I saw this today and it seemed odd. In one region I have no VPC, but I apparently have a default security group that can't be deleted because "This is a default security group. Default security groups cannot be deleted."
How did this default security group come to exist without a VPC?
At one point there must have been a VPC, which came with this default security group, but I thought if the VPC is deleted the corresponding default security group would be deleted along with it.
All modern AWS accounts are provisioned with a VPC. VPCs can be deleted but the default security group can not.
I believe this dates back to the beginning of the EC2 service (i.e. EC2 Classic). In 2013 and earlier, users were able to create instances on a flat network that was shared with other customers and there was no concept of VPCs. AWS required EC2 instances to be associated with a security group but if none were created/selected by the user, AWS could rely on the default security group being available.
So the reason that we can have a default security group without a VPC is that security groups were actually a concept before VPCs and AWS still keeps this default security group requirement as a side effect of some of those earlier infrastructure requirements.
Ran into this yesterday.
Was using EC2 Classic Resource Finder and came across this resource along with some Security Groups(including the default) and an EIP. Deleted the non-default SG's and released the EIP without issue. Was unable to delete the default SG with the error "The following security groups can't be deleted. They are either default security groups, referenced by other security groups or they are associated with instances or network interfaces".
Ensuring this was not associated with a VPC or any other resources were referencing it, we reached out to support. Support confirmed that this resource will be sunset with EC2 Classic in 2023.
I think that must be it. I remembered deleting a default VPC for security reasons, but the default security group persisted.
Security is one of the key aspects in this term.
It is useful to note that security is always considered a top priority job at AWS. Therefore, Default Security Group cannot be deleted partially because they it is the last line of defense for potentially malicious attack on your Amazon EC2 instances. Amazon relies on Security Groups as virtual firewalls that your instances will be paired-up with exclusively for safety reasons. That is also why default SGs by default block any incoming traffic.
On the hand, protective NACL (Network Access Control Lists) feature is only one aspect of the VPC setup. VPCs are primarily logical networking compartments in your cloud infrastructure and you have absolute freedom to define them in any way you see fit. One use case is that you can have complex routing solutions that define many of the aspects of your cloud infrastructure, and accidentally adding Amazon EC2 instances to a default VPC by your developers can lead to hours of debugging why your resource is not behaving as expected.
In summary, security and the mentioned legacy aspects of the Amazon EC2 Classic instances related to the VPC concept (EC2-Classic and a VPC ) are one of the key reasons why default SGs can not be deleted compared to the default VPCs. Still, if you delete the default VPC, you will not be able to restore it or to provision new Amazon EC2 instances until you create at least one custom VPC in the respective region.
If you delete the default VPC, any running EC2 instances, network interfaces, it will automatically delete the default security group as well.
Can you delete a default VPC for a region?
You can delete a default subnet or default VPC just as you can delete any other subnet or VPC.
However, if you delete your default subnets or default VPC, you must explicitly specify a subnet in another VPC in which to launch your instance, because you can't launch instances into EC2-Classic. If you do not have another VPC, you must create a nondefault VPC and nondefault subnet. For more information, see Create a VPC.
Reference: https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html
