powercli site recovery manager: determine which protection group an unprotected VM will be in. SRM uses array based replication - vmware

I use automation to deply VM's to various vcenter clusters.
I then confgiure SRM network mapping to create a network map between the cluster that the VM is in and the cluster which is used for DR purposes, in the protection group for those two clusters.
SRM is set up for array based replication, so as long as the VM is placed on replicated storage in the right cluster it will appear in SRM under the protection group, if a network mapping is in place then the VM will be auto protected by SRM or via my SRM config script.
I currently have the primary cluster, DR cluster and protection group hard coded, but would like to determine the protection group a VM is in and the name of the two clusters which the protection group is set up for, that way any changes to cluster configuration is automatically picked up and doesn't require manual changes to the SRM config script.
I've looked in the SRM API docs but it's not something I have worked out yet!


I have solved the issue:
$credential = Get-Credential
$server_name = "test-server"
Connect-VIServer -Server $primaryDC -Credential $credential
$srmConnection = Connect-SrmServer -Credential $credential -RemoteCredential $credential
Connect-VIServer -Server $secondaryDC -Credential $credential
$srmApi = $srmConnection.ExtensionData
$protectionGroups = $srmApi.Protection.ListProtectionGroups()
foreach ($protectionGroup in $protectionGroups){
$associatedVms = $protectionGroup.ListProtectedDatastores() | Get-VIObjectByVIView | Get-VM | Where-Object {($_.name -eq $server_name) -and($_.ExtensionData.Config.ManagedBy.ExtensionKey -ne 'com.vmware.vcDr' )}
foreach ($vm in $associatedVms) {
if ($vm.Name -eq $server_name) {
$protection_group_name = $protectionGroup.GetInfo().Name
$primary_cluster = get-vm -name $server_name | get-cluster
$primary_cluster_res_group = $primary_cluster.ExtensionData.ResourcePool
$srm_resource_groups = $srmApi.inventoryMapping.getResourcePoolMappings()
foreach ($resource_group in $srm_resource_groups){
if ($resource_group.PrimaryObject -eq $primary_cluster_res_group){
$secondary_res_group = $resource_group.SecondaryObject
}
}
}
}
}
$secondary_cluster = Get-Cluster | Where-Object {$_.ExtensionData.ResourcePool -eq $secondary_res_group}
Write-Host "VM: $vm - Protection Group: $protection_group_name - Primary cluster: $primary_cluster - Secondary cluster: $secondary_cluster - Primary ResGrp: $primary_cluster_res_group - Secondary ResGrp: $secondary_res_group"

Related

VMWARE ESXi - Untick "Override" programmatically

This is one of the Networks attached to vSwitch0.
I'd like to untick "Override" as I'd like for it to inherit from the main settings. The thing is I have a few dozens of those and I want to do it via a script. I was not able to find how to do it via ESXCLI. The override occures when you create characteristics for the portgroup, see the following 2 commented out.
esxcli network vswitch standard portgroup add --portgroup-name=Grid --vswitch-name=vSwitch0
esxcli network vswitch standard portgroup set --portgroup-name=Grid --vlan-id 123
#esxcli network vswitch standard portgroup policy failover set --portgroup-name=Grid --active-uplinks=vmnic0,vmnic2
#esxcli network vswitch standard portgroup policy failover set --portgroup-name=Grid -l portid
I really dont want to re-create everything. There must be a way to untick those boxes.

