Why can't I delete a security group attached to my Amazon VPC?


I'm getting errors when trying to delete a security group for my Amazon Virtual Private Cloud (Amazon VPC).

Resolution

The security group is a default security group

If you try to delete the default security group, then you get the following error:

"error: Client.CannotDelete"

All VPCs have a default security group. If you don't specify a different security group when you launch the instance, then a default security group is automatically associated with your instance. You can't delete a default security group. But, you can change the default security group's rules. For more information, see Default security groups for your VPCs.

A rule in another security group references the security group

If a rule in another security group references the security group, then you receive the following error:

"An error occurred (DependencyViolation) when calling the DeleteSecurityGroup operation: resource sg-xyz has a dependent object"

You can't delete a security group that's referenced by a security group rule. You must remove the reference to delete the security group. To modify security group rules, see Security group rules.

For example, security group A (sg-A) has a rule that references security group B (sg-B). To delete security group sg-B, you must first remove the rule that references sg-B. Complete the following steps to remove the rule that references the security group that you want to delete:

1.    Open the Amazon VPC console.

2.    In the navigation pane, choose Security Groups.

3.    Select the security group that you want to update.

4.    Choose Actions, Edit inbound rules or Actions, Edit outbound rules, depending on your use case.

5.    Choose Delete for the rule that you want to delete.

6.    Choose Save rules.

A security group that's in another Amazon VPC with an established peering connection might also reference this security group. To delete the security group, either remove the reference or delete the VPC peering connection.

Complete the following steps:

1.    Open the Amazon VPC console.

2.    In the navigation pane, choose Peering Connections.

3.    Select the VPC peering connection, and then choose Actions, Delete VPC Peering Connection.

4.    In the confirmation dialog box, choose Yes, delete.

Note: Use the DescribeSecurityGroupReferences API to describe the VPCs on the other side of a VPC peering connection that reference the security groups that you're deleting.

The security group is associated with an instance that's in the Running or Stopped state

To determine if the security group is assigned to an instance, complete the following steps:

1.    Open the Amazon Elastic Compute Cloud (Amazon EC2) console.

2.    In the navigation pane, choose Instances.

3.    In the search bar that's in the content pane, enter Client filter.

4.    From the dropdown menu, choose Instance state (client).

5.    Choose Instance state (client): running.

6.    Repeat steps 3–5. Then, choose Instance state (client): stopped.

7.    In the filtered list, choose either Security Group ID or Security Group Name. Then, choose the security group ID or security group name. Any instances that are assigned to the security group appear in the filtered instance list.

Note: To change the security group that's assigned to an instance, see Work with security groups.

The security group is associated with a network interface

You can't delete a security group that's associated with a requester-managed network interface. Requester-managed network interfaces are automatically created for managed resources, such as Application Load Balancer nodes. Services and resources, such as AWS Lambda, Amazon FSx, Redis, and Memcached, have security groups that are always attached to the elastic network interface. To delete or detach these elastic network interfaces, you must delete the resource that the network interface represents. The AWS service then automatically detaches and deletes the network interface for you.

If your interface is attached to AWS managed resources, then you might receive the following errors when deleting these types of security groups.

Example error message:

"Error detaching network interface. eni-xxxxxxxx:Network interface 'eni-xxxxxxxx' is currently in use"

To resolve this error, complete the following steps:

1.    Open the Amazon EC2 console.

2.    In the navigation pane, choose Network Interfaces.

3.    Search for the ID of the elastic network interface that you're detaching or deleting.

4.    Select the elastic network interface, and then choose the Details tab.

5.    Important: Review the Description to find which resource the elastic network interface is attached to.

6.    If you're no longer using the corresponding AWS service, then first delete the service. The elastic network interface is automatically removed from your VPC.

You can't delete a security group that's associated with a network interface that's used on VPC endpoints. If you try to delete the security group, then you might get an error similar to the following one:

"An error occurred (DependencyViolation) when calling the DeleteSecurityGroup operation: resource sg-xyz has a dependent object"

To delete the security group, remove or replace the security group from the interface endpoint:

1.    Open the Amazon VPC console.

2.    In the navigation pane, choose Endpoints, and then select the interface endpoint.

3.    Choose Actions, Manage security groups.

4.    Select or deselect the security groups as required, and then choose Save.

Note: Run the following command in the AWS Command Line Interface (AWS CLI) to find network interfaces that are associated with a security group. Replace <group-id> with your security group's ID and <region> with your AWS Region.

aws ec2 describe-network-interfaces --filters Name=group-id,Values=<group-id> --region <region> --output json

Review the command output. If the output is empty as shown in the following example, then no resources are associated with the security group:

Example output:

{
    "NetworkInterfaces": []
}
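As an added example (not part of the AWS article), the following Python maps the JSON from two CLI calls, `aws ec2 describe-security-group-rules` for the VPC's groups and the `describe-network-interfaces` command shown above, onto the remediation each section of this article gives: a referencing rule to remove, a VPC endpoint whose groups must be edited, a requester-managed interface whose owning resource must be deleted, or an instance whose groups must be changed. The group, rule and interface IDs are constructed sample data, and an empty interface list yields no blockers, matching the empty output above.

```python
import json

# Constructed sample of `aws ec2 describe-network-interfaces --filters Name=group-id,...`
ENIS_JSON = """{"NetworkInterfaces": [
 {"NetworkInterfaceId": "eni-0aaa", "InterfaceType": "vpc_endpoint", "RequesterManaged": true,
  "Description": "VPC Endpoint Interface vpce-0bbb", "Groups": [{"GroupId": "sg-0123"}]},
 {"NetworkInterfaceId": "eni-0ccc", "InterfaceType": "lambda", "RequesterManaged": true,
  "Description": "AWS Lambda VPC ENI-my-function", "Groups": [{"GroupId": "sg-0123"}]},
 {"NetworkInterfaceId": "eni-0ddd", "InterfaceType": "interface", "RequesterManaged": false,
  "Attachment": {"InstanceId": "i-0eee"}, "Groups": [{"GroupId": "sg-0123"}]}]}"""
# Constructed sample of `aws ec2 describe-security-group-rules` for the VPC's groups
RULES_JSON = """{"SecurityGroupRules": [
 {"SecurityGroupRuleId": "sgr-0fff", "GroupId": "sg-0456", "IsEgress": false,
  "ReferencedGroupInfo": {"GroupId": "sg-0123", "VpcPeeringConnectionId": "pcx-0ggg"}},
 {"SecurityGroupRuleId": "sgr-0hhh", "GroupId": "sg-0123", "IsEgress": true,
  "ReferencedGroupInfo": {"GroupId": "sg-0123"}}]}"""


def classify_eni(eni: dict) -> str:
    """Map one network interface to the remediation the article describes."""
    if eni.get("InterfaceType") == "vpc_endpoint":
        return "vpc_endpoint: replace the group via Endpoints > Manage security groups"
    if eni.get("RequesterManaged"):  # ALB, Lambda, FSx, ElastiCache, ... own this ENI
        return f"requester-managed ({eni.get('Description', '')}): delete the owning resource"
    instance = eni.get("Attachment", {}).get("InstanceId")
    if instance:
        return f"attached to {instance}: change that instance's security groups"
    return "unattached: delete the network interface"


def find_blockers(group_id: str, enis_json: str, rules_json: str) -> list:
    """Return (kind, id, action) for every dependency that pins group_id."""
    blockers = []
    for rule in json.loads(rules_json)["SecurityGroupRules"]:
        ref = rule.get("ReferencedGroupInfo") or {}  # absent for CIDR/prefix-list rules
        if ref.get("GroupId") == group_id:  # any referencing rule, including the group's own
            if rule["GroupId"] == group_id:
                scope = "self-reference"
            elif ref.get("VpcPeeringConnectionId"):
                scope = "peered VPC"
            else:
                scope = "same VPC"
            blockers.append(("rule", rule["SecurityGroupRuleId"],
                             f"remove it from {rule['GroupId']} ({scope})"))
    for eni in json.loads(enis_json)["NetworkInterfaces"]:
        if any(g.get("GroupId") == group_id for g in eni.get("Groups", [])):
            blockers.append(("eni", eni["NetworkInterfaceId"], classify_eni(eni)))
    return blockers


if __name__ == "__main__":
    for kind, ident, action in find_blockers("sg-0123", ENIS_JSON, RULES_JSON):
        print(f"{kind:4} {ident:10} {action}")
```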

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

You're not authorized to perform the DeleteSecurityGroup operation

If you receive the following error, then you might not have the correct permissions to delete security groups:

"Failed to delete security groups. An unknown error happened. You are not authorized to perform "DeleteSecurityGroup" operation"

1.    Check the AWS CloudTrail logs for DeleteSecurityGroup API calls. If the following error message appears in the logs, then the error is related to the AWS Identity and Access Management (IAM) permissions:

"errorMessage: You are not authorized to perform this operation."

2.    Verify that the DeleteSecurityGroup action is added in AWS IAM policies.

3.    Check with your organization to make the necessary changes in their service control policies (SCPs), and then change the permission for the user. If you're not the primary account owner, then ask the primary account owner to change the SCPs.

Note: An SCP restricts permissions for IAM users and roles in member accounts, including the member account's root user. Permissions blocked at any level above an account, either implicitly or explicitly (using a Deny), apply to all users and roles in the affected account. If the account administrator attaches the AdministratorAccess IAM policy with */* permissions to the user, then the permission is still blocked.

For more information, see SCP effects on permissions.

https://docs.aws.amazon.com/vpc/latest/userguide/security-groups.html#working-with-security-groups

AWS OFFICIAL
Updated 23 days ago