Amazon Elastic Compute Cloud
CLI Reference (API Version 2013-02-01)

ec2-authorize

Description

Adds a rule to a security group.

Important

EC2-Classic: You can have up to 100 rules per group.

EC2-VPC: You can have up to 50 rules per group (covering both ingress and egress).

A security group is for use with instances either in the EC2-Classic platform or in a specific VPC. EC2-Classic doesn't support rules for egress traffic. For more information, see Amazon EC2 Security Groups in the Amazon Elastic Compute Cloud User Guide and Security Groups for Your VPC in the Amazon Virtual Private Cloud User Guide.

Each rule consists of the protocol (for example, TCP), plus either a CIDR range, or a source group (for ingress rules) or destination group (for egress rules). For TCP and UDP, you must also specify the destination port or port ranges. You can specify -1 to mean all ports (i.e., port range 0-65535). For ICMP, you must also specify the ICMP type and code. You can use -1 for the type or code to mean all types or all codes.

EC2-Classic: This command either gives one or more CIDR IP address ranges permission to access a security group for your account, or it gives one or more security groups (called the source groups) permission to access a security group for your account. A source group can belong to your own AWS account or to another account.

EC2-VPC: For ingress rules, this command either gives one or more CIDR IP address ranges permission to access a security group for your VPC, or it gives one or more other security groups (called the source groups) permission to access a security group for your VPC. The groups must all be in the same VPC. For egress rules, this command permits instances in the VPC to send traffic to either one or more destination CIDR IP address ranges, or to one or more destination security groups for the same VPC.

Rule changes are propagated to affected instances as quickly as possible. However, a small delay might occur.

The short version of this command is ec2auth.

Syntax

ec2-authorize group [--egress] [-P protocol] (-p port_range | -t icmp_type_code) [-u source_or_dest_group_owner ...] [-o source_or_dest_group ...] [-s source_or_dest_cidr ...]

Options

Name | Description

group

[EC2-Classic, default VPC] The name or ID of the security group.

[nondefault VPC] The ID of the security group.

The group must belong to your AWS account.

Type: String

Default: None

Required: Yes

Example: websrv

--egress

[EC2-VPC] Designates the rule as an egress rule (controls traffic leaving the VPC).

Default: If this option is not specified, the rule applies to ingress traffic for the specified security group.

-P, --protocol protocol

The IP protocol name or number (see Protocol Numbers). Security groups for EC2-Classic can have rules only for TCP, UDP, and ICMP, whereas security groups for EC2-VPC can have rules assigned to any protocol number.

When you use ec2-describe-group, the protocol value returned is the number. Exception: For TCP, UDP, and ICMP, the value returned is the name (tcp, udp, or icmp).

Type: String

Valid values for EC2-Classic: tcp | udp | icmp or the corresponding protocol number (6 | 17 | 1).

Default for EC2-Classic: Defaults to TCP if source CIDR is specified (or implied by default), or all three protocols (TCP, UDP, and ICMP) if source group is specified (to ensure backwards compatibility).

Valid values for EC2-VPC: tcp | udp | icmp or any protocol number (see Protocol Numbers). Use all to specify all protocols.

Required: Conditional

Condition: Required for EC2-VPC.

Example: -P udp

-p port_range

For TCP or UDP: The range of ports to allow.

Type: String

Default: None

Valid values: A single integer or a range (min-max). You can specify -1 to mean all ports (for example, port range 0-65535).

Required: Conditional

Condition: Required if specifying tcp or udp (or the equivalent number) for the protocol.

Example: -p 80-84

-t icmp_type_code

For ICMP: The ICMP type and code. Use the format type:code, where both are integers. You can use -1 for the type or code to mean all types or all codes.

Type: String

Default: None

Required: Conditional

Condition: Required if specifying icmp (or the equivalent number) for the protocol.

Example: -t -1:-1

-u source_or_dest_group_owner

The ID of the AWS account that owns the source security group. If the group is in your own account, set this to your own AWS account ID. Cannot be used when specifying a CIDR IP address.

Type: String

Default: None

Required: Conditional

Condition: For EC2-Classic: Required when adding a rule that gives access to one or more source security groups.

Example: -u 111122223333

-o source_or_dest_group

The source security group (for ingress rules), or destination security group (for egress rules). You can't use this option when specifying a CIDR IP address with the -s option.

[nondefault VPC] You must specify the ID of the group (for example, sg-1a2b3c4d) instead of its name.

Type: String

Default: None

Required: Conditional

Condition: Required if giving access to one or more source or destination security groups.

Example: -o headoffice

-s, --cidr source_or_dest_cidr

The CIDR range. Cannot be used when specifying a source or destination security group with the -o option.

Type: String

Default: 0.0.0.0/0

Constraints: Valid CIDR IP address range.

Required: Conditional

Condition: Required if giving access to one or more IP address ranges.

Example: -s 205.192.8.45/24

Common Options

Option | Description

--region REGION

Overrides the region specified by the EC2_URL environment variable and the URL specified by the -U option.

Default: The value of the EC2_URL environment variable, or us-east-1 if EC2_URL isn't set.

Example: --region eu-west-1

-U, --url URL

The uniform resource locator (URL) of the Amazon EC2 web service entry point.

Default: The value of the EC2_URL environment variable, or https://ec2.amazonaws.com if EC2_URL isn't set.

Example: -U https://ec2.amazonaws.com

-K, --private-key EC2-PRIVATE-KEY

The private key that identifies you to Amazon EC2. For more information, see Tell the Tools Who You Are.

Default: The value of the EC2_PRIVATE_KEY environment variable. If EC2_PRIVATE_KEY isn't set, you must specify this option.

Example: -K pk-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem

-C, --cert EC2-CERT

The X.509 certificate that identifies you to Amazon EC2.

Default: The value of the EC2_CERT environment variable. If EC2_CERT isn't set, you must specify this option.

Example: -C cert-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem

-O, --aws-access-key AWS_ACCESS_KEY

The access key ID associated with your AWS account. For more information, see Tell the Tools Who You Are.

Default: The value of the AWS_ACCESS_KEY environment variable. If AWS_ACCESS_KEY isn't set, you must specify this option.

Example: -O AKIAIOSFODNN7EXAMPLE

Note

For more information, see the following section, Deprecated Options.

-W, --aws-secret-key AWS_SECRET_KEY

The secret access key associated with your AWS account.

Default: The value of the AWS_SECRET_KEY environment variable. If AWS_SECRET_KEY isn't set, you must specify this option.

Example: -W wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Note

For more information, see the following section, Deprecated Options.

-T, --security-token TOKEN AWS_DELEGATION_TOKEN

The AWS delegation token.

Default: The value of the AWS_DELEGATION_TOKEN environment variable (if set).

--connection-timeout TIMEOUT

The connection timeout, in seconds.

Example: --connection-timeout 30

--request-timeout TIMEOUT

The request timeout, in seconds.

Example: --request-timeout 45

-v, --verbose

Displays verbose output, including the API request and response on the command line. This is useful if you are building tools to talk directly to our Query API.

-H, --headers

Includes column headers in the command output.

--show-empty-fields

Shows empty columns as (nil).

--hide-tags

Omits tags for tagged resources.

--debug

Displays internal debugging information. This can assist us when helping you troubleshoot problems.

-?, --help, -h

Displays usage information for the command.

-

Reads arguments from standard input. This is useful when piping the output from one command to the input of another.

Example: ec2-describe-instances | grep stopped | cut -f 2 | ec2-start-instances -

Deprecated Options

For a limited time, you can still use the private key and X.509 certificate instead of your access key ID and secret access key. However, we recommend that you start using your access key ID (-O, --aws-access-key) and secret access key (-W, --aws-secret-key) now, as the private key (-K, --private-key) and X.509 certificate (-C, --cert) won't be supported after the transition period elapses. For more information, see Tell the Tools Who You Are.

Option | Description

-K, --private-key EC2-PRIVATE-KEY

The private key to use when constructing requests to Amazon EC2.

Default: The value of the EC2_PRIVATE_KEY environment variable.

Example: -K pk-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem

-C, --cert EC2-CERT

The X.509 certificate to use when constructing requests to Amazon EC2.

Default: The value of the EC2_CERT environment variable.

Example: -C cert-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem

Output

This command returns a table that contains the following information:

A line containing the group information. Some of these fields may be blank.

  • The GROUP identifier

  • The ID of the security group

  • The AWS account ID of the owner of the security group

  • The name of the security group

  • A description of the security group

  • [VPC only] The ID of the VPC the group belongs to

One of each of the following lines for each permission defined by the group:

  • The PERMISSION identifier

  • The AWS account ID of the owner of the group

  • The name of the group granting permission

  • The type of rule. Currently, only ALLOWS rules are supported

  • The protocol to allow (for example, tcp or udp)

  • The start of port range

  • The end of port range

  • FROM for an ingress rule or TO for an egress rule

  • The source type (for ingress rules) or destination type (for egress rules)

  • The source (for ingress rules) or destination (for egress rules)

  • [USER only] The name of the source or destination entity

  • [USER only] The group ID

  • Whether the rule is an ingress rule or an egress rule

Amazon EC2 command line tools display errors on stderr.
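Because the -s option defaults to 0.0.0.0/0, a rule added without an explicit CIDR admits traffic from any IPv4 address. The following added example (not part of the AWS documentation or tools) reads PERMISSION lines in the tab-separated layout described above and reports ingress rules whose source is 0.0.0.0/0; the sample output it runs on is constructed here, not captured from a real account.

```shell
#!/bin/sh
# Added example: flag world-open ingress rules in ec2-authorize /
# ec2-describe-group output. Field positions follow the Output section:
# $1 PERMISSION, $2 owner, $3 group name, $4 ALLOWS, $5 protocol,
# $6 from-port, $7 to-port, $8 FROM/TO, $9 source type, $10 source,
# last field ingress/egress. Lines are tab-separated; blank fields stay empty.

# Constructed sample output (not real tool output). The second GROUP is a
# nondefault-VPC group, so its PERMISSION lines carry no group name.
sample_output() {
    printf 'GROUP\t\t\twebsrv\t\t\n'
    printf 'PERMISSION\t\twebsrv\tALLOWS\ttcp\t80\t80\tFROM\tCIDR\t192.0.2.0/24\tingress\n'
    printf 'PERMISSION\t\twebsrv\tALLOWS\ttcp\t22\t22\tFROM\tCIDR\t0.0.0.0/0\tingress\n'
    printf 'PERMISSION\t\twebsrv\tALLOWS\ttcp\t80\t80\tFROM\tUSER\t111122223333\tNAME OtherAccountGroup\t\tingress\n'
    printf 'GROUP\t\t\tsg-1a2b3c4d\n'
    printf 'PERMISSION\t\t\tALLOWS\tudp\t53\t53\tFROM\tCIDR\t0.0.0.0/0\tingress\n'
    printf 'PERMISSION\t\t\tALLOWS\ttcp\t1433\t1433\tTO\tCIDR\t0.0.0.0/0\tegress\n'
}

# Reads tool output on stdin; prints "<group> <protocol> <from> <to>" for
# each ingress rule open to 0.0.0.0/0. Egress and source-group rules are
# left alone: only CIDR-sourced ingress is checked here.
find_world_open_ingress() {
    awk -F'\t' '
        # Remember the current group: first non-empty field after GROUP,
        # so it works whether the line carries a name or only an ID.
        $1 == "GROUP" { for (i = 2; i <= NF; i++) if ($i != "") { grp = $i; break } }
        $1 == "PERMISSION" && $9 == "CIDR" && $10 == "0.0.0.0/0" && $NF == "ingress" {
            name = ($3 != "") ? $3 : grp
            printf "%s %s %s %s\n", name, $5, $6, $7
        }
    '
}

sample_output | find_world_open_ingress
```

In practice, pipe `ec2-describe-group` output into find_world_open_ingress to audit existing groups rather than the constructed sample.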

Examples

Example Request

EC2 security groups: This example grants TCP port 80 access from the 192.0.2.0/24 address range to the EC2 security group called websrv.

PROMPT> ec2-authorize websrv -P tcp -p 80 -s 192.0.2.0/24
GROUP			websrv		
PERMISSION		websrv	ALLOWS	tcp	80	80	FROM	CIDR	192.0.2.0/24	ingress

Example Request

EC2 security groups: This example grants TCP port 80 access from the EC2 source group called OtherAccountGroup (in AWS account 111122223333) to your EC2 security group called websrv.

PROMPT> ec2-authorize websrv -P tcp -p 80 -u 111122223333 -o OtherAccountGroup
GROUP			websrv
PERMISSION		websrv	ALLOWS	tcp	80	80	FROM	USER	111122223333	NAME OtherAccountGroup		ingress

Example Request

[EC2-VPC] This example grants TCP port 80 access from the 192.0.2.0/24 address range to the security group with ID sg-1a2b3c4d.

PROMPT> ec2-authorize sg-1a2b3c4d -P tcp -p 80 -s 192.0.2.0/24
GROUP			sg-1a2b3c4d
PERMISSION			ALLOWS	tcp	80	80	FROM	CIDR	192.0.2.0/24	ingress

Example Request

[EC2-VPC] This example grants egress access from the group sg-1a2b3c4d to the destination group sg-2a2b3c4d on TCP destination port 1433.

PROMPT> ec2-authorize --egress sg-1a2b3c4d -P tcp -p 1433 -o sg-2a2b3c4d
GROUP			sg-1a2b3c4d
PERMISSION			ALLOWS	tcp	1433	1433	TO	USER			ID sg-2a2b3c4d	egress