Scenario / Questions

Amazon EC2 won’t let me delete a security group, complaining that the group still has dependencies. How can I find what those dependencies are?

aws ec2 describe-security-groups doesn’t say.

Find below all possible solutions or suggestions for the above question.

Suggestion: 1

Paste the security group ID in the “Network Interfaces” section of EC2. This will find usage across EC2, EB, RDS, ELB.

CLI: aws ec2 describe-network-interfaces --filters Name=group-id,Values=sg-123abc45

Suggestion: 2

The best way to do this in the AWS EC2 console, is to paste in the security group name in the search field in the EC2->Instances section.

All instances associated with the pasted security group will then populate; those are the EC2 objects (dependencies).

You can also run this search in ELB section and other AWS offerings that utilize security groups.

If you are trying to delete the security group, you will need to either ‘change security group’ for each instance (if they are in a VPC) or create an AMI and relaunch using a different security group, then delete the old instance (if using EC2-Classic).

Hope that helps.

Suggestion: 3

You need to look at your EC2 instance objects, not the groups themselves:

$ aws ec2 describe-instances --output text

Then either look for “sg-*” or use standard unix text stream processing tools to pull out the data you need.

Alternatively, if you have a small number of instances, use --output table for a nicely-formatted list.

Suggestion: 4

You can interrogate the aws cli to get the data you want.

You’ll need to:

  • List all security groups looking for references to the group in question
  • List all EC2s and their groups
  • List all ELBs and their groups
  • List all RDSs and their groups

You could also use libraries, like boto instead of the raw aws cli.

Suggestion: 5

Lambda functions may also have Security Groups. At time of writing, Amazon does not prevent deletion of security groups used by Lambda functions.

I used this:

aws lambda list-functions | jq -c '.Functions[] | {FunctionArn, SecurityGroups: (.VpcConfig.SecurityGroupIds[]? // null) }'

Suggestion: 6

Another issue is security groups that depend on other security groups. One may use this command to generate the adjacency list (direct dependencies):

aws ec2 describe-security-groups --query "SecurityGroups[*].{ID:GroupId,Name:GroupName,dependentOnSGs:IpPermissions[].UserIdGroupPairs[].GroupId}"

Ideally, this result should be used to find the transitive closure (all dependencies, direct & indirect). Unfortunately, I’ve failed to find a transitive closure util.
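The transitive closure the suggestion above asks for, and the first bullet of Suggestion 4 (references to the group from other groups), can be computed from the plain JSON that aws ec2 describe-security-groups --output json returns. The script below is an added example written for this page, not code from the thread or from AWS; it goes slightly beyond the query above by reading IpPermissionsEgress as well as IpPermissions, since a group cited in another group's outbound rule also blocks deletion. The embedded sample output and group IDs (sg-alb, sg-web, sg-db, sg-orphan) are constructed by hand for the demonstration.

```python
"""Security-group dependency graph from `aws ec2 describe-security-groups --output json`.

Added example for this page (not the thread's or AWS's own code). Feed it real
output on stdin, or run it with no input to use the constructed sample below.
"""
import json
import sys
from collections import deque

# Constructed sample output. Edges: sg-web cites sg-alb (ingress) and sg-db (egress),
# sg-db cites sg-web (ingress), sg-alb and sg-orphan cite nothing.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-alb", "GroupName": "alb", "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-web", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "UserIdGroupPairs": [{"GroupId": "sg-alb", "UserId": "123456789012"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                              "UserIdGroupPairs": [{"GroupId": "sg-db", "UserId": "123456789012"}]}]},
    {"GroupId": "sg-db", "GroupName": "db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "UserIdGroupPairs": [{"GroupId": "sg-web", "UserId": "123456789012"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-orphan", "GroupName": "orphan", "IpPermissions": [], "IpPermissionsEgress": []},
]})


def build_reference_graph(describe_json):
    """Map each group ID to the set of group IDs cited in its ingress *and* egress rules."""
    graph = {}
    for sg in json.loads(describe_json)["SecurityGroups"]:
        cited = set()
        for rule in sg.get("IpPermissions", []) + sg.get("IpPermissionsEgress", []):
            for pair in rule.get("UserIdGroupPairs", []):
                cited.add(pair["GroupId"])
        graph[sg["GroupId"]] = cited
    return graph


def reverse_graph(graph):
    """Invert the edges: for each group, the set of groups whose rules cite it."""
    rev = {sg: set() for sg in graph}
    for src, targets in graph.items():
        for target in targets:
            rev.setdefault(target, set()).add(src)
    return rev


def transitive_closure(graph, start):
    """Breadth-first reachability from `start`; `start` appears only if it is on a cycle."""
    seen = set()
    queue = deque(graph.get(start, ()))
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, ()))
    return seen


def deletion_blockers(describe_json, target):
    """Other groups with a rule citing `target`: revoke those rules before deleting it.
    A rule citing the group itself is not a dependency on another group, so it is dropped."""
    rev = reverse_graph(build_reference_graph(describe_json))
    return sorted(rev.get(target, set()) - {target})


def dependencies(describe_json, target):
    """Every group `target` cites, directly or through other groups."""
    return sorted(transitive_closure(build_reference_graph(describe_json), target))


def dependents(describe_json, target):
    """Every group that cites `target`, directly or through other groups."""
    return sorted(transitive_closure(reverse_graph(build_reference_graph(describe_json)), target))


def unreferenced_groups(describe_json):
    """Groups no other group cites. Still check ENI attachments before calling one obsolete."""
    rev = reverse_graph(build_reference_graph(describe_json))
    return sorted(sg for sg, refs in rev.items() if not refs - {sg})


if __name__ == "__main__":
    # Usage: aws ec2 describe-security-groups --output json | python sg_deps.py sg-0123456789abcdef0
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    target = sys.argv[1] if len(sys.argv) > 1 else "sg-alb"
    print("direct blockers of", target, "->", deletion_blockers(data, target))
    print("all dependents     ->", dependents(data, target))
    print("all dependencies   ->", dependencies(data, target))
    print("unreferenced groups ->", unreferenced_groups(data))
```

Only deletion_blockers matters for the DependencyViolation itself; the transitive lists tell you what else would break if you started revoking rules or removing groups along the chain. Groups attached to network interfaces (Suggestion 1) are a separate check that this graph does not cover.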

Suggestion: 7

You can use this Python tool to list security groups with their dependencies. It also allows for listing unused (obsolete) security groups:

Suggestion: 8

This may have not been available when the question was originally asked but if you go into the AWS Console for Security Groups, select the Group(s) in question and select the Delete Action, the resulting prompt will tell you if it’s referenced and by what.

Suggestion: 9

The marked answer is incorrect. If you are seeing a Dependency Violation it is likely that another Security Group is referenced in your IP Permissions (Ingress) configuration. You will need to revoke all of the ingress permissions that contain Security Groups as their source.