58

Amazon EC2 won't let me delete a security group, complaining that the group still has dependencies. How Can I find what those dependencies are?

aws ec2 describe-security-groups doesn't say.

user14645

10 Answers

83

Paste the security group ID in the "Network Interfaces" section of EC2. This will find usage across EC2, EB, RDS, ELB.

CLI: aws ec2 describe-network-interfaces --filters Name=group-id,Values=sg-123abc45

sashoalm
Denys Stroebel
    One thing this misses is if the security group is referred to by another security group, so it's also worth searching for it in "Security Groups" too, to see if it is being used there. This has caught me out before. – emorris Nov 18 '20 at 16:09
10

The best way to do this in the AWS EC2 console, is to paste in the security group name in the search field in the EC2->Instances section.

All instances associated with the pasted security group will then populate; those would be the EC2 objects (dependencies).

You can also run this search in ELB section and other AWS offerings that utilize security groups.

If you are trying to delete the security group, you will need to either 'change security group' for each instance (if they are in a VPC) or create an AMI and relaunch using a different security group, then delete the old instance (if using EC2 Classic).

Hope that helps.

Scott Moore
8

You need to look at your EC2 instance objects, not the groups themselves:

$ aws ec2 describe-instances --output text

Then either look for "sg-*" or use standard unix text stream processing tools to pull out the data you need.

Alternatively, if you have a small number of instances, use --output table for a nicely-formatted list.

EEAA
  • `aws ec2 describe-instances --output text | grep sg-` – cdmckay Jun 10 '15 at 18:59
  • Since a security group can refer to other security groups, maybe you need to run that function recursively? – brendan Jan 06 '16 at 02:42
  • That's quite incomplete. Security groups can be used in many places besides EC2 instances - ELBs, VPCs, other security groups (as @brendan already mentioned) etc. – Capt. Crunch Mar 09 '17 at 01:35
  • @AmosShapira The OP was asking specifically about EC2. If you'd like, you're always free to edit my answer to improve it. – EEAA Mar 09 '17 at 02:19
  • @AmosShapira It solved the problem the OP was having. SF answers aren't required to be a comprehensive answer to every possible related situation. – EEAA Mar 09 '17 at 02:24
7

You can interrogate the aws cli to get the data you want.

You'll need to:

  • List all security groups looking for references to the group in question
  • List all EC2s and their groups
  • List all ELBs and their groups
  • List all RDSs and their groups

You could also use libraries, like boto https://code.google.com/p/boto/ instead of the raw aws cli.

Drew Khoury
6

Lambda functions may also have Security Groups. At time of writing, Amazon does not prevent deletion of security groups used by Lambda functions.

I used this:

aws lambda list-functions | jq -c '.Functions[] | {FunctionArn, SecurityGroups: (.VpcConfig.SecurityGroupIds[]? // null) }'
karpada
5

Another issue is SecurityGroups that depend on other SecurityGroups. One may use this command to generate the Adjacency list (direct dependencies):

aws ec2 describe-security-groups --query "SecurityGroups[*].{ID:GroupId,Name:GroupName,dependentOnSGs:IpPermissions[].UserIdGroupPairs[].GroupId}"

Ideally, this result should be used to find the transitive closure (all dependencies, direct and indirect). Unfortunately, I've failed to find a transitive closure util.

karpada
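The checklist answer above (query security groups, instances, ELBs, RDS) and the adjacency-list answer just above can be folded into one script. What follows is an added example, not code from the question or from any of the answers. It reads saved JSON from `aws ec2 describe-security-groups` and `aws ec2 describe-network-interfaces` (or, with no arguments, a constructed sample embedded in the script; the group ids, interface ids, descriptions and owner ids in it are made up) and reports, for one group id, the groups whose rules reference it directly, the transitive closure of those references computed as a breadth-first search over the reversed reference graph, and the network interfaces the group is attached to. Unlike the one-liner above it also scans IpPermissionsEgress and reports self-references. It does not query Lambda or any other service, so it complements the other checks on this page rather than replacing them.

```python
#!/usr/bin/env python3
"""Added example: what depends on a security group, from saved AWS CLI JSON.

Assumed workflow:  aws ec2 describe-security-groups --output json > sgs.json
                   aws ec2 describe-network-interfaces --output json > enis.json
                   python3 sg_deps.py sgs.json enis.json sg-0123456789abcdef0
Without arguments it runs against the constructed sample below.
"""
import json
import sys
from collections import deque

# Constructed sample (not real AWS output), shaped like the two CLI responses.
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-aaaa1111", "GroupName": "web", "IpPermissionsEgress": [],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-bbbb2222", "GroupName": "app", "IpPermissionsEgress": [],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                        "UserIdGroupPairs": [{"GroupId": "sg-aaaa1111"}]}]},
    {"GroupId": "sg-cccc3333", "GroupName": "db", "IpPermissionsEgress": [],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "UserIdGroupPairs": [{"GroupId": "sg-bbbb2222"}]}]},
    # Egress rule referencing a group: scanning only IpPermissions misses it.
    {"GroupId": "sg-dddd4444", "GroupName": "ops", "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "-1",
                              "UserIdGroupPairs": [{"GroupId": "sg-cccc3333"}]}]},
    # Self-referencing rule (cluster members talking to each other).
    {"GroupId": "sg-eeee5555", "GroupName": "cluster", "IpPermissionsEgress": [],
     "IpPermissions": [{"IpProtocol": "-1",
                        "UserIdGroupPairs": [{"GroupId": "sg-eeee5555"}]}]},
]}
SAMPLE_ENIS = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0a1", "Description": "ELB app/frontend",
     "Groups": [{"GroupId": "sg-aaaa1111"}], "Attachment": {"InstanceOwnerId": "amazon-elb"}},
    {"NetworkInterfaceId": "eni-0b2", "Description": "",
     "Groups": [{"GroupId": "sg-aaaa1111"}, {"GroupId": "sg-bbbb2222"}],
     "Attachment": {"InstanceId": "i-0123456789abcdef0", "InstanceOwnerId": "111122223333"}},
    {"NetworkInterfaceId": "eni-0c3", "Description": "RDSNetworkInterface",
     "Groups": [{"GroupId": "sg-cccc3333"}], "Attachment": {"InstanceOwnerId": "amazon-rds"}},
]}


def reverse_reference_graph(sgs):
    """Map each group id to the set of groups whose ingress or egress rules reference it."""
    graph = {}
    for sg in sgs["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []) + sg.get("IpPermissionsEgress", []):
            for pair in perm.get("UserIdGroupPairs", []):
                graph.setdefault(pair["GroupId"], set()).add(sg["GroupId"])
    return graph


def transitive_referrers(graph, target):
    """Transitive closure of 'references target' (BFS over the reversed graph).
    A self-referencing group appears in its own result: that rule must go too."""
    seen, queue = set(), deque([target])
    while queue:
        for referrer in graph.get(queue.popleft(), ()):
            if referrer not in seen:
                seen.add(referrer)
                queue.append(referrer)
    return seen


def attached_interfaces(enis, target):
    """(eni id, owner, description) for every ENI that carries the target group.
    Owner/description is how ELB, RDS and similar services show up in this view."""
    hits = []
    for eni in enis["NetworkInterfaces"]:
        if any(g["GroupId"] == target for g in eni.get("Groups", [])):
            att = eni.get("Attachment", {})
            owner = att.get("InstanceId") or att.get("InstanceOwnerId") or "unattached"
            hits.append((eni["NetworkInterfaceId"], owner, eni.get("Description", "")))
    return hits


def dependencies(sgs, enis, target):
    """Everything this page's answers say to look for, in one report."""
    graph = reverse_reference_graph(sgs)
    return {
        "direct_references": sorted(graph.get(target, ())),
        "transitive_references": sorted(transitive_referrers(graph, target)),
        "attached_interfaces": attached_interfaces(enis, target),
    }


def main(argv):
    if len(argv) == 4:  # saved CLI output plus the group id to check
        sgs, enis = (json.load(open(p)) for p in argv[1:3])
        target = argv[3]
    else:
        sgs, enis, target = SAMPLE_SGS, SAMPLE_ENIS, "sg-aaaa1111"
    print(json.dumps(dependencies(sgs, enis, target), indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

On the sample, sg-aaaa1111 is referenced directly only by sg-bbbb2222, but transitively by sg-cccc3333 and sg-dddd4444 (the latter through an egress rule), and it sits on two interfaces, one owned by amazon-elb. Run it across every region you use; security group references do not cross regions, but your inventory does.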
4

You can use this Python tool to list security groups with their dependencies. It also allows for listing unused (obsolete) security groups:

https://github.com/mingbowan/sgdeps

Ryan Fisher
2

This may have not been available when the question was originally asked but if you go into the AWS Console for Security Groups, select the Group(s) in question and select the Delete Action, the resulting prompt will tell you if it's referenced and by what.

user475203
1

I wrote a script that can help with this task: https://github.com/dryoni/aws-tools/tree/main/sg-tool

It shows all references to an SG, including all attached resources.

dryoni
  • I would say this is definitely a better tool as it checks even if the SG is used in ECS etc., compared to sgdeps mentioned above – Steven Yong Jan 05 '22 at 08:02
0

The marked answer is incorrect. If you are seeing a Dependency Violation it is likely that another Security Group is referenced in your IP Permissions (Ingress) configuration. You will need to revoke all of the ingress permissions that contain Security Groups as its source.

MRW
  • I guess the original question was what’s referencing some security group. Are there things that are not network interfaces that reference security groups (and their ingress ports)? If not, then the network interfaces list is a good answer, no? – user14645 May 09 '18 at 19:30
  • While there is value in your point, a reference to a security group is not a dependency violation. It is possible to delete a security group that is not attached to any ENI but is referenced in another security group. After a delete takes place, you will get a "You have new stale security group rules" notification in your console to indicate that there is an old reference to a non-existent security group in a rule. It will then give you a "view stale rules" hyperlink to amend the situation thereafter. – Denys Stroebel Aug 08 '18 at 12:10