All Products
Document Center

Elastic Compute Service:LeaveSecurityGroup

Last Updated:Jun 13, 2024

Removes an Elastic Compute Service (ECS) instance or an elastic network interface (ENI) from a security group.

Operation description

Note This operation is not recommended. We recommend that you call the ModifyInstanceAttribute operation to add an instance to or remove an instance from a security group, and call the ModifyNetworkInterfaceAttribute operation to add an ENI to or remove an ENI from a security group.

When you call this operation, take note of the following items:

  • Before you remove an instance from a security group, the instance must be in the Stopped or Running state.
  • An instance must belong to at least one security group. Therefore, if the instance that you want to remove belongs to only one security group, the LeaveSecurityGroup operation fails.
  • You cannot remove an instance and an ENI from a security group at the same time. This indicates that you cannot configure both InstanceId and NetworkInterfaceId in a request.


OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Authorization information

There is currently no authorization information disclosed in the API.

Request parameters


The security group ID.


The instance ID.

Note If you configure this parameter, you cannot configure NetworkInterfaceId.


Note If you configure this parameter, you cannot configure InstanceId.

The region ID. You can call the DescribeRegions operation to query the most recent region list.

  • If you want to remove an instance from a security group, you do not need to specify a region ID.
  • If you want to remove an ENI from a security group, you must specify the ID of the region in which the ENI resides.

Response parameters


The request ID.



Sample success responses


  "RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E"

Error codes

HTTP status codeError codeError messageDescription
400InvalidInstanceId.MalformedThe specified parameter "InstanceId" is not valid.-
400MissingParameter.RegionIdThe specified RegionId should not be null.The RegionId parameter is required.
400InvalidSecurityGroupAssociation.NotFound%s.The specified ECS or ENI is not associated with the specified security group.
403InstanceLastSecurityGroupThe specified security group is the last security group for the instance.The specified security group is the only security group to which the instance belongs.
403IncorrectInstanceStatusThe current status of the resource does not support this operation.The resource is in a state that does not support the current operation.
403InstanceLockedForSecurityThe specified operation is denied as your instance is locked for security reasons.-
403InstanceNotInSecurityGroupThe instance not in the group.The specified instance does not belong to the security group.
403InvalidOperation.ResourceManagedByCloudProduct%sYou cannot modify security groups managed by cloud services.
403InvalidOperation.EniServiceManaged%sThe operation is invalid.
403InvalidParam.EniIdAndInstanceId.Conflict%sThe InstanceId and NetworkInterfaceId parameters are mutually exclusive and cannot be both specified.
404InvalidInstanceId.NotFoundThe specified InstanceId does not exist.The specified instance does not exist.
404InvalidSecurityGroupId.NotFoundThe specified SecurityGroupId does not exist.The specified security group does not exist in this account. Check whether the security group ID is correct.
404InvalidEniId.NotFound%sThe specified ENI ID does not exist.
504RequestTimeoutThe request encounters an upstream server timeout.The request is denied due to a timeout error of the upstream server.

For a list of error codes, visit the Service error codes.

Change history

Change timeSummary of changesOperation
2024-06-03The Error code has changedsee changesets
Change itemChange content
Error CodesThe Error code has changed.
    Error Codes 400 change
    delete Error Codes: 403
    delete Error Codes: 404
    delete Error Codes: 504