How to describe Security Groups for a VPC?
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
To describe security groups for a specific VPC, you usually filter the AWS API call by vpc-id. The two most common paths are the AWS CLI and Boto3. Both return the same underlying EC2 security-group metadata, including rules, tags, names, and attached VPC ID.
Use the AWS CLI with a VPC Filter
The direct CLI command is:
This returns only the security groups belonging to that VPC.
If you want a smaller output, use a query:
This is often the most readable form for terminal work.
Understand What the Response Contains
A security-group description includes fields such as:
- '
GroupId' - '
GroupName' - '
Description' - '
VpcId' - inbound permissions in
IpPermissions - outbound permissions in
IpPermissionsEgress - tags
That means one describe call can answer both identification and rule-inspection questions.
Inspect Rules More Closely
If you care about the actual ingress and egress rules, query them explicitly.
This is useful when auditing what traffic is allowed in a VPC without clicking through the console.
Use Boto3 from Python
The equivalent Boto3 call looks like this:
This is the standard approach for automation scripts or inventory tools.
Narrow to One Group When You Already Know the ID
If you already have the security-group ID, you do not need only a VPC filter. You can describe the exact group directly.
CLI:
Boto3:
That is the cleaner choice when the target group is already known.
Security Group Rules Are Nested Structures
One reason these responses feel verbose is that rule data is nested. For example, an ingress rule can include:
- protocol
- port range
- CIDR blocks
- referenced security groups
- IPv6 ranges
- descriptions
That is why queries become useful. Without them, the raw JSON is correct but noisy.
Use the Console for Exploration, CLI for Repeatability
The AWS console is convenient for one-off inspection, but CLI and Boto3 are better when you need:
- repeatable audits
- automation
- inventory reporting
- filtering in scripts
A good pattern is to use the console to learn the shape of the data and then move repeatable checks into CLI or Python.
Mind the Region
Security groups are regional resources. If you query the wrong region, the VPC or security groups may appear not to exist.
Explicit CLI example:
The same applies in Boto3 if your default session is pointed at a different region.
Common Pitfalls
- Forgetting to filter by the correct
vpc-idand assuming all returned groups belong to the same VPC. - Querying the wrong AWS region and thinking the VPC has no security groups.
- Looking only at group names instead of stable IDs such as
GroupIdandVpcId. - Ignoring nested rule fields and missing referenced security-group sources or egress behavior.
- Using console-only workflows for tasks that should really be scripted and repeatable.
Summary
- To describe security groups for a VPC, filter
describe-security-groupsbyvpc-id. - The AWS CLI and Boto3 both expose the same EC2 data.
- Use queries to make the output readable when you only need names, IDs, or rules.
- If you already know the security-group ID, describe that group directly.
- Always confirm the AWS region, because security groups are regional.