you can do that with powercli:
$vs = Get-VirtualSwitch -VMHost $vmhost -Name "vSwitch0"
$nics = (Get-VirtualSwitch -VMHost $vmhost).Nic
$policy1 = Get-VirtualPortgroup -VirtualSwitch $vs -VMHost $vmhost -Name 'net2' | Get-NicTeamingPolicy
$policy1 | Set-NicTeamingPolicy -MakeNicActive $nics[0] -MakeNicStandby $nics[1] # this will set the order
$policy1 | Set-NicTeamingPolicy -InheritFailoverOrder $true # this will uncheck/check the failover inherit tick
if doing with esxcli:
first we get current settings (override is not checked)
[root#esx:~] esxcli network vswitch standard portgroup policy failover get -p net2
Load Balancing: srcport
Network Failure Detection: link
Notify Switches: true
Failback: true
Active Adapters: vmnic5, vmnic4
Standby Adapters:
Unused Adapters:
Override Vswitch Load Balancing: false
Override Vswitch Network Failure Detection: false
Override Vswitch Notify Switches: false
Override Vswitch Failback: false
Override Vswitch Uplinks: false
next we run the command to set the nicorder we would like to have and check again.
[root#esx:~] esxcli network vswitch standard portgroup policy failover set -a vmnic5 -s vmnic4 -p net2
[root#esx:~] esxcli network vswitch standard portgroup policy failover get -p net2
Load Balancing: srcport
Network Failure Detection: link
Notify Switches: true
Failback: true
Active Adapters: vmnic5
Standby Adapters: vmnic4
Unused Adapters:
Override Vswitch Load Balancing: false
Override Vswitch Network Failure Detection: false
Override Vswitch Notify Switches: false
Override Vswitch Failback: false
Override Vswitch Uplinks: true
this will tick the override checkbox and set the active nic to vmnic5 and stby to vmnic4
Good luck
Pargit

I rigged up a script with PowerCLI.
Cant believe I didnt think of using it...
$vmhost = 'server_name'
$portgroups = Get-VirtualPortGroup -VirtualSwitch vSwitch0 -VMHost $vmhost | select -ExpandProperty Name | sort
foreach ( $portgroup in $portgroups ) {
$portgroup
Write-Output ""
$policy1 = Get-VirtualPortGroup -VirtualSwitch vSwitch0 -VMHost $vmhost -Name $portgroup | Get-NicTeamingPolicy
Write-Output "Load Balancing: "
$policy1.IsLoadBalancingInherited
if (!($policy1.IsLoadBalancingInherited)) { $policy1 | Set-NicTeamingPolicy -InheritLoadBalancingPolicy $true }
Write-Output "Network Failure Detection: "
$policy1.IsNetworkFailoverDetectionInherited
if (!($policy1.IsNetworkFailoverDetectionInherited)) { $policy1 | Set-NicTeamingPolicy -InheritNetworkFailoverDetectionPolicy $true }
Write-Output "Notify Switches: "
$policy1.IsNotifySwitchesInherited
if (!($policy1.IsNotifySwitchesInherited)) { $policy1 | Set-NicTeamingPolicy -InheritNotifySwitches $true }
Write-Output "Failback: "
$policy1.IsFailbackInherited
if (!($policy1.IsFailbackInherited)) { $policy1 | Set-NicTeamingPolicy -InheritFailback $true }
Write-Output "Failover Order: "
$policy1.IsFailoverOrderInherited
if (!($policy1.IsFailoverOrderInherited)) { $policy1 | Set-NicTeamingPolicy -InheritFailoverOrder $true }
Write-Output ""
Write-Output ""
}

Scheduling a Powershell script to run weekly in AWS

So, I've got the following powershell script to find inactive AD users and disable their accounts, creating a log file containing a list of what accounts have been disabled:
Import-Module ActiveDirectory
# Set the number of days since last logon
$DaysInactive = 60
$InactiveDate = (Get-Date).Adddays(-($DaysInactive))
# Get AD Users that haven't logged on in xx days
$Users = Get-ADUser -Filter { LastLogonDate -lt $InactiveDate -and Enabled -eq $true } -
Properties LastLogonDate | Select-Object #{ Name="Username"; Expression=.
{$_.SamAccountName} }, Name, LastLogonDate, DistinguishedName
# Export results to CSV
$Users | Export-Csv C:\Temp\InactiveUsers.csv -NoTypeInformation
# Disable Inactive Users
ForEach ($Item in $Users){
$DistName = $Item.DistinguishedName
Disable-ADAccount -Identity $DistName
Get-ADUser -Filter { DistinguishedName -eq $DistName } | Select-Object #{ Name="Username"; Expression={$_.SamAccountName} }, Name, Enabled
}
The script works and is doing everything it should. What I am trying to figure out is how to automate this in an AWS environment.
I'm guessing I need to use a Lambda function in AWS to trigger this script to run on a schedule but don't know where to start.
Any help greatly appreciated.

