Why can't I delete a security group that's attached to my Amazon VPC?

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Verify that the security group isn't a default security group

Each Amazon VPC has a default security group. If you launch a new Amazon Elastic Compute Cloud (Amazon EC2) instance and don't specify a default security group, then AWS automatically associates a default security group.

If you attempt to delete a default security group, then you receive the following error:

"error: Client.CannotDelete"

You can't delete a default security group. But, you can modify your default security group's rules.

Make sure that a security group rule doesn't reference your security group

Before you delete your security group, complete the following steps to remove its security group rule:

1. Open the Amazon VPC console.
2. In the navigation pane, choose Security groups.
3. Select the security group that you want to update.
4. Choose Actions, Edit inbound rules or Actions, Edit outbound rules.
5. Choose Delete for the rule that you want to delete.
6. Choose Save rules.

If you try to delete a security group that another security group's rule references, then you receive the following error:

"An error occurred (DependencyViolation) when calling the DeleteSecurityGroup operation: resource sg-xyz has a dependent object"

Remove any rules in other security groups that reference the security group you want to delete.

If a security group in another Amazon VPC with an established peering connection references your security group, then delete either the rule or the connection.

Note: Use the DescribeSecurityGroupReferences API to describe the other end of an Amazon VPC peering connection that references the security group.

Disassociate your security group that associates with an AWS resource

If the security group that you want to delete is associated with an AWS resource, then disassociate it. You can't delete a security group that associates with an AWS resource, such as an Amazon EC2 instance or an Amazon API Gateway VPC link.

Important: After you create a VPC link, you can't change its security groups or subnets.

If you receive the following error, then your security group is associated with an AWS resource:

"Some security groups can't be deleted. The following security groups can't be deleted. These security groups are the default security groups, referenced by other security groups, or are associated with instances or network interfaces." 

To determine what resources use a security group, see How can I find the resources associated with an Amazon EC2 security group? 

Delete a security group that associates with a network interface

You can't delete a security group that associates with a requester-managed network interface.

To delete or detach network interfaces, see Delete a network interface.

You can't delete a security group that associates with a network interface that Amazon VPC endpoints use.

When you attempt to delete a security group that associates with a network interface that Amazon VPC endpoints use, you receive this error:

"An error occurred (DependencyViolation) when calling the DeleteSecurityGroup operation: resource sg-xyz has a dependent object"

To remove or replace the security group from the interface endpoint, complete these steps:

1. Open the Amazon VPC console.
2. In the navigation pane, choose Endpoints.
3. Select the interface endpoint and then choose Actions, Manage security groups.
4. Select or clear the security groups, and then choose Save.

Run the describe-network-interfaces AWS CLI command to find network interfaces that are associated with a security group:

aws ec2 describe-network-interfaces --filters Name=group-id,Values=example-group-id --region example-region --output json

Note: Replace example-group-id with your security group's ID and example-region with your AWS Region.

Review the command output. If the output is empty, then your security group doesn't associate with any AWS resources.

Example command output:

{
    "NetworkInterfaces": []
}

Troubleshoot security groups in an Amazon VPC Lattice Service network

When you delete a security group that you attached to an Amazon VPC Lattice Service network VPC association, you receive the following error:

"errorCode": "Client.DependencyViolation"

Note: If you can't identify the error event's name, then check for a DeleteSecurityGroup event in your CloudTrail logs.

To troubleshoot this error, complete the following steps:

1. Open the Amazon VPC console.
2. Navigate to VPC service.
3. In the left navigation pane choose Service networks.
4. Select a Service network from the list.
5. Choose the VPC association tab, and then check for any VPC associations with an association ID that resembles snva-123b567891t1112a.
6. Choose the VPC association ID that's associated to the security group.
7. In the security groups section, choose Edit. Then, delete the security group.

Set up permissions to perform DeleteSecurityGroup

Set up the appropriate AWS Identity and Access Management (IAM) permissions to use the DeleteSecurityGroup API.

Important: The DeleteSecurityGroup API fails when the security group that you want to delete is associated with an instance or referenced in another security group. In these cases, the operation fails with a DependencyViolation error.

If you attempt to delete a security group when you lack the correct permissions, you receive the following error:

"Failed to delete security groups. An unknown error happened. You are not authorized to perform "DeleteSecurityGroup" operation"

To troubleshoot the DeleteSecurityGroup operation error, complete these steps:

1. Open the AWS CloudTrail console.
2. In the navigation pane, choose Event history.
3. In the Lookup attributes drop-down list, choose Event name.
4. In the search box, enter DeleteSecurityGroup to see the operation's API calls.
   Note: The "You are not authorized to perform this operation" error message in the Event history list indicates that the error is related to IAM permissions.
5. Check that the DeleteSecurityGroup action is added to the policies for the IAM user or role.
   For more information, see Adding and removing IAM identity permissions.
6. In AWS Organizations, change your organization's service control policies (SCPs). Then, change the permissions for the IAM user or role.
   Note: If you're not the primary AWS account owner, then ask the primary account owner to change the SCPs. For more information about SCPs, see SCP effects on permissions.

Check for security groups in shared VPCs

When you attempt to delete a security group in a shared Amazon VPC that you don't own, you receive this error:

"You are not authorized to perform DeleteSecurityGroup operation. A subnet in this vpc is shared but the provided object is not owned by you."

To troubleshoot the DeleteSecurityGroup operation error, complete these steps:

1. Open the AWS CloudTrail console.
2. In the navigation pane, choose Event history.
3. In the Lookup attributes dropdown list, choose Event name.
4. In the search box, enter DeleteSecurityGroup to see the operation's API calls.
5. Confirm that your account doesn't own the security group. If another account in your organization owns the security group, then ask the primary owner to delete the security group.

Related Information

How can I delete my VPC that is shared with another AWS account?

Manage the associations for a VPC Lattice service network