{"id":15657322,"url":"https://github.com/cytopia/aws-ec2-sg-exporter","last_synced_at":"2026-03-08T16:35:11.891Z","repository":{"id":147859132,"uuid":"202884266","full_name":"cytopia/aws-ec2-sg-exporter","owner":"cytopia","description":"A dockerized Prometheus exporter that compares desired/wanted IPv4/IPv6 CIDR against currently applied inbound CIDR rules in your security group(s).","archived":false,"fork":false,"pushed_at":"2020-04-27T16:20:10.000Z","size":322,"stargazers_count":22,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-30T22:05:50.614Z","etag":null,"topics":["aws","metrics","monitoring","prometheus","prometheus-exporter","security-group","security-groups"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cytopia.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-08-17T13:27:46.000Z","updated_at":"2024-08-10T20:55:28.000Z","dependencies_parsed_at":"2023-05-27T17:30:08.195Z","dependency_job_id":null,"html_url":"https://github.com/cytopia/aws-ec2-sg-exporter","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cytopia%2Faws-ec2-sg-exporter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cytopia%2Faws-ec2-sg-exporter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cytopia%2Faws-ec2-sg-exporter/releases","manifests_url":"https:
//repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cytopia%2Faws-ec2-sg-exporter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cytopia","download_url":"https://codeload.github.com/cytopia/aws-ec2-sg-exporter/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252525578,"owners_count":21762327,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","metrics","monitoring","prometheus","prometheus-exporter","security-group","security-groups"],"created_at":"2024-10-03T13:06:19.678Z","updated_at":"2026-03-08T16:35:08.783Z","avatar_url":"https://github.com/cytopia.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS Security Group exporter for Prometheus\n\n**[Motivation](#motivation)** |\n**[How does it work](#how-does-it-work)** |\n**[Requirements](#requirements)** |\n**[Docker settings](#docker-settings)** |\n**[Metrics](#metrics)** |\n**[Examples](#examples)** |\n**[Grafana](#grafana-setup)** |\n**[Errors](#error-handling)**\n\n[![Build Status](https://travis-ci.com/cytopia/aws-ec2-sg-exporter.svg?branch=master)](https://travis-ci.com/cytopia/aws-ec2-sg-exporter)\n[![Tag](https://img.shields.io/github/tag/cytopia/aws-ec2-sg-exporter.svg)](https://github.com/cytopia/aws-ec2-sg-exporter/releases)\n[![](https://images.microbadger.com/badges/version/cytopia/aws-ec2-sg-exporter:latest.svg?\u0026kill_cache=1)](https://microbadger.com/images/cytopia/aws-ec2-sg-exporter:latest 
\"aws-ec2-sg-exporter\")\n[![](https://images.microbadger.com/badges/image/cytopia/aws-ec2-sg-exporter:latest.svg?\u0026kill_cache=1)](https://microbadger.com/images/cytopia/aws-ec2-sg-exporter:latest \"aws-ec2-sg-exporter\")\n[![](https://img.shields.io/docker/pulls/cytopia/aws-ec2-sg-exporter.svg)](https://hub.docker.com/r/cytopia/aws-ec2-sg-exporter)\n[![](https://img.shields.io/badge/github-cytopia%2Faws--ec2--sg--exporter-red.svg)](https://github.com/cytopia/aws-ec2-sg-exporter \"github.com/cytopia/aws-ec2-sg-exporter\")\n[![License](https://img.shields.io/badge/license-MIT-%233DA639.svg)](https://opensource.org/licenses/MIT)\n\n![Grafana](https://raw.githubusercontent.com/cytopia/aws-ec2-sg-exporter/master/doc/grafana-dash-ok.png \"Grafana Graph Example\")\n\n![Grafana](https://raw.githubusercontent.com/cytopia/aws-ec2-sg-exporter/master/doc/grafana-dash-err.png \"Grafana Graph Example\")\n\nA dockerized\u003cstrong\u003e\u003csup\u003e[1]\u003c/sup\u003e\u003c/strong\u003e Prometheus exporter that compares desired/wanted\nIPv4/IPv6 CIDR against currently applied inbound CIDR rules by protocol and port number in your AWS\nsecurity group(s) per region.