Why can't I delete a security group for my Amazon VPC?

Last updated: 2021-02-15

I'm getting errors when I try to delete a security group for my Amazon Virtual Private Cloud (Amazon VPC). What can I do to delete it?

Short description

You might be unable to delete the security group because:

  • It's a default security group
  • It's associated with a network interface
  • It's associated with an instance that's in the running or stopped state
  • It's referenced by its own rule or a rule in another security group

You can delete the security group only when none of these conditions applies.

Note: To delete two or more security groups at the same time, use the AWS Management Console. You can delete only one security group at a time when you use the AWS Command Line Interface (AWS CLI) or API.

Resolution

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

Default security group

Default security groups can't be deleted. To determine if a security group is a default resource:

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Security, choose Security Groups.
  3. In the security group list, the default security groups are those with the Group Name shown as default.

Associated with a network interface

You can't delete a security group if it's associated with a network interface or a requester-managed network interface. Requester-managed network interfaces are automatically created for managed resources, such as Application Load Balancer nodes. If you try to delete a security group that is still associated with a network interface using the following command:

$ aws ec2 delete-security-group --group-id sg-xyz --profile <profile value> --region <Region value>

You receive an error similar to:

"An error occurred (DependencyViolation) when calling the DeleteSecurityGroup operation: resource sg-xyz has a dependent object."

Associated with an instance in the running or stopped state

You can't delete a security group if it's assigned to a running or stopped instance. To determine if the security group is assigned to an instance:

  1. Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
  2. In the navigation pane, choose Instances.
  3. In the search bar in the content pane, enter Client filter.
  4. Select Instance state (client) from the drop-down.
  5. Select Instance state (client): running.
  6. Repeat steps 3-5. Then, select Instance state (client): stopped.
  7. In the search bar, choose either the Security Group ID or the Security Group Name filter. Then, enter the security group's ID or name. Any instances assigned to the security group appear in the filtered instance list.

Note: To change the security group assigned to an instance, see Changing an instance's security groups.

Referenced by its own rule or a rule in another security group

You can't delete a security group if it's referenced by a security group rule. If the security group is referenced in one of its own rules, then you must remove the rule before deleting the security group. If the security group is referenced in another security group's rules, you must remove the reference to delete the security group. To modify security group rules, see Adding, removing, and updating rules.

The security group might also be referenced in a security group within another Amazon VPC where a peering connection is established. To delete the security group, you can either remove the reference or delete the VPC peering connection.
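The four checks above can be run in one pass over the output of the describe calls. The following is an added example, not part of the AWS article, that takes constructed sample responses shaped like `aws ec2 describe-security-groups`, `describe-network-interfaces` and `describe-instances` output (trimmed to the fields the check needs) and reports every reason a given group cannot yet be deleted. It only sees rules in the groups it is given, so a reference from a peered VPC must be checked against that VPC's own describe output.

```python
# Constructed sample data shaped like the AWS API responses (abbreviated).
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-aaa", "GroupName": "default", "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-bbb", "GroupName": "web",   # references itself in an ingress rule
     "IpPermissions": [{"UserIdGroupPairs": [{"GroupId": "sg-bbb"}]}], "IpPermissionsEgress": []},
    {"GroupId": "sg-ccc", "GroupName": "app",   # allows traffic from sg-bbb
     "IpPermissions": [{"UserIdGroupPairs": [{"GroupId": "sg-bbb"}]}], "IpPermissionsEgress": []},
    {"GroupId": "sg-ddd", "GroupName": "db", "IpPermissions": [], "IpPermissionsEgress": []},
]}
NETWORK_INTERFACES = {"NetworkInterfaces": [
    # e.g. a load balancer node: requester-managed, so the group can't be detached by hand
    {"NetworkInterfaceId": "eni-111", "RequesterManaged": True, "Groups": [{"GroupId": "sg-ccc"}]},
]}
INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-222", "State": {"Name": "stopped"}, "SecurityGroups": [{"GroupId": "sg-ccc"}]},
    # terminated instances no longer block deletion
    {"InstanceId": "i-333", "State": {"Name": "terminated"}, "SecurityGroups": [{"GroupId": "sg-bbb"}]},
]}]}


def deletion_blockers(group_id, sgs=SECURITY_GROUPS, enis=NETWORK_INTERFACES, instances=INSTANCES):
    """Return the reasons that block deleting group_id; an empty list means it can be deleted."""
    reasons = []
    by_id = {g["GroupId"]: g for g in sgs["SecurityGroups"]}
    if group_id not in by_id:
        return [f"{group_id} not found"]
    if by_id[group_id]["GroupName"] == "default":
        reasons.append("default security group")
    for eni in enis["NetworkInterfaces"]:
        if any(g["GroupId"] == group_id for g in eni["Groups"]):
            kind = "requester-managed " if eni.get("RequesterManaged") else ""
            reasons.append(f"attached to {kind}network interface {eni['NetworkInterfaceId']}")
    for res in instances["Reservations"]:
        for inst in res["Instances"]:
            if inst["State"]["Name"] in ("running", "stopped") and any(
                    g["GroupId"] == group_id for g in inst["SecurityGroups"]):
                reasons.append(f"assigned to {inst['State']['Name']} instance {inst['InstanceId']}")
    for g in sgs["SecurityGroups"]:  # rules in this group and in every other group
        for direction in ("IpPermissions", "IpPermissionsEgress"):
            for perm in g[direction]:
                if any(p.get("GroupId") == group_id for p in perm.get("UserIdGroupPairs", [])):
                    who = "its own" if g["GroupId"] == group_id else f"{g['GroupId']}'s"
                    reasons.append(f"referenced by {who} {direction} rule")
    return reasons


if __name__ == "__main__":
    for sg in ("sg-aaa", "sg-bbb", "sg-ccc", "sg-ddd"):
        print(sg, "->", deletion_blockers(sg) or ["deletable"])
```

With real data, feed the function the JSON of the three describe commands for the VPC (and, for peering references, the peer VPC's `describe-security-groups` output as well).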
