Amazon Elastic Compute Cloud
API Reference (API Version 2016-11-15)

RevokeSecurityGroupIngress

Removes one or more ingress rules from a security group. The values that you specify in the revoke request (for example, ports) must match the existing rule's values for the rule to be removed.

Note

[EC2-Classic security groups only] If the values you specify do not match the existing rule's values, no error is returned. Use DescribeSecurityGroups to verify that the rule has been removed.

Each rule consists of the protocol and the CIDR range or source security group. For the TCP and UDP protocols, you must also specify the destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type and code.

Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.

Request Parameters

The following parameters are for this specific action. For more information about required and optional parameters that are common to all actions, see Common Query Parameters.

CidrIp

The CIDR IP address range. You can't specify this parameter when specifying a source security group.

Type: String

Required: No

DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

Type: Boolean

Required: No

FromPort

The start of port range for the TCP and UDP protocols, or an ICMP type number. For the ICMP type number, use -1 to specify all ICMP types.

Type: Integer

Required: No

GroupId

The ID of the security group. Required for a security group in a nondefault VPC.

Type: String

Required: No

GroupName

[EC2-Classic, default VPC] The name of the security group.

Type: String

Required: No

IpPermissions.N

A set of IP permissions. You can't specify a source security group and a CIDR IP address range.

Type: Array of IpPermission objects

Required: No

IpProtocol

The IP protocol name (tcp, udp, icmp) or number (see Protocol Numbers). Use -1 to specify all.

Type: String

Required: No

SourceSecurityGroupName

[EC2-Classic, default VPC] The name of the source security group. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the start of the port range, the IP protocol, and the end of the port range. For EC2-VPC, the source security group must be in the same VPC. To revoke a specific rule for an IP protocol and port range, use a set of IP permissions instead.

Type: String

Required: No

SourceSecurityGroupOwnerId

[EC2-Classic] The AWS account ID of the source security group, if the source security group is in a different account. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the IP protocol, the start of the port range, and the end of the port range. To revoke a specific rule for an IP protocol and port range, use a set of IP permissions instead.

Type: String

Required: No

ToPort

The end of port range for the TCP and UDP protocols, or an ICMP code number. For the ICMP code number, use -1 to specify all ICMP codes for the ICMP type.

Type: Integer

Required: No

Response Elements

The following elements are returned by the service.

requestId

The ID of the request.

Type: String

return

Returns true if the request succeeds; otherwise, returns an error.

Type: Boolean

Errors

For information about the errors that are common to all actions, see Common Errors.

Examples

Example 1

This example revokes TCP port 80 access from the 205.192.0.0/16 IPv4 address range for the security group named websrv. If the security group is for a VPC, specify the ID of the security group instead of the name.

Sample Request

https://ec2.amazonaws.com/?Action=RevokeSecurityGroupIngress
&GroupName=websrv
&IpPermissions.1.IpProtocol=tcp
&IpPermissions.1.FromPort=80
&IpPermissions.1.ToPort=80
&IpPermissions.1.IpRanges.1.CidrIp=205.192.0.0/16
&AUTHPARAMS

Sample Response

<RevokeSecurityGroupIngressResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
  <requestId>59dbff89-35bd-4eac-99ed-be587EXAMPLE</requestId>
  <return>true</return>
</RevokeSecurityGroupIngressResponse>

Example 2

[EC2-VPC] This example revokes TCP port 22 (SSH) access from IPv6 range 2001:db8:1234:1a00::/64.

Sample Request

https://ec2.amazonaws.com/?Action=RevokeSecurityGroupIngress
&GroupName=websrv
&IpPermissions.1.IpProtocol=tcp
&IpPermissions.1.FromPort=22
&IpPermissions.1.ToPort=22
&IpPermissions.1.Ipv6Ranges.1.CidrIpv6=2001:db8:1234:1a00::/64
&AUTHPARAMS
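The verification step recommended in the Note above, as an added example that is not part of the AWS reference: because a revoke only removes a rule whose values match exactly, this checks DescribeSecurityGroups output for an exact match and for any TCP/UDP rule that still admits the traffic. The function names and SAMPLE_GROUP are hypothetical and constructed; the dictionary shape assumes the boto3 describe_security_groups response format.

```python
import ipaddress

# Constructed sample shaped like one group from a DescribeSecurityGroups
# response (boto3 dict form); not real account data.
SAMPLE_GROUP = {
    "GroupName": "websrv",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443,
         "IpRanges": [{"CidrIp": "205.192.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "2001:db8:1234:1a00::/64"}]},
    ],
}

def _cidrs(perm):
    """All IPv4 and IPv6 source ranges of one permission, as networks."""
    raw = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    raw += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [ipaddress.ip_network(c) for c in raw]

def exact_match(group, protocol, from_port, to_port, cidr):
    """True if a rule with exactly these values exists, which is what a
    revoke request needs in order to remove anything."""
    want = ipaddress.ip_network(cidr)
    return any(
        p["IpProtocol"] == protocol
        and (p.get("FromPort"), p.get("ToPort")) == (from_port, to_port)
        and want in _cidrs(p)
        for p in group["IpPermissions"]
    )

def still_allowed(group, protocol, port, cidr):
    """TCP/UDP rules that still admit `port` from any address in `cidr`."""
    want = ipaddress.ip_network(cidr)
    hits = []
    for p in group["IpPermissions"]:
        if p["IpProtocol"] not in (protocol, "-1"):
            continue
        # Protocol -1 covers all ports and carries no port fields.
        if p["IpProtocol"] != "-1" and not p["FromPort"] <= port <= p["ToPort"]:
            continue
        if any(n.version == want.version and n.overlaps(want) for n in _cidrs(p)):
            hits.append((p["IpProtocol"], p.get("FromPort"), p.get("ToPort")))
    return hits
```

Against the constructed group, the Example 1 request (ports 80 to 80) has no exact match because the stored rule spans 80 to 443, so port 80 stays reachable from 205.192.0.0/16 until the revoke is reissued with the stored values.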

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: