Please tell me the solution for errors caused by deleting security groups associated with an Elastic Beanstalk environment.
The issue
I had added a custom security group to my Elastic Beanstalk environment.
When the custom security group was no longer needed, I deleted it from the security group console, which caused the following error in the Elastic Beanstalk environment, and I can no longer make configuration changes to the environment.
Failed Environment update activity. Reason: Configuration validation exception: Invalid option value: 'sg-xxx' (Namespace: 'aws:autoscaling:launchconfiguration', OptionName: 'SecurityGroups'): The security group having id 'sg-xxx' does not exist
Please tell me the solution for the above error.
The solution
Please run the update-environment command with the following options.
$ aws elasticbeanstalk update-environment \
--environment-name your-environment-name \
--option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=SecurityGroups,Value=""
Before the update, the launch configuration or launch template still references the deleted custom security group, so it no longer matches the actual environment.
By executing the above command, the launch configuration or launch template associated with the Elastic Beanstalk environment will be updated, and the old custom security group configuration will be removed.
This will bring it into a state that is consistent with the actual environment.
I tried it
I will reproduce the error and confirm that update-environment resolves it.
Note that I will use CloudShell and EB CLI for verification.
Environment preparation
First, I will create a security group in the console.
I will install the EB CLI on CloudShell.
$ git clone https://github.com/aws/aws-elastic-beanstalk-cli-setup.git
$ python ./aws-elastic-beanstalk-cli-setup/scripts/ebcli_installer.py
$ echo 'export PATH="/home/ec2-user/.ebcli-virtual-env/executables:$PATH"' >> ~/.bash_profile && source ~/.bash_profile
$ eb --version
EB CLI 3.21.0 (Python 3.9.20 (main, Dec 11 2024, 00:00:00)
[GCC 11.4.1 20230605 (Red Hat 11.4.1-2)])
I will obtain the Node.js sample application from the AWS official documentation.
$ mkdir nodejs
$ cd nodejs
$ wget https://docs.aws.amazon.com/ja_jp/elasticbeanstalk/latest/dg/samples/nodejs.zip
$ unzip nodejs.zip
$ rm nodejs.zip
I will add the custom security group configuration by referring to the AWS Knowledge Center.
I will enter the security group name created from the console in the custom-sg part.
$ nano .ebextensions/securitygroup.config
option_settings:
  - namespace: aws:autoscaling:launchconfiguration
    option_name: SecurityGroups
    value: custom-sg
I will create an Elastic Beanstalk environment and deploy.
$ eb init -i
# Region selection
Select a default region
1) us-east-1 : US East (N. Virginia)
2) us-west-1 : US West (N. California)
3) us-west-2 : US West (Oregon)
4) eu-west-1 : EU (Ireland)
5) eu-central-1 : EU (Frankfurt)
6) ap-south-1 : Asia Pacific (Mumbai)
7) ap-southeast-1 : Asia Pacific (Singapore)
8) ap-southeast-2 : Asia Pacific (Sydney)
9) ap-northeast-1 : Asia Pacific (Tokyo)
10) ap-northeast-2 : Asia Pacific (Seoul)
11) sa-east-1 : South America (Sao Paulo)
12) cn-north-1 : China (Beijing)
13) cn-northwest-1 : China (Ningxia)
14) us-east-2 : US East (Ohio)
15) ca-central-1 : Canada (Central)
16) eu-west-2 : EU (London)
17) eu-west-3 : EU (Paris)
18) eu-north-1 : EU (Stockholm)
19) eu-south-1 : EU (Milano)
20) ap-east-1 : Asia Pacific (Hong Kong)
21) me-south-1 : Middle East (Bahrain)
22) af-south-1 : Africa (Cape Town)
23) ap-southeast-3 : Asia Pacific (Jakarta)
24) ap-northeast-3 : Asia Pacific (Osaka)
(default is 3): 9
# Application name configuration
Enter Application Name
(default is "nodejs"):
Application nodejs has been created.
# Platform confirmation
It appears you are using Node.js. Is this correct?
(Y/n):
Select a platform branch.
1) Node.js 22 running on 64bit Amazon Linux 2023
2) Node.js 20 running on 64bit Amazon Linux 2023
3) Node.js 18 running on 64bit Amazon Linux 2023
4) Node.js 18 running on 64bit Amazon Linux 2
(default is 1):
# SSH key pair configuration
Cannot setup CodeCommit because there is no Source Control setup, continuing with initialization
Do you want to set up SSH for your instances?
(Y/n): n
# Creating Elastic Beanstalk environment
$ eb create --single
Enter Environment Name
(default is nodejs-dev):
Enter DNS CNAME prefix
(default is nodejs-dev):
Would you like to enable Spot Fleet requests for this environment? (y/N):
2025-09-24 02:24:08 INFO Successfully launched environment: nodejs-dev
After deployment is complete, checking the Auto Scaling group configuration shows that custom-sg has been added.
Delete the custom security group
Now that the environment is ready, I will try deleting the custom security group to generate an error.
To delete it, I need to remove the security group from the ENI, so I will first detach the custom security group from the ENI by changing the ENI configuration.
After removing it from the ENI, I will delete the custom security group itself.
In this state, if I try to make configuration changes from the Elastic Beanstalk environment, an error will occur.
Configuration validation exception: Invalid option value: 'custom-sg' (Namespace: 'aws:autoscaling:launchconfiguration', OptionName: 'SecurityGroups'): The security group 'custom-sg' does not exist
Deleting the custom security group associated with the Elastic Beanstalk environment has created a mismatch between the environment's configuration and the actual environment.
Execute the update-environment command
To resolve the error, I will run update-environment from CloudShell.
$ aws elasticbeanstalk update-environment \
--environment-name nodejs-dev \
--option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=SecurityGroups,Value=""
{
"EnvironmentName": "nodejs-dev",
"EnvironmentId": "e-ab4fa2c2pd",
"ApplicationName": "nodejs",
"VersionLabel": "app-250924_022131889490",
"SolutionStackName": "64bit Amazon Linux 2023 v6.6.5 running Node.js 22",
"PlatformArn": "arn:aws:elasticbeanstalk:ap-northeast-1::platform/Node.js 22 running on 64bit Amazon Linux 2023/6.6.5",
"Description": "Environment created from the EB CLI using \"eb create\"",
"EndpointURL": "35.74.194.200",
"CNAME": "nodejs-dev.ap-northeast-1.elasticbeanstalk.com",
"DateCreated": "2025-09-24T02:21:33.782000+00:00",
"DateUpdated": "2025-09-24T02:35:43.236000+00:00",
"Status": "Updating",
"AbortableOperationInProgress": true,
"Health": "Grey",
"Tier": {
"Name": "WebServer",
"Type": "Standard",
"Version": "1.0"
},
"EnvironmentArn": "arn:aws:elasticbeanstalk:ap-northeast-1:012345678901:environment/nodejs/nodejs-dev"
}
After executing the command, the Elastic Beanstalk environment will be updated.
Checking the Auto Scaling group configuration again, I can see that the custom security group has been removed.
In this state, the previous error will not occur in the Elastic Beanstalk environment, and configuration changes are possible.
Supplementary information
Setting Value="" in the update-environment command changed the environment so that only the security group automatically created by Elastic Beanstalk is used.
If you have multiple custom security groups and want to remove only one of them, specify the security group ID you want to keep in Value.
$ aws elasticbeanstalk update-environment \
--environment-name your-environment-name \
--option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=SecurityGroups,Value="sg-xxx"
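The supplementary step above, generalized as an added example (not from the original post): it filters the configured SecurityGroups value down to the groups that still exist and prints, without running, the matching update-environment call with --option-settings in JSON form. The function names and sample IDs are assumptions, and security group names are assumed to contain no commas.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# prune_security_groups CONFIGURED EXISTING
#   CONFIGURED: comma-separated SecurityGroups option value
#   EXISTING:   IDs/names that still exist (newline- or tab-separated)
# Prints the entries of CONFIGURED found in EXISTING, order preserved.
prune_security_groups() (
  existing=$(printf '%s\n' "$2" | tr '\t' '\n')
  kept=""
  IFS=','; set -f   # split on commas only, no globbing (local to this subshell)
  for sg in $1; do
    sg=$(printf '%s' "$sg" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$sg" ] || continue
    if printf '%s\n' "$existing" | grep -Fxq -- "$sg"; then   # exact match only
      kept="${kept:+$kept,}$sg"
    fi
  done
  printf '%s' "$kept"
)

# option_settings_json VALUE
# JSON form of --option-settings, so a comma-separated VALUE stays one string.
option_settings_json() {
  printf '[{"Namespace":"aws:autoscaling:launchconfiguration","OptionName":"SecurityGroups","Value":"%s"}]' "$1"
}

# plan_fix APP ENV
# Reads the live option value and the existing groups, then prints (does not
# run) the corrected command so it can be reviewed first.
plan_fix() (
  configured=$(aws elasticbeanstalk describe-configuration-settings \
    --application-name "$1" --environment-name "$2" --output text \
    --query "ConfigurationSettings[0].OptionSettings[?Namespace=='aws:autoscaling:launchconfiguration' && OptionName=='SecurityGroups'].Value | [0]")
  existing=$(aws ec2 describe-security-groups --output text \
    --query 'SecurityGroups[].[GroupId,GroupName]')
  printf "aws elasticbeanstalk update-environment --environment-name %s --option-settings '%s'\n" \
    "$2" "$(option_settings_json "$(prune_security_groups "$configured" "$existing")")"
)

# Constructed sample: custom-sg has been deleted, sg-0aaa1111 still exists.
sample_configured="sg-0aaa1111, custom-sg"
sample_existing=$(printf 'sg-0aaa1111\tkeep-sg\nsg-0bbb2222\tdefault')
option_settings_json "$(prune_security_groups "$sample_configured" "$sample_existing")"; echo
```

With live credentials, `plan_fix nodejs nodejs-dev` prints the command for the environment used in this post. An empty pruned value corresponds to the Value="" case.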