Unable to Delete a Security Group


Hi. I've been working on archiving a webserver and have deleted most of the infrastructure apart from a remaining Security Group, which is giving a strange/incorrect error. Not sure how to get around it. The SG is only used by the archived website.

Basically when I try to delete the SG, it gives this error: Failed to change security groups for network interface. You do not have permission to access the specified resource

So from what I can tell the NIC has the SG associated with it and is preventing me from deleting the SG. So I looked into whether I am missing permissions, but the role I'm using to delete the SG has the AdministratorAccess policy, which in turn has ec2:ModifyNetworkInterfaceAttribute, so I think this means I have sufficient permissions to delete it?

I checked the NIC to see what it was used for and if I could delete it. It appears that the NIC has no "Instance IDs" associated with it, but it does have an "Instance Owner" of amazon-elasticache. So maybe Elasticache (Memcached specifically) is blocking this somehow?

So I looked into the Memcached configuration and I can see it's got a couple of other SGs associated with it and is being used by live servers, so I can't delete the cluster (and possibly its NIC - not sure)...

Not sure what to try next to get rid of this SG! Any help greatly appreciated :¬)

Kind Regards, Sunil

asked a year ago, 485 views
2 Answers

Thanks for your reply @Manu :)

I took a look at the command you mentioned; it looks like it replaces all the currently associated SGs with a list of SGs, specified like this:

aws ec2 modify-network-interface-attribute --network-interface-id <NIC ID> --groups <SG ID 1> <SG ID 2> <SG ID 3>

Is that right? I'm not sure how I'd 'replace' the old SG with a new one using the command, as I wouldn't be specifying the <old SG ID>... However, it looks like I could use the command to associate all the SGs I want to keep. Question is, would this work better than trying to remove the SG from the NIC via the console? What do you think?

Ideally I want to avoid having to stop any live Elasticache instances. Hmm, I'm not sure if that's supported?

answered a year ago
  • Yes, you are correct. The modify-network-interface-attribute command replaces all the currently associated security groups with a new list of security groups. You won't be specifying the old security group ID directly.

    If you want to remove a specific security group from the network interface, you can do so by specifying all the other security groups except for the one you want to remove, like this:

    aws ec2 modify-network-interface-attribute --network-interface-id <NIC ID> --groups <SG ID 1> <SG ID 2> ... <SG ID n>

    This will replace the current set of security groups on the network interface with the new list you specify, without including the security group that you want to remove.

    Regarding whether it's better to remove the security group from the network interface via the console or via the command line, both options should work. It ultimately depends on your preference and what you are comfortable with.

    You can detach the security group without stopping the Elasticache instances. Under the Network and Security tab of Elasticache (Redis), you have the option to add or remove security groups.


You can try removing the association between the security group and the network interface by modifying the network interface's attributes.

aws ec2 modify-network-interface-attribute --network-interface-id <NIC ID> --groups <new SG ID>

This command removes the specified security group from the network interface and replaces it with a new security group. You can create a new temporary security group and use its ID in place of <new SG ID> to replace the original security group.

You can try stopping or terminating any Elasticache instances associated with the network interface, which should release the network interface and allow you to delete the security group.

Once you have resolved any dependencies on the network interface, you should be able to delete the security group without encountering any errors.

answered a year ago
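The procedure the two answers and the comment describe (read the current group set off the NIC, push the same set back minus the group being retired, then delete it), written out as a shell script with the checks a practitioner would want before touching a live cluster. This is an added example, not code posted in the thread. It assumes the NIC is the service-managed interface of an ElastiCache Memcached cluster, which the "Instance Owner" of amazon-elasticache and the permission error despite AdministratorAccess suggest, so it changes the group set through aws elasticache modify-cache-cluster (the CLI equivalent of the Network and Security tab mentioned in the comment) rather than aws ec2 modify-network-interface-attribute. The ENI ID, SG ID and cluster ID are placeholders supplied on the command line; the sample group lists in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Retires one security group from an
# ElastiCache-owned ENI: read the ENI's groups, drop the retired one, apply the
# remaining set to the cluster (no restart), confirm, then delete the group.
#
# Assumptions (not stated in the original post):
#   - the ENI belongs to an ElastiCache Memcached cluster, so its group set is
#     changed on the cluster, not with ec2 modify-network-interface-attribute
#   - <eni-id>, <sg-id> and <cache-cluster-id> are placeholders from the caller
set -u

# remaining_groups "<whitespace-separated current SG IDs>" <SG to remove>
# Prints the list to keep, space separated, e.g.
#   remaining_groups "sg-aaa sg-bbb sg-ccc" sg-bbb  ->  "sg-aaa sg-ccc"
# Fails if removing the group would leave the ENI with no security group,
# which AWS does not allow (a replacement must be attached first).
remaining_groups() {
    current=$1
    drop=$2
    keep=""
    for g in $current; do
        [ "$g" = "$drop" ] && continue
        keep="${keep:+$keep }$g"
    done
    [ -n "$keep" ] || return 1
    printf '%s\n' "$keep"
}

# current_groups <eni-id>: SG IDs attached to the ENI (tab separated, one line).
current_groups() {
    aws ec2 describe-network-interfaces --network-interface-ids "$1" \
        --query 'NetworkInterfaces[0].Groups[].GroupId' --output text
}

# eni_requester <eni-id>: the service that created the interface, if any
# (amazon-elasticache in the question).
eni_requester() {
    aws ec2 describe-network-interfaces --network-interface-ids "$1" \
        --query 'NetworkInterfaces[0].RequesterId' --output text
}

# sg_rule_references <sg-id>: other groups whose inbound rules reference this
# group. Such references block deletion independently of any ENI attachment.
sg_rule_references() {
    aws ec2 describe-security-groups \
        --filters "Name=ip-permission.group-id,Values=$1" \
        --query 'SecurityGroups[].GroupId' --output text \
        | tr '\t' '\n' | grep -vx "$1" || true
}

# retire_sg <eni-id> <sg-id> <cache-cluster-id>
retire_sg() {
    eni=$1; sg=$2; cluster=$3

    current=$(current_groups "$eni")
    echo "ENI $eni (requester: $(eni_requester "$eni")) currently has: $current"

    keep=$(remaining_groups "$current" "$sg") || {
        echo "refusing: $sg is the only group on $eni; attach a replacement first" >&2
        return 1
    }

    refs=$(sg_rule_references "$sg")
    if [ -n "$refs" ]; then
        echo "refusing: $sg is still referenced by rules in: $refs" >&2
        return 1
    fi

    # The ENI is service-managed, so the group set is changed on the cluster;
    # this is a configuration change and does not stop the cluster.
    aws elasticache modify-cache-cluster --cache-cluster-id "$cluster" \
        --security-group-ids $keep --apply-immediately
    aws elasticache wait cache-cluster-available --cache-cluster-id "$cluster"

    # Confirm the ENI no longer lists the group before deleting it.
    if current_groups "$eni" | tr '\t' '\n' | grep -qx "$sg"; then
        echo "$sg still present on $eni; check the cluster's security groups" >&2
        return 1
    fi
    aws ec2 delete-security-group --group-id "$sg"
}

# Usage: retire_sg.sh <eni-id> <sg-id> <cache-cluster-id>
if [ "$#" -eq 3 ]; then
    retire_sg "$1" "$2" "$3"
fi
```

The script refuses two states that would otherwise produce a confusing error at the delete step: removing the last group from the interface, and deleting a group that another group's rules still reference. For a Redis replication group the cluster-level call would be modify-replication-group instead; the question is about Memcached, so modify-cache-cluster is used here.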
