I'm having difficulty filtering AWS CLI describe-security-groups output
Goal: Find all SGs with ingress rules on port 22 with cidr
Amazons' own docs provide an example, but state there's a limitation with their query in that it will first filter the entire data set for port 22 then filter that entire data set for What this means is that SGs with the following rules will still trigger:
ingress 22 sg-12345678
ingress 443
This completely defeats the purpose of the filtering, and I'm not even sure why Amazon provides that example with a heading of "To describe security groups that have specific rules"
Route 1: aws cli query first then jq
This route is based off what I found here: https://github.com/aws/aws-cli/issues/971
aws ec2 describe-security-groups --output json --query 'SecurityGroups[*].[GroupName,GroupId,IpPermissions[?ToPort==`22`].[IpRanges[?CidrIp==``]]]'
Which provides a list of all security groups, but showing nested data for any SGs with 22 (and successfully ignoring any ACLs for other ports) In the output below, SG1 is what I'm interested, and SG2/SG3 needs to be filtered out.
"SG 1",
"CidrIp": ""
"SG 2",
"SG 3",
This is a great first step as I've eliminated ACLs that aren't associated with port 22. But as I try to run jq to simply remove entries that have empty data sets, I'm having difficulty cause all the keys have been stripped.
Route 2: jq un-queried CLI output
I've been unable to get away from the pitfall of the original AWS example by using jq from the start, where I can first query for all SGs that contain port 22, then query for any ACLs of, which of course gives me false positives. Due to the stream nature of jq, I haven't figured out how to check condition A (port 22) then check condition B ( only on items related to condition A.
Here's some sanitized raw CLI output of 2 SGs, again, I need to get the first one without triggering a false positive on the 2nd
"SecurityGroups": [
"Description": "SG 1",
"IpPermissions": [
"PrefixListIds": [],
"FromPort": 22,
"IpRanges": [
"CidrIp": ""
"ToPort": 22,
"IpProtocol": "tcp",
"UserIdGroupPairs": [],
"Ipv6Ranges": []
"GroupName": "SG 1",
"VpcId": "vpc-12345678",
"OwnerId": "1234567890",
"GroupId": "sg-11111111"
"Description": "SG 2",
"IpPermissions": [
"PrefixListIds": [],
"FromPort": 22,
"IpRanges": [],
"ToPort": 22,
"IpProtocol": "tcp",
"UserIdGroupPairs": [
"UserId": "1234567890",
"GroupId": "sg-abcdefab"
"Ipv6Ranges": []
"PrefixListIds": [],
"FromPort": 443,
"IpRanges": [
"CidrIp": ""
"ToPort": 443,
"IpProtocol": "tcp",
"UserIdGroupPairs": [],
"Ipv6Ranges": []
"GroupName": "SG 2",
"VpcId": "vpc-12345678",
"OwnerId": "1234567890",
"GroupId": "sg-22222222"
You need to use advanced JMESPath conditions. See if the below cli command satisfies what you are asking.
aws ec2 describe-security-groups \
--filters "Name=ip-permission.to-port,Values=22" \
--query 'SecurityGroups[?IpPermissions[?ToPort==`22` && contains(IpRanges[].CidrIp, ``)]].{GroupId: GroupId, GroupName: GroupName}' \
--output json \
--region us-east-1