\n\n\u003e \u003cstrong\u003e\u003csup\u003e[1]\u003c/sup\u003e\u003c/strong\u003e: If you want to use this exporter without Docker, jump here: [Usage without Docker](#usage-without-docker)\n\n[![Docker hub](http://dockeri.co/image/cytopia/aws-ec2-sg-exporter?\u0026kill_cache=1)](https://hub.docker.com/r/cytopia/aws-ec2-sg-exporter)\n\n\n## Motivation\n\nSome IP address ranges such as Cloudfront edge nodes or SaaS hosts might change frequently and\nyou possibly want to ensure that those are always in sync with what you have currently defined in\nyour security group.\nThis exporter does exactly this and can easily be hooked up with Alertmanager to trigger alerts in\ncase you get out of sync.\n\n\n## How does it work\n\n#### Desired/Wanted IP address CIDR\n\nYou have to provide a command, which is parsable by 
bash's `eval` function and evaluates\n**newline-separated** to your desired/wanted IP address CIDR. As a few examples:\n```bash\n# Note that for single IP addresses, AWS requires '/32' to be appended\neval \"dig +short nat.travisci.net | xargs -n1 -I% echo \\\"%/32\\\"\"\neval \"printf \\\"10.13.23.23/32\\n192.168.0.0/24\\n\\\"\"\n```\n\n#### Applied security group CIDR\n\nYou have to provide the following in order to fetch your currently applied sg rules:\n\n* Security group name (The `Name` tag)\u003cstrong\u003e\u003csup\u003e[1]\u003c/sup\u003e\u003c/strong\u003e\n* AWS region where the security group resides\n* Security group rule protocol (e.g.: `tcp`, `udp`, `icmp`, ...)\n* Security group rule from port (e.g.: `80`, `443`, ...)\n\n\u003e \u003cstrong\u003e\u003csup\u003e[1]\u003c/sup\u003e\u003c/strong\u003e: The `*` wildcard is supported for the name, but you have to ensure it matches exactly one security group\n\n#### Output\n\nThe exporter will then output Prometheus-readable information as such:\n```bash\n# HELP aws_ec2_sg_compare Determines If CIDR is applied to security group.\n# TYPE aws_ec2_sg_compare counter\naws_ec2_sg_compare{name=\"sg-name\",region=\"us-east-1\",proto=\"tcp\",from_port=\"80\",ip=\"v4\",cidr=\"10.4.1.1/32\",sg_id=\"sg-xxxxx\",errno=\"0\",error=\"\"} 1\naws_ec2_sg_compare{name=\"sg-name\",region=\"us-east-1\",proto=\"tcp\",from_port=\"80\",ip=\"v4\",cidr=\"10.4.1.5/32\",sg_id=\"sg-xxxxx\",errno=\"0\",error=\"\"} 0\n```\n\n* A value of `1` means the desired/wanted IP CIDR is applied to the security group\n* A value of `0` means the desired/wanted IP CIDR is not applied to the security group\n\nSee [Metrics](#metrics) for an in-depth description.\n\n\n## Requirements\n\nYou will need an AWS access key and secret with the following permission:\n```yaml\nec2:DescribeSecurityGroups\n```\n\n\n## Docker settings\n\n### Tagging\n\nEnsure you **use Docker image tags** (which are the same as git tags from this repository) to prevent\nany backwards 
