This command applies to both EC2 security groups and VPC security groups. For information about VPC security groups and how they differ from EC2 security groups, go to Security Groups in the Amazon Virtual Private Cloud User Guide.
This command adds a rule to a security group. The rule can be for ingress traffic, or for egress traffic (only if this is a VPC security group).
For EC2 security groups and ingress rules: This command either gives one or more CIDR IP address ranges permission to access a security group in your account, or it gives one or more security groups (called the source groups) permission to access a security group in your account. A source group can be in your own AWS account, or another.
For VPC security groups and ingress rules: This command either gives one or more CIDR IP address ranges permission to access a security group in your VPC, or it gives one or more other security groups (called the source groups) permission to access a security group in your VPC. The groups must all be in the same VPC.
For VPC security groups and egress rules: This command permits instances in a VPC security group to send traffic to either one or more destination CIDR IP address ranges, or to one or more destination security groups in the same VPC.
Each rule consists of the protocol (e.g., TCP), plus either a CIDR range, or a source group (for ingress rules) or destination group (for egress rules). For TCP and UDP, you must also specify the destination port or port ranges. You can specify -1 to mean all ports (i.e., port range 0-65535). For ICMP, you must also specify the ICMP type and code. You can use -1 for the type or code to mean all types or all codes.
Permission changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.
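The rule grammar above (a protocol, then a port range or an ICMP type:code, then exactly one of a CIDR or a source/destination group) is easy to get wrong at the shell, and the most expensive mistake is leaving out both -s and -o, which makes the tool fall back to 0.0.0.0/0. The wrapper below is an added example, not part of the Amazon EC2 command line tools: build_authorize_cmd, run_authorize, is_cidr, is_port_range, ALLOW_WORLD and DRY_RUN are hypothetical names introduced here. It checks the arguments against the constraints documented on this page (TCP/UDP need a port range, ICMP needs type:code, --egress and sg- IDs only for VPC groups, -u only for EC2 source groups) and only then emits, or without DRY_RUN executes, an ec2-authorize command line built from the documented options.

```shell
#!/bin/sh
# Guarded front-end for ec2-authorize. Added example, not part of the Amazon
# EC2 tools; every function and variable name here is hypothetical. The only
# ec2-authorize options it emits are the ones documented on this page.

# is_cidr A.B.C.D/N -> succeeds if the argument is a well-formed IPv4 CIDR.
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; pfx=${1#*/}
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    n=0; old_ifs=$IFS; IFS=.
    for octet in $ip; do
        case "$octet" in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
        n=$((n + 1))
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# is_port_range SPEC -> succeeds for -1 (all ports), one port, or min-max.
is_port_range() {
    case "$1" in
        -1)  return 0 ;;
        *-*) lo=${1%-*}; hi=${1#*-} ;;
        *)   lo=$1; hi=$1 ;;
    esac
    case "$lo" in ''|*[!0-9]*) return 1 ;; esac
    case "$hi" in ''|*[!0-9]*) return 1 ;; esac
    [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ]
}

# build_authorize_cmd DIRECTION GROUP PROTOCOL PORTS_OR_TYPECODE PEER [OWNER]
#   DIRECTION  ingress or egress (egress only for VPC groups, i.e. sg- IDs)
#   PEER       a CIDR (becomes -s) or a security group (becomes -o)
#   OWNER      account ID owning an EC2 source group (becomes -u)
# Prints the ec2-authorize command line, or returns 1 with a reason on stderr.
build_authorize_cmd() {
    dir=$1 grp=$2 proto=$3 spec=$4 peer=$5 owner=$6
    [ -n "$grp" ] && [ -n "$proto" ] && [ -n "$spec" ] && [ -n "$peer" ] || {
        echo "usage: build_authorize_cmd ingress|egress GROUP PROTO PORTS PEER [OWNER]" >&2
        return 1
    }
    case "$grp" in sg-*) vpc=1 ;; *) vpc=0 ;; esac
    case "$dir" in
        ingress) egress_opt="" ;;
        egress)  [ "$vpc" -eq 1 ] || { echo "--egress applies only to VPC groups" >&2; return 1; }
                 egress_opt="--egress" ;;
        *)       echo "direction must be ingress or egress" >&2; return 1 ;;
    esac
    # Port selector: -p for TCP/UDP, -t type:code for ICMP (EC2 groups accept only these).
    case "$proto" in
        tcp|udp) is_port_range "$spec" || { echo "bad port range: $spec" >&2; return 1; }
                 sel="-p $spec" ;;
        icmp)    case "$spec" in *:*) ;; *) echo "ICMP needs type:code, e.g. -1:-1" >&2; return 1 ;; esac
                 sel="-t $spec" ;;
        *)       echo "protocol must be tcp, udp or icmp" >&2; return 1 ;;
    esac
    if is_cidr "$peer"; then
        [ -z "$owner" ] || { echo "-u applies to a source group, not a CIDR" >&2; return 1; }
        # Without -s/-o the tool defaults to 0.0.0.0/0, so the CIDR is always
        # passed explicitly and the world-open one needs ALLOW_WORLD=1.
        if [ "$peer" = "0.0.0.0/0" ] && [ "${ALLOW_WORLD:-0}" != 1 ]; then
            echo "refusing 0.0.0.0/0 (set ALLOW_WORLD=1 if this is intended)" >&2
            return 1
        fi
        peer_opt="-s $peer"
    elif [ "$vpc" -eq 1 ]; then
        case "$peer" in sg-*) ;; *) echo "VPC rules must name the peer group by ID (sg-...)" >&2; return 1 ;; esac
        [ -z "$owner" ] || { echo "-u is for EC2 groups; VPC peer groups share the VPC" >&2; return 1; }
        peer_opt="-o $peer"
    else
        [ -n "$owner" ] || { echo "EC2 source groups need the owner account ID (-u)" >&2; return 1; }
        peer_opt="-u $owner -o $peer"
    fi
    # Unquoted expansions are intentional: empty parts vanish, others split into arguments.
    echo ec2-authorize "$grp" $egress_opt -P "$proto" $sel $peer_opt
}

# run_authorize ARGS... -> validate, show the command, run it unless DRY_RUN is set.
run_authorize() {
    cmd=$(build_authorize_cmd "$@") || return 1
    echo "+ $cmd" >&2
    [ -n "${DRY_RUN:-}" ] && return 0
    $cmd    # word-split into ec2-authorize and its arguments (none contain spaces)
}

# Demo with DRY_RUN so nothing is applied; the last call is refused on purpose.
DRY_RUN=1
run_authorize ingress websrv tcp 80 192.0.2.0/24
run_authorize egress sg-eea7b782 tcp 1433 sg-80aebeec
run_authorize ingress websrv tcp 22 0.0.0.0/0 || echo "blocked, as intended" >&2
```

Unset DRY_RUN on a host with the tools installed to apply rules for real. The wrapper deliberately restricts -P to tcp, udp and icmp, which is what EC2 groups accept; if you need numeric protocol numbers on VPC groups, extend the protocol case accordingly.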
Important: For EC2 security groups, you can have up to 100 rules per group. For VPC security groups, you can have up to 50 rules total per group (covering both ingress and egress).
The short version of this command is ec2auth.

ec2-authorize group [--egress] [-P protocol] (-p port_range | -t icmp_type_code)
    [-u source_or_dest_group_owner ...] [-o source_or_dest_group ...]
    [-s source_or_dest_cidr ...]
| Name | Description | Required |
|---|---|---|
| group | For EC2 groups: Name or ID of the security group to modify. For VPC groups: ID of the security group to modify (e.g., sg-1a2b3c4d). The group must belong to your AWS account. Type: String. Default: None. Example: websrv | Yes |
| --egress | Optional flag applicable only to VPC security groups. The flag designates the rule as an egress rule (i.e., it controls traffic leaving the VPC security group). Default: If this is not specified, the rule applies to ingress traffic for the specified security group. | No |
| -P protocol | IP protocol name or number (go to Protocol Numbers). EC2 security groups can have rules only for TCP, UDP, and ICMP, whereas VPC security groups can have rules assigned to any protocol number. When you call Type: String. Valid Values for EC2 security groups: tcp, udp, icmp. Default for EC2 groups: TCP if a source CIDR is specified (or implied by default); all three protocols (TCP, UDP, and ICMP) if a source group is specified (to ensure backwards compatibility). Passing -P explicitly avoids relying on either default. Valid Values for VPC groups: any protocol name or number. Condition: Required for VPC security groups. Example: -P udp | Conditional |
| -p port_range | For TCP or UDP, this specifies the range of ports to allow. Type: String. Default: None. Valid Values: A single integer or a range (min-max). You can specify -1 to mean all ports (i.e., port range 0-65535). Condition: Required if the protocol is TCP or UDP. Example: -p 80-84 | Conditional |
| -t icmp_type_code | For ICMP, this specifies the ICMP type and code, in the format type:code (as in the example); -1 for either part means all types or all codes. Type: String. Default: None. Condition: Required if the protocol is ICMP. Example: -t -1:-1 | Conditional |
| -u source_or_dest_group_owner | AWS account ID that owns the source security group. If the group is in your own account, set this to your own AWS account ID. Cannot be used when specifying a CIDR IP address. Type: String. Default: None. Condition: For EC2 security groups only. Required when adding a rule that gives access to one or more source security groups. Example: -u 999988887777 | Conditional |
| -o source_or_dest_group | The source security group (for ingress rules), or destination security group (for egress rules). When adding a rule for a VPC security group, you must specify the group's ID (e.g., sg-9d4e5f6g) instead of its name. Cannot be used when specifying a CIDR IP address with the -s option. Type: String. Default: None. Condition: Required if giving access to one or more source or destination security groups. Example: -o headoffice | Conditional |
| -s source_or_dest_cidr | CIDR range. Cannot be used when specifying a source or destination security group with the -o option. Type: String. Default: 0.0.0.0/0. Because of this default, a rule given neither -s nor -o is opened to every IPv4 address; always pass the source or destination explicitly. Constraints: Valid CIDR IP address range. Condition: Required if giving access to one or more IP address ranges. Example: -s 205.192.8.45/24 | Conditional |
| Option | Description |
|---|---|
| --region | Overrides the Region specified in the Default: The Example: |
|  | Default: The Example: |
| -K, --private-key | The private key to use when constructing requests to Amazon EC2. Default: The value of the Example: |
| -C, --cert | The X.509 certificate to use when constructing requests to Amazon EC2. Default: The value of the Example: |
| --connection-timeout | Specifies a connection timeout (in seconds). Example: --connection-timeout 30 |
| --request-timeout | Specifies a request timeout (in seconds). Example: --request-timeout 45 |
| -v, --verbose | Displays verbose output by showing the SOAP request and response on the command line. This is particularly useful if you are building tools to talk directly to our SOAP API. |
| -H, --headers | Displays column headers in the output. |
| --show-empty-fields | Shows empty columns as |
| --hide-tags | Do not display tags for tagged resources. |
| --debug | Prints internal debugging information. This is useful to assist us when troubleshooting problems. |
| -?, --help | Displays Help. |
|  | If Example: |
The command returns a table that contains the following information:

- Output type identifier ("GROUP", "PERMISSION")
- Group name for EC2 security groups; group ID for VPC security groups
- Type of rule; currently, only ALLOW rules are supported
- Protocol to allow
- Start of port range
- End of port range
- Source (for ingress rules) or destination (for egress rules)
Amazon EC2 command line tools display errors on stderr.
EC2 security groups: This example grants TCP port 80 access from the 192.0.2.0/24 address range to the EC2 security group called websrv.

PROMPT> ec2-authorize websrv -P tcp -p 80 -s 192.0.2.0/24
GROUP websrv
PERMISSION websrv ALLOWS tcp 80 80 FROM CIDR 192.0.2.0/24 ingress

EC2 security groups: This example grants TCP port 80 access from the EC2 source group called OtherAccountGroup (in AWS account 999988887777) to your EC2 security group called websrv.

PROMPT> ec2-authorize websrv -P tcp -p 80 -u 999988887777 -o OtherAccountGroup
GROUP websrv
PERMISSION websrv ALLOWS tcp 80 80 FROM USER 999988887777 GRPNAME OtherAccountGroup ingress

VPC security groups: This example grants TCP port 80 access from the 192.0.2.0/24 address range to the VPC security group with ID sg-eea7b782.

PROMPT> ec2-authorize sg-eea7b782 -P tcp -p 80 -s 192.0.2.0/24
GROUP sg-eea7b782
PERMISSION ALLOWS tcp 80 80 FROM CIDR 192.0.2.0/24 ingress

VPC security groups: This example grants egress access from the VPC group sg-eea7b782 to the VPC destination group sg-80aebeec on TCP destination port 1433.

PROMPT> ec2-authorize --egress sg-eea7b782 -P tcp -p 1433 -o sg-80aebeec
GROUP sg-eea7b782
PERMISSION ALLOWS tcp 1433 1433 TO USER ID sg-80aebeec egress
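The GROUP/PERMISSION lines in the examples above are regular enough to audit mechanically, which is worth doing after a batch of ec2-authorize calls because a single missing -s turns into a 0.0.0.0/0 rule. The script below is an added example, not the tools' own output handling: audit_rules is a hypothetical name, and SAMPLE_RULES is constructed from the example output on this page plus two deliberately risky rules (SSH open to 0.0.0.0/0 and a 0-65535 port range). It locates ALLOWS by value rather than by column, because EC2 groups print the group name before it and VPC groups do not.

```shell
#!/bin/sh
# Audit pass over output in the GROUP/PERMISSION format shown on this page.
# Added example, not part of the Amazon EC2 tools; audit_rules is a
# hypothetical name and SAMPLE_RULES is constructed for the demo.

SAMPLE_RULES='GROUP websrv
PERMISSION websrv ALLOWS tcp 80 80 FROM CIDR 192.0.2.0/24 ingress
PERMISSION websrv ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0 ingress
PERMISSION websrv ALLOWS tcp 0 65535 FROM CIDR 10.1.2.0/24 ingress
PERMISSION websrv ALLOWS tcp 80 80 FROM USER 999988887777 GRPNAME OtherAccountGroup ingress
GROUP sg-eea7b782
PERMISSION ALLOWS tcp 1433 1433 TO USER ID sg-80aebeec egress
PERMISSION ALLOWS tcp 443 443 TO CIDR 0.0.0.0/0 egress'

# audit_rules: reads GROUP/PERMISSION lines on stdin and prints one line per
# rule that is open to every IPv4 address or spans every port, in the form
#   GROUP DIRECTION FLAGS PROTO LOW-HIGH PEER
audit_rules() {
    awk '
    $1 == "GROUP"      { group = $2; next }
    $1 != "PERMISSION" { next }
    {
        # EC2 groups print the group name before ALLOWS, VPC groups do not,
        # so find the ALLOWS column by value.
        for (i = 2; i <= NF && $i != "ALLOWS"; i++) ;
        proto = $(i + 1); low = $(i + 2); high = $(i + 3)
        direction = $NF            # ingress or egress
        peer = $(NF - 1)           # CIDR, EC2 group name, or sg- ID
        flags = ""
        if (peer == "0.0.0.0/0")
            flags = flags " WORLD"
        # -1 means 0-65535 on this page, so treat either spelling as all ports.
        if ((low + 0 <= 0 && high + 0 >= 65535) || low + 0 == -1)
            flags = flags " ALL_PORTS"
        if (flags != "")
            printf "%s %s %s %s %s-%s %s\n", group, direction, substr(flags, 2), proto, low, high, peer
    }'
}

# Demo: run the constructed sample through the audit.
printf '%s\n' "$SAMPLE_RULES" | audit_rules
```

To audit a live account, replace the sample with the tool's actual output on stdin; the parser only relies on the GROUP line preceding its PERMISSION lines and on the last two columns being the peer and the direction.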