AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

Table Of Contents

Feedback

[ aws . ec2 ]

revoke-security-group-ingress

Description

Removes one or more ingress rules from a security group. The values that you specify in the revoke request (for example, ports) must match the existing rule's values for the rule to be removed.

Each rule consists of the protocol and the CIDR range or source security group. For the TCP and UDP protocols, you must also specify the destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type and code.

Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.

Note

To specify multiple rules in a single command use the --ip-permissions option

Synopsis

  revoke-security-group-ingress
[--dry-run | --no-dry-run]
[--group-name <value>]
[--group-id <value>]
[--source-security-group-name <value>]
[--source-security-group-owner-id <value>]
[--ip-protocol <value>]
[--from-port <value>]
[--to-port <value>]
[--cidr-ip <value>]
[--ip-permissions <value>]
[--protocol <value>]
[--port <value>]
[--cidr <value>]
[--source-group <value>]
[--group-owner <value>]

Options

--dry-run | --no-dry-run (boolean)

Checks whether you have the required permissions for the action, without actually making the request. Using this option will result in one of two possible error responses. If you have the required permissions, the error response will be DryRunOperation . Otherwise it will be UnauthorizedOperation .

--group-name (string)

[EC2-Classic, default VPC] The name of the security group.

--group-id (string)

The ID of the security group.

--source-security-group-name (string)

[EC2-Classic, default VPC] The name of the source security group. You can't specify a source security group and a CIDR IP address range.

--source-security-group-owner-id (string)

The ID of the source security group. You can't specify a source security group and a CIDR IP address range.

--ip-protocol (string)

The IP protocol name (tcp , udp , icmp ) or number (see Protocol Numbers ). Use -1 to specify all.

--from-port (integer)

The start of port range for the TCP and UDP protocols, or an ICMP type number. For the ICMP type number, use -1 to specify all ICMP types.

--to-port (integer)

The end of port range for the TCP and UDP protocols, or an ICMP code number. For the ICMP code number, use -1 to specify all ICMP codes for the ICMP type.

--cidr-ip (string)

The CIDR IP address range. You can't specify this parameter when specifying a source security group.

--ip-permissions (list)

JSON Syntax:

[
  {
    "IpProtocol": "string",
    "FromPort": integer,
    "ToPort": integer,
    "UserIdGroupPairs": [
      {
        "UserId": "string",
        "GroupName": "string",
        "GroupId": "string"
      }
      ...
    ],
    "IpRanges": [
      {
        "CidrIp": "string"
      }
      ...
    ]
  }
  ...
]

--protocol (string)

The IP protocol of this permission.

Valid protocol values: tcp , udp , icmp

--port (string)

For TCP or UDP: The range of ports to allow. A single integer or a range (min-max). You can specify all to mean all ports

--cidr (string)

The CIDR IP range.

--source-group (string)

The name of the source security group. Cannot be used when specifying a CIDR IP address.

--group-owner (string)

The AWS account ID that owns the source security group. Cannot be used when specifying a CIDR IP address.

Examples

To remove a rule from a security group

This example removes TCP port 22 access for the 203.0.113.0/24 address range from the security group named MySecurityGroup.

Command:

aws ec2 revoke-security-group-ingress --group-name MySecurityGroup --protocol tcp --port 22 --cidr 203.0.113.0/24

Output:

{
    "return": "true"
}

Output

None