Security Group Rule Overlap Detector - AWS SG Audit Tool
0.0.0.0/0 + SSH/RDP/DB), and mergeable rule pairs. Paste CSV, paste aws ec2 describe-security-groups JSON, or add rules one by one with the form. All processing is performed entirely in your browser using client-side JavaScript. No data is transmitted to any server. Your Security Group rules never leave your device.
- This tool is provided "AS IS" without any warranties of any kind.
- The author accepts no responsibility for misconfigurations resulting from rule changes informed by this tool.
- Findings are heuristic and may not reflect all risks in your environment - always validate against your security policies before applying changes.
- Security Group ID references (e.g. sg-xxxx) are treated as opaque identifiers; this tool does not resolve referenced SGs or Prefix Lists.
- Always keep backups of your original Security Group configurations before making modifications.
- By using this tool, you accept full responsibility for any outcomes.
This tool uses client-side JavaScript for all processing. No data is transmitted to servers, no files are uploaded online, all processing happens locally in your browser. Once loaded, this tool continues to work even without an internet connection. For more details, please refer to our Web Tools Disclaimer.
CSV input
Columns: sg-id, direction (ingress|egress), protocol (tcp|udp|icmp|-1), from_port, to_port, source (CIDR or sg-xxx).
Header row is optional. Lines starting with # are ignored. Use -1 or leave ports blank for "all".
JSON input
Accepts the full response object, the SecurityGroups array, or a single SG object. IpPermissions/IpPermissionsEgress, IpRanges, Ipv6Ranges, UserIdGroupPairs, and PrefixListIds are expanded into individual rules.
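Both input formats described above, normalised into one flat rule shape, as an added JavaScript example (this is not the tool's own source). The rule shape { sg, direction, protocol, fromPort, toPort, source }, the function names and the sample inputs are assumptions made for the example; the CSV column order and the JSON field names are those the page lists.

```javascript
// Added example, not the tool's own code: turn the CSV format and the
// describe-security-groups JSON format into a flat list of rules of the shape
// { sg, direction, protocol, fromPort, toPort, source }. A port of -1 means "all".

// CSV: sg-id,direction,protocol,from_port,to_port,source
// Header row optional; lines starting with # are ignored; -1 or blank port = all.
function parseCsvRules(text) {
  const rules = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const cols = line.split(',').map((c) => c.trim());
    if (cols.length < 6) continue; // malformed row: skip rather than guess
    if (cols[0].toLowerCase() === 'sg-id') continue; // optional header row
    const [sg, direction, protocol, from, to, source] = cols;
    const port = (v) => (v === '' || v === '-1' ? -1 : Number(v));
    rules.push({
      sg,
      direction: direction.toLowerCase(),
      protocol: protocol.toLowerCase(),
      fromPort: port(from),
      toPort: port(to),
      source,
    });
  }
  return rules;
}

// JSON: accept the full response, the SecurityGroups array, or a single SG
// object, and expand each permission entry into one rule per IpRange,
// Ipv6Range, UserIdGroupPair and PrefixListId.
function expandSgJson(input) {
  const obj = typeof input === 'string' ? JSON.parse(input) : input;
  const groups = Array.isArray(obj) ? obj : obj.SecurityGroups ? obj.SecurityGroups : [obj];
  const rules = [];
  for (const g of groups) {
    const lists = [
      ['ingress', g.IpPermissions || []],
      ['egress', g.IpPermissionsEgress || []],
    ];
    for (const [direction, perms] of lists) {
      for (const p of perms) {
        const protocol = String(p.IpProtocol); // "tcp", "udp", "icmp" or "-1"
        const fromPort = p.FromPort ?? -1; // absent for "all traffic" entries
        const toPort = p.ToPort ?? -1;
        const sources = [
          ...(p.IpRanges || []).map((r) => r.CidrIp),
          ...(p.Ipv6Ranges || []).map((r) => r.CidrIpv6),
          ...(p.UserIdGroupPairs || []).map((r) => r.GroupId),
          ...(p.PrefixListIds || []).map((r) => r.PrefixListId),
        ];
        for (const source of sources) {
          rules.push({ sg: g.GroupId, direction, protocol, fromPort, toPort, source });
        }
      }
    }
  }
  return rules;
}

// Constructed sample inputs for the example; not taken from any real account.
const SAMPLE_CSV = `# web tier
sg-id,direction,protocol,from_port,to_port,source
sg-web,ingress,tcp,443,443,0.0.0.0/0
sg-web,ingress,tcp,22,22,203.0.113.0/24
sg-web,egress,-1,,,0.0.0.0/0`;

const SAMPLE_JSON = {
  SecurityGroups: [{
    GroupId: 'sg-db',
    IpPermissions: [{
      IpProtocol: 'tcp', FromPort: 5432, ToPort: 5432,
      IpRanges: [{ CidrIp: '10.0.1.0/24' }],
      Ipv6Ranges: [],
      UserIdGroupPairs: [{ GroupId: 'sg-web' }],
      PrefixListIds: [],
    }],
    IpPermissionsEgress: [{ IpProtocol: '-1', IpRanges: [{ CidrIp: '0.0.0.0/0' }] }],
  }],
};
```

Feeding SAMPLE_CSV to parseCsvRules yields three rules, the last with protocol "-1" and both ports -1; feeding SAMPLE_JSON to expandSgJson yields three rules for sg-db, one per source entry, with the egress "all traffic" entry carrying -1 ports because the JSON has no FromPort/ToPort.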
Features
- Three input modes: paste CSV, paste aws ec2 describe-security-groups JSON, or add rules via form.
- Multi-SG audit: analyzes several Security Groups in a single run, grouping results per SG and direction.
- Duplicate detection: flags identical rules within the same SG and direction.
- Containment detection: identifies rules fully covered by another (broader port range + broader CIDR).
- Port range overlap: spots rules whose port ranges partially overlap for the same source.
- Over-permissive exposure: highlights 0.0.0.0/0 ingress on sensitive ports such as SSH (22), RDP (3389), MySQL (3306), PostgreSQL (5432), MSSQL (1433), Oracle (1521), MongoDB (27017), Redis (6379), and more.
- Broad CIDR warnings: raises a warning for /0 through /8 sources.
- Merge suggestions: proposes combined port ranges when rules share protocol and source and sit adjacent or overlap.
- Report export: one-click copy of a plain-text audit report for tickets and reviews.
- 100% client-side: no network calls; works offline after load.
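The checks in the feature list, as an added JavaScript example that is not the tool's own source: duplicate, containment, port overlap, over-permissive exposure, broad CIDR warnings and merge suggestions, run per SG and direction over a constructed rule set. Following the IPv4-only note under Important Notes, IPv6 sources, sg-xxx references and prefix-list IDs are compared as exact strings. The rule shape, function names, severity labels and sample rules are assumptions made for this example; the sensitive-port list is the one the feature list gives.

```javascript
// Added example, not the tool's own code. Rule shape is
// { sg, direction, protocol, fromPort, toPort, source }; -1 ports mean "all".
// Sensitive ports are the ones named in the feature list (names are labels only).
const SENSITIVE_PORTS = { 22: 'SSH', 3389: 'RDP', 3306: 'MySQL', 5432: 'PostgreSQL',
  1433: 'MSSQL', 1521: 'Oracle', 27017: 'MongoDB', 6379: 'Redis' };
const SEVERITY_RANK = { high: 0, medium: 1, low: 2, info: 3 };

// IPv4 CIDR -> { start, end, prefix } as unsigned 32-bit integers. Returns null for
// anything else (IPv6, sg-xxx, pl-xxx), which is then compared as an opaque string.
function ipv4Range(cidr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr);
  if (!m) return null;
  const o = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  if (o.some((x) => x > 255) || prefix > 32) return null;
  const ip = ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  const start = (ip & mask) >>> 0;
  return { start, end: (start | (~mask >>> 0)) >>> 0, prefix };
}

// Does source a cover source b? IPv4 by address range; everything else by exact match.
function sourceCovers(a, b) {
  const ra = ipv4Range(a), rb = ipv4Range(b);
  if (ra && rb) return ra.start <= rb.start && rb.end <= ra.end;
  return a === b;
}

const portSpan = (r) => (r.fromPort === -1 ? [0, 65535] : [r.fromPort, r.toPort]);
const protoCovers = (a, b) => a.protocol === '-1' || a.protocol === b.protocol;

// Rule a fully contains rule b: protocol, port span and source are all at least as broad.
function ruleCovers(a, b) {
  const [alo, ahi] = portSpan(a), [blo, bhi] = portSpan(b);
  return protoCovers(a, b) && alo <= blo && bhi <= ahi && sourceCovers(a.source, b.source);
}

function analyze(rules) {
  const findings = [], merges = [];
  const add = (severity, type, sg, detail) => findings.push({ severity, type, sg, detail });

  // Single-rule checks: sensitive ports open to the world, and /0 through /8 IPv4 sources.
  for (const r of rules) {
    if (r.direction !== 'ingress') continue;
    const [lo, hi] = portSpan(r);
    const v4 = ipv4Range(r.source);
    if (r.source === '0.0.0.0/0' && (r.protocol === 'tcp' || r.protocol === '-1')) {
      for (const [port, name] of Object.entries(SENSITIVE_PORTS)) {
        if (lo <= Number(port) && Number(port) <= hi) add('high', 'exposure', r.sg, `${name} (${port}) open to 0.0.0.0/0`);
      }
    }
    if (v4 && v4.prefix <= 8) add('medium', 'broad-cidr', r.sg, `${r.source} is a /${v4.prefix} source`);
  }

  // Pairwise checks, only between rules in the same SG and direction.
  const groups = new Map();
  for (const r of rules) {
    const k = `${r.sg}|${r.direction}`;
    if (!groups.has(k)) groups.set(k, []);
    groups.get(k).push(r);
  }
  for (const group of groups.values()) {
    for (let i = 0; i < group.length; i++) {
      for (let j = i + 1; j < group.length; j++) {
        const a = group[i], b = group[j];
        const [alo, ahi] = portSpan(a), [blo, bhi] = portSpan(b);
        const sameKey = a.protocol === b.protocol && a.source === b.source;
        if (sameKey && alo === blo && ahi === bhi) { add('low', 'duplicate', a.sg, `rules ${i} and ${j} are identical`); continue; }
        if (ruleCovers(a, b)) { add('low', 'containment', a.sg, `rule ${j} is covered by rule ${i}`); continue; }
        if (ruleCovers(b, a)) { add('low', 'containment', a.sg, `rule ${i} is covered by rule ${j}`); continue; }
        if (!sameKey || a.protocol === '-1') continue;
        // Same protocol and source, neither contains the other: partial overlap or adjacency is mergeable.
        const overlap = alo <= bhi && blo <= ahi;
        const adjacent = ahi + 1 === blo || bhi + 1 === alo;
        if (overlap) add('info', 'port-overlap', a.sg, `rules ${i} and ${j} share ports ${Math.max(alo, blo)}-${Math.min(ahi, bhi)}`);
        if (overlap || adjacent) merges.push({ sg: a.sg, direction: a.direction, protocol: a.protocol,
          source: a.source, fromPort: Math.min(alo, blo), toPort: Math.max(ahi, bhi) });
      }
    }
  }
  findings.sort((x, y) => SEVERITY_RANK[x.severity] - SEVERITY_RANK[y.severity]);
  return { findings, merges };
}

// Constructed sample (not from any real account): SSH open to the world plus its
// duplicate, a /8 source covering a /24, and three app-tier rules that overlap or abut.
const SAMPLE_RULES = [
  { sg: 'sg-web', direction: 'ingress', protocol: 'tcp', fromPort: 22, toPort: 22, source: '0.0.0.0/0' },
  { sg: 'sg-web', direction: 'ingress', protocol: 'tcp', fromPort: 22, toPort: 22, source: '0.0.0.0/0' },
  { sg: 'sg-web', direction: 'ingress', protocol: 'tcp', fromPort: 80, toPort: 80, source: '10.0.0.0/8' },
  { sg: 'sg-web', direction: 'ingress', protocol: 'tcp', fromPort: 80, toPort: 80, source: '10.0.1.0/24' },
  { sg: 'sg-app', direction: 'ingress', protocol: 'tcp', fromPort: 8080, toPort: 8085, source: 'sg-web' },
  { sg: 'sg-app', direction: 'ingress', protocol: 'tcp', fromPort: 8083, toPort: 8090, source: 'sg-web' },
  { sg: 'sg-app', direction: 'ingress', protocol: 'tcp', fromPort: 8091, toPort: 8095, source: 'sg-web' },
];
```

On SAMPLE_RULES, analyze reports two exposure findings (the SSH rule and its duplicate), three broad-CIDR warnings (two for 0.0.0.0/0, one for 10.0.0.0/8), one duplicate, one containment (the /24 rule covered by the /8 rule), one port overlap, and two merge suggestions (8080-8090 and 8083-8095). Merge suggestions are only proposed when the two rules share protocol and source and neither already contains the other, which is why a contained rule is reported as containment rather than as a merge.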
How to Use
- Choose an input tab: CSV, JSON, or Form.
- For CSV, paste rows in the format sg-id,direction,protocol,from_port,to_port,source. An optional header row is supported.
- For JSON, paste the output of aws ec2 describe-security-groups. You can pass the full response, the SecurityGroups array, or a single SG object.
- For Form, fill in the fields and click Add rule for each rule; queued rules appear in the table below.
- Click Load Sample to try a three-SG (ALB → EC2 → RDS) example with intentional findings.
- Click Analyze to run the audit. Results include a summary, per-SG rule tables with finding badges, a findings list sorted by severity, and merge suggestions.
- Click Copy Report to copy a plain-text summary of all findings and merge suggestions.
Important Notes
- This tool audits rules only; it does not connect to AWS APIs. Provide rule data via one of the three input methods.
- Security Group ID references and Prefix List references are treated as opaque identifiers. The tool does not expand referenced SGs or resolve AWS-managed or customer-managed prefix lists.
- NACLs and other network layers are out of scope for this MVP; findings reflect only SG rule logic.
- CIDR containment and overlap are computed for IPv4 only. IPv6 comparisons use exact-string matching for safety.
- Findings are heuristic. Review context (public vs. private subnet, bastion design, compliance posture) before taking action on any suggestion.
- Always keep a backup of your Security Group configuration (e.g. via aws ec2 describe-security-groups) before applying changes informed by this tool.