diff --git a/aws/list-unused-sg.sh b/aws/list-unused-sg.sh
new file mode 100755
index 0000000..4365b3c
--- /dev/null
+++ b/aws/list-unused-sg.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+aws ec2 describe-network-interfaces --query NetworkInterfaces[].Groups --output text > /tmp/enisg.lst
+for sg in $(aws ec2 describe-security-groups --query 'SecurityGroups[*].GroupId' --output text); do
+echo -n "$sg : "
+grep -c $sg /tmp/enisg.lst
+done | sort -k3 -n
+
+rm -f /tmp/enisg.lst
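Review bot: The script writes the ENI group list to the fixed path `/tmp/enisg.lst`, which on a shared host another local user can pre-create or symlink, so the redirect may overwrite a file the caller can write or the loop may read contents someone else supplied; create the file with `mktemp` and remove it from an `EXIT` trap instead of the trailing `rm -f`. There is also no error handling, so if the first `aws ec2 describe-network-interfaces` call fails (expired credentials, missing permission) the file is empty and every group is printed with a count of 0, which reads as "unused". The `--query NetworkInterfaces[].Groups` argument and `$sg` in the `grep` are unquoted; quoting both and using `grep -cF --` avoids glob expansion and pattern interpretation. A count of 0 only shows that no network interface uses the group, so groups referenced from other groups' rules would presumably still be listed as unused, which deserves a comment at the top of the script.

```shell
set -euo pipefail

enisg_file=$(mktemp)
# Replaces the trailing rm -f; also runs when the script aborts early.
trap 'rm -f -- "$enisg_file"' EXIT

aws ec2 describe-network-interfaces --query 'NetworkInterfaces[].Groups' --output text > "$enisg_file"
# … unchanged: for sg in $(aws ec2 describe-security-groups …); do …
  printf '%s : ' "$sg"
  # grep -c exits 1 on a zero count; that is an expected result, not an error.
  grep -cF -- "$sg" "$enisg_file" || true
# … unchanged: done | sort -k3 -n …
```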