Why can't I delete a security group that's attached to my Amazon VPC?

6 minute read
0

I'm getting errors when I try to delete a security group for my Amazon Virtual Private Cloud (Amazon VPC).

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

When you try to delete a security group, you might receive errors for these reasons.

The security group is a default security group

All Amazon VPCs have a default security group. When you don't specify a security group, a default security group is automatically associated with a newly launched Amazon Elastic Compute Cloud (Amazon EC2) instance.

When you try to delete a default security group, you receive this error:

"error: Client.CannotDelete"

You can't delete a default security group. But, you can change the default security group's rules. For more information, see Default security groups for your VPCs.

The security group rule references its own security group or another security group's rule references it

You might get an error because the security group's own rule references the security group. To resolve this issue, remove the rule before you delete the security group.

To remove a rule that references the security group, complete these steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Security groups.
  3. Select the security group that you want to update.
  4. Choose Actions, Edit inbound rules or Actions, Edit outbound rules.
  5. Choose Delete for the rule that you want to delete.
  6. Choose Save rules.

For more information about updates to security group rules, see Security group rules.

When you try to delete a security group that another security group's rule references, you receive this error:

"An error occurred (DependencyViolation) when calling the DeleteSecurityGroup operation: resource sg-xyz has a dependent object"

If another security group's rule references the security group that you want to delete, then remove the rule before you delete the security group.

A security group in another Amazon VPC with an established peering connection might reference the security group that you want to delete. Before you delete the security group, either remove the rule or delete the Amazon VPC peering connection.

Note: Use the DescribeSecurityGroupReferences API to describe the other end of an Amazon VPC peering connection that references the security group.

The security group is associated with an AWS resource

You can't delete a security group that's associated with an AWS resource, such as an Amazon EC2 instance, or Amazon API Gateway VPC link.

You receive the following error:

"Some security groups can't be deleted. The following security groups can't be deleted. These security groups are the default security groups, referenced by other security groups, or are associated with instances or network interfaces."

To determine what resources use a security group, see How can I find the resources associated with an Amazon EC2 security group?

Important: After you create a VPC link, you can't change its security groups or subnets.

To change the security group that's assigned to an instance, see Work with security groups.

The security group is associated with a network interface

You can't delete a security group that's associated with a requester-managed network interface. Requester-managed network interfaces are automatically created for managed resources, such as Application Load Balancer nodes. Some AWS services and resources have security groups that are always attached to the elastic network interface. Examples include AWS Lambda, Amazon FSx, Amazon ElastiCache for Redis, and ElastiCache for Memcached.

To delete or detach network interfaces, see Delete a network interface.

You can't delete a security group that's associated with a network interface that's used for Amazon VPC endpoints.

When you try to delete a security group, you receive this error:

"An error occurred (DependencyViolation) when calling the DeleteSecurityGroup operation: resource sg-xyz has a dependent object"

To remove or replace the security group from the interface endpoint, complete these steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Endpoints.
  3. Select the interface endpoint and then choose Actions, Manage security groups.
  4. Select or clear the security groups, and then choose Save.

Run the describe-network-interfaces AWS CLI command to find network interfaces that are associated with a security group. Replace <group-id> with your security group's ID and <region> with your AWS Region:

aws ec2 describe-network-interfaces --filters Name=group-id,Values=<group-id> --region <region> --output json

Review the command output. If the output is empty, then no resources are associated with the security group.

Example command output:

{
    "NetworkInterfaces": []
}

You're not authorized to perform the DeleteSecurityGroup operation

You must set up appropriate AWS Identity and Access Management (IAM) permissions to use the DeleteSecurityGroup API.

Important: The DeleteSecurityGroup API fails when the security group that you want to delete is associated with an instance or referenced in another security group. In these cases, the operation fails with a DependencyViolation error.

When you try to delete a security group, but you don't have the correct permissions, you receive this error:

"Failed to delete security groups. An unknown error happened. You are not authorized to perform "DeleteSecurityGroup" operation"

To troubleshoot the DeleteSecurityGroup operation error, complete these steps:

  1. Open the AWS CloudTrail console.
  2. In the navigation pane, choose Event history.
  3. In the Lookup attributes dropdown list, choose Event name.
  4. In the search box, enter DeleteSecurityGroup to see the operation's API calls.
  5. This error message in the Event history list indicates that the error is related to IAM permissions:
    "You are not authorized to perform this operation."
  6. Check that the DeleteSecurityGroup action is added to the necessary AWS IAM policies for the user or role that deletes the action.
    For more information, see Adding and removing IAM identity permissions.
  7. In AWS Organizations, change your organization's service control policies (SCPs). Then, change the permissions for the IAM user or role.
    Note: If you're not the primary account owner, then ask the primary account owner to change the SCPs.

For more information about SCPs, see SCP effects on permissions.

Users can't delete security groups created by VPC owners

When you try to delete a security group that's in a shared Amazon VPC that you don't own, you receive this error:

"You are not authorized to perform DeleteSecurityGroup operation. A subnet in this vpc is shared but the provided object is not owned by you."

To troubleshoot the DeleteSecurityGroup operation error, complete these steps:

  1. Open the AWS CloudTrail console.
  2. In the navigation pane, choose Event history.
  3. In the Lookup attributes dropdown list, choose Event name.
  4. In the search box, enter DeleteSecurityGroup to see the operation's API calls.
  5. Confirm that your account doesn't own the security group. If another account in your organization owns the security group, then ask the primary owner to delete the security group.

Related Information

How can I delete my VPC that is shared with another AWS account?

AWS OFFICIAL
AWS OFFICIALUpdated 9 months ago
1 Comment

I am a full admin but I get this error when trying to delete an SG from a network interface

You do not have permission to access the specified resource.
Ahmad
replied 10 months ago