I recomment to create a Lambda function with dotnet environment: https://docs.aws.amazon.com/lambda/latest/dg/lambda-powershell.html
Use a CloudWatch Event on a Scheduled basis to trigger the function:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/RunLambdaSchedule.html
An alternative, if you like to to have a more pipeline style execution you could use CodePipeline and CodeBuild to run the script. Use again CloudWatch to trigger the CodePipeline on a scheduled basis!

Using Powershell to Report AWS Security Groups

I am new to powershell and the AWS CLI and have look and looked for someone else who has posted this...
What I'm trying to do is get the code right to create a report of each AWS Security Group that shows the inbound rules.
Something like this I would image the output would be.
SecurityGroupName GroupID, Type, Protcol, PortRange, Source, Description
SSH & HTTP gs-1111 SSH TCP 22 0.0.0.0/0 Inbound SSH & HTTP
SSH & HTTP gs-1111 HTTP TCP 80 1.2.34 Inbound SSH & HTTP
HTTPS gs-2222 HTTPS TCP 443 0.0.0.0/0
'
But I can't figure it out.
I can use $GroupID=Get-EC2SecurityGroup -Region us-east-1 |Select-Object -ExpandProperty GroupID
ForEach ($item in $GroupID) {
(Get-EC2SecurityGroup -Region us-east-1 -GroupId $item).IpPermissions | Select-Object IPProtocol,IpRange, FromPort,ToPort}
to get the basic rule but can't seem to combine all the properties you need. This is where my lack of powershell really hurts. Any help would be great!

First, you need to create a new Powershell array that will hold all the objects.
Later, run over all the security groups in the specific region and add relevant data to the hash-table object.
Then, just add the object to the array we created earlier.
Code snippet:
$region = 'YOUR_REGION'
$allSG = #()
Get-EC2SecurityGroup -Region $region | % {
$obj = #{
Description = $_.IpPermission.Ipv4Ranges.Description
GroupId = $_.GroupId
SecurityGroupName = $_.GroupName
Source = $_.IpPermission.Ipv4Ranges.CidrIp
FromPort = $_.IpPermission.FromPort
ToPort = $_.IpPermission.ToPort
Protocol = $_.IpPermission.IpProtocol
}
$object = new-object psobject -Property $obj
$allSG += $object
}
Output:
Insights:
Some Descriptions might be missing.
The From/To Port represent the Type (e.g - 80 = HTTP, 443 = HTTPS)
More about Get-EC2SecurityGroup.

Powershell/Azure-CLI - User input variable passed into regex string match?

I have a script that automates the resizing of a managed OS disk in Azure. Currently, I need to hardcode the name of the VM in the two spots below labeled as "VM NAME HERE" in order for it to work.
I am trying to figure out how I can take the input for $vm and use it to match the regex instead of hardcoding the names.
Is it possible to do this?
# Set the required variables with user input
$vm = Read-Host -Prompt 'Input the name of the target VM'
$rg = Read-Host -Prompt 'Input the name of your Resource Group'
$size = Read-Host -Prompt 'How many GB should the disk be changed to'
$new_snap = Read-Host -Prompt 'Please name the backup snapshot for your OS Disk'
# Locate the OS Disk information based on the name of the VM
$disk_id = (az vm list --query "[].{ name:name, os:storageProfile.osDisk.managedDisk.id }")
$os_disk = $disk_id | Select-String -Pattern '("VM NAME HERE"[_\w\d]+)' | ForEach-Object {
$_.Matches.Groups[1].Value }
$snap = $disk_id | Select-String -Pattern '([\.\/\-\w\d]+"VM NAME HERE"[_\w\d]+)' | ForEach-Object {
$_.Matches.Groups[1].Value }
# Create Snapshot
Write-Output "Creating Snapshot: $new_snap"
az snapshot create --resource-group $rg --name $new_snap --source $snap
# Deallocate Target VM
Write-Output "Deallocating VM: $vm"
az vm deallocate --resource-group $rg --name $vm
# Resize Managed Disk
Write-Output "Updating OS Disk size to $size GB"
az disk update --name $os_disk --resource-group $rg --size-gb $size
# Restart Target VM
Write-Output "Restarting VM: $vm"
az vm start --resource-group $rg --name $vm

According to my test, we can directly use the following command to get the the vm os disk id
$disk_id = (az vm list --query "[?name == '$vm'].storageProfile.osDisk.managedDisk.id" -o tsv)
For more details, please refer to https://www.craigforrester.com/posts/resize-azure-vm-disks-with-azure-cli/.

