We've all encountered this AWS error when trying to clean up security groups:
An error occurred (DependencyViolation) when calling the DeleteSecurityGroup operation: resource sg-12345678 has a dependent object
While the error is clear about dependencies existing, AWS doesn't specify exactly what's referencing your security group. Let's explore several methods to uncover these dependencies.
Network interfaces are the most common dependency. Run this command:
aws ec2 describe-network-interfaces --filters Name=group-id,Values=sg-12345678 --region us-west-2
This will return any ENIs using your security group, including:
- EC2 instances
- Lambda functions (when using VPC)
- RDS instances
- ElastiCache clusters
For ALBs/NLBs, use:
aws elbv2 describe-load-balancers --query 'LoadBalancers[*].LoadBalancerArn' --output text |
xargs -I {} aws elbv2 describe-load-balancer-attributes --load-balancer-arn {} |
grep -A5 "SecurityGroups"
For Classic ELBs:
aws elb describe-load-balancers --query 'LoadBalancerDescriptions[?SecurityGroups[0]==sg-12345678].LoadBalancerName' --output text
Security groups can be referenced in VPC peering connection rules:
aws ec2 describe-vpc-peering-connections --query 'VpcPeeringConnections[?RequesterVpcInfo.SecurityGroupId==sg-12345678 || AccepterVpcInfo.SecurityGroupId==sg-12345678]'
For Lambda functions using your VPC:
aws lambda list-functions --query 'Functions[?VpcConfig.SecurityGroupIds[0]==sg-12345678].FunctionName' --output text
The default security group has unique dependencies. Check for:
aws ec2 describe-instances --filters Name=instance.group-id,Values=sg-12345678 --query 'Reservations[*].Instances[*].InstanceId' --output text
Here's a Python script to check multiple dependency types:
import boto3
def find_sg_dependencies(sg_id, region):
ec2 = boto3.client('ec2', region_name=region)
# Check ENIs
enis = ec2.describe_network_interfaces(
Filters=[{'Name': 'group-id', 'Values': [sg_id]}]
)
# Check instances directly (for default SG case)
instances = ec2.describe_instances(
Filters=[{'Name': 'instance.group-id', 'Values': [sg_id]}]
)
# Check security group rules referencing this SG
referencing_sgs = []
all_sgs = ec2.describe_security_groups()['SecurityGroups']
for sg in all_sgs:
for rule in sg['IpPermissions'] + sg['IpPermissionsEgress']:
for pair in rule.get('UserIdGroupPairs', []):
if pair['GroupId'] == sg_id:
referencing_sgs.append(sg['GroupId'])
return {
'network_interfaces': enis['NetworkInterfaces'],
'instances': [i for r in instances['Reservations'] for i in r['Instances']],
'referencing_security_groups': list(set(referencing_sgs))
}
To avoid this situation:
- Implement naming conventions for security groups
- Use AWS Config to track security group relationships
- Regularly audit unused security groups with AWS Trusted Advisor
- Consider using AWS Firewall Manager for enterprise environments
When attempting to delete an AWS security group, you might encounter the frustrating error: "The specified group has dependencies and cannot be deleted." This occurs when other AWS resources are still referencing the security group, but AWS doesn't provide clear visibility into these dependencies through basic commands like aws ec2 describe-security-groups.
Here are several approaches to uncover these hidden dependencies:
1. Using AWS Console
The AWS Management Console provides some visibility:
1. Navigate to EC2 → Security Groups
2. Select the problematic security group
3. Check the "Inbound rules" and "Outbound rules" tabs
4. Look for references in other security groups' rules2. AWS CLI Commands
These CLI commands can help identify dependencies:
# Check network interfaces using the security group
aws ec2 describe-network-interfaces --filters Name=group-id,Values=sg-12345678
# Check instances using the security group
aws ec2 describe-instances --filters Name=instance.group-id,Values=sg-12345678
# Check security group rules referencing this group
aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?UserIdGroupPairs[?GroupId==sg-12345678]]].GroupId'
3. Checking Other AWS Services
Many AWS services can reference security groups:
- RDS DB instances
- Elastic Load Balancers
- Elasticache clusters
- Redshift clusters
- Lambda functions in VPC
Here's a Python script using Boto3 to check multiple resource types:
import boto3
def check_sg_dependencies(sg_id):
ec2 = boto3.client('ec2')
rds = boto3.client('rds')
elbv2 = boto3.client('elbv2')
print(f"Checking dependencies for security group: {sg_id}")
# EC2 instances
instances = ec2.describe_instances(
Filters=[{'Name': 'instance.group-id', 'Values': [sg_id]}]
)
print(f"EC2 Instances: {len(instances['Reservations'])} found")
# Network interfaces
interfaces = ec2.describe_network_interfaces(
Filters=[{'Name': 'group-id', 'Values': [sg_id]}]
)
print(f"Network Interfaces: {len(interfaces['NetworkInterfaces'])} found")
# RDS instances
rds_instances = rds.describe_db_instances()
rds_count = sum(1 for instance in rds_instances['DBInstances']
if sg_id in [sg['VpcSecurityGroupId'] for sg in instance['VpcSecurityGroups']])
print(f"RDS Instances: {rds_count} found")
# ELBs
elbs = elbv2.describe_load_balancers()
elb_count = sum(1 for lb in elbs['LoadBalancers']
if sg_id in lb.get('SecurityGroups', []))
print(f"Load Balancers: {elb_count} found")
check_sg_dependencies('sg-12345678')
Once you've identified the dependencies, you can:
- Update the dependent resources to use a different security group
- Delete the dependent resources if they're no longer needed
- For security group rules, modify the referencing security groups
To avoid this situation:
- Implement naming conventions and tags for better tracking
- Use AWS Config to monitor security group usage
- Create documentation for security group dependencies
- Consider using infrastructure as code (Terraform, CloudFormation)