How to _remove_ security groups from launch template version

0

I'm trying to use the CLI to remove security groups (SGs) from a launch template (LT). When updating the LT version, my config JSON looks like so:

{
    "SecurityGroupIds": []
}

... but this isn't removing the SGs from the newly-created LT version. I believe the create-launch-template-version operation is taking the union of the existing SGs and the newly-specified SGs, but I want to replace the existing SGs (in this case with zero SGs).

How can I delete SGs for a new LT version? (Using the Console isn't feasible for me, I have thousands of LTs.)

1 Answer
0

To remove all security groups from a launch template version when creating a new version, you need to use the SecurityGroupIds parameter along with the DefaultSecurityGroupIds parameter in the create-launch-template-version command. Here's the command you can use:

aws ec2 create-launch-template-version \
    --launch-template-id <launch-template-id> \
    --version-description "Remove security groups" \
    --source-version <source-version-number> \
    --launch-template-data '{"SecurityGroupIds": [], "DefaultSecurityGroupIds": []}' \
    --region <region>

Replace the following:

  • <launch-template-id> with the ID of your launch template
  • <source-version-number> with the version number you want to base the new version on
  • <region> with the AWS region where your launch template resides

However, when you create a new EC2 instance using a launch template without any security groups specified, AWS will automatically assign the default security group to the instance.

If your goal is to not allow any inbound/outbound traffic to the instance, I would suggest attaching a security group with no inbound/outbound rules. Alternatively, you could edit the default security group to remove the inbound/outbound rules, but I would not recommend doing this. If you go either of these routes, you will not be able to connect to your instances, and your instances won't be able to connect to anything.

To make sure we're implementing the best solution, may I ask why you want to launch instances without a security group attached?

AWS
answered 5 months ago
  • This returns an error for me:

    Parameter validation failed:
    Unknown parameter in LaunchTemplateData: "DefaultSecurityGroupIds", must be one of: KernelId, EbsOptimized, IamInstanceProfile, BlockDeviceMappings, NetworkInterfaces, ImageId, InstanceType, KeyName, Monitoring, Placement, RamDiskId, DisableApiTermination, InstanceInitiatedShutdownBehavior, UserData, TagSpecifications, ElasticGpuSpecifications, ElasticInferenceAccelerators, SecurityGroupIds, SecurityGroups, InstanceMarketOptions, CreditSpecification, CpuOptions, CapacityReservationSpecification, LicenseSpecifications, HibernationOptions, MetadataOptions, EnclaveOptions, InstanceRequirements, PrivateDnsNameOptions, MaintenanceOptions, DisableApiStop
    

    Versions: aws-cli/1.32.16 Python/3.9.18 Darwin/23.6.0 botocore/1.29.165 aws-cli/2.15.57 Python/3.11.8 Darwin/23.6.0 exe/x86_64
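Added example, not part of the question, the answer or the comment above: a Python/boto3 script that does what the asker wants across many launch templates. It assumes, and this page does not state it, that the inherit-and-merge behaviour the asker observed is avoided by omitting --source-version altogether and supplying the complete LaunchTemplateData of the source version with every security-group field removed, and that the LaunchTemplateData returned by describe-launch-template-versions is accepted back by create-launch-template-version. It then reads the new version back to confirm no security-group references survived, rather than trusting the request. Launch template IDs and sample data are constructed placeholders.

```python
"""Create a new launch template version carrying no security groups, then verify it.

Assumption (not from the page): create-launch-template-version merges
LaunchTemplateData over --source-version, so this script does NOT pass
SourceVersion; it copies the source version's data, strips every
security-group field and submits the full data as a fresh version.
"""
import copy

# Top-level fields, and the per-interface field, that can carry security groups.
SG_TOP_LEVEL_KEYS = ("SecurityGroupIds", "SecurityGroups")
SG_INTERFACE_KEY = "Groups"


def strip_security_groups(data):
    """Return a copy of LaunchTemplateData with all security-group
    references removed (top-level IDs/names and per-NetworkInterface Groups)."""
    cleaned = copy.deepcopy(data)
    for key in SG_TOP_LEVEL_KEYS:
        cleaned.pop(key, None)
    for eni in cleaned.get("NetworkInterfaces", []):
        eni.pop(SG_INTERFACE_KEY, None)
    return cleaned


def security_group_refs(data):
    """List every security-group reference in LaunchTemplateData (used for the check)."""
    refs = []
    for key in SG_TOP_LEVEL_KEYS:
        refs.extend(data.get(key, []))
    for eni in data.get("NetworkInterfaces", []):
        refs.extend(eni.get(SG_INTERFACE_KEY, []))
    return refs


def create_version_without_sgs(ec2, launch_template_id, source_version="$Latest"):
    """Create a new version of launch_template_id with no security groups.

    `ec2` is a boto3 EC2 client (or any object exposing the same two methods,
    which is how an offline test can drive it). Returns the new version number.
    """
    resp = ec2.describe_launch_template_versions(
        LaunchTemplateId=launch_template_id, Versions=[source_version]
    )
    source = resp["LaunchTemplateVersions"][0]
    data = strip_security_groups(source["LaunchTemplateData"])
    # No SourceVersion here: the full data set is supplied, so nothing is
    # inherited from (or merged with) the previous version.
    created = ec2.create_launch_template_version(
        LaunchTemplateId=launch_template_id,
        VersionDescription="Remove security groups",
        LaunchTemplateData=data,
    )
    new_version = created["LaunchTemplateVersion"]["VersionNumber"]
    # Verify by reading the new version back instead of trusting the request.
    check = ec2.describe_launch_template_versions(
        LaunchTemplateId=launch_template_id, Versions=[str(new_version)]
    )
    remaining = security_group_refs(check["LaunchTemplateVersions"][0]["LaunchTemplateData"])
    if remaining:
        raise RuntimeError(f"{launch_template_id} v{new_version} still has SGs: {remaining}")
    return new_version


if __name__ == "__main__":
    import sys
    import boto3  # imported here so the helpers above stay importable offline

    client = boto3.client("ec2")  # region comes from the usual AWS config / env
    for lt_id in sys.argv[1:]:  # e.g. lt-0123456789abcdef0 (placeholder ID)
        print(lt_id, "->", create_version_without_sgs(client, lt_id))
```

Run it as `python remove_lt_sgs.py lt-... lt-...` with credentials that allow ec2:DescribeLaunchTemplateVersions and ec2:CreateLaunchTemplateVersion. Keep the answer's caveat in mind: a version with no security groups still launches instances into the VPC default security group, so the read-back check confirms the template, not the effective network exposure of the instances.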
