Amazon Elastic Compute Cloud
CLI Reference (API Version 2015-10-01)

ec2-authorize

Description

Adds a rule to a security group.

Important

EC2-Classic: You can have up to 100 rules per group.

EC2-VPC: You can have up to 50 rules per group (covering both ingress and egress).

Rule changes are propagated to affected instances as quickly as possible. However, a small delay might occur.

A security group is for use with instances either in the EC2-Classic platform or in a specific VPC. EC2-Classic doesn't support rules for egress traffic. For more information, see Amazon EC2 Security Groups in the Amazon EC2 User Guide for Linux Instances and Security Groups for Your VPC in the Amazon VPC User Guide.

EC2-Classic: This command either gives one or more CIDR IP address ranges permission to access a security group for your account, or it gives one or more security groups (called the source groups) permission to access a security group for your account. A source group can be for your own AWS account, or another.

EC2-VPC: For ingress rules, this command either gives one or more CIDR IP address ranges permission to access a security group for your VPC, or it gives one or more other security groups (called the source groups) permission to access a security group for your VPC. The groups must all be in the same VPC. For egress rules, this command permits instances in the VPC to send traffic to either one or more destination CIDR IP address ranges, or to one or more destination security groups for the same VPC.

The short version of this command is ec2auth.

Tip

If you are using the AWS CLI, see authorize-security-group-egress and authorize-security-group-ingress instead.

Syntax

ec2-authorize group [--egress] [-P protocol] (-p port_range | -t icmp_type_code) [-u source_or_dest_group_owner ...] [-o source_or_dest_group ...] [-s source_or_dest_cidr ...] [-r prefix_list ...]

Options

Name    Description

group

[EC2-Classic, default VPC] The name or ID of the security group.

[Nondefault VPC] The ID of the security group.

Type: String

Default: None

Required: Yes

Example: websrv

--egress

[EC2-VPC] Designates the rule as an egress rule, which controls traffic leaving the instances associated with the security group (whether the destination is inside or outside the VPC).

Default: If this option is not specified, the rule applies to ingress traffic for the specified security group.

-P, --protocol protocol

The IP protocol name or number (see Protocol Numbers). Security groups for EC2-Classic can have rules only for TCP, UDP, and ICMP, whereas security groups for EC2-VPC can have rules assigned to any protocol number.

When you use ec2-describe-group, the protocol value returned is the number. Exception: For TCP, UDP, and ICMP, the value returned is the name (tcp, udp, or icmp).

Type: String

Valid values for EC2-Classic: tcp | udp | icmp or the corresponding protocol number (6 | 17 | 1).

Default for EC2-Classic: Defaults to TCP if source CIDR is specified (or implied by default), or all three protocols (TCP, UDP, and ICMP) if source group is specified (to ensure backwards compatibility).

Valid values for EC2-VPC: tcp | udp | icmp or any protocol number (see Protocol Numbers). Use all to specify all protocols.

Required: Required for EC2-VPC.

Example: -P udp

-p port_range

For TCP or UDP: The range of ports to allow.

Type: String

Valid values: A single integer or a range (min-max). You can specify -1 to mean all ports (for example, port range 0-65535).

Default: None

Required: Required if specifying tcp or udp (or the equivalent number) for the protocol.

Example: -p 80-84

-t icmp_type_code

For ICMP: The ICMP type and code. Use the format type:code, where both are integers. You can use -1 for the type or code to mean all types or all codes.

Type: String

Default: None

Required: Required if specifying icmp (or the equivalent number) for the protocol.

Example: -t -1:-1

-o source_or_dest_group

The source security group (for ingress rules), or destination security group (for egress rules). You can't use this option when using the -s option.

[Nondefault VPC] You must specify the ID of the group (for example, sg-1a2b3c4d) instead of its name.

Type: String

Default: None

Required: No

Example: -o headoffice

-u source_or_dest_group_owner

[EC2-Classic] The ID of the AWS account that owns the source security group, if it's not the current AWS account.

Type: String

Default: None

Required: No

Example: -u 111122223333

-s, --cidr source_or_dest_cidr

The CIDR IP address range. You can't use this option when using the -o option.

Type: String

Default: 0.0.0.0/0

Constraints: A valid CIDR IP address range, written as a network address with a prefix length (for example, 192.0.2.0/24).

Required: No. Note that if you omit both -s and -o, the default applies and the rule grants access from every IPv4 address; specify one of them explicitly unless the rule is meant to be public.

Example: -s 192.0.2.0/24

-r, --prefix-list prefix_list

[EC2-VPC] One or more prefix list IDs for an AWS service. Valid for egress rules only.

Type: String

Required: No

Example: -r pl-12345678
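The option rules above (-s and -o are mutually exclusive, -P is required for EC2-VPC, -p for tcp/udp, -t for icmp, and the rule silently defaults to 0.0.0.0/0 when neither -s nor -o is given) are easy to get wrong at a shell prompt. The following Python wrapper is an added example, not part of the EC2 CLI tools: it checks those rules client-side, builds the argv, and can submit it with -D first so that only the IAM permission is checked before any rule is created. The function names, the vpc/allow_any flags and the ValueError messages are its own; the -r prefix-list option is not modelled.

```python
"""Build and validate an ec2-authorize command line before running it.

Added example, not part of the EC2 CLI tools: it applies the option rules
documented on this page client-side and refuses the tool's silent
0.0.0.0/0 default unless the caller opts in. The -r prefix-list option is
not covered.
"""
import ipaddress
import subprocess
from typing import List, Optional

PORT_PROTOCOLS = {"tcp", "udp", "6", "17"}   # rules that need -p
ICMP_PROTOCOLS = {"icmp", "1"}               # rules that need -t


def check_port_range(spec: str) -> None:
    """-p accepts N, N-M, or -1 (all ports)."""
    if spec == "-1":
        return
    lo, _, hi = spec.partition("-")
    hi = hi or lo
    if not (lo.isdigit() and hi.isdigit() and 0 <= int(lo) <= int(hi) <= 65535):
        raise ValueError("bad port range %r (expected N, N-M or -1)" % spec)


def check_icmp(spec: str) -> None:
    """-t accepts type:code, with -1 as a wildcard for either half."""
    kind, sep, code = spec.partition(":")
    ok = sep and all(x == "-1" or (x.isdigit() and int(x) <= 255) for x in (kind, code))
    if not ok:
        raise ValueError("bad ICMP type:code %r" % spec)


def build_authorize(group: str, *, protocol: Optional[str] = None,
                    port_range: Optional[str] = None, icmp: Optional[str] = None,
                    cidr: Optional[str] = None, source_group: Optional[str] = None,
                    owner: Optional[str] = None, egress: bool = False,
                    vpc: bool = True, allow_any: bool = False) -> List[str]:
    """Return the argv for ec2-authorize, or raise ValueError for a rule it should not add."""
    if cidr and source_group:
        raise ValueError("-s and -o are mutually exclusive")
    if not cidr and not source_group:
        # Left to itself the tool fills in 0.0.0.0/0 (see the -s option), so make that explicit.
        if not allow_any:
            raise ValueError("no -s/-o given: the rule would default to 0.0.0.0/0; pass allow_any=True")
        cidr = "0.0.0.0/0"
    if cidr:
        net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set, e.g. 203.0.113.45/24
        if net.prefixlen == 0 and not allow_any:
            raise ValueError("%s matches every address; pass allow_any=True" % cidr)
    if egress and not vpc:
        raise ValueError("EC2-Classic doesn't support egress rules")
    if owner and (vpc or not source_group):
        raise ValueError("-u is only meaningful with -o on EC2-Classic")
    if protocol is None and vpc:
        raise ValueError("-P is required for EC2-VPC groups")
    # EC2-Classic defaults to tcp when a CIDR is given; a source group without -P means all three.
    effective = (protocol or ("tcp" if cidr else "")).lower()
    if effective in PORT_PROTOCOLS:
        if port_range is None:
            raise ValueError("-p is required for tcp/udp")
        check_port_range(port_range)
    if effective in ICMP_PROTOCOLS:
        if icmp is None:
            raise ValueError("-t is required for icmp")
        check_icmp(icmp)

    argv = ["ec2-authorize", group]
    if egress:
        argv.append("--egress")
    if protocol is not None:
        argv += ["-P", protocol]
    if port_range is not None:
        argv += ["-p", port_range]
    if icmp is not None:
        argv += ["-t", icmp]
    if owner:
        argv += ["-u", owner]
    if source_group:
        argv += ["-o", source_group]
    if cidr:
        argv += ["-s", cidr]
    return argv


def rejection(**kwargs) -> str:
    """The validation error for a rule, or "" if it would be built."""
    try:
        build_authorize(**kwargs)
    except ValueError as exc:
        return str(exc)
    return ""


def run_authorize(argv: List[str], dry_run: bool = True) -> subprocess.CompletedProcess:
    """Execute the built command; -D only checks IAM permission (DryRunOperation) and adds nothing."""
    return subprocess.run(argv + (["-D"] if dry_run else []), capture_output=True, text=True)


if __name__ == "__main__":
    print(" ".join(build_authorize("sg-1a2b3c4d", protocol="tcp", port_range="443", cidr="192.0.2.0/24")))
    print(rejection(group="sg-1a2b3c4d", protocol="tcp", port_range="22"))
```

Because ipaddress.ip_network is called with strict=True, a host address with a mask such as 203.0.113.45/24 is rejected rather than being normalised or sent to the API as written; a rule that is genuinely meant to be public has to say allow_any=True.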

Common Options

Option    Description

--region region

The region. Overrides the default region, the region specified by the EC2_URL environment variable, and the URL specified by the -U option.

Default: The region specified by the EC2_URL environment variable, or us-east-1 if EC2_URL isn't set.

-U, --url url

The uniform resource locator (URL) of the Amazon EC2 web service entry point.

Default: The endpoint specified by the EC2_URL environment variable, or https://ec2.amazonaws.com if EC2_URL isn't set.

-O, --aws-access-key aws_access_key_id

Your access key ID. For more information, see Tell the Tools Who You Are.

Default: The value of the AWS_ACCESS_KEY environment variable. If AWS_ACCESS_KEY isn't set, you must specify this option.

Example: -O AKIAIOSFODNN7EXAMPLE

-W, --aws-secret-key aws_secret_access_key

Your secret access key.

Default: The value of the AWS_SECRET_KEY environment variable. If AWS_SECRET_KEY isn't set, you must specify this option.

Example: -W wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

-T, --security-token delegation_token

The delegation token to pass along to the AWS request. This is only required when you are using temporary security credentials. For more information, see Using Temporary Security Credentials.

Default: The value of the AWS_DELEGATION_TOKEN environment variable (if set).

Example: -T AQoDYXdzEJr...<remainder of security token>

--connection-timeout timeout

The connection timeout, in seconds.

Example: --connection-timeout 30

--request-timeout timeout

The request timeout, in seconds.

Example: --request-timeout 45

-H, --headers

Includes column headers in the command output.

--show-empty-fields

Shows empty columns as (nil).

--hide-tags

Omits tags for tagged resources.

--debug

Displays internal debugging information. This can assist us when helping you troubleshoot problems.

-D, --auth-dry-run

Checks whether you have the required permissions for the command, without actually running the command. If you have the required permissions, the command returns DryRunOperation; otherwise, it returns UnauthorizedOperation.

-v, --verbose

Displays verbose output, including the API request and response on the command line. This is useful if you are building tools to talk directly to the Query API.

-

Reads arguments from standard input. This is useful when piping the output from one command to the input of another.

Example: ec2-describe-instances | grep stopped | cut -f 2 | ec2-start-instances -

-?, --help, -h

Displays usage information for the command.

Deprecated Options

We have deprecated the SOAP API for Amazon EC2. For more information, see SOAP Requests. From version 1.6.14.0 onwards of the Amazon EC2 CLI tools, the private key (-K, --private-key) and X.509 certificate (-C, --cert) options are not supported. Use your access key ID (-O, --aws-access-key) and secret access key (-W, --aws-secret-key) instead. For more information, see Setting Up the Amazon EC2 CLI and AMI Tools.

Option    Description

-K, --private-key ec2_private_key

The private key to use when constructing requests to Amazon EC2.

Default: The value of the EC2_PRIVATE_KEY environment variable.

Example: -K pk-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem

-C, --cert ec2_cert

The X.509 certificate to use when constructing requests to Amazon EC2.

Default: The value of the EC2_CERT environment variable.

Example: -C cert-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem

Output

This command returns a table that contains the following information:

A line containing the group information. Some of these fields may be blank.

  • The GROUP identifier

  • The ID of the security group

  • The AWS account ID of the owner of the security group

  • The name of the security group

  • A description of the security group

  • [EC2-VPC] The ID of the VPC the group belongs to

One of each of the following lines for each permission defined by the group:

  • The PERMISSION identifier

  • The AWS account ID of the owner of the security group

  • The name of the security group granting permission

  • The type of rule. Currently, only ALLOWS rules are supported

  • The protocol to allow (for example, tcp and udp)

  • The start of port range

  • The end of port range

  • FROM for an ingress rule or TO for an egress rule

  • The source type (for ingress rules) or destination type (for egress rules)

  • The source (for ingress rules) or destination (for egress rules)

  • [USER only] The name of the source or destination entity

  • [USER only] The ID of the security group

  • Whether the rule is an ingress rule or an egress rule

Amazon EC2 command line tools display errors on stderr.

Examples

Example 1

This example command grants TCP port 80 access from the 192.0.2.0/24 address range to the security group for EC2-Classic named websrv.

PROMPT> ec2-authorize websrv -P tcp -p 80 -s 192.0.2.0/24
GROUP			websrv		
PERMISSION		websrv	ALLOWS	tcp	80	80	FROM	CIDR	192.0.2.0/24	ingress

Example 2

This example command grants TCP port 80 access from the source group for EC2-Classic named OtherAccountGroup (in AWS account 111122223333) to the security group for EC2-Classic named websrv.

PROMPT> ec2-authorize websrv -P tcp -p 80 -u 111122223333 -o OtherAccountGroup
GROUP			websrv
PERMISSION		websrv	ALLOWS	tcp	80	80	FROM	USER	111122223333	NAME OtherAccountGroup		ingress

Example 3

This example command grants TCP port 80 access from the 192.0.2.0/24 address range to the security group for EC2-VPC with the ID sg-1a2b3c4d.

PROMPT> ec2-authorize sg-1a2b3c4d -P tcp -p 80 -s 192.0.2.0/24
GROUP			sg-1a2b3c4d
PERMISSION			ALLOWS	tcp	80	80	FROM	CIDR	192.0.2.0/24	ingress

Example 4

This example command grants egress access from the security group for EC2-VPC with the ID sg-1a2b3c4d to the destination security group with the ID sg-2a2b3c4d on TCP port 1433.

PROMPT> ec2-authorize --egress sg-1a2b3c4d -P tcp -p 1433 -o sg-2a2b3c4d
GROUP			sg-1a2b3c4d
PERMISSION			ALLOWS	tcp	1433	1433	TO	USER			ID sg-2a2b3c4d	egress
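The PERMISSION lines in the examples above are the same tab-delimited layout that ec2-describe-group reports for a group's existing rules, so a parser for it can audit every group in an account for rules reachable from any address. The script below is an added example, not code from the EC2 CLI tools: it parses that layout as documented under Output (the USER-only NAME and ID columns are optional, so it anchors on the ALLOWS column) and reports ingress rules from 0.0.0.0/0 or ::/0 and unrestricted egress. The sample input is constructed from the examples on this page with two risky rules added, and ADMIN_PORTS is an assumed list of services.

```python
"""Audit PERMISSION lines from ec2-authorize / ec2-describe-group output.

Added example, not part of the EC2 CLI tools: parses the tab-delimited
layout described under Output and flags rules reachable from any address.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Services whose exposure to 0.0.0.0/0 is almost always a finding (assumed list).
ADMIN_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 1433: "mssql", 3306: "mysql",
               3389: "rdp", 5432: "postgres", 6379: "redis", 27017: "mongodb"}
TCP_UDP = {"tcp", "udp", "6", "17"}      # protocols whose columns are real port numbers


@dataclass
class Rule:
    group: str
    protocol: str
    from_port: Optional[int]
    to_port: Optional[int]
    direction: str           # "ingress" or "egress" (always the last column)
    peer_type: str           # "CIDR" or "USER"
    peer: str                # CIDR block, or owner account ID for USER rules
    peer_name: str = ""      # [USER only] NAME column
    peer_id: str = ""        # [USER only] ID column


def parse_permission(line: str) -> Rule:
    """Split one PERMISSION line; the USER-only columns are optional, so anchor on ALLOWS."""
    f = line.rstrip("\n").split("\t")
    if f[0] != "PERMISSION" or "ALLOWS" not in f:
        raise ValueError("not a PERMISSION line: %r" % line)
    i = f.index("ALLOWS")
    protocol, lo, hi, peer_type, peer = f[i + 1], f[i + 2], f[i + 3], f[i + 5], f[i + 6]
    tail = f[i + 7:]
    return Rule(
        group=f[2], protocol=protocol,
        from_port=int(lo) if lo else None, to_port=int(hi) if hi else None,
        direction=f[-1], peer_type=peer_type, peer=peer,
        peer_name=next((x[5:] for x in tail if x.startswith("NAME ")), ""),
        peer_id=next((x[3:] for x in tail if x.startswith("ID ")), ""),
    )


def is_any_address(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix length of zero."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def findings(rule: Rule) -> List[str]:
    """Describe why a rule is risky; empty when it is scoped to a group or a real prefix."""
    out: List[str] = []
    if rule.peer_type != "CIDR" or not is_any_address(rule.peer):
        return out
    if rule.direction == "egress":
        return ["unrestricted egress to %s" % rule.peer]
    if rule.protocol in ("-1", "all"):
        return ["all protocols open to %s" % rule.peer]
    if rule.protocol in TCP_UDP:
        lo = 0 if rule.from_port in (None, -1) else rule.from_port
        hi = 65535 if rule.to_port in (None, -1) else rule.to_port
        if (lo, hi) == (0, 65535):
            out.append("%s all ports open to %s" % (rule.protocol, rule.peer))
        for port, svc in sorted(ADMIN_PORTS.items()):
            if lo <= port <= hi:
                out.append("%s/%d (%s) open to %s" % (rule.protocol, port, svc, rule.peer))
    return out


def audit(output: str) -> List[Tuple[Rule, List[str]]]:
    """Pair every PERMISSION line in a tool's output with its findings."""
    rules = [parse_permission(l) for l in output.splitlines() if l.startswith("PERMISSION")]
    return [(r, findings(r)) for r in rules]


# Constructed sample, in the layout of the examples above, with two risky rules added.
SAMPLE = "\n".join([
    "GROUP\tsg-1a2b3c4d\t111122223333\twebsrv\tWeb servers\tvpc-1a2b3c4d",
    "PERMISSION\t111122223333\twebsrv\tALLOWS\ttcp\t80\t80\tFROM\tCIDR\t192.0.2.0/24\tingress",
    "PERMISSION\t111122223333\twebsrv\tALLOWS\ttcp\t22\t22\tFROM\tCIDR\t0.0.0.0/0\tingress",
    "PERMISSION\t111122223333\twebsrv\tALLOWS\ttcp\t1433\t1433\tTO\tUSER\t\t\tID sg-2a2b3c4d\tegress",
    "PERMISSION\t111122223333\twebsrv\tALLOWS\t-1\t\t\tTO\tCIDR\t0.0.0.0/0\tegress",
])

if __name__ == "__main__":
    for rule, notes in audit(SAMPLE):
        for note in notes:
            print("%s: %s" % (rule.group, note))
```

Pipe real output in with something like ec2-describe-group | python audit.py (reading sys.stdin instead of SAMPLE); ICMP rules are deliberately left out of the port checks because their two numeric columns are type and code, not ports.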

Related Topics

Setting Up

IAM Policies

You can create an IAM policy to grant users permission to use this command. For more information, see IAM Policies for Amazon EC2 in the Amazon EC2 User Guide for Linux Instances.