如何使用Python(BOTO3)遍历AWS EC2实例并移除指定安全组?
2026-5-25
How to Remove a Specific Security Group from All EC2 Instances Using Boto3
Got it, let's sort this out for you. First, a quick clarification: the delete_security_group API you looked at is for deleting the security group resource entirely. What you need here is to remove the target security group from instances that have it attached, which uses the modify_instance_attribute method instead. Let's break this down step by step.
Prerequisites
- Install Boto3 if you haven't already:
pip install boto3 - Configure your AWS credentials (via
~/.aws/credentials, environment variables, or IAM roles if running on an EC2 instance) - Ensure your IAM entity has these permissions:
ec2:DescribeInstancesandec2:ModifyInstanceAttribute
Complete Boto3 Script
This script will scan all EC2 instances across all regions, check if they're using your target security group, and remove it from those instances:
import boto3 def remove_target_sg_from_instances(target_sg_id): # Initialize EC2 client to fetch all regions ec2_global = boto3.client('ec2') regions = [region['RegionName'] for region in ec2_global.describe_regions()['Regions']] for region in regions: print(f"Scanning region: {region}") ec2_region = boto3.client('ec2', region_name=region) # Fetch all instances in the current region instances_response = ec2_region.describe_instances() for reservation in instances_response['Reservations']: for instance in reservation['Instances']: instance_id = instance['InstanceId'] current_sg_ids = [sg['GroupId'] for sg in instance['SecurityGroups']] # Check if the target SG is attached to this instance if target_sg_id in current_sg_ids: print(f"Found target SG {target_sg_id} on instance {instance_id}") # Create a new list of SGs excluding the target one updated_sg_ids = [sg for sg in current_sg_ids if sg != target_sg_id] # Update the instance's security groups try: ec2_region.modify_instance_attribute( InstanceId=instance_id, Groups=updated_sg_ids ) print(f"Successfully removed {target_sg_id} from {instance_id}") except Exception as e: print(f"Failed to update {instance_id}: {str(e)}") if __name__ == "__main__": # Replace this with your actual security group ID (e.g., sg-0123456789abcdef0) TARGET_SECURITY_GROUP = "sg-xxxxxxxxxxxxxxxxx" remove_target_sg_from_instances(TARGET_SECURITY_GROUP)
Key Notes About the Script
- Cross-region support: It checks all AWS regions by default. If you only need specific regions, replace the
regionslist with your desired ones (e.g.,['us-east-1', 'eu-west-1']). - Error handling: The try/except block catches issues like stopped instances, missing permissions, or invalid SG IDs, so the script won't crash mid-scan.
- Critical detail: When modifying an instance's security groups, you have to pass the full list of groups you want to keep—not just the one to remove. That's why we filter out the target SG to create
updated_sg_ids.
Bonus: Bash Script (Using AWS CLI)
If you'd prefer a Bash solution with for loops, here's a version that does the same thing:
#!/bin/bash TARGET_SG="sg-xxxxxxxxxxxxxxxxx" # Loop through all AWS regions for region in $(aws ec2 describe-regions --query "Regions[].RegionName" --output text); do echo "Checking region: $region" # Get all instance IDs in the region instance_ids=$(aws ec2 describe-instances --region $region --query "Reservations[].Instances[].InstanceId" --output text) for instance in $instance_ids; do # Fetch current SGs attached to the instance current_sgs=$(aws ec2 describe-instances --region $region --instance-ids $instance --query "Reservations[].Instances[].SecurityGroups[].GroupId" --output text) # Check if target SG is present if echo $current_sgs | grep -q $TARGET_SG; then echo "Removing $TARGET_SG from instance $instance" # Filter out the target SG to create the updated list updated_sgs=$(echo $current_sgs | tr ' ' '\n' | grep -v $TARGET_SG | tr '\n' ' ') # Update the instance aws ec2 modify-instance-attribute --region $region --instance-id $instance --groups $updated_sgs fi done done
内容的提问来源于stack exchange,提问作者RaptorPete
