Why can't I delete a security group attached to my Amazon VPC?


I'm getting errors when I try to delete a security group for my Amazon Virtual Private Cloud (Amazon VPC).

Resolution

When you try to delete a security group, you might receive an error for any of the following reasons.

The security group is a default security group

All Amazon VPCs have a default security group. When a different security group isn't specified, a default security group is automatically associated with a newly launched Amazon Elastic Compute Cloud (Amazon EC2) instance.

When you try to delete a default security group, you receive the following error:

Example error:

"error: Client.CannotDelete"

You can't delete a default security group, but you can change its rules. For more information, see Default security groups for your VPCs.

The security group is referenced by its own rule or by another security group

Perform the following actions to delete a security group that's referenced by a security group rule:

  • When a security group is referenced in one of its own rules, you must remove the rule before you can delete the security group.
  • When a security group is referenced in another security group's rules, you must remove the reference before you can delete the security group.

When you try to delete a security group that's referenced by another security group's rule, you receive the following error:

Example error:

"An error occurred (DependencyViolation) when calling the DeleteSecurityGroup operation: resource sg-xyz has a dependent object"

For example, security group A has a rule that references security group B. To delete security group B, you must first remove the rule that references security group B.

To remove a rule that references the security group that you want to delete, complete the following steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Security groups.
  3. Select the security group that you want to update.
  4. Depending on your use case, choose Actions, Edit inbound rules or Actions, Edit outbound rules.
  5. Choose Delete for the rule that you want to delete.
  6. Choose Save rules.

For more information about modifying security group rules, see Security group rules.

A security group in another Amazon VPC with an established peering connection might reference the security group that you want to delete. To delete the security group, either remove the reference or delete the Amazon VPC peering connection.

To delete an Amazon VPC peering connection, complete the following steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Peering connections.
  3. Select the Amazon VPC peering connection that you want to update, and then choose Actions, Delete peering connection.
  4. In the confirmation dialog box, enter delete and then choose Delete.

Note: Use the DescribeSecurityGroupReferences API to describe the other end of an Amazon VPC peering connection that references the security group that you want to delete.

The security group is associated with an EC2 instance that's running or stopped

You can't delete a security group that's associated with an Amazon EC2 instance that's in the running or stopped state.

To determine if the security group is assigned to an instance, complete the following steps:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, choose Instances.
  3. In the search box, enter Security to see client filters.
  4. In the Client filters dropdown list, choose either Security group IDs or Security group name. In the Operators dropdown list, choose the Equals option. Then, in the values dropdown list, select the security group ID or the security group name of the security group that you're investigating.
  5. Any instances that are assigned to the security group appear in the filtered instance list. Scroll through the instance details to review the security groups assigned to instances.
  6. To remove a security group for an instance, select the instance, and then choose Actions, Security, Change security groups.
  7. In the Associated security groups section, choose Remove to remove a security group, and then save your changes.

To change the security group that's assigned to an instance, see Work with security groups.

The security group is associated with a network interface

You can't delete a security group that's associated with a requester-managed network interface. Requester-managed network interfaces are automatically created for managed resources, such as Application Load Balancer nodes. Some AWS services and resources have security groups that are always attached to the elastic network interface. Examples include AWS Lambda, Amazon FSx, Amazon ElastiCache for Redis, and ElastiCache for Memcached.

To delete or detach network interfaces, see Delete a network interface.

You can't delete a security group that's associated with a network interface that's used by an Amazon VPC endpoint. When you try to delete such a security group, you receive the following error:

Example error:

"An error occurred (DependencyViolation) when calling the DeleteSecurityGroup operation: resource sg-xyz has a dependent object"

To remove or replace the security group from the interface endpoint, complete the following steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Endpoints.
  3. Select the interface endpoint and then choose Actions, Manage security groups.
  4. Select or clear the security groups as required, and then choose Save.

Run the following AWS Command Line Interface (AWS CLI) command to find network interfaces that are associated with a security group:

Note: Replace <group-id> with your security group's ID and <region> with your AWS Region.

Example command:

aws ec2 describe-network-interfaces --filters Name=group-id,Values=<group-id> --region <region> --output json

Note: If you receive errors when running AWS CLI commands, then make sure that you're using the most recent version of the AWS CLI.

Review the command output. If the output is empty as shown in the following example, then no resources are associated with the security group.

Example command output:

{
    "NetworkInterfaces": []
}
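As an added example (not part of the AWS article), the following Python walks the JSON that describe-security-groups and the describe-network-interfaces command above return, and lists everything that would make DeleteSecurityGroup fail with the DependencyViolation described in the rule-reference and network-interface sections. The security group IDs, account ID, instance ID and interface IDs are constructed sample values; references from a peered VPC are not covered, since those need DescribeSecurityGroupReferences.

```python
# Constructed sample of `aws ec2 describe-security-groups --output json` (not real account data)
DESCRIBE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-aaaa1111", "GroupName": "app-a", "IpPermissionsEgress": [],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "UserIdGroupPairs": [{"GroupId": "sg-bbbb2222", "UserId": "111122223333"}]}]},
    {"GroupId": "sg-bbbb2222", "GroupName": "app-b",
     "IpPermissions": [{"IpProtocol": "-1",  # self-reference: also blocks deletion
                        "UserIdGroupPairs": [{"GroupId": "sg-bbbb2222", "UserId": "111122223333"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}

# Constructed sample of `aws ec2 describe-network-interfaces --filters Name=group-id,Values=sg-bbbb2222`
DESCRIBE_ENIS = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0aaa", "InterfaceType": "interface", "RequesterManaged": False,
     "Groups": [{"GroupId": "sg-bbbb2222"}], "Attachment": {"InstanceId": "i-0123456789abcdef0"}},
    {"NetworkInterfaceId": "eni-0bbb", "InterfaceType": "vpc_endpoint", "RequesterManaged": True,
     "Groups": [{"GroupId": "sg-bbbb2222"}], "Attachment": {}},
]}

def find_rule_references(describe_sgs, target):
    """(referencing group, direction, rule) for every rule whose UserIdGroupPairs point at target."""
    refs = []
    for sg in describe_sgs["SecurityGroups"]:
        for direction, key in (("inbound", "IpPermissions"), ("outbound", "IpPermissionsEgress")):
            for rule in sg.get(key, []):
                if any(p.get("GroupId") == target for p in rule.get("UserIdGroupPairs", [])):
                    refs.append((sg["GroupId"], direction, rule))
    return refs

def classify_interfaces(describe_enis):
    """Map each interface still using the group to the kind of fix the article describes."""
    actions = {}
    for eni in describe_enis["NetworkInterfaces"]:
        if eni.get("RequesterManaged"):  # owned by a service: change the group on that resource
            actions[eni["NetworkInterfaceId"]] = "requester-managed:" + eni.get("InterfaceType", "unknown")
        elif eni.get("Attachment", {}).get("InstanceId"):  # change the instance's security groups
            actions[eni["NetworkInterfaceId"]] = "instance:" + eni["Attachment"]["InstanceId"]
        else:  # idle interface: detach or delete it
            actions[eni["NetworkInterfaceId"]] = "unattached"
    return actions

def deletion_blockers(target, describe_sgs=DESCRIBE_SGS, describe_enis=DESCRIBE_ENIS):
    """Everything that would make DeleteSecurityGroup on target fail with DependencyViolation."""
    blockers = [f"rule reference from {g} ({d})" for g, d, _ in find_rule_references(describe_sgs, target)]
    blockers += [f"{eni} {what}" for eni, what in classify_interfaces(describe_enis).items()]
    return blockers

if __name__ == "__main__":
    for blocker in deletion_blockers("sg-bbbb2222"):
        print(blocker)
```

Run the two AWS CLI commands with --output json, load their output with json.load, and pass the dicts in place of the constructed samples.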

You're not authorized to perform the DeleteSecurityGroup operation

You must set up appropriate AWS Identity and Access Management (IAM) permissions to use the DeleteSecurityGroup operation.

Important: The DeleteSecurityGroup operation fails when the security group you want to delete is associated with an instance or referenced in another security group. In these cases, the operation fails with a DependencyViolation error described in earlier sections.

When you try to delete a security group, but you don't have the correct permissions, you receive the following error:

Example error:

"Failed to delete security groups. An unknown error happened. You are not authorized to perform "DeleteSecurityGroup" operation"

To investigate the DeleteSecurityGroup operation error, complete the following steps:

  1. Open the AWS CloudTrail console.
  2. In the navigation pane, choose Event history.
  3. In the Lookup attributes dropdown list, choose Event name.
  4. In the search box, enter DeleteSecurityGroup to see the operation's API calls.
  5. The following error message in the Event history list indicates that the error is related to IAM permissions:
    "You are not authorized to perform this operation."
  6. Verify that the DeleteSecurityGroup action is allowed in the IAM policies that are attached to the user or role that performs the deletion.
    For more information, see Adding and removing IAM identity permissions.
  7. In AWS Organizations, make the necessary changes to your organization's service control policies (SCPs). Then change the permissions for the IAM user or role.
    Note: If you're not the primary account owner, ask the primary account owner to change the SCPs.

For more information about SCPs, see SCP effects on permissions.

AWS OFFICIAL
Updated 3 months ago