How to find Unused Amazon EC2 Security groups

I'm try to find a way to determine orphan security groups so I can clean up and get rid of them. Does anyone know of a way to discover unused security groups.
Either through the console or with the command line tools will work (Running command line tools on linux and OSX machines).

Note: this only considers security use in EC2, not other services like RDS. You'll need to do more work to include security groups used outside EC2. The good thing is you can't easily (might not even be possible) to delete active security groups if you miss one associated w/another service.
Using the newer AWS CLI tool, I found an easy way to get what I need:
First, get a list of all security groups
aws ec2 describe-security-groups --query 'SecurityGroups[*].GroupId' --output text | tr '\t' '\n'
Then get all security groups tied to an instance, then piped to sort then uniq:
aws ec2 describe-instances --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId' --output text | tr '\t' '\n' | sort | uniq
Then put it together and compare the 2 lists and see what's not being used from the master list:
comm -23 <(aws ec2 describe-security-groups --query 'SecurityGroups[*].GroupId' --output text | tr '\t' '\n'| sort) <(aws ec2 describe-instances --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId' --output text | tr '\t' '\n' | sort | uniq)

If you select all of your security groups in the EC2 console, then press actions -> Delete Security Groups, a popup will appear telling you that you cannot delete security groups that are attached to instances, other security groups, or network interfaces, and it will list the security groups that you can delete; ie the unused security groups.
NOTE: according to #andrewlorien’s comment this does not work for all types of AWS services.

This is the sample code written in boto (Python SDK for AWS) to list the Security Group against number of instances it is associated with.
You may use this logic to obtain the same in command line as well
Boto Code
import boto
ec2 = boto.connect_ec2()
sgs = ec2.get_all_security_groups()
for sg in sgs:
print sg.name, len(sg.instances())
Output
Security-Group-1 0
Security-Group-2 1
Security-Group-3 0
Security-Group-4 3

