectionId> <peeringStatus>active</peeringStatus> <description>Access from pcx-b04deed9</description> </item> </groups> <ipProtocol>tcp</ipProtocol> </item> </staleIpPermissions> </item> </staleSecurityGroupSet> </DescribeStaleSecurityGroupsResponse>

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: