AWSConfigRemediation-DeleteUnusedSecurityGroup - Amazon Systems Manager Automation runbook reference
The AWSConfigRemediation-DeleteUnusedSecurityGroup runbook deletes the security group you specify in the GroupId parameter. If you attempt to delete a security group that is associated with an Amazon Elastic Compute Cloud (Amazon EC2) instance, or is referenced by another security group, the automation fails. This automation does not delete a default security group.

Document type

Automation

Platforms

Linux, macOS, Windows

Parameters

  • AutomationAssumeRole

    Type: String

    Allowed values: ^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role\/[\w+=,.@/-]+$

    Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

  • GroupId

    Type: String

    Description: (Required) The ID of the security group that you want to delete.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions for the runbook to run successfully.

  • ssm:StartAutomationExecution

  • ssm:GetAutomationExecution

  • ec2:DescribeSecurityGroups

  • ec2:DeleteSecurityGroup

Document Steps

  • aws:executeAwsApi - Returns the security group name using the value you provide in the GroupId parameter.

  • aws:branch - Confirms that the group name is not "default".

  • aws:executeAwsApi - Deletes the security group specified in the GroupId parameter.

  • aws:executeScript - Confirms the security group was deleted.
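The four document steps above, written out as an added Python example (not the runbook's own code): the FakeEc2 client is a constructed, in-memory stand-in for a boto3 EC2 client so the flow runs offline, and it raises RuntimeError where boto3 would raise ClientError.

```python
class RemediationError(Exception):
    """Raised where the runbook's automation would fail."""


class FakeEc2:
    """Constructed stand-in for a boto3 EC2 client (assumption, offline only);
    API failures are raised as RuntimeError where boto3 raises ClientError."""

    def __init__(self, groups, in_use=()):
        self.groups = dict(groups)   # GroupId -> GroupName
        self.in_use = set(in_use)    # ids attached to an instance or referenced

    def describe_security_groups(self, GroupIds=None, Filters=None):
        ids = GroupIds or [v for f in Filters if f["Name"] == "group-id"
                           for v in f["Values"]]
        found = [{"GroupId": g, "GroupName": self.groups[g]}
                 for g in ids if g in self.groups]
        if GroupIds and len(found) != len(GroupIds):
            raise RuntimeError("InvalidGroup.NotFound")  # explicit id lookup fails
        return {"SecurityGroups": found}

    def delete_security_group(self, GroupId):
        if GroupId in self.in_use:
            raise RuntimeError("DependencyViolation")  # group is still in use
        del self.groups[GroupId]


def delete_unused_security_group(client, group_id):
    """Run the runbook's four steps against `client`; return the outcome."""
    # Step 1 (aws:executeAwsApi): look up the group name for GroupId.
    resp = client.describe_security_groups(GroupIds=[group_id])
    name = resp["SecurityGroups"][0]["GroupName"]
    # Step 2 (aws:branch): never delete a default security group.
    if name == "default":
        raise RemediationError(f"{group_id} is a default security group; skipped")
    # Step 3 (aws:executeAwsApi): delete. EC2 rejects a group that is attached
    # to an instance or referenced by another group, so that error propagates.
    client.delete_security_group(GroupId=group_id)
    # Step 4 (aws:executeScript): confirm deletion. Filtering by group-id
    # returns an empty list for a missing group instead of raising.
    remaining = client.describe_security_groups(
        Filters=[{"Name": "group-id", "Values": [group_id]}])["SecurityGroups"]
    if remaining:
        raise RemediationError(f"{group_id} still exists after delete")
    return {"GroupId": group_id, "GroupName": name, "Deleted": True}
```

With a real boto3 client, pass `boto3.client("ec2")` in place of FakeEc2 and catch `botocore.exceptions.ClientError` instead of RuntimeError.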