All Products
Search
Document Center

Elastic Compute Service:DescribeSecurityGroups

Last Updated:Jun 29, 2026

Queries the basic information about security groups. You can filter results by region, security group ID, security group type, and other parameters through parameter query.

Operation description

  • Paging query: Use MaxResults and NextToken for paging query.
    • If NextToken is not returned, the current page is the last page.

    • For the first page, set only MaxResults to limit the number of entries to return. The NextToken value in the response is used to query subsequent pages.

    • For subsequent pages, set NextToken to the NextToken value returned in the previous response and set MaxResults to limit the number of entries to return.

  • When you invoke an API operation by using Cloud Assistant CLI, specify request parameters in the required format. For more information, see Parameter format of CLI commands.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

ecs:DescribeSecurityGroups

get

SecurityGroup

acs:ecs:{#regionId}:{#accountId}:securitygroup/*

SecurityGroup

acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}

  • ecs:tag
  • ecs:tag
  • ecs:tag
  • ecs:tag
None

Request parameters

Parameter

Type

Required

Description

Example

RegionId

string

Yes

The region ID. You can call DescribeRegions to query the most recent region list.

cn-hangzhou

SecurityGroupIds

string

No

The IDs of security groups. You can specify up to 100 security group IDs. Separate multiple IDs with commas (,) in a JSON array format.

["sg-bp67acfmxazb4p****", "sg-bp67acfmxazb4p****", "sg-bp67acfmxazb4p****",....]

VpcId

string

No

The ID of the virtual private cloud (VPC) to which the security group belongs.

vpc-bp67acfmxazb4p****

SecurityGroupType

string

No

The type of the security group. Valid values:

  • normal: basic security group.

  • enterprise: advanced security group.

Note

If you do not specify this parameter, security groups of all types are queried.

normal

NextToken

string

No

The pagination token. Set this parameter to the NextToken value returned in the previous request. You do not need to set this parameter for the first request.

e71d8a535bd9cc11

MaxResults

integer

No

The maximum number of entries per page for paging query. If you set this parameter, the MaxResults and NextToken paging method is used.

Maximum value: 100.

Default value: 10.

10

NetworkType

string

No

The network type of the security group. Valid values:

  • vpc: VPC.

  • classic: classic network. The classic network is deprecated. For more information, see Deprecation notice.

vpc

SecurityGroupName

string

No

The name of the security group.

SGTestName

IsQueryEcsCount

boolean

No

Specifies whether to query the capacity information of the security group. If you set this parameter to True, the EcsCount and AvailableInstanceAmount values in the response are valid.

Note

This parameter is deprecated.

null

ResourceGroupId

string

No

The ID of the resource group to which the security group belongs. When you use this parameter to filter resources, the resource count cannot exceed 1,000. You can invoke ListResourceGroups to query resource groups.

Note

Filtering by the default resource group is not supported.

rg-bp67acfmxazb4p****

Tag

array<object>

No

The tags.

object

No

The tags.

key

string

No

The tag key of the security group.

Note

For better compatibility, use the Tag.N.Key parameter.

testkey

Key

string

No

The tag key of the security group. Valid values of N: 1 to 20.

If you use a single tag to filter resources, the resource count with the specified tag cannot exceed 1,000. If you use multiple tags to filter resources, the resource count that have all specified tags attached cannot exceed 1,000. If the resource count exceeds 1,000, call ListTagResources to query resources.

TestKey

Value

string

No

The tag value of the security group. Valid values of N: 1 to 20.

TestValue

value

string

No

The tag value of the security group.

Note

For better compatibility, use the Tag.N.Value parameter.

testvalue

DryRun

boolean

No

Specifies whether to perform only a dry run. Valid values:

  • true: performs only a dry run. The system checks the request for potential issues, including invalid AccessKey pairs, unauthorized Resource Access Management (RAM) users, and missing parameter values. If the request fails the dry run, an error message is returned. If the request passes the dry run, the DryRunOperation error code is returned.

  • false: performs a dry run and sends the Normal request. If the request passes the dry run, a 2xx HTTP status code is returned and the authorization is verified.

Default value: false.

false

SecurityGroupId

string

No

The ID of the security group.

sg-bp67acfmxazb4p****

FuzzyQuery

boolean

No

Note

This parameter is deprecated.

null

PageNumber

integer

No

Note

This parameter will be offline. Use NextToken and MaxResults for paging.

1

PageSize

integer

No

Note

This parameter will be offline. Use NextToken and MaxResults for paging.

10

ServiceManaged

boolean

No

Specifies whether managed security group is managed. Valid values:

  • true: Managed security group is managed.

  • false: Managed security group is not managed.

false

Response elements

Element

Type

Description

Example

object

RequestId

string

The request ID.

