AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

Table Of Contents


[ aws . ec2 ]



To specify multiple rules in a single command use the --ip-permissions option


Removes one or more ingress rules from a security group. The values that you specify in the revoke request (for example, ports) must match the existing rule's values for the rule to be removed.

Each rule consists of the protocol and the CIDR range or source security group. For the TCP and UDP protocols, you must also specify the destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type and code.

Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.


[--dry-run | --no-dry-run]
[--group-name <value>]
[--group-id <value>]
[--ip-permissions <value>]
[--protocol <value>]
[--port <value>]
[--cidr <value>]
[--source-group <value>]
[--group-owner <value>]
[--cli-input-json <value>]


--dry-run | --no-dry-run (boolean)

Checks whether you have the required permissions for the action, without actually making the request. Using this option will result in one of two possible error responses. If you have the required permissions, the error response will be DryRunOperation . Otherwise it will be UnauthorizedOperation .

--group-name (string)

[EC2-Classic, default VPC] The name of the security group.

--group-id (string)

The ID of the security group.

--ip-permissions (list)

A set of IP permissions. You can't specify a source security group and a CIDR IP address range.

JSON Syntax:

    "IpProtocol": "string",
    "FromPort": integer,
    "ToPort": integer,
    "UserIdGroupPairs": [
        "UserId": "string",
        "GroupName": "string",
        "GroupId": "string"
    "IpRanges": [
        "CidrIp": "string"

--protocol (string)

The IP protocol of this permission.

Valid protocol values: tcp , udp , icmp

--port (string)

For TCP or UDP: The range of ports to allow. A single integer or a range (min-max ).

For ICMP: A single integer or a range (type-code ) representing the ICMP type number and the ICMP code number respectively. A value of -1 indicates all ICMP codes for all ICMP types. A value of -1 just for type indicates all ICMP codes for the specified ICMP type.

--cidr (string)

The CIDR IP range.

--source-group (string)

The name or ID of the source security group. Cannot be used when specifying a CIDR IP address.

--group-owner (string)

The AWS account ID that owns the source security group. Cannot be used when specifying a CIDR IP address.

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values.

--generate-cli-skeleton (boolean) Prints a sample input JSON to standard output. Note the specified operation is not run if this argument is specified. The sample input can be used as an argument for --cli-input-json.


To remove a rule from a security group

This example removes TCP port 22 access for the address range from the security group named MySecurityGroup. If the command succeeds, no output is returned.


aws ec2 revoke-security-group-ingress --group-name MySecurityGroup --protocol tcp --port 22 --cidr