Elastic Compute Service: DescribeSecurityGroupAttribute

Last Updated: Jun 29, 2026

Queries the details of a specified security group, including the list of security group rules.

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

| Action | Access level | Resource type | Condition key | Dependent action |
| --- | --- | --- | --- | --- |
| ecs:DescribeSecurityGroupAttribute | get | *SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} | ecs:tag | None |

Request parameters

| Parameter | Type | Required | Description | Example |
| --- | --- | --- | --- | --- |
| SecurityGroupId | string | Yes | The security group ID. | sg-bp1gxw6bznjjvhu3**** |
| RegionId | string | Yes | The region ID of the security group. You can call DescribeRegions to query the most recent region list. | cn-hangzhou |
| NicType | string | No | The network type of the security group rule. For security groups in a VPC, the only valid value is intranet (default), which indicates internal network. Note: If you set this parameter to internet or leave it empty, the value is automatically set to intranet. Valid values for security groups in the classic network: internet (default): Internet; intranet: internal network. Note: The classic network feature has been taken offline. For details, see Retirement announcement. | intranet |
| Direction | string | No | The direction of the security group rule. Valid values: egress: outbound; ingress: inbound; all: both inbound and outbound. Default value: all. | all |
| NextToken | string | No | The pagination token. Set this parameter to the NextToken value returned in the previous call. You do not need to set this parameter for the first request. | AAAAAdDWBF2**** |
| MaxResults | integer | No | The maximum number of entries per page for a paged query. Minimum value: 10. Maximum value: 1000. Default value: 500. | 500 |
| Attribute | string | No | The security group attribute. Valid values: snapshotPolicyIds: queries the snapshot policies associated with the security group. | snapshotPolicyIds |

Response elements

| Element | Type | Description | Example |
| --- | --- | --- | --- |
| | object | | |
| VpcId | string | The VPC ID. If a VPC ID is returned, the network type of the security group is VPC. Otherwise, the security group belongs to the classic network. Note: The classic network feature has been taken offline. For details, see Retirement announcement. | vpc-bp1opxu1zkhn00gzv**** |
| RequestId | string | The request ID. | 473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E |
| InnerAccessPolicy | string | The internal network connectivity policy of the security group. Valid values: Accept: service interconnection; Drop: internal isolation. | Accept |
| Description | string | The description of the security group. | This is description. |
| SecurityGroupId | string | The security group ID. | sg-bp1gxw6bznjjvhu3**** |
| SecurityGroupName | string | The name of the security group. | SecurityGroupName Sample |
| RegionId | string | The region ID. | cn-hangzhou |
| Permissions | object | | |
| Permission | array<object> | The collection of security group rules. | |
| | object | | |
| SecurityGroupRuleId | string | The ID of the security group rule. | sgr-bp12kewq32dfwrdi**** |
| Direction | string | The direction in which the security group rule is applied. | ingress |
| SourceGroupId | string | The source security group for inbound access control. | sg-bp12kc4rqohaf2js**** |
| DestGroupOwnerAccount | string | The ID of the Alibaba Cloud account to which the destination security group belongs. | 1234567890 |
| DestPrefixListId | string | The ID of the destination prefix list for outbound access control. | pl-x1j1k5ykzqlixabc**** |
| DestPrefixListName | string | The name of the destination prefix list. | DestPrefixListName Sample |
| SourceCidrIp | string | The source CIDR block for inbound access control. | 0.0.0.0/0 |
| Ipv6DestCidrIp | string | The destination IPv6 CIDR block. | 2001:db8:1233:1a00::*** |
| CreateTime | string | The time when the security group rule was created. The time is displayed in UTC. | 2018-12-12T07:28:38Z |
| Ipv6SourceCidrIp | string | The source IPv6 CIDR block. | 2001:db8:1234:1a00::*** |
| DestGroupId | string | The ID of the destination security group for outbound access control. | sg-bp1czdx84jd88i7v**** |
| DestCidrIp | string | The destination CIDR block for outbound access control. | 0.0.0.0/0 |
| IpProtocol | string | The transport layer protocol. | TCP |
| Priority | string | The priority of the rule. | 1 |
| DestGroupName | string | The name of the destination security group. | testDestGroupName |
| NicType | string | The network type. | intranet |
| Policy | string | The access control policy. | Accept |
| Description | string | The description of the security group. | Description Sample 01 |
| PortRange | string | The port range. | 80/80 |
| SourcePrefixListName | string | The name of the source prefix list. | SourcePrefixListName Sample |
| SourcePrefixListId | string | The ID of the source prefix list for inbound access control. | pl-x1j1k5ykzqlixdcy**** |
| SourceGroupOwnerAccount | string | The ID of the Alibaba Cloud account to which the source security group belongs. | 1234567890 |
| SourceGroupName | string | The name of the source security group. | testSourceGroupName1 |
| SourcePortRange | string | The source port range. | 80/80 |
| PortRangeListId | string | The ID of the port list. | prl-2ze9743**** |
| PortRangeListName | string | The name of the port list. | PortRangeListNameSample |
| NextToken | string | The paging token returned in this call. When you use MaxResults and NextToken for paging query, if this value is empty, no more data is available. | AAAAAdDWBF2**** |
| SnapshotPolicyIds | object | | |
| SnapshotPolicyId | array | The list of snapshot policy IDs associated with the security group. | |
| | string | The snapshot policy ID associated with the security group. | sgsp-mj74**** |

Examples

Success response

JSON format

{
  "VpcId": "vpc-bp1opxu1zkhn00gzv****",
  "RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E",
  "InnerAccessPolicy": "Accept",
  "Description": "This is description.",
  "SecurityGroupId": "sg-bp1gxw6bznjjvhu3****",
  "SecurityGroupName": "SecurityGroupName Sample",
  "RegionId": "cn-hangzhou",
  "Permissions": {
    "Permission": [
      {
        "SecurityGroupRuleId": "sgr-bp12kewq32dfwrdi****",
        "Direction": "ingress",
        "SourceGroupId": "sg-bp12kc4rqohaf2js****",
        "DestGroupOwnerAccount": "1234567890",
        "DestPrefixListId": "pl-x1j1k5ykzqlixabc****",
        "DestPrefixListName": "DestPrefixListName Sample",
        "SourceCidrIp": "0.0.0.0/0",
        "Ipv6DestCidrIp": "2001:db8:1233:1a00::***",
        "CreateTime": "2018-12-12T07:28:38Z",
        "Ipv6SourceCidrIp": "2001:db8:1234:1a00::***",
        "DestGroupId": "sg-bp1czdx84jd88i7v****",
        "DestCidrIp": "0.0.0.0/0",
        "IpProtocol": "TCP",
        "Priority": "1",
        "DestGroupName": "testDestGroupName",
        "NicType": "intranet",
        "Policy": "Accept",
        "Description": "Description Sample 01",
        "PortRange": "80/80",
        "SourcePrefixListName": "SourcePrefixListName Sample",
        "SourcePrefixListId": "pl-x1j1k5ykzqlixdcy****",
        "SourceGroupOwnerAccount": "1234567890",
        "SourceGroupName": "testSourceGroupName1",
        "SourcePortRange": "80/80",
        "PortRangeListId": "prl-2ze9743****",
        "PortRangeListName": "PortRangeListNameSample"
      }
    ]
  },
  "NextToken": "AAAAAdDWBF2****",
  "SnapshotPolicyIds": {
    "SnapshotPolicyId": [
      "sgsp-mj74****"
    ]
  }
}
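
The following is an added example, not part of the original reference or of any Alibaba Cloud SDK: it follows NextToken until the token comes back empty and then lists the Accept ingress rules whose source covers every address. `fetch_page`, `fake_fetch`, `rule`, `PAGES` and the `sgr-example-*` IDs are hypothetical or constructed; `fetch_page` stands in for whatever signed client you use to call DescribeSecurityGroupAttribute.

```python
import ipaddress

def iter_rules(fetch_page, security_group_id, region_id, max_results=500):
    """Yield every rule, following NextToken until it comes back empty.
    fetch_page is a hypothetical callable (params dict -> response dict)."""
    params = {"SecurityGroupId": security_group_id, "RegionId": region_id,
              "Direction": "all", "MaxResults": max_results}
    while True:
        resp = fetch_page(dict(params))
        yield from resp.get("Permissions", {}).get("Permission", [])
        token = resp.get("NextToken")
        if not token:  # empty token: no more data is available
            return
        params["NextToken"] = token

def is_any_address(cidr):
    """True when the CIDR covers a whole address family (0.0.0.0/0 or ::/0)."""
    try:
        return bool(cidr) and ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # masked or malformed value, cannot be classified

def open_ingress(rules):
    """List (rule id, protocol, ports, cidr) for Accept ingress rules open to any source."""
    findings = []
    for r in rules:
        if r.get("Direction") != "ingress" or r.get("Policy", "").lower() != "accept":
            continue
        for key in ("SourceCidrIp", "Ipv6SourceCidrIp"):
            if is_any_address(r.get(key, "")):
                findings.append((r.get("SecurityGroupRuleId"), r.get("IpProtocol"),
                                 r.get("PortRange"), r[key]))
    return findings

def rule(rid, direction, policy, ports, **cidr):
    """Build one constructed Permission entry (sample data helper)."""
    return {"SecurityGroupRuleId": rid, "Direction": direction, "Policy": policy,
            "IpProtocol": "TCP", "PortRange": ports, **cidr}

# Constructed two-page response, keyed by the NextToken the request carries.
PAGES = {
    None: {"NextToken": "page-2", "Permissions": {"Permission": [
        rule("sgr-example-0001", "ingress", "Accept", "22/22", SourceCidrIp="0.0.0.0/0"),
        rule("sgr-example-0002", "egress", "Accept", "80/80", DestCidrIp="0.0.0.0/0")]}},
    "page-2": {"NextToken": "", "Permissions": {"Permission": [
        rule("sgr-example-0003", "ingress", "Accept", "80/80", SourceCidrIp="10.0.0.0/8"),
        rule("sgr-example-0004", "ingress", "Accept", "443/443", Ipv6SourceCidrIp="::/0")]}},
}

def fake_fetch(params):
    return PAGES[params.get("NextToken")]
```

Rules that reference a source security group or prefix list instead of a CIDR block are not evaluated by this check.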

Error codes

| HTTP status code | Error code | Error message | Description |
| --- | --- | --- | --- |
| 400 | InvalidNicType.ValueNotSupported | The specified NicType does not exist. | The specified NicType parameter does not exist. |
| 400 | InvalidParamter | Invalid Parameter. | The specified parameter is invalid. |
| 400 | InvalidSecurityGroupId.Malformed | The specified parameter "SecurityGroupId" is not valid. | The specified parameter SecurityGroupId is illegal. |
| 400 | MissingParameter.RegionId | The parameter RegionId is missing. | |
| 400 | InvalidParameter.AttributeNotSupported | The specified value for parameter Attribute is not supported. Valid values: snapshotPolicyIds. | The specified value for the parameter Attribute is not supported. Valid values are: snapshotPolicyIds. |
| 500 | InternalError | The request processing has failed due to some unknown error. | |
| 500 | ServiceUnavailable | The service is unavailable, please try again later. | |
| 404 | InvalidRegionId.NotFound | The specified RegionId does not exist. | The specified region ID does not exist. |
| 404 | InvalidSecurityGroupId.NotFound | The specified SecurityGroupId does not exist. | The specified security group does not exist in this account. Check whether the security group ID is correct. |

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.