incompatible changes. The `latest` tag should only be used for testing purposes.\n\nAdditionally, do not blindly update Docker image tags before having tested them. Security group rule\nchecks are an important matter and you want to ensure your alerting is reliable.\n\n\n### Environment variables\n\nYou can specify up to 4 security group checks: `SG1_*`, `SG2_*`, `SG3_*` and `SG4_*`.\n\n| Variable                | Description |\n|-------------------------|-------------|\n| `AWS_ACCESS_KEY_ID`     | The AWS access key (required to connect to AWS to check the sg rules) |\n| `AWS_SECRET_ACCESS_KEY` | The AWS secret key (required to connect to AWS to check the sg rules) |\n| `AWS_SESSION_TOKEN`     | (Optional) The AWS session token |\n| | |\n| `UPDATE_TIME`           | Time interval in sec for how often to update metrics (default: `60`) |\n| | |\n| `SG1_NAME`              | Name of the security group on AWS |\n| `SG1_REGION`            | Region the security group resides in |\n| `SG1_PROTO`             | Security group rule protocol: `tcp`, `udp`, `icmp` or a protocol number |\n| `SG1_FROM_PORT`         | Security group rule from port |\n| `SG1_IP4_CMD`           | The command that evaluates to newline-separated IPv4 IP address CIDR \u003cstrong\u003e\u003csup\u003e[1]\u003c/sup\u003e\u003c/strong\u003e |\n| `SG1_IP6_CMD`           | The command that evaluates to newline-separated IPv6 IP address CIDR \u003cstrong\u003e\u003csup\u003e[1]\u003c/sup\u003e\u003c/strong\u003e |\n| | |\n| `SG2_NAME`              | Name of the security group on AWS |\n| `SG2_REGION`            | Region the security group resides in |\n| `SG2_PROTO`             | Security group rule protocol: `tcp`, `udp`, `icmp` or a protocol number |\n| `SG2_FROM_PORT`         | Security group rule from port |\n| `SG2_IP4_CMD`           | The command that evaluates to newline-separated IPv4 IP address CIDR \u003cstrong\u003e\u003csup\u003e[1]\u003c/sup\u003e\u003c/strong\u003e |\n| `SG2_IP6_CMD`           | 
The command that evaluates to newline-separated IPv6 IP address CIDR \u003cstrong\u003e\u003csup\u003e[1]\u003c/sup\u003e\u003c/strong\u003e |\n| | |\n| `SG3_NAME`              | Name of the security group on AWS |\n| `SG3_REGION`            | Region the security group resides in |\n| `SG3_PROTO`             | Security group rule protocol: `tcp`, `udp`, `icmp` or a protocol number |\n| `SG3_FROM_PORT`         | Security group rule from port |\n| `SG3_IP4_CMD`           | The command that evaluates to newline-separated IPv4 IP address CIDR \u003cstrong\u003e\u003csup\u003e[1]\u003c/sup\u003e\u003c/strong\u003e |\n| `SG3_IP6_CMD`           | The command that evaluates to newline-separated IPv6 IP address CIDR \u003cstrong\u003e\u003csup\u003e[1]\u003c/sup\u003e\u003c/strong\u003e |\n| | |\n| `SG4_NAME`              | Name of the security group on AWS |\n| `SG4_REGION`            | Region the security group resides in |\n| `SG4_PROTO`             | Security group rule protocol: `tcp`, `udp`, `icmp` or a protocol number |\n| `SG4_FROM_PORT`         | Security group rule from port |\n| `SG4_IP4_CMD`           | The command that evaluates to newline-separated IPv4 IP address CIDR \u003cstrong\u003e\u003csup\u003e[1]\u003c/sup\u003e\u003c/strong\u003e |\n| `SG4_IP6_CMD`           | The command that evaluates to newline-separated IPv6 IP address CIDR \u003cstrong\u003e\u003csup\u003e[1]\u003c/sup\u003e\u003c/strong\u003e |\n\n\u003e \u003cstrong\u003e\u003csup\u003e[1]\u003c/sup\u003e\u003c/strong\u003e: `SG*_IP4_CMD` and `SG*_IP6_CMD` are mutually exclusive. 