473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E

RegionId

string

The region ID of the security group.

cn-hangzhou

NextToken

string

The pagination token returned in this call. If this value is empty when you use MaxResults and NextToken for paging, no more data is available.

e71d8a535bd9cc11

SecurityGroups

object

SecurityGroup

array<object>

The collection of security group information.

array<object>

The security group information.

SecurityGroupId

string

The security group ID.

sg-bp67acfmxazb4p****

SecurityGroupName

string

The name of the security group.

SGTestName

Description

string

The description of the security group.

TestDescription

SecurityGroupType

string

The type of the security group. Valid values:

  • normal: basic security group.

  • enterprise: advanced security group.

normal

VpcId

string

The VPC to which the security group belongs.

vpc-bp67acfmxazb4p****

CreationTime

string

The time when the security group was created. The time follows the ISO 8601 standard in UTC. Format: yyyy-MM-ddThh:mmZ.

2021-08-31T03:12:29Z

EcsCount

integer

The number of private IP addresses accommodated in the security group. For more information, see Security group capacity.

This parameter is valid only when the IsQueryEcsCount request parameter is set to True.

Note

This parameter is deprecated. The quantity in the response is for reference only and is not consistent in real time.

0

AvailableInstanceAmount

integer

The number of private IP addresses that can still be added to the security group. For more information, see Security group capacity.

This parameter is valid only when the IsQueryEcsCount request parameter is set to True.

Note

This parameter is deprecated. The quantity in the response is for reference only and is not consistent in real time.

0

ResourceGroupId

string

The ID of the resource group to which the security group belongs.

rg-bp67acfmxazb4p****

ServiceManaged

boolean

Indicates whether the security group is used by a cloud service or a distributor.

false

ServiceID

integer

The distributor ID associated with the security group.

12345678910

Tags

object

Tag

array<object>

The collection of tags for the security group.

object

The tag of the security group.

TagValue

string

The tag value of the security group.

TestValue

TagKey

string

The tag key of the security group.

TestKey

RuleCount

integer

The number of rules in the security group.

100

GroupToGroupRuleCount

integer

The number of rules that authorize access from other security groups.

5

TotalCount

integer

The total number of security groups. This parameter is not returned when you use MaxResults and NextToken for parameter query.

20

PageNumber

integer

The current page number.

Note

This parameter will be offline. Use NextToken and MaxResults for paging.

1

PageSize

integer

The number of entries per page.

Note

This parameter will be offline. Use NextToken and MaxResults for paging.

10

Examples

Success response

JSON format

{
  "RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E",
  "RegionId": "cn-hangzhou",
  "NextToken": "e71d8a535bd9cc11",
  "SecurityGroups": {
    "SecurityGroup": [
      {
        "SecurityGroupId": "sg-bp67acfmxazb4p****",
        "SecurityGroupName": "SGTestName",
        "Description": "TestDescription",
        "SecurityGroupType": "normal",
        "VpcId": "vpc-bp67acfmxazb4p****",
        "CreationTime": "2021-08-31T03:12:29Z",
        "EcsCount": 0,
        "AvailableInstanceAmount": 0,
        "ResourceGroupId": "rg-bp67acfmxazb4p****",
        "ServiceManaged": false,
        "ServiceID": 12345678910,
        "Tags": {
          "Tag": [
            {
              "TagValue": "TestValue",
              "TagKey": "TestKey"
            }
          ]
        },
        "RuleCount": 100,
        "GroupToGroupRuleCount": 5
      }
    ]
  },
  "TotalCount": 20,
  "PageNumber": 1,
  "PageSize": 10
}

Error codes

HTTP status code

Error code

Error message

Description

400 NotSupported.PageNumberAndPageSize The parameters PageNumber and PageSize are currently not supported, please use NextToken and MaxResults instead.
400 InValidParameter.NextToken The parameter NextToken is invalid. The specified NextToken parameter is invalid.
400 MissingParameter.RegionId The input parameter RegionId that is mandatory for processing this request is not supplied. The RegionId parameter is required.
400 InvalidParameter.SecurityGroupType The specified SecurityGroupType is not valid. The specified SecurityGroupType parameter is invalid.
400 InvalidSecurityGroupId.Malformed The specified parameter SecurityGroupId is not valid. The specified SecurityGroupId parameter is invalid.
400 InvalidSecurityGroupName.Malformed The specified parameter SecurityGroupName is not valid. The specified SecurityGroupName parameter is not valid. This parameter is empty by default. If you specify a security group name, the name must be 2 to 128 characters in length and start with a letter. It can contain letters, digits, periods (.), underscores (_), and hyphens (-) and cannot start with http:// or https. The security group name is displayed in the ECS console.
500 InternalError The request processing has failed due to some unknown error.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.