How to delete two security groups referenced by each other? - amazon-web-services

I was trying to connect to an RDS Instance from an EC2 instance. This resulted in creation of security groups for both of these resources. Now I do not want this connection and have deleted the RDS instance but the security groups still exist. How can I delete them?
When I try to delete them from console it says:
The following security groups can't be deleted. They are either default security groups, referenced by other security groups, or they are associated with instances or network interfaces.
Reason: 1 security group associated
These security groups were also attached to network interfaces earlier, which was another reason why I couldn't delete them, but I was able to disassociate the network interfaces from these security groups.

Delete the particular rule referencing the other security group (or edit to something else) first. This removes the dependency and you'll be able to delete the security group itself.

Related

AWS - Cannot delete security groups

An EFS file system was temporarily set up for use with two EC2 instances in different availability zones. Security groups were automatically created for each subnet within the region in which the EFS was launched. This region has three availability zones, so three subnets and thus three security groups. Looking at the security group descriptions details the SGs' creation:
The EFS and the EC2s to which the EFS was attached have now all been terminated/deleted. However when attempting to delete the security groups I get the following notification for each:
Clicking on the link "1 security group associated" for details of why security group sg-053f4a90837fda586 cannot be deleted shows that the associated security group is sg-0f481995d4e99ac12. Upon attempting to delete sg-0f481995d4e99ac12, the same information says that it cannot be deleted as it is associated with sg-053f4a90837fda586. So sg-053f4a90837fda586 cannot be deleted because sg-0f481995d4e99ac12 exists and vice-versa.
Attempting to delete both at the same time gives the same issue:
What is the error in my approach?
This error can happen when the security group you are trying to delete is referenced in a rule of another security group.
To fix this, in each security group remove the rule that is referencing the other group.
Then, delete the security groups themselves.
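The two answers above (this one and the one to the first question) describe the same procedure: revoke the rules that point at the other group, then delete. The script below is an added example, not code from either answer or from AWS. It reads the shape that `aws ec2 describe-security-groups --output json` returns, finds every rule in which one group references another, reports why a given group cannot be deleted, and emits the `revoke-security-group-ingress`/`-egress` commands that must run before `delete-security-group`. The group IDs, VPC ID and account ID in SAMPLE_GROUPS are constructed for the example; the data mimics two EFS mount-target groups that allow NFS from each other plus the VPC default group.

```python
"""Added example: which security-group rules block deletion, and the revoke
commands that break an A<->B reference cycle. Input follows the
`describe-security-groups` JSON shape; SAMPLE_GROUPS is constructed."""
import json
import shlex

SAMPLE_GROUPS = [  # constructed: two EFS mount-target groups plus the VPC default group
    {
        "GroupId": "sg-0aaa", "GroupName": "efs-mt-a", "VpcId": "vpc-0123",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049, "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0bbb", "UserId": "111122223333"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0bbb", "GroupName": "efs-mt-b", "VpcId": "vpc-0123",
        "IpPermissions": [
            # one rule whose source list mixes a reference to sg-0aaa with a self-reference
            {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049, "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0aaa", "UserId": "111122223333"},
                                  {"GroupId": "sg-0bbb", "UserId": "111122223333"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049, "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0aaa", "UserId": "111122223333"}]},
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0ccc", "GroupName": "default", "VpcId": "vpc-0123",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0ccc", "UserId": "111122223333"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
]

DIRECTIONS = (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress"))


def group_references(groups):
    """Every (referencing group, direction, referenced group) with the rule that
    carries it. A group referencing itself is skipped: that rule goes away with
    the group, and only references from *other* groups block deletion."""
    refs = []
    for g in groups:
        for direction, key in DIRECTIONS:
            for perm in g.get(key, []):
                for pair in perm.get("UserIdGroupPairs", []):
                    target = pair.get("GroupId")
                    if target and target != g["GroupId"]:
                        refs.append({"from": g["GroupId"], "direction": direction,
                                     "to": target, "perm": perm})
    return refs


def deletion_blockers(groups, target_id):
    """Why delete-security-group would fail for target_id, as far as the rule
    table shows (network-interface associations are a separate check)."""
    by_id = {g["GroupId"]: g for g in groups}
    return {
        "is_default": by_id[target_id]["GroupName"] == "default",
        "referenced_by": [(r["from"], r["direction"])
                          for r in group_references(groups) if r["to"] == target_id],
    }


def _minimal_permission(perm, target_id):
    """Smallest IpPermission that revokes only the group-pair element, leaving
    any CIDR entries that share the same rule untouched."""
    minimal = {"IpProtocol": perm["IpProtocol"], "UserIdGroupPairs": [{"GroupId": target_id}]}
    for k in ("FromPort", "ToPort"):
        if k in perm:
            minimal[k] = perm[k]
    return minimal


def revoke_commands(groups, target_ids):
    """Ordered CLI commands: revoke every rule that points at a target, then
    delete the targets. Revoking first is what breaks the cycle; afterwards
    the deletions succeed in any order."""
    targets, cmds, seen = set(target_ids), [], set()
    for r in group_references(groups):
        if r["to"] not in targets:
            continue
        perm = _minimal_permission(r["perm"], r["to"])
        key = (r["from"], r["direction"], json.dumps(perm, sort_keys=True))
        if key in seen:
            continue
        seen.add(key)
        cmds.append(f"aws ec2 revoke-security-group-{r['direction']} --group-id {r['from']} "
                    f"--ip-permissions {shlex.quote(json.dumps([perm]))}")
    for t in target_ids:
        if deletion_blockers(groups, t)["is_default"]:
            raise ValueError(f"{t} is the VPC default group and cannot be deleted")
        cmds.append(f"aws ec2 delete-security-group --group-id {t}")
    return cmds


if __name__ == "__main__":
    for target in ("sg-0aaa", "sg-0bbb", "sg-0ccc"):
        print(target, deletion_blockers(SAMPLE_GROUPS, target))
    print("\n".join(revoke_commands(SAMPLE_GROUPS, ["sg-0aaa", "sg-0bbb"])))
```

Feeding real output in is a matter of `json.load` on the `SecurityGroups` array. Note that the console's "delete both at once" fails for the same reason the one-at-a-time attempt does: the console does not revoke the cross-referencing rules for you, so neither deletion can be the first.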
As far as I can see, you might be using a default SG, which cannot be deleted, as mentioned here:
Troubleshoot delete SG
All VPCs have a default security group. If you don't specify a different security group when you launch the instance, a default security group is automatically associated with your instance. You can't delete a default security group. But, you can change the default security group's rules.

What does it mean to "link" AWS security groups?

In my studies of AWS, multiple times I have seen references to "linking" security groups. I do not understand what this means in practice. My current understanding is that when rules are defined in security groups, they are defined in terms of ports and CIDR ranges, there is no linkage to another group. So, my question is, what is this language referring to? I have a snippet from the Elasticache FAQ below with this language:
"To allow network access to your cluster, create a Security Group and link the desired EC2 security groups (which in turn specify the EC2 instances allowed) to it."
When you edit inbound/outbound rules for a Security Group, you are allowed to reference another Security Group as source/destination. Example:
The benefit of this is that you don't have to rely on IP addresses or IP ranges, because these might change (instance is restarted, you want to migrate from one instance to another, etc.).
Moreover, linking a Security Group may simplify the rule table: since more than one entity can have the same Security Group attached, you don't need to specify the IP of each entity.
The security group you made can be created without an EC2 instance in place. It won't have any effect if you do, but you can prepare the groups ahead of time.
Then when you have 1 or more EC2 instances (or any other resource really) you can apply 1 or more of these groups to the instances. Applying them is apparently called "linking" in your training, according to your last sentence.
To allow network access to your cluster, create a Security Group and
link the desired EC2 security groups (which in turn specify the EC2 instances allowed) to it.
(emphasis mine)
Alternatively, like #luk2302 mentioned, you can also provide fine grained security by linking security groups to each other. For example:
Allow traffic on port 80 of my security group only from EC2 instances that belong to <>.
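To make the two answers above concrete, here is an added example (not code from the answers, the ElastiCache FAQ or AWS) that models how an inbound rule is evaluated when its source is another security group rather than a CIDR. The interfaces, addresses, group names and rules are constructed; the model covers only the inbound allow-list decision (no stateful return traffic, NACLs or egress). The point it shows is that a group-referencing rule matches on the groups attached to the *sending* interface, so it keeps working after that interface changes IP, whereas a CIDR rule does not.

```python
"""Added example: inbound security-group evaluation with group-referenced
("linked") sources versus CIDR sources. All data below is constructed."""
import copy
import ipaddress

# constructed: network interfaces with their addresses and attached groups
ENIS = {
    "eni-web1":    {"ip": "10.0.1.10", "groups": ["sg-web"]},
    "eni-web2":    {"ip": "10.0.1.11", "groups": ["sg-web"]},
    "eni-bastion": {"ip": "10.0.9.5",  "groups": ["sg-bastion"]},
    "eni-cache":   {"ip": "10.0.2.20", "groups": ["sg-cache"]},
}

# constructed inbound rules per group. "source_group" is the linked form the
# ElastiCache FAQ talks about; "cidr" is the address-based form.
INBOUND_RULES = {
    "sg-cache": [
        {"proto": "tcp", "from_port": 6379, "to_port": 6379, "source_group": "sg-web"},
        {"proto": "tcp", "from_port": 22,   "to_port": 22,   "cidr": "10.0.9.0/24"},
    ],
    "sg-web":     [{"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}],
    "sg-bastion": [],
}


def rule_matches(rule, src, proto, port):
    """A rule is (protocol, port range, source). The source is either a CIDR the
    sender's IP must fall in, or a group the sender's interface must carry."""
    if rule["proto"] != "-1":  # "-1" means all protocols and ports
        if rule["proto"] != proto or not rule["from_port"] <= port <= rule["to_port"]:
            return False
    if "source_group" in rule:
        return rule["source_group"] in src["groups"]
    return ipaddress.ip_address(src["ip"]) in ipaddress.ip_network(rule["cidr"])


def inbound_allowed(rules, enis, dest_eni, src_eni, proto, port):
    """Security groups are allow-lists: traffic passes if any rule of any group
    attached to the destination interface matches; otherwise it is dropped."""
    src = enis[src_eni]
    return any(rule_matches(rule, src, proto, port)
               for group in enis[dest_eni]["groups"]
               for rule in rules.get(group, []))


def with_ip(enis, eni, new_ip):
    """Copy of the interface table with one address changed, as happens when an
    instance is replaced or lands on a different subnet."""
    moved = copy.deepcopy(enis)
    moved[eni]["ip"] = new_ip
    return moved


if __name__ == "__main__":
    print(inbound_allowed(INBOUND_RULES, ENIS, "eni-cache", "eni-web1", "tcp", 6379))
    # group-based rule still matches after the web instance changes address
    print(inbound_allowed(INBOUND_RULES, with_ip(ENIS, "eni-web1", "10.0.7.200"),
                          "eni-cache", "eni-web1", "tcp", 6379))
    # CIDR-based rule stops matching once the bastion leaves 10.0.9.0/24
    print(inbound_allowed(INBOUND_RULES, with_ip(ENIS, "eni-bastion", "10.0.7.5"),
                          "eni-cache", "eni-bastion", "tcp", 22))
```

This is also why a cross-referencing rule blocks deletion of the referenced group (see the first two questions on this page): the rule's meaning is "whatever interfaces carry sg-web", and that set is undefined once sg-web is gone.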

How can I have a default security group without a VPC?

I saw this today and it seemed odd. In one region I have no VPC, but I apparently have a default security group that can't be deleted because "This is a default security group. Default security groups cannot be deleted."
How did this default security group come to exist without a VPC?
At one point there must have been a VPC, which came with this default security group, but I thought if the VPC is deleted the corresponding default security group would be deleted along with it.
All modern AWS accounts are provisioned with a VPC. VPCs can be deleted but the default security group cannot.
I believe this dates back to the beginning of the EC2 service (i.e. EC2 Classic). In 2013 and earlier, users were able to create instances on a flat network that was shared with other customers and there was no concept of VPCs. AWS required EC2 instances to be associated with a security group but if none were created/selected by the user, AWS could rely on the default security group being available.
So the reason that we can have a default security group without a VPC is that security groups were actually a concept before VPCs and AWS still keeps this default security group requirement as a side effect of some of those earlier infrastructure requirements.
Ran into this yesterday.
Was using EC2 Classic Resource Finder and came across this resource along with some Security Groups (including the default) and an EIP. Deleted the non-default SGs and released the EIP without issue. Was unable to delete the default SG with the error "The following security groups can't be deleted. They are either default security groups, referenced by other security groups or they are associated with instances or network interfaces".
Ensuring this was not associated with a VPC or any other resources were referencing it, we reached out to support. Support confirmed that this resource will be sunset with EC2 Classic in 2023.
I think that must be it. I remembered deleting a default VPC for security reasons, but the default security group persisted.
Security is one of the key aspects in this regard.
It is useful to note that security is always considered a top priority at AWS. Therefore, the default Security Group cannot be deleted, partially because it is the last line of defense against potentially malicious attacks on your Amazon EC2 instances. Amazon relies on Security Groups as virtual firewalls that your instances will be paired up with exclusively for safety reasons. That is also why default SGs by default block any incoming traffic.
On the other hand, the protective NACL (Network Access Control List) feature is only one aspect of the VPC setup. VPCs are primarily logical networking compartments in your cloud infrastructure and you have absolute freedom to define them in any way you see fit. One use case is that you can have complex routing solutions that define many of the aspects of your cloud infrastructure, and your developers accidentally adding Amazon EC2 instances to a default VPC can lead to hours of debugging why your resource is not behaving as expected.
In summary, security and the mentioned legacy aspects of Amazon EC2 Classic instances related to the VPC concept (EC2-Classic and a VPC) are the key reasons why default SGs cannot be deleted, unlike default VPCs. Still, if you delete the default VPC, you will not be able to restore it or to provision new Amazon EC2 instances until you create at least one custom VPC in the respective region.
If you delete the default VPC (along with any running EC2 instances and network interfaces in it), it will automatically delete the default security group as well.
Can you delete a default VPC for a region?
You can delete a default subnet or default VPC just as you can delete any other subnet or VPC.
However, if you delete your default subnets or default VPC, you must explicitly specify a subnet in another VPC in which to launch your instance, because you can't launch instances into EC2-Classic. If you do not have another VPC, you must create a nondefault VPC and nondefault subnet. For more information, see Create a VPC.
Reference: https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html

Unable to change the security group of a network interface

I want to delete a security group, sg-d578d9ab, in my AWS account.
I got the following message when trying to delete it.
These security groups are associated with one or more network
interfaces. Delete the network interfaces, or associate them with
different security groups. View your network interfaces.
In order to solve the problem, I opened the Network Interfaces page to see which network interface is using sg-d578d9ab.
It turns out there's 1 network interface that's using the security group.
Then I used the Change Security Groups option to disassociate the security group from the network interface.
Then I got a message saying
You do not have permission to access the specified resource.
Why can't I change the security group of the network interface?
My AWS account has AdministratorAccess permission.
The Attachment owner and Owner ID properties of the network interface are amazon-rds. This seems to be the reason I can't change its security group.
Does this mean that the network interface is created when someone else sets up an AWS RDS?
The security group, sg-d578d9ab, is used by one of my RDS instances.
After disassociating the RDS instance from the security group, I was able to delete the security group.
Saw the same error, but from a VPC endpoint. After disassociating the VPC endpoint from the security group, I was able to delete the security group.
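The thread above shows the general pattern: an interface whose owner is a managed service (amazon-rds here, a VPC endpoint in the last comment) cannot be edited through the network-interface API, even as an administrator; the group has to be changed on the parent resource. The script below is an added example (not from the posts or from AWS) that takes the shape of `aws ec2 describe-network-interfaces --filters Name=group-id,Values=<sg>` output and, for each interface still holding the group, says which command to run. The three interfaces in SAMPLE_ENIS are constructed; the `RDSNetworkInterface` and `VPC Endpoint Interface vpce-...` descriptions follow the form those services use, and `<replacement-sg>` in the output is a placeholder the operator fills in.

```python
"""Added example: for every network interface that still carries a security
group, decide whether the group can be changed on the interface itself or
must be changed on the owning service. SAMPLE_ENIS is constructed."""
import re

SG = "sg-d578d9ab"  # the group from the question

SAMPLE_ENIS = [  # constructed: one user-owned ENI, one RDS ENI, one VPC endpoint ENI
    {"NetworkInterfaceId": "eni-0a1", "Description": "", "RequesterManaged": False,
     "Groups": [{"GroupId": SG}, {"GroupId": "sg-0f1"}],
     "Attachment": {"InstanceId": "i-0123", "InstanceOwnerId": "111122223333"}},
    {"NetworkInterfaceId": "eni-0b2", "Description": "RDSNetworkInterface",
     "RequesterManaged": True, "RequesterId": "amazon-rds",
     "Groups": [{"GroupId": SG}, {"GroupId": "sg-0f1"}],
     "Attachment": {"InstanceOwnerId": "amazon-rds"}},
    {"NetworkInterfaceId": "eni-0c3", "Description": "VPC Endpoint Interface vpce-0ab1",
     "RequesterManaged": True, "Groups": [{"GroupId": SG}, {"GroupId": "sg-0f1"}]},
]


def holders(enis, sg_id):
    """Interfaces whose group list contains sg_id."""
    return [e for e in enis if any(g["GroupId"] == sg_id for g in e.get("Groups", []))]


def detach_plan(eni, sg_id):
    """Return (kind, command) for removing sg_id from one interface.

    An interface must keep at least one group, so when sg_id is the only one
    a replacement has to be supplied; that is shown as the placeholder
    <replacement-sg>. The group-list arguments of these commands replace the
    whole set (modify-db-instance --vpc-security-group-ids, modify-network-
    interface-attribute --groups), so the remaining groups are passed in full."""
    eni_id = eni["NetworkInterfaceId"]
    remaining = [g["GroupId"] for g in eni.get("Groups", []) if g["GroupId"] != sg_id]
    keep = " ".join(remaining) if remaining else "<replacement-sg>"
    desc = eni.get("Description", "")

    if not eni.get("RequesterManaged"):
        # user-owned interface: edit it directly
        return ("eni", f"aws ec2 modify-network-interface-attribute "
                       f"--network-interface-id {eni_id} --groups {keep}")
    if desc.startswith("RDSNetworkInterface"):
        # owned by amazon-rds: change the DB instance's VPC security groups instead
        query = f"DBInstances[?VpcSecurityGroups[?VpcSecurityGroupId=='{sg_id}']].DBInstanceIdentifier"
        return ("rds", f"aws rds describe-db-instances --query \"{query}\" --output text && "
                       f"aws rds modify-db-instance --db-instance-identifier <from-query> "
                       f"--vpc-security-group-ids {keep}")
    m = re.search(r"\b(vpce-[0-9a-f]+)\b", desc)
    if m:
        # interface VPC endpoint: the endpoint owns its group membership
        add = "" if remaining else " --add-security-group-ids <replacement-sg>"
        return ("vpc-endpoint", f"aws ec2 modify-vpc-endpoint --vpc-endpoint-id {m.group(1)}"
                                f"{add} --remove-security-group-ids {sg_id}")
    return ("managed-other", f"{eni_id} is requester-managed ({eni.get('RequesterId', '?')}); "
                             f"change the group on the owning service, not on the interface")


if __name__ == "__main__":
    for eni in holders(SAMPLE_ENIS, SG):
        kind, cmd = detach_plan(eni, SG)
        print(f"{eni['NetworkInterfaceId']:10} {kind:13} {cmd}")
```

Once no interface lists the group and no other group's rules reference it, `aws ec2 delete-security-group --group-id sg-d578d9ab` goes through; the "You do not have permission" message on the RDS interface is expected and is not an IAM problem on your side.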

Can we remove a security group from an running EC2 instance?

I have a running EC2 instance with a few security groups added. What I want to do is to remove one of the security groups and add a new one.
I think there will be no problem in adding a new security group. But is it possible to remove a security group without terminating the existing EC2 instance and creating a new one from the AMI?
Yes, it is possible both to add and remove security groups. In the AWS web console go to the EC2 Instances page, right-click on the instance you want to change -> Networking -> Change Security Group.
You can easily check that it is done without terminating or even stopping the instance.
FWIW, you can also change the inbound/outbound rules of the current security group instead of removing it and adding a new one. Changes to inbound/outbound rules also take effect immediately with no need to stop EC2.
From the AWS documentation, this is how you can remove a security group from an instance:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Instances.
3. Select your instance, and then choose Actions, Security, Change security groups.
4. For Associated security groups, select a security group from the list and choose Add security group.
5. To remove an already associated security group, choose Remove for that security group.
6. Choose Save.
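The CLI counterpart of the console steps above, as an added example that is not from the answers or from AWS documentation: `aws ec2 modify-instance-attribute --groups` replaces the whole security-group set on the instance's primary network interface, so the command has to be built from the full current list with one group swapped, not from the one group you want to add. The instance, group and VPC IDs are constructed, `SG_VPC` stands in for what `describe-security-groups` would report, and the group-count limit is the default per-interface quota, which accounts can have raised.

```python
"""Added example: swap one security group on a running instance by building
the full replacement list for modify-instance-attribute. Data is constructed."""

INSTANCE = {"InstanceId": "i-0123", "VpcId": "vpc-0a",
            "SecurityGroups": ["sg-old", "sg-ssh"]}            # constructed
SG_VPC = {"sg-old": "vpc-0a", "sg-ssh": "vpc-0a",
          "sg-new": "vpc-0a", "sg-other": "vpc-0b"}             # constructed: group -> VPC
MAX_GROUPS_PER_ENI = 5  # default quota per network interface; adjustable per account


def swap_group(instance, remove_id, add_id, sg_vpc, max_groups=MAX_GROUPS_PER_ENI):
    """Return the complete new group list, or raise on the mistakes that make
    the API call fail: unknown or wrong-VPC group, nothing left attached, or
    more groups than the interface may carry. Order of the list is irrelevant
    to EC2; security groups have no precedence."""
    current = list(instance["SecurityGroups"])
    if remove_id not in current:
        raise ValueError(f"{remove_id} is not attached to {instance['InstanceId']}")
    if add_id not in sg_vpc:
        raise ValueError(f"{add_id} does not exist")
    if sg_vpc[add_id] != instance["VpcId"]:
        raise ValueError(f"{add_id} is in {sg_vpc[add_id]}, instance is in {instance['VpcId']}")
    new = [g for g in current if g != remove_id]
    if add_id not in new:
        new.append(add_id)
    if not new:
        raise ValueError("an instance must keep at least one security group")
    if len(new) > max_groups:
        raise ValueError(f"{len(new)} groups exceeds the per-interface limit of {max_groups}")
    return new


def modify_command(instance_id, groups):
    """The change takes effect immediately, without stopping the instance."""
    return (f"aws ec2 modify-instance-attribute --instance-id {instance_id} "
            f"--groups {' '.join(groups)}")


if __name__ == "__main__":
    groups = swap_group(INSTANCE, "sg-old", "sg-new", SG_VPC)
    print(modify_command(INSTANCE["InstanceId"], groups))
```

For an instance with several network interfaces, this command only touches the primary one; the other interfaces are changed with `modify-network-interface-attribute --groups`, with the same replace-the-whole-set semantics.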