Describes the stale security group rules for security groups referenced across a VPC peering connection, transit gateway connection, or with a security group VPC association. Rules are stale when they reference a deleted security group. Rules can also be stale if they reference a security group in a peer VPC for which the VPC peering connection has been deleted, across a transit gateway where the transit gateway has been deleted (or the transit gateway security group referencing feature has been disabled), or if a security group VPC association has been disassociated.
Request Parameters
The following parameters are for this specific action. For more information about required and optional parameters that are common to all actions, see Common Query Parameters.
- DryRun
-
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is
DryRunOperation. Otherwise, it isUnauthorizedOperation.Type: Boolean
Required: No
- MaxResults
-
The maximum number of items to return for this request. To get the next page of items, make another request with the token returned in the output. For more information, see Pagination.
Type: Integer
Valid Range: Minimum value of 5. Maximum value of 255.
Required: No
- NextToken
-
The token returned from a previous paginated request. Pagination continues from the end of the items returned by the previous request.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 1024.
Required: No
- VpcId
-
The ID of the VPC.
Type: String
Required: Yes
Response Elements
The following elements are returned by the service.
- nextToken
-
The token to include in another request to get the next page of items. This value is
nullwhen there are no more items to return.Type: String
- requestId
-
The ID of the request.
Type: String
- staleSecurityGroupSet
-
Information about the stale security groups.
Type: Array of StaleSecurityGroup objects
Errors
For information about the errors that are common to all actions, see Common client error codes.
Examples
Example
This example describes stale security group rules for vpc-11223344. The response shows that sg-5fa68d3a in your account has a stale ingress SSH rule that references sg-279ab042 in the peer VPC, and sg-fe6fba9a in your account has a stale egress SSH rule that references sg-ef6fba8b in the peer VPC.
Sample Request
https://ec2.amazonaws.com/?Action=DescribeStaleSecurityGroups
&VpcId=vpc-11223344
&AUTHPARAMSSample Response
<DescribeStaleSecurityGroupsResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
<requestId>ece1f9a0-b201-4eec-b74b-example</requestId>
<staleSecurityGroupSet>
<item>
<staleIpPermissionsEgress>
<item>
<fromPort>22</fromPort>
<toPort>22</toPort>
<groups>
<item>
<vpcId>vpc-7a20e51f</vpcId>
<groupId>sg-ef6fba8b</groupId>
<vpcPeeringConnectionId>pcx-b04deed9</vpcPeeringConnectionId>
<peeringStatus>active</peeringStatus>
<description>Access to pcx-b04deed9</description>
</item>
</groups>
<ipProtocol>tcp</ipProtocol>
</item>
</staleIpPermissionsEgress>
<groupName>Sg-1</groupName>
<vpcId>vpc-11223344</vpcId>
<groupId>sg-fe6fba9a</groupId>
<description>Sg-1 for peering</description>
<staleIpPermissions/>
</item>
<item>
<staleIpPermissionsEgress/>
<groupName>Sg-2</groupName>
<vpcId>vpc-11223344</vpcId>
<groupId>sg-5fa68d3a</groupId>
<description>Sg-2 for peering</description>
<staleIpPermissions>
<item>
<fromPort>22</fromPort>
<toPort>22</toPort>
<groups>
<item>
<vpcId>vpc-7a20e51f</vpcId>
<groupId>sg-279ab042</groupId>
<vpcPeeringConnectionId>pcx-b04deed9</vpcPeeringConnectionId>
<peeringStatus>active</peeringStatus>
<description>Access from pcx-b04deed9</description>
</item>
</groups>
<ipProtocol>tcp</ipProtocol>
</item>
</staleIpPermissions>
</item>
</staleSecurityGroupSet>
</DescribeStaleSecurityGroupsResponse>See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
