Removes an instance from a specified security group.


When you call this operation, note that:

  • Before you remove an instance from a security group, the instance must be in the Stopped or Running state.
  • An instance must belong to at least one security group. You cannot perform the LeaveSecurityGroup operation to remove an instance from the only security group it belongs to.


You can use API Explorer to perform debugging. API Explorer allows you to perform various operations to simplify API usage. For example, you can retrieve APIs, call APIs, and dynamically generate SDK example code.

Request parameters

Name Type Required Example Description
InstanceId String Yes i-instanceid1

The ID of an instance.

SecurityGroupId String Yes sg-securitygroupid1

The ID of the security group to which the instance belongs.

Action String No LeaveSecurityGroup

The operation that you want to perform. Set the value to LeaveSecurityGroup.

Response parameters

Name Type Example Description
RequestId String 473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E

The ID of the request.


Sample requests
&<Common request parameters>

Successful response examples

XML format


JSON format


Error codes

HTTP status code Error code Error message Description
404 InvalidSecurityGroupId.NotFound The specified SecurityGroupId does not exist. The error message returned when the specified security group does not exist under this account. Check whether the security group ID is correct.
403 IncorrectInstanceStatus The current status of the resource does not support this operation. The error message returned when this operation is not supported under the current instance state.
504 RequestTimeout The request encounters an upstream server timeout. The error message returned when the request encounters an upstream server timeout.

View error codes