InvalidGroup.NotFound - Security Group Not Found (InvalidGroup.NotFound)
Amazon EC2 returns `InvalidGroup.NotFound` when the referenced security group ID or name cannot be found in the target VPC scope.
Last reviewed: February 12, 2026 | Editorial standard: source-backed technical guidance
What Does Security Group Not Found (InvalidGroup.NotFound) Mean?
EC2 could not resolve one or more security group references within the caller's account, Region and target VPC, so instance launches and network-interface changes fail until every reference points to a group that actually exists in that scope.
Common Causes
- The security group ID or name is mistyped, stale, or belongs to a different VPC or account.
- The group was deleted or replaced, but launch templates, Auto Scaling groups or scripts still carry the old identifier.
- The group was created moments ago and, because the EC2 API is eventually consistent, is not yet visible to the call that references it.
- The request runs in a different Region from the one where the group exists; security group IDs are Region-scoped.
- Automation passes a group name where the API requires an ID: names resolve only in the default VPC, so any other VPC must be addressed with `sg-` IDs.
How to Fix Security Group Not Found (InvalidGroup.NotFound)
1. Resolve security group IDs from the live inventory of the target VPC in the target Region rather than from values baked into the deployment.
2. Verify that the calling account (after any role assumption) and the VPC context match the account and VPC that own the group.
3. Update launch templates and Auto Scaling groups to reference active `sg-` IDs instead of stale IDs or group names.
4. If the group was just created, wait briefly and retry; a create that has returned is not guaranteed to be visible to an immediately following call.
5. Re-run the operation only after the existence and VPC-scope checks pass for every referenced group.
Step-by-Step Diagnosis for Security Group Not Found (InvalidGroup.NotFound)
1. Capture the security group reference, VPC ID, account, Region and request ID from the failure logs.
2. Correlate CreateSecurityGroup and DeleteSecurityGroup events for that ID with the failure window in CloudTrail to see whether it was removed or replaced.
3. Diff the security group references in launch templates and running resources against DescribeSecurityGroups output for the target VPC.
4. Check whether the failing call passes a group name where a VPC-scoped API requires a group ID.
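The CloudTrail correlation in step 2, as an added example that is not code from the page or from AWS. The top-level CloudTrail record fields used here (`eventTime`, `eventName`, `errorCode`, `errorMessage`, `requestID`, `awsRegion`, `userIdentity`, `requestParameters`, `responseElements`) follow the real record schema; the `Client.` prefix on EC2 error codes and the `groupId` key inside `requestParameters`/`responseElements` are taken from typical EC2 trail records and should be verified against your own trail. The records themselves are constructed. In production, pass the `Records` list of a CloudTrail log file or the parsed `CloudTrailEvent` JSON from `lookup-events` output.

```python
"""Correlate an InvalidGroup.NotFound failure with SG lifecycle events in CloudTrail.

Added example. Record field names follow the CloudTrail schema; the records in
RECORDS are constructed sample data, and the "Client." error-code prefix plus the
groupId keys are assumed from typical EC2 trail records (check your own trail).
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

SG_ID = re.compile(r"sg-[0-9a-f]{8,17}")
LIFECYCLE = {"CreateSecurityGroup", "DeleteSecurityGroup"}


def _when(record: dict) -> datetime:
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _touched(record: dict) -> set[str]:
    """SG IDs a lifecycle record created (responseElements.groupId) or deleted
    (requestParameters.groupId). Either block may be null in the record."""
    ids: set[str] = set()
    for block in (record.get("requestParameters") or {}, record.get("responseElements") or {}):
        gid = block.get("groupId")
        if isinstance(gid, str):
            ids.add(gid)
    return ids


def correlate(records: list[dict], error_code: str = "Client.InvalidGroup.NotFound") -> list[dict]:
    """For each failed call carrying error_code, pull the SG IDs out of its
    errorMessage and report the most recent Create/Delete of each one that
    happened at or before the failure. last_lifecycle None means no create or
    delete for that ID appears in the records at all (wrong Region/account, or
    the ID never existed)."""
    lifecycle = sorted((r for r in records if r.get("eventName") in LIFECYCLE), key=_when)
    findings = []
    for fail in (r for r in records if r.get("errorCode") == error_code):
        t_fail = _when(fail)
        for sg in sorted(set(SG_ID.findall(fail.get("errorMessage", "")))):
            prior = [r for r in lifecycle if sg in _touched(r) and _when(r) <= t_fail]
            last = prior[-1] if prior else None
            findings.append({
                "failed_call": fail["eventName"],
                "request_id": fail.get("requestID"),
                "region": fail.get("awsRegion"),
                "sg": sg,
                "last_lifecycle": last["eventName"] if last else None,
                "at": last["eventTime"] if last else None,
                "by": (last.get("userIdentity") or {}).get("arn") if last else None,
            })
    return findings


# ---- constructed sample trail: a group created, deleted, then referenced ----
RECORDS = [
    {"eventTime": "2026-02-10T09:00:00Z", "eventName": "CreateSecurityGroup", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/netops"},
     "requestParameters": {"groupName": "web", "vpcId": "vpc-0aaa000000000000a"},
     "responseElements": {"groupId": "sg-0a1b2c3d4e5f60002"}},
    {"eventTime": "2026-02-12T08:15:00Z", "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "requestID": "4f9d2b1a-7c3e-4a8b-9d1c-2e5f6a7b8c9d", "errorCode": "Client.InvalidGroup.NotFound",
     "errorMessage": "The security group 'sg-0a1b2c3d4e5f60002' does not exist in VPC 'vpc-0aaa000000000000a'",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/deploy/ci"},
     "requestParameters": None, "responseElements": None},
    {"eventTime": "2026-02-11T17:30:00Z", "eventName": "DeleteSecurityGroup", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/netops"},
     "requestParameters": {"groupId": "sg-0a1b2c3d4e5f60002"}, "responseElements": None},
    {"eventTime": "2026-02-12T08:16:00Z", "eventName": "CreateNetworkInterface", "awsRegion": "eu-west-1",
     "requestID": "9a1b2c3d-4e5f-4a6b-8c7d-0e1f2a3b4c5d", "errorCode": "Client.InvalidGroup.NotFound",
     "errorMessage": "The security group 'sg-0a1b2c3d4e5f60003' does not exist",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/deploy/ci"},
     "requestParameters": None, "responseElements": None},
]
```

Running `correlate(RECORDS)` attributes the first failure to the `DeleteSecurityGroup` by `role/netops` the evening before, and reports the second group with no lifecycle event at all, which is the signature of an ID from another Region or account rather than a deleted one.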
Security Group Scope and Existence Checks
- Validate that SG IDs exist in the same VPC, account and Region as the target resource (example: an SG from the old VPC still referenced after a network migration).
- Inspect cross-account role assumptions that may resolve to a different SG inventory (example: the deploy role lands in a shared account that does not contain the target SG).
Template Drift and Network Refactor Alignment
- Audit launch templates for stale SG references after VPC refactors (example: the default template version still pins a deleted SG ID).
- Add pre-launch SG validation gates in CI/CD (example: block the rollout when any referenced SG is missing from the target VPC).
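A pre-launch validation gate of the kind described above, covering the fix steps (resolve IDs from live inventory, check account and VPC ownership, audit launch template references) and the verification step. This is an added example, not code from the page or from AWS. The field names in `DescribeSecurityGroups` responses (`GroupId`, `VpcId`, `OwnerId`, `NextToken`) and in `LaunchTemplateData` (`SecurityGroupIds`, `SecurityGroups`, `NetworkInterfaces[].Groups`) are the real API shapes; the account, VPC and group IDs are constructed sample data, and `describe` is an injection point: in production pass `boto3.client("ec2", region_name=...).describe_security_groups`, here an offline fake that also exercises pagination.

```python
"""Pre-launch security-group validation gate.

Added example, not code from the page or from AWS. API field names are real;
ACCOUNT, TARGET_VPC, INVENTORY and LAUNCH_TEMPLATE_DATA are constructed, and
``describe`` stands in for boto3's ec2 client describe_security_groups method.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Iterable

DescribeFn = Callable[..., dict]  # same call shape as describe_security_groups(**kwargs)


@dataclass
class SgReport:
    ok: list[str] = field(default_factory=list)
    missing: list[str] = field(default_factory=list)           # would raise InvalidGroup.NotFound
    wrong_vpc: dict[str, str] = field(default_factory=dict)    # sg-id -> VpcId it actually lives in
    wrong_owner: dict[str, str] = field(default_factory=dict)  # sg-id -> OwnerId (shared-VPC groups)
    name_refs: list[str] = field(default_factory=list)         # names used where VPC APIs need IDs

    def passed(self) -> bool:
        return not (self.missing or self.wrong_vpc or self.wrong_owner or self.name_refs)


def template_sg_refs(launch_template_data: dict) -> set[str]:
    """Every SG reference in one LaunchTemplateData block: top-level SecurityGroupIds,
    top-level SecurityGroups (names) and each NetworkInterfaces[].Groups list."""
    refs = set(launch_template_data.get("SecurityGroupIds", []))
    refs.update(launch_template_data.get("SecurityGroups", []))
    for eni in launch_template_data.get("NetworkInterfaces", []):
        refs.update(eni.get("Groups", []))
    return refs


def validate_sg_refs(refs: Iterable[str], expected_vpc: str, expected_owner: str,
                     describe: DescribeFn) -> SgReport:
    """Check that each referenced group exists in the target VPC and account.

    Query with a group-id *filter*, not the GroupIds parameter: with GroupIds one
    unknown ID fails the whole call with InvalidGroup.NotFound, so you learn
    nothing about the others. A filter simply omits IDs that do not exist."""
    ids = sorted(r for r in refs if r.startswith("sg-"))
    report = SgReport(name_refs=sorted(r for r in refs if not r.startswith("sg-")))
    found: dict[str, dict] = {}
    if ids:
        kwargs: dict = {"Filters": [{"Name": "group-id", "Values": ids}]}
        while True:  # DescribeSecurityGroups pages its results with NextToken
            resp = describe(**kwargs)
            for g in resp.get("SecurityGroups", []):
                found[g["GroupId"]] = g
            if not resp.get("NextToken"):
                break
            kwargs["NextToken"] = resp["NextToken"]
    for sg_id in ids:
        g = found.get(sg_id)
        if g is None:
            report.missing.append(sg_id)
        elif g.get("OwnerId") != expected_owner:
            report.wrong_owner[sg_id] = g["OwnerId"]
        elif g.get("VpcId") != expected_vpc:
            report.wrong_vpc[sg_id] = g["VpcId"]
        else:
            report.ok.append(sg_id)
    return report


# ---- constructed sample data standing in for a live account and Region ----
ACCOUNT = "111111111111"
TARGET_VPC = "vpc-0aaa000000000000a"
INVENTORY = [  # what DescribeSecurityGroups in the target Region would return
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "VpcId": TARGET_VPC, "OwnerId": ACCOUNT},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "web", "VpcId": "vpc-0bbb000000000000b", "OwnerId": ACCOUNT},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "shared", "VpcId": TARGET_VPC, "OwnerId": "222222222222"},
]
LAUNCH_TEMPLATE_DATA = {  # one launch template version's LaunchTemplateData
    "SecurityGroupIds": ["sg-0a1b2c3d4e5f60001", "sg-0a1b2c3d4e5f60002"],
    "SecurityGroups": ["legacy-web"],
    "NetworkInterfaces": [{"DeviceIndex": 0, "Groups": ["sg-0a1b2c3d4e5f60003", "sg-0a1b2c3d4e5f60004"]}],
}


def fake_describe(Filters: list[dict], NextToken: str | None = None, MaxResults: int = 2) -> dict:
    """Offline stand-in for describe_security_groups: applies the group-id filter
    and returns two groups per page so the NextToken loop is exercised."""
    wanted = {v for f in Filters if f["Name"] == "group-id" for v in f["Values"]}
    matches = [g for g in INVENTORY if g["GroupId"] in wanted]
    start = int(NextToken or 0)
    resp: dict = {"SecurityGroups": matches[start:start + MaxResults]}
    if start + MaxResults < len(matches):
        resp["NextToken"] = str(start + MaxResults)
    return resp


def gate_launch_template(data: dict = LAUNCH_TEMPLATE_DATA, describe: DescribeFn = fake_describe) -> SgReport:
    """CI gate: the rollout may proceed only if passed() is True."""
    return validate_sg_refs(template_sg_refs(data), TARGET_VPC, ACCOUNT, describe)
```

On the sample data the gate reports one group that resolves, one that exists but in the wrong VPC, one that does not exist at all (the reference that would have produced `InvalidGroup.NotFound` at launch), one owned by another account, and one name used where an ID is required; any of these blocks the rollout. Wiring the same function to a real client needs only the region-scoped boto3 method in place of `fake_describe`.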
How to Verify the Fix
- Run `aws ec2 describe-security-groups` with a group-id filter (`--filters Name=group-id,Values=<ids>`) for every referenced ID and confirm that each returned group's `VpcId` is the intended VPC. Passing the IDs through `--group-ids` fails the entire call with `InvalidGroup.NotFound` as soon as one ID is unknown, so the filter form is the one that tells you which IDs are missing.
- Replay the failing launch or network operation and verify that `InvalidGroup.NotFound` no longer occurs.
- Confirm that deployment logs and template versions no longer reference the removed security group identifiers.
How to Prevent Recurrence
- Resolve SG IDs from live VPC inventories rather than from hard-coded launch defaults.
- Add CI checks that enforce SG-to-VPC/account alignment for every deployment target.
- Coordinate VPC refactors with atomic launch-template SG updates so no template version points at a group that no longer exists.
Pro Tip
- Maintain environment-scoped SG manifests and require launch configurations to reference manifest entries instead of raw hard-coded IDs.
Provider Context
This guidance is specific to AWS services. Always validate implementation details against official provider documentation before deploying to production.