Why can't I delete a security group attached to my Amazon VPC?

Last updated: 2022-03-23

I'm getting errors when trying to delete a security group for my Amazon Virtual Private Cloud (Amazon VPC). What can I do to delete it?

Short description

You might be unable to delete the security group for the following reasons:

  • The security group is a default security group.
  • The security group is referenced by its own rule or a rule in another security group.
  • The security group is associated with an instance that's in the running or stopped state.
  • The security group is associated with a network interface.
  • You're not authorized to perform the DeleteSecurityGroup operation.

Resolution

The security group is a default security group

If you try to delete the default security group, you get the following error:

error: Client.CannotDelete

All VPCs have a default security group. If you don't specify a different security group when you launch the instance, a default security group is automatically associated with your instance. You can't delete a default security group. But, you can change the default security group's rules. For more information, see Default security groups for your VPCs.

The security group is referenced by its own rule or a rule in another security group

If the security group is referenced by its own rule or a rule in another security group, you receive the following error:

error: sg-A This security group has a rule that references sg-B and itself

You can't delete a security group if it's referenced by a security group rule. If the security group is referenced in one of its own rules, then you must remove the rule before deleting the security group. If the security group is referenced in another security group's rules, you must remove the reference to delete the security group. To modify security group rules, see Work with security group rules.

For example, security group A (sg-A) has a rule that references security group B (sg-B) and itself. If you want to delete one of these groups, you must first:

  • Remove the rule associated with sg-B to delete sg-B.
  • Delete the self-referenced rule to delete sg-A.

Follow the steps below to remove the rule associated with the security group you want to delete (sg-B in the preceding example):

1.    Open the Amazon VPC console.

2.    In the navigation pane, choose Security Groups.

3.    Select the security group that you want to update.

4.    Choose Actions, Edit inbound rules or Actions, Edit outbound rules, depending on your use case.

5.    Choose Delete for the rule that you want to delete.

6.    Choose Save rules.

The security group might also be referenced in a security group within another Amazon VPC where a peering connection is established. To delete the security group, you can either remove the reference or delete the VPC peering connection.

Follow the steps below if the security group is referenced in a security group within another Amazon VPC:

1.    Open the Amazon VPC console.

2.    In the navigation pane, choose Peering Connections.

3.    Select the VPC peering connection, and then choose Actions, Delete VPC Peering Connection.

4.    In the confirmation dialog box, choose Yes, delete.

Note: You can use the DescribeSecurityGroupReferences API to describe the VPCs on the other side of a VPC peering connection that reference the security groups that you're deleting.

The security group is associated with an instance in the running or stopped state

You can't delete a security group if it's assigned to a running or stopped instance. To determine if the security group is assigned to an instance:

1.    Open the Amazon Elastic Compute Cloud (Amazon EC2) console.

2.    In the navigation pane, choose Instances.

3.    In the search bar in the content pane, enter Client filter.

4.    Select Instance state (client) from the drop-down.

5.    Select Instance state (client): running.

6.    Repeat steps 3-5. Then, select Instance state (client): stopped.

7.    In the filtered list, select either Security Group ID or Security Group Name. Then, select the security group ID or security group name. Any instances assigned to the security group appear in the filtered instance list.

Note: To change the security group assigned to an instance, see Work with security groups.

The security group is associated with a network interface

You can't delete a security group that's associated with a requester-managed network interface. Requester-managed network interfaces are automatically created for managed resources, such as Application Load Balancer nodes. Services and resources such as AWS Lambda, Amazon Elastic File System (Amazon EFS), FSx, Redis, Memcached, and Amazon DynamoDB have security groups that are always attached to the Elastic Network Interface. To delete or detach these Elastic Network Interfaces, you must delete the resource that the network interface represents. After this is done, the AWS service automatically detaches and deletes the network interface for you.

If you try to delete these types of security groups while the interface is attached to a resource managed by another AWS service, such as Elastic Load Balancing (ELB) or Lambda, you might receive an error like the following:

Error detaching network interface. eni-xxxxxxxx:Network interface 'eni-xxxxxxxx' is currently in use

To resolve these errors, do the following:

1.    Open the Amazon EC2 console.

2.    In the navigation pane, choose Network Interfaces.

3.    Search for the Elastic Network Interface ID of the elastic network interface you're detaching or deleting.

4.    Select the elastic network interface and choose the Details tab.

5.    Important: Review the Description to find which resource the elastic network interface is attached to.

6.    If you're no longer using the corresponding AWS service, delete the service first. The elastic network interface is automatically removed from your VPC.

You can't delete a security group if it's associated with a network interface used on VPC endpoints. If you try to delete a security group associated with a network interface used on VPC endpoints, then you might see errors similar to the following:

An error occurred (DependencyViolation) when calling the DeleteSecurityGroup operation: resource sg-xyz has a dependent object

To delete the security group, remove or replace the security group on the interface endpoint:

1.    Open the Amazon VPC console.

2.    In the navigation pane, choose Endpoints and select the interface endpoint.

3.    Choose Actions, Manage security groups.

4.    Select or deselect the security groups as required, and then choose Save.

Note: Run the following command in the AWS Command Line Interface (AWS CLI) to find network interfaces associated with a security group based on the security group ID. The output of the command shows the network interfaces associated with the security group.

aws ec2 describe-network-interfaces --filters Name=group-id,Values=<group-id> --region <region> --output json

Example:

aws ec2 describe-network-interfaces --filters Name=group-id,Values=sg-07abcd9f0e12345495 --region us-east-1 --output json

Review the command output. If the output is empty as shown in the following example, then there are no resources associated with the security group:

Example output:

{
    "NetworkInterfaces": []
}
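The following script is an added example (not part of the AWS article) that applies the checks above to the JSON returned by the describe-security-groups and describe-network-interfaces CLI commands: it reports, for a given group ID, the self-reference and cross-group references from the sg-A/sg-B example and the network interfaces that still use the group. The embedded JSON is constructed sample output with hypothetical IDs (sg-A, sg-B, eni-0aaaa, eni-0bbbb, vpce-0c1) in the shape the CLI emits; on a real account you would feed it the files the two commands produce.

```python
import json

# Constructed sample output in the shape returned by `aws ec2 describe-security-groups`
# and `aws ec2 describe-network-interfaces`; all IDs are hypothetical.
SECURITY_GROUPS_JSON = """{"SecurityGroups": [
  {"GroupId": "sg-A", "GroupName": "app", "VpcId": "vpc-1",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "UserIdGroupPairs": [{"GroupId": "sg-B", "UserId": "111111111111"},
                           {"GroupId": "sg-A", "UserId": "111111111111"}]}],
   "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-B", "GroupName": "db", "VpcId": "vpc-1",
   "IpPermissions": [], "IpPermissionsEgress": []}]}"""

NETWORK_INTERFACES_JSON = """{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-0aaaa", "Description": "ELB app/web/abc123",
   "RequesterManaged": true, "Status": "in-use",
   "Groups": [{"GroupId": "sg-B", "GroupName": "db"}]},
  {"NetworkInterfaceId": "eni-0bbbb", "Description": "VPC Endpoint Interface vpce-0c1",
   "RequesterManaged": true, "Status": "in-use",
   "Groups": [{"GroupId": "sg-A", "GroupName": "app"}]}]}"""

def find_blockers(sg_id, security_groups_json, network_interfaces_json):
    """Report what blocks DeleteSecurityGroup for sg_id: rules referencing it (its own or
    other groups') and network interfaces still using it. describe-security-groups covers
    only this account; peered-VPC references elsewhere need DescribeSecurityGroupReferences."""
    groups = json.loads(security_groups_json)["SecurityGroups"]
    enis = json.loads(network_interfaces_json)["NetworkInterfaces"]
    referencing = []
    for g in groups:  # inbound and outbound rules can both reference a group
        for perm in g.get("IpPermissions", []) + g.get("IpPermissionsEgress", []):
            if any(p.get("GroupId") == sg_id for p in perm.get("UserIdGroupPairs", [])):
                referencing.append(g["GroupId"])
                break  # one hit per group is enough
    interfaces = [
        {"id": e["NetworkInterfaceId"], "description": e.get("Description", ""),
         "requester_managed": e.get("RequesterManaged", False)}
        for e in enis if any(grp["GroupId"] == sg_id for grp in e.get("Groups", []))
    ]
    return {
        "self_reference": sg_id in referencing,
        "referencing_groups": sorted(g for g in referencing if g != sg_id),
        "network_interfaces": interfaces,  # requester-managed: delete the owning resource
        "deletable": not referencing and not interfaces,
    }

if __name__ == "__main__":
    for sg in ("sg-A", "sg-B"):
        print(sg, json.dumps(find_blockers(sg, SECURITY_GROUPS_JSON, NETWORK_INTERFACES_JSON)))
```

A requester-managed interface in the result means the owning service resource (the load balancer or endpoint named in its Description) has to be deleted or re-pointed first, exactly as the steps above describe.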

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

You're not authorized to perform the DeleteSecurityGroup operation

If you receive the following error, you might not have the correct permission to delete security groups:

Failed to delete security groups. An Unknown error happened". You are not authorized to perform "DeleteSecurityGroup" operation

1.    Check the AWS CloudTrail logs for DeleteSecurityGroup API calls. If the following appears in the logs, the error is caused by the permissions associated with the IAM role:

"errorMessage": "You are not authorized to perform this operation"

2.    Verify that the DeleteSecurityGroup action is added in AWS Identity and Access Management (IAM) policies.

3.    Check with your organization to make the necessary changes in their service control policies (SCPs) and change the permission for the user. You might have to ask the master account to change the SCP.

Note: An SCP restricts permissions for IAM users and roles in member accounts, including the member account's root user. If a permission is blocked at any level above the account, either implicitly or explicitly (using a Deny), a user or role in the affected account can't use that permission, even if the account administrator attaches the AdministratorAccess IAM policy with */* permissions to the user.

For more information, see SCP effects on permissions.