Also note that evaluated\nIP address CIDR are only checked against security group rules that match the protocol (`SG*_PROTO`)\nand also match the from port (`SG*_FROM_PORT`).\n\n\n### Mount points\n\nNone - it's fully stateless\n\n\n### Exposed ports\n\n| External  | Internal | Description |\n|-----------|----------|-------------|\n| Up to you | `8080`   | Where the `aws-ec2-sg-exporter` provides metrics via HTTP |\n\n\n## Metrics\n\nThis exporter outputs metrics in the following format:\n```bash\n# HELP aws_ec2_sg_compare Determines If CIDR is applied to security group.\n# TYPE aws_ec2_sg_compare counter\naws_ec2_sg_compare{name=\"sg-name\",region=\"us-east-1\",proto=\"tcp\",from_port=\"443\",ip=\"v4\",cidr=\"10.4.1.1/32\",sg_id=\"sg-xxxxx\",errno=\"0\",error=\"\"} 1\n```\nThe following table describes each of the key/value pairs:\n\n| Key         | Value |\n|-------------|-------|\n| `name`      | The security group name as specified by `SG*_NAME` |\n| `region`    | The security group region as specified by `SG*_REGION` |\n| `proto`     | The security group rule protocol as specified by `SG*_PROTO` |\n| `from_port` | The security group rule from port as specified by `SG*_FROM_PORT` |\n| `ip`        | IP version of desired/wanted CIDR to be available in your security group by `proto` and `from_port` |\n| `cidr`      | The desired/wanted IP CIDR to be available in your security group by `proto` and `from_port` |\n| `sg_id`     | The security group ID found by `name` and `region`. If this is empty then either zero or multiple security groups were found. 
|\n| `errno`     | 0: One security group was found (OK)\u003cbr/\u003e1: No security group was found (ERR)\u003cbr/\u003e2: Multiple security groups were found (ERR) |\n| `error`     | The corresponding error message for `errno` |\n\n* A value of `1` means the desired/wanted IP CIDR is applied to the security group\n* A value of `0` means the desired/wanted IP CIDR is not applied to the security group\n\n\n## Examples\n\n### Scenario 1 - Travis\nCheck if your security group named `my-sg` (in us-east-1) allows all inbound IPv4 addresses from Travis-CI via `tcp` on `https`.\n\n#### Desired/wanted IP CIDR\nEnsure you have a working command which can be interpreted by `eval` and that outputs CIDR (with `/[0-9]+` appended) of your desired ranges:\n```bash\n$ eval \"dig +short nat.travisci.net | xargs -n1 -I% echo \\\"%/32\\\"\"\n```\n```bash\n35.184.226.236/32\n35.188.1.99/32\n35.188.73.34/32\n35.192.85.2/32\n35.192.136.167/32\n...\n```\n\n#### Run `aws-ec2-sg-exporter`\n```bash\ndocker run -it --rm \\\n\t-p 9000:8080 \\\n\t\\\n\t-e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \\\n\t-e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \\\n\t\\\n\t-e SG1_NAME=\"my-sg\" \\\n\t-e SG1_REGION=\"us-east-1\" \\\n\t-e SG1_PROTO=\"tcp\" \\\n\t-e SG1_FROM_PORT=\"443\" \\\n\t-e SG1_IP4_CMD=\"dig +short nat.travisci.net | xargs -n1 -I% echo \\\"%/32\\\"\" \\\n\tcytopia/aws-ec2-sg-exporter\n```\n\n#### Check output\nCheck the output via curl:\n```bash\n$ curl localhost:9000\n```\n```bash\n# HELP aws_ec2_sg_compare Determines If CIDR is applied to security group.\n# TYPE aws_ec2_sg_compare counter\naws_ec2_sg_compare{name=\"my-sg\",region=\"us-east-1\",proto=\"tcp\",from_port=\"443\",ip=\"v4\",cidr=\"35.184.226.236/32\",sg_id=\"sg-xxxxx\",errno=\"0\",error=\"\"} 1\naws_ec2_sg_compare{name=\"my-sg\",region=\"us-east-1\",proto=\"tcp\",from_port=\"443\",ip=\"v4\",cidr=\"35.188.1.99/32\",sg_id=\"sg-xxxxx\",errno=\"0\",error=\"\"} 
