Awesome Open Source


This Ansible role gets information from an AWS VPC and generates a graphical representation of its security groups through a dot file rendered by Graphviz.

This role is inspired by which does the same for OpenStack tenants.


Ansible, of course, because it's an Ansible role.

Boto library needs to be installed, as that is required by the EC2 Ansible modules.

To render (i.e. to draw and obtain a graphic file), Graphviz needs to be installed.

Role Variables

| Variable | Content |
|---|---|
| asggrapherAwsRegion | Name of the AWS region where your VPC is deployed (mandatory) |
| asggrapherAwsVPC | Name of your VPC (mandatory) |
| asggrapherShowDefault | Whether to show the default security group, default value: false |
| asggrapherShowInstances | Whether to show instances with their security groups, default value: false |
| asggrapherServerLabel | Label for instances, used when asggrapherShowInstances = true, default value: Servers |
| asggrapherRankdir | Drawing direction of the graph; see the Graphviz rankdir attribute (LR, RL, TB or BT), default value: LR |
| asggrapherDotFileToRender | Path and name of the generated dot file, default value: "./" |
| asggrapherFileToRender | Path and name of the generated image file, default value: "./awsCloudGrapher.png" |

Example Playbook


```yaml
- name: AWS Security group grapher
  hosts: localhost
  connection: local
  gather_facts: false
  roles:
    - role: aws-securitygroup-grapher
      asggrapherAwsRegion: "eu-west-1"
      asggrapherAwsVPC: "TEST-VPC"
```

Run it with:

```shell
ansible-playbook aws-sg-grapher.yml
```

After some time, you'll have an awsCloudGrapher.png file with your security group graph.

Examples of generated images

How to read the graph

Ellipses are security groups.

The red arrows represent egress flows: for example, the UDP stream 53 is authorized as output of SG-VPC-INTERNAL to

The blue arrows represent ingress flows: for example, tcp stream 443 is allowed as input of SG-VPC-LB from any (

The arrow head is always on the security group which contains the rule represented by the arrow.
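As an added example (not the role's own code), the script below builds a dot file from constructed security-group data shaped like the EC2 API, applying the reading conventions above: ellipses for SGs, blue edges for ingress rules, red edges for egress rules, arrow head on the SG that owns the rule, and the rankdir from the role variables. Group names, CIDRs and ports are constructed samples, and drawing CIDR peers as boxes is this example's own assumption.

```python
# Added example, not the role's own code: emit the DOT graph the README
# describes from constructed security-group data shaped like the EC2 API.
# README conventions: ellipses are SGs, blue edges are ingress rules, red
# edges are egress rules, arrow head on the SG that owns the rule.
# Drawing CIDR peers as boxes is this example's own assumption.
SAMPLE_GROUPS = [  # constructed sample data, not from a real account
    {"GroupId": "sg-lb", "GroupName": "SG-VPC-LB",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 8080,
                              "ToPort": 8080, "IpRanges": [],
                              "UserIdGroupPairs": [{"GroupId": "sg-int"}]}]},
    {"GroupId": "sg-int", "GroupName": "SG-VPC-INTERNAL", "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
                              "IpRanges": [{"CidrIp": "10.0.0.2/32"}],
                              "UserIdGroupPairs": []}]},
]

def rule_label(perm):
    """Edge label: 'any' for protocol -1, else 'proto port' or 'proto lo-hi'."""
    if perm["IpProtocol"] == "-1":
        return "any"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f'{perm["IpProtocol"]} {lo}' if lo == hi else f'{perm["IpProtocol"]} {lo}-{hi}'

def rule_peers(perm, names):
    """Yield (peer_node, is_cidr) for every SG reference and CIDR in a rule."""
    for pair in perm.get("UserIdGroupPairs", []):
        yield names.get(pair["GroupId"], pair["GroupId"]), False
    for rng in perm.get("IpRanges", []):
        yield rng["CidrIp"], True

def build_dot(groups, rankdir="LR"):
    """Return DOT source: one ellipse per SG, one edge per rule and peer, head on the owner."""
    names = {g["GroupId"]: g["GroupName"] for g in groups}
    lines = ["digraph sg {", f"  rankdir={rankdir};", "  node [shape=ellipse];"]
    for g in groups:
        lines.append(f'  "{g["GroupName"]}";')
        for direction, colour in (("IpPermissions", "blue"), ("IpPermissionsEgress", "red")):
            for perm in g[direction]:
                for peer, is_cidr in rule_peers(perm, names):
                    if is_cidr:
                        lines.append(f'  "{peer}" [shape=box];')
                    lines.append(f'  "{peer}" -> "{g["GroupName"]}" '
                                 f'[color={colour}, label="{rule_label(perm)}"];')
    lines.append("}")
    return "\n".join(lines)
```

Write the returned text to a .dot file and render it with `dot -Tpng -o awsCloudGrapher.png file.dot` to get the same kind of image the role produces.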

Full example

It shows a tenant with several security groups corresponding to the different functions of the machines present in the project.


Simpler example

It shows in particular an SG that accepts any input from any source and an SG that allows any output to any destination.



With asggrapherShowDefault: true, your graph will show all the SGs, including the default AWS SG:



With asggrapherShowInstances: true, your graph will show all the instances (VMs) inside the SGs they belong to.



With asggrapherRankdir set to LR (left to right), RL (right to left), TB (top to bottom) or BT (bottom to top), you can change the direction in which the graph is drawn.

LR example


TB example


Author Information

Jean-Louis FEREY