After about a year of unaudited use, I found it necessary to audit my AWS EC2 security groups and clean up legacy, unused groups.
This was a daunting task to perform via the web GUI, so I looked to the AWS CLI to make the task easier. I found a start on how to do this at StackOverflow, but it was far from complete. So I decided to write my own script. I used the AWS CLI, MySQL and some “Bash-foo” to perform the following:
Get a list of all EC2 security groups.
I store the group-id, group-name and description in a tabled called “groups” in a MySQL database called aws_security_groups on the localhost. The total number of groups found is reported to the user.
Get a list of all security groups associated with each of the following services and exclude them from the table:
EC2 Istances
EC2 Elastic Load Balancers
AWS RDS Instances
AWS OpsWorks (shouldn’t be removed per Amazon)
Default security groups (Can’t be deleted)
ElastiCache
For each service I report a count of the number of groups left in the table after the exclusion is complete.
Finally I display the group-id, group-name and description for the groups that are left. These are the “unused” groups that need to be audited and/or deleted. I’ve found that SG’s between instances and Elastic Load Balancers (ELBs) often refer to each other. It’s best practice to do some manual investigation to ensure they are truly not in use prior to removing the cross references and deleting the security groups. But my script at least pares this down to something mor manageable.
NOTES:
1. You will want to create a file to store your MySQL host, username and password and point the $DBCONFIG variable to it. It should be structured like this:
[mysql]
host=your-mysql-server-host.com
user=your-mysql-user
password=your-mysql-user-password
You can change the name of the database if you wish – make sure to change the $DB variable in the script
Let me know if you find this useful or have any comments,fixes or enhancements.
Here is the script.
#!/bin/bash
# Initialize Variables
DBCONFIG="--defaults-file=mysql-defaults.cnf"
DB="aws_security_groups"
SGLOOP=0
EC2LOOP=0
ELBLOOP=0
RDSLOOP=0
DEFAULTLOOP=0
OPSLOOP=0
CACHELOOP=0
DEL_GROUP=""
# Function to report back # of rows
function Rows {
ROWS=`echo "select count(*) from groups" | mysql $DBCONFIG --skip-column-names $DB`
# echo -e "Excluding $1 Security Groups.\nGroups Left to audit: "$ROWS
echo -e $ROWS" groups left after Excluding $1 Security Groups."
}
# Empty the table
echo -e "delete from groups where groupid is not null" | mysql $DBCONFIG $DB
# Get all Security Groups
aws ec2 describe-security-groups --query "SecurityGroups[*].[GroupId,GroupName,Description]" --output text > /tmp/security_group_audit.txt
while IFS=$'\t' read -r -a myArray
do
if [ $SGLOOP -eq 0 ];
then
VALUES="(\""${myArray[0]}"\",\""${myArray[1]}"\",\""${myArray[2]}"\")"
else
VALUES=$VALUES",(\""${myArray[0]}"\",\""${myArray[1]}"\",\""${myArray[2]}"\")"
fi
let SGLOOP="$SGLOOP + 1"
done < /tmp/security_group_audit.txt
echo -e "insert into groups (groupid, groupname, description) values $VALUES" | mysql $DBCONFIG $DB
echo -e $SGLOOP" security groups total."
# Exclude Security Groups assigned to Instances
for groupId in `aws ec2 describe-instances --output json | jq -r ".Reservations[].Instances[].SecurityGroups[].GroupId" | sort | uniq`
do
if [ $EC2LOOP -eq 0 ];
then
DEL_GROUP="'$groupId'"
else
DEL_GROUP=$DEL_GROUP",'$groupId'"
fi
let EC2LOOP="$EC2LOOP + 1"
done
echo -e "delete from groups where groupid in ($DEL_GROUP)" | mysql $DBCONFIG $DB
Rows "EC2 Instance"
DEL_GROUP=""
# Exclude groups assigned to Elastic Load Balancers
for elbGroupId in `aws elb describe-load-balancers --output json | jq -c -r ".LoadBalancerDescriptions[].SecurityGroups" | tr -d "\"[]\"" | sort | uniq`
do
if [ $ELBLOOP -eq 0 ];
then
DEL_GROUP="'$elbGroupId'"
else
DEL_GROUP=$DEL_GROUP",'$elbGroupId'"
fi
let ELBLOOP="$ELBLOOP + 1"
done
echo -e "delete from groups where groupid in ($DEL_GROUP)" | mysql $DBCONFIG $DB
Rows "Elastic Load Balancer"
DEL_GROUP=""
# Exclude groups assigned to RDS
for RdsGroupId in `aws rds describe-db-instances --output json | jq -c -r ".DBInstances[].VpcSecurityGroups[].VpcSecurityGroupId" | sort | uniq`
do
if [ $RDSLOOP -eq 0 ];
then
DEL_GROUP="'$RdsGroupId'"
else
DEL_GROUP=$DEL_GROUP",'$RdsGroupId'"
fi
let RDSLOOP="$RDSLOOP + 1"
done
echo -e "delete from groups where groupid in ($DEL_GROUP)" | mysql $DBCONFIG $DB
Rows "RDS Instances"
DEL_GROUP=""
# Exclude groups assigned to OpsWorks
for OpsGroupId in `echo -e "select groupid from groups where groupname like \"AWS-OpsWorks%\"" | mysql $DBCONFIG $DB`
do
if [ $OPSLOOP -eq 0 ];
then
DEL_GROUP="'$OpsGroupId'"
else
DEL_GROUP=$DEL_GROUP",'$OpsGroupId'"
fi
let OPSLOOP="$OPSLOOP + 1"
done
echo -e "delete from groups where groupid in ($DEL_GROUP)" | mysql $DBCONFIG $DB
Rows "OpsWorks"
DEL_GROUP=""
# Exclude default groups (can't be deleted)
for DefaultGroupId in `echo -e "select groupid from groups where groupname like \"default%\"" | mysql $DBCONFIG $DB`
do
if [ $DEFAULTLOOP -eq 0 ];
then
DEL_GROUP="'$DefaultGroupId'"
else
DEL_GROUP=$DEL_GROUP",'$DefaultGroupId'"
fi
let DEFAULTLOOP="$DEFAULTLOOP + 1"
done
echo -e "delete from groups where groupid in ($DEL_GROUP)" | mysql $DBCONFIG $DB
Rows "Default"
DEL_GROUP=""
# Exclude Elasticache groups
for CacheGroupId in `aws elasticache describe-cache-clusters --output json | jq -r ".CacheClusters[].SecurityGroups[].SecurityGroupId" | sort | uniq`
do
if [ $CACHELOOP -eq 0 ];
then
DEL_GROUP="'$CacheGroupId'"
else
DEL_GROUP=$DEL_GROUP",'$CacheGroupId'"
fi
let CACHELOOP="$CACHELOOP + 1"
done
echo -e "delete from groups where groupid in ($DEL_GROUP)" | mysql $DBCONFIG $DB
Rows "ElastiCache"
# Display Security Groups left to audit / delete
echo "select * from groups order by groupid" | mysql $DBCONFIG $DB | sed 's/groupid\t/groupid\t\t/'
And here is the sql to create the database.
-- MySQL dump 10.13 Distrib 5.5.41, for debian-linux-gnu (x86_64)
--
-- Host: localhost Database: aws_security_groups
-- ------------------------------------------------------
-- Server version 5.5.40-log
/*!40101 SET #OLD_CHARACTER_SET_CLIENT=##CHARACTER_SET_CLIENT */;
/*!40101 SET #OLD_CHARACTER_SET_RESULTS=##CHARACTER_SET_RESULTS */;
/*!40101 SET #OLD_COLLATION_CONNECTION=##COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET #OLD_TIME_ZONE=##TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET #OLD_UNIQUE_CHECKS=##UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET #OLD_FOREIGN_KEY_CHECKS=##FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET #OLD_SQL_MODE=##SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET #OLD_SQL_NOTES=##SQL_NOTES, SQL_NOTES=0 */;
--
-- Table structure for table `groups`
--
DROP TABLE IF EXISTS `groups`;
/*!40101 SET #saved_cs_client = ##character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `groups` (
`groupid` varchar(12) DEFAULT NULL,
`groupname` varchar(200) DEFAULT NULL,
`description` varchar(200) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = #saved_cs_client */;
--
-- Dumping data for table `groups`
--
LOCK TABLES `groups` WRITE;
/*!40000 ALTER TABLE `groups` DISABLE KEYS */;
/*!40000 ALTER TABLE `groups` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=#OLD_TIME_ZONE */;
/*!40101 SET SQL_MODE=#OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=#OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=#OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=#OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=#OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=#OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=#OLD_SQL_NOTES */;
-- Dump completed on 2015-01-27 16:07:44