1\naws_ec2_sg_compare{name=\"my-sg\",region=\"us-east-1\",proto=\"tcp\",from_port=\"443\",ip=\"v4\",cidr=\"35.188.73.34/32\",sg_id=\"sg-xxxxx\",errno=\"0\",error=\"\"} 1\naws_ec2_sg_compare{name=\"my-sg\",region=\"us-east-1\",proto=\"tcp\",from_port=\"443\",ip=\"v4\",cidr=\"35.192.85.2/32\",sg_id=\"sg-xxxxx\",errno=\"0\",error=\"\"} 1\naws_ec2_sg_compare{name=\"my-sg\",region=\"us-east-1\",proto=\"tcp\",from_port=\"443\",ip=\"v4\",cidr=\"35.192.136.167/32\",sg_id=\"sg-xxxxx\",errno=\"0\",error=\"\"} 0\n...\n```\n\nAs you can see, the last line returns a `0`, which means this IP CIDR is missing from your security group.\n\n\n### Scenario 2 - Cloudfront\n\n* Check if your security group named `my-sg4` (in us-east-1) allows all inbound IPv4 addresses from Cloudfront edge-nodes via `tcp` on `https`.\n* Check if your security group named `my-sg6` (in us-east-1) allows all inbound IPv6 addresses from Cloudfront edge-nodes via `tcp` on `https`.\n\n#### Desired/wanted IP CIDR\nEnsure you have a working command which can be interpreted by `eval` and that outputs CIDR (with `/[0-9]+` appended) of your desired ranges:\n```bash\n$ eval \"curl -sS https://ip-ranges.amazonaws.com/ip-ranges.json \\\n\t| jq -r '.prefixes \\\n\t\t| sort_by(.ip_prefix)[] \\\n\t\t| select( .service | contains(\\\"CLOUDFRONT\\\")) \\\n\t\t| select ( .region | test(\\\"^(GLOBAL|us-|eu-)\\\")) \\\n\t\t| .ip_prefix'\"\n```\n```bash\n13.224.0.0/14\n13.249.0.0/16\n13.32.0.0/15\n13.35.0.0/16\n13.52.204.0/23\n...\n```\n```bash\n$ eval \"curl -sS https://ip-ranges.amazonaws.com/ip-ranges.json \\\n\t| jq -r '.ipv6_prefixes \\\n\t\t| sort_by(.ipv6_prefix)[] \\\n\t\t| select( .service | contains(\\\"CLOUDFRONT\\\")) \\\n\t\t| select ( .region | test(\\\"^(GLOBAL|us-|eu-)\\\")) \\\n\t\t| .ipv6_prefix'\"\n```\n```bash\n2600:9000:3000::/36\n2600:9000:4000::/36\n2600:9000:eee::/48\n2600:9000:f000::/36\n2600:9000:fff::/48\n...\n```\n\n#### Run `aws-ec2-sg-exporter`\n```bash\ndocker run -it --rm \\\n\t-p 9000:8080 
\\\n\t\\\n\t-e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \\\n\t-e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \\\n\t\\\n\t-e SG1_NAME=\"my-sg4\" \\\n\t-e SG1_REGION=\"us-east-1\" \\\n\t-e SG1_PROTO=\"tcp\" \\\n\t-e SG1_FROM_PORT=\"443\" \\\n\t-e SG1_IP4_CMD=\"curl -sS https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes | sort_by(.ip_prefix)[] | select( .service | contains(\\\"CLOUDFRONT\\\")) | select ( .region | test(\\\"^(GLOBAL|us-|eu-)\\\")) | .ip_prefix'\" \\\n\t\\\n\t-e SG2_NAME=\"my-sg6\" \\\n\t-e SG2_REGION=\"us-east-1\" \\\n\t-e SG2_PROTO=\"tcp\" \\\n\t-e SG2_FROM_PORT=\"443\" \\\n\t-e SG2_IP6_CMD=\"curl -sS https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.ipv6_prefixes | sort_by(.ipv6_prefix)[] | select( .service | contains(\\\"CLOUDFRONT\\\")) | select ( .region | test(\\\"^(GLOBAL|us-|eu-)\\\")) | .ipv6_prefix'\" \\\n\tcytopia/aws-ec2-sg-exporter\n```\n\n#### Check output\nCheck the output via curl:\n```bash\n$ curl localhost:9000\n```\n```bash\n# HELP aws_ec2_sg_compare Determines If CIDR is applied to security group.