Tool for scanning unsecure & unattached Security Groups on AWS environment.

SG Scanner

Scanning tool for unused/unattached/unsecure security groups on Amazon. If a group is not attached to any network interface, it is reported as unused. Generally all security groups bound to AWS services (EC2, RDS, Lambda, Load Balancers, WorkSpaces, AppStream and more) must be attached to a network interface. The security scan checks all security group rules for open ports from


Python 2.x or 3.x

Python libs: tabulate, boto3, argparse


$ pip install boto3
$ pip install tabulate
$ pip install argparse


SG Scanner uses the instance's IAM role by default (when started from an EC2 instance). If you want to run it from an on-premise host, you must pass credentials explicitly. A region must always be given.

Using IAM role:

$ python region mode

Using credentials:

$ python region mode --accesskey="yourAccessKey" --secretkey="yourSecretKey"

Usage example:

$ python eu-west-1 unattached
$ python eu-west-1 unsecure --accesskey="ABCDEF" --secretkey="123456"
$ python eu-west-1 unsecure --accesskey="ABCDEF" --secretkey="123456" --ignoreports="40,80,443"
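The two checks described above (unattached detection via network interfaces, and the unsecure scan with an ignore list in the `--ignoreports="40,80,443"` form), as an added example that is not the SG Scanner project's own code. It works on the dict shapes that boto3's `describe_security_groups` and `describe_network_interfaces` return, over constructed sample data, so the pure checks run offline; `scan_live` is the optional wrapper for a real account. Two assumptions are made where the README is cut off: the unsecure scan flags any rule whose source is `0.0.0.0/0` or `::/0`, and an ignored port skips a rule only when that rule covers exactly that single port (a wide range or an all-protocol `-1` rule is still reported).

```python
"""Added example, not the SG Scanner project's code: unattached-group and
open-rule checks over boto3 response shapes. Sample data is constructed."""

from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample of ec2.describe_security_groups()["SecurityGroups"]
SAMPLE_GROUPS: List[Dict] = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
        # "-1" means all protocols and ports; FromPort/ToPort are absent
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

# Constructed sample of ec2.describe_network_interfaces()["NetworkInterfaces"]
SAMPLE_ENIS: List[Dict] = [
    {"NetworkInterfaceId": "eni-0111", "Groups": [{"GroupId": "sg-0aaa"}]},
    {"NetworkInterfaceId": "eni-0222", "Groups": [{"GroupId": "sg-0bbb"}]},
]

ANYWHERE = ("0.0.0.0/0", "::/0")  # assumption: what "unsecure" means here

Finding = Tuple[str, str, Optional[int], Optional[int], str]


def unattached_groups(groups: Iterable[Dict], enis: Iterable[Dict]) -> List[str]:
    """Group IDs that no network interface references (the 'unattached' mode)."""
    attached = {g["GroupId"] for eni in enis for g in eni.get("Groups", [])}
    return sorted(g["GroupId"] for g in groups if g["GroupId"] not in attached)


def open_rules(groups: Iterable[Dict], ignore_ports: Set[int] = frozenset()) -> List[Finding]:
    """(group, protocol, from, to, cidr) for every ingress rule open to the world."""
    findings: List[Finding] = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            proto = rule["IpProtocol"]
            from_port, to_port = rule.get("FromPort"), rule.get("ToPort")
            # Assumption: only a single-port rule can be skipped via the ignore list
            if from_port is not None and from_port == to_port and from_port in ignore_ports:
                continue
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in ANYWHERE:
                    findings.append((g["GroupId"], proto, from_port, to_port, cidr))
    return findings


def parse_ignore_ports(value: str) -> Set[int]:
    """Parse the README's --ignoreports="40,80,443" value into a set of ints."""
    return {int(p) for p in value.split(",") if p.strip()}


def scan_live(region: str, mode: str, ignoreports: str = "",
              accesskey: Optional[str] = None, secretkey: Optional[str] = None):
    """Run one mode against a real account. Needs the read-only actions
    ec2:DescribeSecurityGroups and ec2:DescribeNetworkInterfaces; with
    accesskey/secretkey left as None, boto3 uses the instance role or default chain."""
    import boto3  # imported here so the pure checks above run without it
    ec2 = boto3.client("ec2", region_name=region,
                       aws_access_key_id=accesskey, aws_secret_access_key=secretkey)
    groups = [g for page in ec2.get_paginator("describe_security_groups").paginate()
              for g in page["SecurityGroups"]]
    if mode == "unattached":
        enis = [e for page in ec2.get_paginator("describe_network_interfaces").paginate()
                for e in page["NetworkInterfaces"]]
        return unattached_groups(groups, enis)
    if mode == "unsecure":
        return open_rules(groups, parse_ignore_ports(ignoreports))
    raise ValueError("mode must be 'unattached' or 'unsecure'")


if __name__ == "__main__":
    print("unattached:", unattached_groups(SAMPLE_GROUPS, SAMPLE_ENIS))
    for f in open_rules(SAMPLE_GROUPS, parse_ignore_ports("40,80,443")):
        print("open:", f)
```

On the sample data the unattached check reports only `sg-0ccc`, and the unsecure scan with ports 40, 80 and 443 ignored still reports the SSH rule on `sg-0aaa` and the all-traffic IPv6 rule on `sg-0ccc`; the 443 rule is dropped because it covers exactly one ignored port.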

IAM Policy

Policy with minimum required permissions can be found in sgscanner-policy.json file.


  • v0.1.1 - 10.09.2018 - Added the option to ignore a list of ports during the security scan.
  • v0.1.0 - 09.09.2018 - Public Release