In [1]:
import pandas as pd
import json
from pandas.io.json import json_normalize
import boto3
from botocore.exceptions import ClientError
import ipaddress
import netaddr

ec2 = boto3.client('ec2', region_name='us-east-1')

try:
    response = ec2.describe_security_groups()
except ClientError as e:
    print(e)

security_groups = response['SecurityGroups']
sg5 = security_groups[5]

INGRESS = "IpPermissions"
EGRESS = "IpPermissionsEgress"
FROM_PORT = "FromPort"
TO_PORT = "ToPort"
IP_PROTOCOL = "IpProtocol"
IP_Ranges = "IpRanges"
IPV6_Ranges = "Ipv6Ranges"
PREFIX_LIST_IDS = "PrefixListIds"
USER_ID_GROUP_PAIRS = "UserIdGroupPairs"
GROUP_ID = "GroupId"
GROUP_NAME = "GroupName"
CIDR_IP = "CidrIp"
VPC_ID = "VpcId"

def flat_sg(sg_list):
    __sg_list = sg_list
    rule_list = []
    #group_name = ""
    for each_sg_list in sg_list:
        #group_id = each_ingress_rule[GROUP_ID]
        #if len(each_ingress_rule[GROUP_NAME]) > 0:
        #    group_name = each_ingress_rule[GROUP_NAME]
        ip_protocol = each_sg_list[IP_PROTOCOL]
        ip_ranges_list = each_sg_list[IP_Ranges]
        ipv6_ranges_list = each_sg_list[IPV6_Ranges]
        user_id_group_pairs_list = each_sg_list[USER_ID_GROUP_PAIRS]
        if ip_protocol == "-1":
            from_port = 0
            to_port = 65535
        else:
            from_port = each_sg_list[FROM_PORT]
            to_port = each_sg_list[TO_PORT]
        #ingress_flat["Group ID"] = group_id
        #if group_name != "":
        #    ingress_flat["Group Name"] = group_name
        for each_ip in ip_ranges_list:
            if (to_port - from_port) > 0:
                rule_list.append(each_ip[CIDR_IP] + ":" + str(from_port) + "-" + str(to_port))
            else:
                rule_list.append(each_ip[CIDR_IP] + ":" + str(from_port))
        for each_sg_pair in user_id_group_pairs_list:
            if (to_port - from_port) > 0:
                rule_list.append(each_sg_pair[GROUP_ID] + ":" + str(from_port) + "-" + str(to_port))
            else:
                rule_list.append(each_sg_pair[GROUP_ID] + ":" + str(from_port))
    return rule_list

def is_private(cidr_block, ip_version="ipv4"):
    ip_network = netaddr(cidr_block)
    return ip_network.is_private()

def is_public(cidr_block, ip_version="ipv4"):
    if is_private(cidr_block, ip_version):
        return False    
    return True

def is_cidr_within_vpc(cidr_block, vpc_cidr_block):
    ip_network = netaddr.IPNetwork(cidr_block)
    vpc_network = netaddr.IPNetwork(vpc_cidr_block)
    if ip_network in vpc_network:
        return True
    return False                                     

def is_target_accepts_traffics(egress_rule, target_ingress_rule):
    if is_ip(egress_rule):
        return ipaddress.IPv4Network("192.168.1.1") in ipaddress.IPv4Network("192.168.0.0/16")
    
def find_vpc_cidr(vpc_id_list):
    result = {}
    if type(vpc_id_list) != list:
        raise Exception("vpc_id must be a list")
    vpc_info = ec2.describe_vpcs(VpcIds=vpc_id_list)
    for each_vpc_info in vpc_info['Vpcs']:
        result[each_vpc_info['VpcId']] = each_vpc_info['CidrBlock']
    return result

def organize_sg(raw_sg):
    result = {}
    __raw_sg = raw_sg
    for each_raw_sg in __raw_sg:
        each_organized_sg = {}
        ingress = each_raw_sg[INGRESS]
        egress = each_raw_sg[EGRESS]
        sg_id = each_raw_sg[GROUP_ID]
        sg_name = ""
        if GROUP_NAME in each_raw_sg:
            sg_name = each_raw_sg[GROUP_NAME]
        if sg_id not in result.keys():
            result[sg_id] = {}
        else:
            raise Exception("Duplicate security group key: " + sg_id)
        result[sg_id] = {}
        result[sg_id]['sg_name'] = sg_name
        result[sg_id]['ingress_rules'] = flat_sg(ingress)
        result[sg_id]['egress_rules'] = flat_sg(egress)
        result[sg_id]['vpc_cidr'] = find_vpc_cidr([each_raw_sg[VPC_ID]])
    return result

In [2]:
organize_sg(security_groups)

{'sg-1177355a': {'egress_rules': ['0.0.0.0/0:0-65535'],
  'ingress_rules': ['0.0.0.0/0:0-65535'],
  'sg_name': 'host3',
  'vpc_cidr': {'vpc-302ef348': '172.31.0.0/16'}},
 'sg-396d2f72': {'egress_rules': ['sg-7e703235:8888',
   'sg-df9dac97:6587',
   'sg-8c95a4c4:0'],
  'ingress_rules': ['98.210.128.226/32:6666',
   'sg-7e703235:4444',
   'sg-1177355a:3333',
   'sg-8c95a4c4:1111',
   'sg-df9dac97:2222'],
  'sg_name': 'host5',
  'vpc_cidr': {'vpc-302ef348': '172.31.0.0/16'}},
 'sg-7e703235': {'egress_rules': ['0.0.0.0/0:0-65535'],
  'ingress_rules': ['98.210.128.226/32:6666',
   '98.210.128.226/32:22',
   'sg-7e703235:4444',
   'sg-1177355a:3333',
   'sg-df9dac97:2222'],
  'sg_name': 'host4',
  'vpc_cidr': {'vpc-302ef348': '172.31.0.0/16'}},
 'sg-8c95a4c4': {'egress_rules': ['0.0.0.0/0:0-65535'],
  'ingress_rules': ['172.0.0.0/32:7777',
   'sg-1177355a:3333',
   'sg-df9dac97:2222'],
  'sg_name': 'host1',
  'vpc_cidr': {'vpc-302ef348': '172.31.0.0/16'}},
 'sg-ad1573df': {'egress_rules': [

In [88]:
secure_template = {
    "USING_DEFAULT": True
    "DEFAULT": {
        "DEFAULT_CLOSED_INGRESS": True,
        "INTRA_VPC_TRAFFIC" : True,
        "MATCHING_EGRESS_INGRESS": True,
        "DEFAULT_CLOSED_EGRESS": True,
        "NO_STANDING_ALONE_RULE": True,
        ""
    },
    "DEAFAULT_CLOSED_INGRESS": 
}

{u'Description': 'vac security group',
 u'GroupId': 'sg-c3c98b88',
 u'GroupName': 'vpc1',
 u'IpPermissions': [],
 u'IpPermissionsEgress': [{u'IpProtocol': '-1',
   u'IpRanges': [{u'CidrIp': '0.0.0.0/0'}],
   u'Ipv6Ranges': [],
   u'PrefixListIds': [],
   u'UserIdGroupPairs': []}],
 u'OwnerId': '378553713853',
 u'Tags': [{u'Key': 'Name', u'Value': 'vpc1'}],
 u'VpcId': 'vpc-302ef348'}