aws ec2 describe-security-groups: Inspect SGs in CI
aws ec2 describe-security-groups returns security groups and their inbound/outbound rules, commonly used to resolve a group ID from its name before launching instances.
Other commands want a security-group ID, not a name. This is the lookup that turns a stable name into the sg-... ID, and the way to audit which ports a group opens.
What it does
aws ec2 describe-security-groups lists security groups visible to your account, filtered by --group-ids, --group-names, or --filters. The response includes ingress and egress rules, so it doubles as a quick firewall audit.
Common usage
# Resolve a group ID from its name within a VPC
aws ec2 describe-security-groups \
--filters 'Name=group-name,Values=ci-runner-sg' \
'Name=vpc-id,Values=vpc-0123456789abcdef0' \
--query 'SecurityGroups[0].GroupId' --output textOptions
| Flag | What it does |
|---|---|
| --group-ids <sg...> | Describe specific groups by ID |
| --group-names <name...> | Describe by name (default VPC only) |
| --filters Name=..,Values=.. | Filter by group-name, vpc-id, tag, etc. |
| --query <jmespath> | Pull GroupId or rule details |
In CI
Prefer --filters Name=group-name,... over --group-names when the group lives in a non-default VPC, because --group-names resolves names only in the default VPC and otherwise errors. Use --query "SecurityGroups[0].GroupId" --output text to feed run-instances cleanly.
Common errors in CI
"An error occurred (InvalidGroup.NotFound) when calling the DescribeSecurityGroups operation: The security group 'ci-runner-sg' does not exist" with --group-names typically means the group is in a non-default VPC; switch to --filters. "InvalidGroupId.Malformed" means a bad sg- ID. "UnauthorizedOperation" means missing ec2:DescribeSecurityGroups.