All Products
Search
Document Center

Elastic Compute Service:LeaveSecurityGroup

Last Updated:May 06, 2026

Removes an Elastic Compute Service (ECS) instance or an elastic network interface (ENI) from a security group.

Operation description

Note

This operation is not recommended. We recommend that you call the ModifyInstanceAttribute operation to add an instance to or remove an instance from a security group, and call the ModifyNetworkInterfaceAttribute operation to add an ENI to or remove an ENI from a security group.

Note

Alibaba Cloud modified verification rules for the LeaveSecurityGroup operation on July 8, 2024. When you remove an ECS instance or ENI that does not belong to a security group from the security group, the "InvalidSecurityGroupAssociation.NotFound" error code is returned instead of a success response. Update the LeaveSecurityGroup operation to use the new verification rules with the new error code based on your business requirements.

  • You cannot remove an instance and an ENI from a security group at the same time. This indicates that you cannot specify InstanceId and NetworkInterfaceId in one request.

  • Before you remove an instance from a security group, the instance must be in the Stopped (Stopped) or Running (Running) state.

  • An instance or ENI must be added to at least one security group. If you remove an instance or ENI from the only security group, the removal request fails and an error is returned.

  • When you remove an instance or ENI that is not in a security group from the security group, the removal request fails and an error is returned.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

ecs:LeaveSecurityGroup

update

*Instance

acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}

*SecurityGroup

acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}

None None

Request parameters

Parameter

Type

Required

Description

Example

SecurityGroupId

string

Yes

The security group ID.

sg-bp67acfmxazb4p****

InstanceId

string

No

The instance ID.

Note

If you configure this parameter, you cannot configure NetworkInterfaceId.

i-bp67acfmxazb4p****

NetworkInterfaceId

string

No

The ENI ID.

Note

If you configure this parameter, you cannot configure InstanceId.

eni-bp13kd656hxambfe****

RegionId

string

No

The region ID. You can call the DescribeRegions operation to query the most recent region list.

  • If you want to remove an instance from a security group, you do not need to specify a region ID.

  • If you want to remove an ENI from a security group, you must specify the ID of the region in which the ENI resides.

cn-hangzhou

Response elements

Element

Type

Description

Example

object

RequestId

string

The request ID.

473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E

Examples

Success response

JSON format

{
  "RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E"
}

Error response

JSON format

{
    "RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E"
}

Error codes

HTTP status code

Error code

Error message

Description

400 InvalidInstanceId.Malformed The specified parameter "InstanceId" is not valid.
400 MissingParameter.RegionId The specified RegionId should not be null. The RegionId parameter is required.
400 InvalidOperation.InvalidEniState %s
400 InvalidSecurityGroupAssociation.NotFound %s. The specified ECS or ENI is not associated with the specified security group.
403 InstanceLastSecurityGroup The specified security group is the last security group for the instance. The specified security group is the only security group to which the instance belongs.
403 IncorrectInstanceStatus The current status of the resource does not support this operation.
403 InstanceLockedForSecurity The specified operation is denied as your instance is locked for security reasons.
403 InstanceNotInSecurityGroup The instance not in the group.
403 InvalidOperation.ResourceManagedByCloudProduct %s You cannot modify security groups managed by cloud services.
403 InvalidOperation.AtLeastInOneGroup %s
403 InvalidOperation.EniServiceManaged %s The operation is invalid.
403 InvalidOperation.InvalidEniType %s
403 InvalidParam.Malformed %s Invalid parameter
403 InvalidParam.EniIdAndInstanceId.Conflict %s The InstanceId and NetworkInterfaceId parameters are mutually exclusive and cannot be both specified.
404 InvalidInstanceId.NotFound The specified InstanceId does not exist. The specified instanceId is invalid.
404 InvalidSecurityGroupId.NotFound The specified SecurityGroupId does not exist. The specified security group does not exist in this account. Check whether the security group ID is correct.
404 InvalidEniId.NotFound %s
404 InvalidVSwitchId.NotFound The specified virtual switch %s does not exist. The specified switch does not exist.
504 RequestTimeout The request encounters an upstream server timeout.
409 InvalidOperation.Conflict Request was denied due to conflict with a previous request, please try again later.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.