An EFS file system was temporarily setup for use with two EC2 instances in different availability zones. Security groups were automatically created for each subnet within the region to which the EFS was launched. This region has three availability zones so three subnets and thus three security groups. Looking at the security groups description details the SGs' creation:
The EFS and the EC2s to which the EFS was attached have now all been terminated/deleted. However when attempting to delete the security groups I get the following notification for each:
Clicking on the link "1 security group associated" for details the of why security group sg-053f4a90837fda586 cannot be deleted shows that the associated security group is sg-0f481995d4e99ac12. Upon attempting to delete sg-0f481995d4e99ac12, the same information says that it cannot be deleted as it is associated with sg-053f4a90837fda586. So sg-053f4a90837fda586 cannot be deleted because sg-0f481995d4e99ac12 exists and vice-versa.
Attempting to delete both at the same time gives the same issue:
What is the error in my approach?
This error can happen when the security group you are trying to delete is referenced in a rule of another security group.
To fix this, in each security group remove the rule that is referencing the other group.
Then, delete the security groups themselves.
As far as I can see, you might be using default SG, which is unable to be deleted, as mentioned here:
Troubleshoot delete SG
All VPCs have a default security group. If you don't specify a different security group when you launch the instance, a default security group is automatically associated with your instance. You can't delete a default security group. But, you can change the default security group's rules.
Related
I was trying to connect to an RDS Instance from an EC2 instance. This resulted in creation of security groups for both of these resources. Now I do not want this connection and have deleted the RDS instance but the security groups still exist. How can I delete them?
When I try to delete them from console it says:
The following security groups can't be deleted. They are either default security groups, referenced by other security groups, or they are associated with instances or network interfaces.
Reason: 1 security group associated
These security groups were also attached to network interfaces earlier which was also a reason for why I couldn't delete them but I was able to disassociate them from these security groups.
Delete the particular rule referencing the other security group (or edit to something else) first. This removes the dependency and you'll be able to delete the security group itself.
I saw this today and it seemed odd. In one region I have no VPC, but I apparently have a default security group that can't be deleted because "This is a default security group. Default security groups cannot be deleted."
How did this default security group come to exist without a VPC?
At one point there must have been a VPC, which came with this default security group, but I thought if the VPC is deleted the corresponding default security group would be deleted along with it.
All modern AWS accounts are provisioned with a VPC. VPCs can be deleted but the default security group can not.
I believe this dates back to the beginning of the EC2 service (i.e. EC2 Classic). In 2013 and earlier, users were able to create instances on a flat network that was shared with other customers and there was no concept of VPCs. AWS required EC2 instances to be associated with a security group but if none were created/selected by the user, AWS could rely on the default security group being available.
So the reason that we can have a default security group without a VPC is that security groups were actually a concept before VPCs and AWS still keeps this default security group requirement as a side effect of some of those earlier infrastructure requirements.
Ran into this yesterday.
Was using EC2 Classic Resource Finder and came across this resource along with some Security Groups(including the default) and an EIP. Deleted the non-default SG's and released the EIP without issue. Was unable to delete the default SG with the error "The following security groups can't be deleted. They are either default security groups, referenced by other security groups or they are associated with instances or network interfaces".
Ensuring this was not associated with a VPC or any other resources were referencing it, we reached out to support. Support confirmed that this resource will be sunset with EC2 Classic in 2023.
I think that must be it. I remembered deleting a default VPC for security reasons, but the default security group persisted.
Security is one of the key aspects in this term.
It is useful to note that security is always considered a top priority job at AWS. Therefore, Default Security Group cannot be deleted partially because they it is the last line of defense for potentially malicious attack on your Amazon EC2 instances. Amazon relies on Security Groups as virtual firewalls that your instances will be paired-up with exclusively for safety reasons. That is also why default SGs by default block any incoming traffic.
On the hand, protective NACL (Network Access Control Lists) feature is only one aspect of the VPC setup. VPCs are primarily logical networking compartments in your cloud infrastructure and you have absolute freedom to define them in any way you see fit. One use case is that you can have complex routing solutions that define many of the aspects of your cloud infrastructure, and accidentally adding Amazon EC2 instances to a default VPC by your developers can lead to hours of debugging why your resource is not behaving as expected.
In summary, security and the mentioned legacy aspects of the Amazon EC2 Classic instances related to the VPC concept (EC2-Classic and a VPC ) are one of the key reasons why default SGs can not be deleted compared to the default VPCs. Still, if you delete the default VPC, you will not be able to restore it or to provision new Amazon EC2 instances until you create at least one custom VPC in the respective region.
If you delete the default VPC, any running EC2 instances, network interfaces, it will automatically delete the default security group as well.
Can you delete a default VPC for a region?
You can delete a default subnet or default VPC just as you can delete
any other subnet or VPC.
However, if you delete your default subnets or default VPC, you must
explicitly specify a subnet in another VPC in which to launch your
instance, because you can't launch instances into EC2-Classic. If you
do not have another VPC, you must create a nondefault VPC and
nondefault subnet. For more information, see Create a VPC.
Reference: https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html
I have a carefully crafted and secure Default Security Group that should be used for this new ec2 instance. However none of my existing SG's are included in the Configure Security Group screen. Instead two new ones are shown that are worse than useless
Port 80 open to the world ??
Why are my existing security group's not displayed? Note I have checked the Region is the correct one containing the properly constructed SG's.
Based on the comments.
Security groups (SGs) are VPC specific. Thus, the issue was caused by launching an instance in a different VPC then intended. Subsequently, expected SGs were not available for the instance.
The solution was to use correct VPC.
I have a running EC2 instance with few security groups added. What I want to do is to remove one of the security group and add a new one.
I think there will be no problem in adding a new security group. But is it possible to remove a security group without terminating existing ec2 instance and creating a new one from the ami ?
yes, it is possible both to add and remove security group. In AWS web console go to EC2 Instances page, right click on instance you want to change -> Networking -> Change Security Group
You can easily check that it is done without terminating or even stopping the instance.
FWIW, you can also change the inbound/outbound rules of the current security group instead of removing it and adding a new one. Changes to inbound/outbound rules also take effect immediately with no need to stop EC2.
From the AWS documentation this is how you can remove a security group from a insance:
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the navigation pane, choose Instances.
Select your instance, and then choose Actions, Security, Change
security groups.
For Associated security groups, select a security group from the
list and choose Add security group.
To remove an already associated security group, choose Remove for
that security group.
Choose Save.
When you edit an AWS security group, the changes are automatically applied to any EC2 instances associated with the security group.
When you change the launch configuration for your Auto Scaling group, any new instances are launched using the new configuration parameters, but existing instances are not affected.
So, my question is what happens when you edit the security group used by your Auto Scaling launch config? Are the changes applied only to new instances? Or do existing instances get the new security group rules as well?
Thanks!
Existing instances in the Auto Scaling Group will see any rule changes to the security group.