This action applies to both EC2 security groups and VPC security groups. For information about VPC security groups and how they differ from EC2 security groups, go to Security Groups in the Amazon Virtual Private Cloud User Guide.
This action removes one or more ingress rules from a security group. The values that you specify in the revoke request (for example, the protocol, ports, and CIDR range or source group) must exactly match the existing rule's values for the rule to be removed; a request that differs in any value leaves the rule in place.
Each rule consists of the protocol and the CIDR range or source security group. For the TCP and UDP protocols, you must also specify the destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type and code.
Rule changes are propagated to instances within the security group as quickly as possible. However, depending on the number of instances, a small delay might occur.
| Name | Description | Required |
|---|---|---|
| UserId | Deprecated. | No |
| GroupId | ID of the EC2 or VPC security group to modify. The group must belong to your account. Type: String. Default: None. Condition: Required for VPC security groups; can be used instead of the group name. | Conditional |
| GroupName | Name of the EC2 security group to modify. Type: String. Default: None. Condition: Can be used instead of the group ID. | Conditional |
| IpProtocol | IP protocol name or number (go to Protocol Numbers). EC2 security groups can have rules only for TCP, UDP, and ICMP, whereas VPC security groups can have rules assigned to any protocol number. When you call ... Type: String. Valid values for EC2 security groups: ... Valid values for VPC groups: ... | Required |
| FromPort | Start of port range for the TCP and UDP protocols, or an ICMP type number. For the ICMP type number, you can use -1 to specify all ICMP types. Type: Integer. Default: None. Condition: Required for ICMP and any protocol that uses ports. | Conditional |
| ToPort | End of port range for the TCP and UDP protocols, or an ICMP code number. For the ICMP code number, you can use -1 to specify all ICMP codes for the given ICMP type. Type: Integer. Default: None. Condition: Required for ICMP and any protocol that uses ports. | Conditional |
| SourceSecurityGroupOwnerId | AWS account ID that owns the source security group. Cannot be used when specifying a CIDR IP address. Type: String. Default: None. Condition: For EC2 security groups only. Required if modifying access for one or more source security groups. | Conditional |
| SourceSecurityGroupName | Name of the source security group. Cannot be used when specifying a CIDR IP address. Type: String. Default: None. Condition: Required if modifying access for one or more source security groups. | Conditional |
| SourceSecurityGroupId | ID of the source security group. Cannot be used when specifying a CIDR IP address. Type: String. Default: None. Condition: For VPC security groups only. Required if modifying access for one or more source security groups. | Conditional |
| CidrIp | CIDR range. Cannot be used when specifying a source security group. Type: String. Default: None. Constraints: Valid CIDR IP address range. Condition: Required if modifying access for one or more IP address ranges. | Conditional |
The elements in the following table are wrapped in a RevokeSecurityGroupIngressResponse structure.
| Name | Description |
|---|---|
| requestId | The ID of the request. Type: xsd:string |
| return | Returns true if the request succeeds. Otherwise, returns an error. Type: xsd:boolean |
This example revokes TCP port 80 access from the 205.192.0.0/16 address range for the websrv security group. Note that if the security group were a VPC security group, the ID of the security group would instead be required in the request.

```
https://ec2.amazonaws.com/?Action=RevokeSecurityGroupIngress
&GroupName=websrv
&IpProtocol=tcp
&FromPort=80
&ToPort=80
&CidrIp=205.192.0.0/16
&AUTHPARAMS
```

```xml
<RevokeSecurityGroupIngressResponse xmlns="http://ec2.amazonaws.com/doc/2011-12-15/">
  <requestId>59dbff89-35bd-4eac-99ed-be587EXAMPLE</requestId>
  <return>true</return>
</RevokeSecurityGroupIngressResponse>
```
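The exact-match requirement and the EC2-versus-VPC parameter conditions described above, as an added example that is not part of the AWS documentation: it models a group's current rules, checks whether a revoke request would actually match one of them before it is sent, and builds the query parameters for the request. The `IngressRule` class, the `websrv` rule snapshot and the `monitoring` group are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of one ingress rule, as the page defines it: protocol plus
# either a CIDR range or a source security group, plus ports or ICMP type/code.
@dataclass(frozen=True)
class IngressRule:
    ip_protocol: str                    # "tcp", "udp" or "icmp"
    from_port: Optional[int] = None     # start port, or ICMP type (-1 = all)
    to_port: Optional[int] = None       # end port, or ICMP code (-1 = all)
    cidr_ip: Optional[str] = None       # CIDR range, exclusive with source group
    source_group: Optional[str] = None  # source group name (EC2) or ID (VPC)
    source_owner: Optional[str] = None  # owner account ID, EC2 groups only

def validate(rule: IngressRule) -> None:
    """Reject requests the API documents as invalid before they are sent."""
    if (rule.cidr_ip is None) == (rule.source_group is None):
        raise ValueError("specify exactly one of CidrIp or a source security group")
    if rule.ip_protocol in ("tcp", "udp", "icmp") and None in (rule.from_port, rule.to_port):
        raise ValueError(f"{rule.ip_protocol} rules need FromPort and ToPort")

def matches_existing(existing: list, request: IngressRule) -> bool:
    """A revoke only removes a rule whose values exactly match, ports included."""
    validate(request)
    return any(r == request for r in existing)

def build_revoke_params(group: str, rule: IngressRule, vpc: bool) -> dict:
    """Query-string parameters for RevokeSecurityGroupIngress (AUTHPARAMS omitted)."""
    validate(rule)
    params = {"Action": "RevokeSecurityGroupIngress",
              "GroupId" if vpc else "GroupName": group,  # VPC groups require the ID
              "IpProtocol": rule.ip_protocol}
    if rule.from_port is not None:
        params["FromPort"], params["ToPort"] = str(rule.from_port), str(rule.to_port)
    if rule.cidr_ip is not None:
        params["CidrIp"] = rule.cidr_ip
    elif vpc:
        params["SourceSecurityGroupId"] = rule.source_group
    else:
        params["SourceSecurityGroupName"] = rule.source_group
        if rule.source_owner is not None:
            params["SourceSecurityGroupOwnerId"] = rule.source_owner
    return params

# Constructed snapshot of the websrv group's current rules (not real data).
WEBSRV_RULES = [
    IngressRule("tcp", 80, 80, cidr_ip="205.192.0.0/16"),
    IngressRule("tcp", 22, 22, cidr_ip="10.0.0.0/8"),
    IngressRule("icmp", -1, -1, source_group="monitoring", source_owner="123456789012"),
]
```

Running `matches_existing` against a DescribeSecurityGroups snapshot before revoking is a cheap way to catch a request whose ports or CIDR differ from the rule you meant to remove, since the API will otherwise leave that rule in place.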