\n# TYPE aws_ec2_sg_compare counter\naws_ec2_sg_compare{name=\"my-sg4\",region=\"us-east-1\",proto=\"tcp\",from_port=\"443\",ip=\"v4\",cidr=\"13.224.0.0/14\",sg_id=\"sg-xxxxx\",errno=\"0\",error=\"\"} 1\naws_ec2_sg_compare{name=\"my-sg4\",region=\"us-east-1\",proto=\"tcp\",from_port=\"443\",ip=\"v4\",cidr=\"13.249.0.0/16\",sg_id=\"sg-xxxxx\",errno=\"0\",error=\"\"} 0\naws_ec2_sg_compare{name=\"my-sg4\",region=\"us-east-1\",proto=\"tcp\",from_port=\"443\",ip=\"v4\",cidr=\"13.32.0.0/15\",sg_id=\"sg-xxxxx\",errno=\"0\",error=\"\"} 1\naws_ec2_sg_compare{name=\"my-sg4\",region=\"us-east-1\",proto=\"tcp\",from_port=\"443\",ip=\"v4\",cidr=\"13.35.0.0/16\",sg_id=\"sg-xxxxx\",errno=\"0\",error=\"\"} 1\naws_ec2_sg_compare{name=\"my-sg4\",region=\"us-east-1\",proto=\"tcp\",from_port=\"443\",ip=\"v4\",cidr=\"13.52.204.0/23\",sg_id=\"sg-xxxxx\",errno=\"0\",error=\"\"} 
1\n...\naws_ec2_sg_compare{name=\"my-sg6\",region=\"us-east-1\",proto=\"tcp\",from_port=\"443\",ip=\"v6\",cidr=\"2600:9000:3000::/36\",sg_id=\"sg-yyyyy\",errno=\"0\",error=\"\"} 1\naws_ec2_sg_compare{name=\"my-sg6\",region=\"us-east-1\",proto=\"tcp\",from_port=\"443\",ip=\"v6\",cidr=\"2600:9000:4000::/36\",sg_id=\"sg-yyyyy\",errno=\"0\",error=\"\"} 1\naws_ec2_sg_compare{name=\"my-sg6\",region=\"us-east-1\",proto=\"tcp\",from_port=\"443\",ip=\"v6\",cidr=\"2600:9000:eee::/48\",sg_id=\"sg-yyyyy\",errno=\"0\",error=\"\"} 1\naws_ec2_sg_compare{name=\"my-sg6\",region=\"us-east-1\",proto=\"tcp\",from_port=\"443\",ip=\"v6\",cidr=\"2600:9000:f000::/36\",sg_id=\"sg-yyyyy\",errno=\"0\",error=\"\"} 1\naws_ec2_sg_compare{name=\"my-sg6\",region=\"us-east-1\",proto=\"tcp\",from_port=\"443\",ip=\"v6\",cidr=\"2600:9000:fff::/48\",sg_id=\"sg-yyyyy\",errno=\"0\",error=\"\"} 0\n...\n```\n\nAs you can see, the second IPv4 line returns a `0` and the last IPv6 line returns a `0`, which means these IP CIDR are missing from your security groups.\n\n\n## Grafana setup\n\n### Graphs\n\n* Align the `Min time interval` with what you have set `UPDATE_TIME` to.\n* Add your metrics by the name of the security group you specified\n* Set the legend to `{{ cidr }}` to have only the CIDR displayed\n\n![Grafana](https://raw.githubusercontent.com/cytopia/aws-ec2-sg-exporter/master/doc/grafana-graph-setup.png \"Grafana Graph Setup Example\")\n\nOnce this is done, your graph will look similar to this one:\n\n![Grafana](https://raw.githubusercontent.com/cytopia/aws-ec2-sg-exporter/master/doc/grafana-graph.png \"Grafana Graph Example\")\n\n### Single Stat\n\n* Align the `Min time interval` with what you have set `UPDATE_TIME` to.\n* Add your metrics by the name of the security group you specified\n* `sum()` gives you the total sum of values (`0` and `1`) and `count()` will give you the total number of available IP 
