Removes one or more ingress rules from a security group. The values that you specify in the revoke request (for example, ports) must match the existing rule's values for the rule to be removed.
A security group is for use with instances either in the EC2-Classic platform or in a specific VPC. For more information, see Amazon EC2 Security Groups in the Amazon Elastic Compute Cloud User Guide and Security Groups for Your VPC in the Amazon Virtual Private Cloud User Guide.
Each rule consists of the protocol and the CIDR range or source security group. For the TCP and UDP protocols, you must also specify the destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type and code.
Rule changes are propagated to instances within the security group as quickly as possible. However, depending on the number of instances, a small delay might occur.
UserId
Deprecated
Required: No
GroupId
The ID of the security group to modify. The security group must belong to your account.
Type: String
Default: None
Required: Conditional
Condition: Required for EC2-VPC; can be used instead of GroupName otherwise
GroupName
The name of the security group to modify.
Type: String
Default: None
Required: Conditional
Condition: For EC2-Classic, can be used instead of GroupId.
IpPermissions.n.IpProtocol
The IP protocol name or number (see Protocol Numbers). For EC2-Classic, security groups can have rules only for TCP, UDP, and ICMP. For EC2-VPC, security groups can have rules assigned to any protocol number.
When you call DescribeSecurityGroups, the protocol value returned is the number. Exception: For TCP, UDP, and ICMP, the value returned is the name (for example, tcp, udp, or icmp).
Type: String
Valid values for EC2-Classic: tcp | udp | icmp or the corresponding protocol number (6 | 17 | 1).
Valid values for EC2-VPC: tcp | udp | icmp or any protocol number (see Protocol Numbers). Use -1 to specify all.
Required: Yes
IpPermissions.n.FromPort
The start of port range for the TCP and UDP protocols, or an ICMP type number. For the ICMP type number, you can use -1 to specify all ICMP types.
Type: Integer
Default: None
Required: Conditional
Condition: Required for ICMP and any protocol that uses ports
IpPermissions.n.ToPort
The end of port range for the TCP and UDP protocols, or an ICMP code number. For the ICMP code number, you can use -1 to specify all ICMP codes for the given ICMP type.
Type: Integer
Default: None
Required: Conditional
Condition: Required for ICMP and any protocol that uses ports
IpPermissions.n.Groups.m.UserId
The AWS account ID that owns the source security group. Cannot be used when specifying a CIDR IP address.
Type: String
Default: None
Required: Conditional
Condition: For security groups in EC2-Classic only. Required if modifying access for one or more source security groups.
IpPermissions.n.Groups.m.GroupName
The name of the source security group. Cannot be used when specifying a CIDR IP address.
Type: String
Default: None
Required: Conditional
Condition: Required if modifying access for one or more source security groups.
IpPermissions.n.Groups.m.GroupId
The ID of the source security group. Cannot be used when specifying a CIDR IP address.
Type: String
Default: None
Required: Conditional
Condition: For EC2-VPC only. Required if modifying access for one or more source security groups.
IpPermissions.n.IpRanges.m.CidrIp
The CIDR range. Cannot be used when specifying a source security group.
Type: String
Default: None
Constraints: Valid CIDR IP address range.
Required: Conditional
Condition: Required if modifying access for one or more IP address ranges.
The following elements are returned in a RevokeSecurityGroupIngressResponse element.
requestId
The ID of the request.
Type: xsd:string
return
Returns true if the request succeeds. Otherwise, returns an error.
Type: xsd:boolean
This example revokes TCP port 80 access from the 205.192.0.0/16 address range
for the security group named websrv. If the security group were for a VPC,
you'd specify the ID of the security group instead of the name.
https://ec2.amazonaws.com/?Action=RevokeSecurityGroupIngress
&GroupName=websrv
&IpProtocol=tcp
&FromPort=80
&ToPort=80
&CidrIp=205.192.0.0/16
&AUTHPARAMS

<RevokeSecurityGroupIngressResponse xmlns="http://ec2.amazonaws.com/doc/2013-02-01/">
  <requestId>59dbff89-35bd-4eac-99ed-be587EXAMPLE</requestId>
  <return>true</return>
</RevokeSecurityGroupIngressResponse>
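An added example, not part of the AWS reference: because a revoke removes a rule only when the request's values match the existing rule, this Python code compares requested revocations against rules already read from DescribeSecurityGroups and renders only the exact matches as IpPermissions.n.* parameters. The flattened rule dictionaries, the helper names and the sg-EXAMPLE group ID are assumptions made for illustration; mapping 6, 17 and 1 to tcp, udp and icmp follows the names DescribeSecurityGroups is described as returning.

```python
import ipaddress

# DescribeSecurityGroups returns names for these protocol numbers (see IpProtocol).
PROTO_NAMES = {"6": "tcp", "17": "udp", "1": "icmp"}

def normalize(rule):
    """Canonical (protocol, from, to, source) tuple for one flattened rule (assumed form)."""
    proto = str(rule["IpProtocol"]).lower()
    proto = PROTO_NAMES.get(proto, proto)
    if ("CidrIp" in rule) == ("GroupId" in rule):
        raise ValueError("give exactly one of CidrIp or a source GroupId")
    if proto in PROTO_NAMES.values() and not {"FromPort", "ToPort"} <= rule.keys():
        raise ValueError(f"FromPort and ToPort are required for {proto}")
    if "CidrIp" in rule:
        # ip_network rejects malformed ranges and ranges with host bits set.
        source = ("cidr", str(ipaddress.ip_network(rule["CidrIp"])))
    else:
        source = ("group", rule["GroupId"])
    return proto, rule.get("FromPort"), rule.get("ToPort"), source

def plan_revoke(existing, requested):
    """Split requested rules into exact matches and ones that match no existing rule."""
    have = {normalize(r) for r in existing}
    matched = [r for r in requested if normalize(r) in have]
    unmatched = [r for r in requested if normalize(r) not in have]
    return matched, unmatched

def to_query(group_id, rules):
    """Render rules as IpPermissions.n.* parameters (EC2-VPC form, by GroupId)."""
    params = {"Action": "RevokeSecurityGroupIngress", "GroupId": group_id}
    for n, rule in enumerate(rules, start=1):
        proto, lo, hi, (kind, value) = normalize(rule)
        prefix = f"IpPermissions.{n}."
        params[prefix + "IpProtocol"] = proto
        if lo is not None and hi is not None:
            params[prefix + "FromPort"] = str(lo)
            params[prefix + "ToPort"] = str(hi)
        leaf = "IpRanges.1.CidrIp" if kind == "cidr" else "Groups.1.GroupId"
        params[prefix + leaf] = value
    return params

# Constructed sample data: placeholder group ID; the existing rule is the page's example.
EXISTING = [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "205.192.0.0/16"}]
REQUESTED = [
    {"IpProtocol": "6", "FromPort": 80, "ToPort": 80, "CidrIp": "205.192.0.0/16"},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443, "CidrIp": "205.192.0.0/16"},
]

if __name__ == "__main__":
    matched, unmatched = plan_revoke(EXISTING, REQUESTED)
    print(to_query("sg-EXAMPLE", matched), "no matching rule:", unmatched)
```

The second requested rule asks for ports 80 to 443, which matches no existing rule, so the port 80 rule it was meant to close would stay in place.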