Among other functions, both ScoutSuite and Prowler report unused EC2 Security Groups. Both are open source.

A boto example printing the Group IDs and Names only of the security groups that have no current instances.
It also shows how to specify which region you are concerned with.
import boto
import boto.ec2
EC2_REGION='ap-southeast-2'
ec2region = boto.ec2.get_region(EC2_REGION)
ec2 = boto.connect_ec2(region=ec2region)
sgs = ec2.get_all_security_groups()
for sg in sgs:
if len(sg.instances()) == 0:
print ("{0}\t{1}".format(sg.id, sg.name))
To confirm which security groups are still being used you should reverse or remove the if len(sg.instances()) == 0 test and print the len(sg.instances()) value out.
E.g.
print ("{0}\t{1}\t{2} instances".format(sg.id, sg.name, len(sg.instances())))

Using the node.js AWS SDK I can confirm that AWS doesn't allow you to delete security groups that are in use. I wrote a script that simply tries to delete all groups and gracefully handles the errors. This works for classic and the modern VPC. The error message can be seen below.
Err { [DependencyViolation: resource sg-12345678 has a dependent object]
message: 'resource sg-12345678 has a dependent object',
code: 'DependencyViolation',
time: Mon Dec 07 2015 12:12:43 GMT-0500 (EST),
statusCode: 400,
retryable: false,
retryDelay: 30 }

To the SGs attached to the network interfaces:
By name:
aws ec2 describe-network-interfaces --output text --query NetworkInterfaces[*].Groups[*].GroupName | tr -d '\r' | tr "\t" "\n" | sort | uniq
By id:
aws ec2 describe-network-interfaces --output text --query NetworkInterfaces[*].Groups[*].GroupId | tr -d '\r' | tr "\t" "\n" | sort | uniq

I was searching for the same info.
How to find all security groups that are not attached to any resource? And I found this:
Using AWS config rule "EC2_SECURITY_GROUP_ATTACHED_TO_ENI," I got a list of checks that non-default security groups are attached to Amazon Elastic Compute Cloud (EC2) instances or elastic network interfaces (ENIs). The rule returns NON_COMPLIANT if the security group is not associated with an EC2 instance or an ENI.