addresses\n\n![Grafana](https://raw.githubusercontent.com/cytopia/aws-ec2-sg-exporter/master/doc/grafana-single-stat-setup.png \"Grafana Single Stat Setup Example\")\n\nOnce this is done, your single stat will look similar to this one:\n\n![Grafana](https://raw.githubusercontent.com/cytopia/aws-ec2-sg-exporter/master/doc/grafana-single-stat.png \"Grafana Single Stat Example\")\n\n\n## Usage without Docker\n\nDocker is not necessarily required and you can simply use the exporter bash script: [aws-ec2-sg-exporter](data/src/aws-ec2-sg-exporter).\n\nBy doing so, you need to ensure you have all requirements installed on your system (the `aws` and `jq` binaries as well as `bash` itself).\n\nAdditionally, you will have to make sure the script's `stdout` is somehow served by a web server.\nThe recommended method is to have some mechanism which writes the script's output atomically to a static HTML file, which a web server then simply serves.\n\n[aws-ec2-sg-exporter](data/src/aws-ec2-sg-exporter) will read all configuration from the shell's environment, so in order to use this script you need to export\nall values to your env. See [Environment variables](#environment-variables) for possible values.\n\n\n## Error handling\n\nThe exporter writes all errors to `stderr` regardless of using Docker or the standalone [aws-ec2-sg-exporter](data/src/aws-ec2-sg-exporter) script.\n\n### Expected errors\n\n**`An error occurred (RequestExpired) when calling the DescribeSecurityGroups operation: Request has expired.`**\n\nIn case you are using IAM roles, your session has simply expired and needs to be renewed. It\nis recommended to use IAM users without sessions instead.\n\n\n**`[ERR] 2019-08-18 10:55:11 (aws-ec2-sg-exporter): No sg found by name: sg-name22 in region: us-east-1`**\n\nA security group could not be found by name and region. 
The exporter will continue to run and output\nPrometheus metrics, but will mark all desired/wanted IP CIDR as not found in your security group.\n\n\n**`[ERR] 2019-08-18 10:56:17 (aws-ec2-sg-exporter): Multiple sg found by name: sg-name-* in region: us-east-1: sg-xxxxx,sg-yyyyy`**\n\nMultiple security groups have been found by the specified name and region. The exporter will continue to run and output\nPrometheus metrics, but will mark all desired/wanted IP CIDR as not found in your security group.\n\n\n### Unexpected errors\n\n**`write error: Broken pipe`**\n\nThis is a very rare condition and is most likely caused by using broken shell pipes (`|`)\nin your commands specified via `SG*_IP4_CMD` or `SG*_IP6_CMD`.\n\nIn case you are using something like this:\n```bash\ncurl http://some-page.tld | grep -E '^[.0-9]+/[0-9]+$';\n```\nConsider adding a buffer in between:\n```bash\ncurl http://some-page.tld | dd obs=1M 2\u003e/dev/null | grep -E '^[.0-9]+/[0-9]+$';\n```\n\nSee here: https://superuser.com/a/642932/705357\n\n\n## License\n\n**[MIT License](LICENSE)**\n\nCopyright (c) 2019 [cytopia](https://github.com/cytopia)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcytopia%2Faws-ec2-sg-exporter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcytopia%2Faws-ec2-sg-exporter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcytopia%2Faws-ec2-sg-exporter/lists"}