This is a very old question and I'm sure there are more ways to skin this AWS cat, but here's my solution in bash (you'll need jq for this to work):
REGION="eu-west-1"
SGLIST=$(aws ec2 describe-security-groups --query 'SecurityGroups[*].GroupId' | jq -r .[])
echo $SGLIST | xargs -n1 | while read SG; do [ "$(aws ec2 describe-network-interfaces --filters Name=group-id,Values=$SG --region $REGION | jq .NetworkInterfaces)" != '[]' ] || echo $SG; done
Remember to replace REGION with whatever region you're using.
The 1st step is to get a list of security groups.
Then we're checking for each security group if there's a network interface associated with it - this is not limited to EC2 instances, it checks anything that has a network interface (LBs, RDS, etc).
For reference see here.

Unfortunately the chosen answer is not as accurate as I need (I've tried to investigate the why, but I've preferred to implement it).
If I check ALL NetworkInterfaces, looking for attachments to any SecurityGroup, It gets me partial results. If I check only on EC2Instances, it gets me back partial results as well.
So that's my approach to the problem:
I get ALL EC2 SecurityGroups -> all_secgrp
I get ALL EC2 Instances -> all_instances
For each Instance, I get all SecurityGroups attached to it
I remove from all_secgrp each of these SecurityGroup (because attached)
For each SecurityGroup, I check an association with any NetworkInterfaces (using the filter function and filtering using that security-group-id)
IF no association is found, I remove the security-group from all_secgrp
Attached you can see a snippet of code. Don't complain for efficiency, but try to optimize it if you want.
all_secgrp = list(ec2_connector.security_groups.all())
all_instances = ec2_connector.instances.all()
for single_instance in all_instances:
instance_secgrp = ec2_connector.Instance(single_instance.id).security_groups
for single_sec_grp in instance_secgrp:
if ec2.SecurityGroup(id=single_sec_grp['GroupId']) in all_secgrp:
all_secgrp.remove(ec2.SecurityGroup(id=single_sec_grp['GroupId']))
all_secgrp_detached_tmp = all_secgrp[:]
for single_secgrp in all_secgrp_detached_tmp:
try:
print(single_secgrp.id)
if len(list(ec2_connector.network_interfaces.filter(Filters=[{'Name': 'group-id', 'Values': [single_secgrp.id]}]))) > 0:
all_secgrp.remove(single_secgrp)
except Exception:
all_secgrp.remove(single_secgrp)
return all_secgrp_detached

There's a tool in the AWS marketplace that makes this a lot easier. It shows you which groups are attached/detached for easy deletion, but it also compares your VPC Flow Logs against the security group rules and shows you which SG rules are in use or unused. AWS posted an ELK-stack solution to do this, but it was ridiculously complex.
Here's the tool, and a disclaimer that I worked on it. But I hope you all find it pertinent:
https://www.piasoftware.net/single-post/2018/04/24/VIDEO-Watch-as-we-clean-up-EC2-security-groups-in-just-a-few-minutes

This is a difficult problem, if you have security groups that reference other security groups in the rules. If so, you'll have to resolve DependencyErrors, which is not trivial.
If you are only using IP addresses, then this solution will work, after you create a boto3 client:
# pull all security groups from all vpcs in the given profile and region and save as a set
all_sgs = {sg['GroupId'] for sg in client.describe_security_groups()['SecurityGroups']}
# create a new set for all of the security groups that are currently in use
in_use = set()
# cycle through the ENIs and add all found security groups to the in_use set
for eni in client.describe_network_interfaces()['NetworkInterfaces']:
for group in eni['Groups']:
in_use.add(group['GroupId'])
unused_security_groups = all_sgs - in_use
for security_group in unused_security_groups:
try:
response = client.delete_security_group(GroupId=security_group)
except ClientError as e:
if e.response['Error']['Code'] == 'DependencyViolation':
print('EC2/Security Group Dependencies Exist')
else:
print('Unexpected error: {}'.format(e))