ec2-authorize

Description

Adds permissions to a security group.

Permissions are specified by the IP protocol (TCP, UDP or ICMP), the source of the request (by IP range or an Amazon EC2 user-group pair), the source and destination port ranges (for TCP and UDP), and the ICMP codes and types (for ICMP). When authorizing ICMP, -1 can be used as a wildcard in the type and code fields.

Permission changes are propagated to instances within the security group as quickly as possible. However, depending on the number of instances, a small delay might occur.

When authorizing a user/group pair permission, GroupName, SourceSecurityGroupName and SourceSecurityGroupOwnerId must be specified. When authorizing a CIDR IP permission, GroupName, IpProtocol, FromPort, ToPort and CidrIp must be specified.

Syntax

ec2-authorize group [-P protocol] (-p port_range | -t icmp_type_code) [-u source_group_user ...] [-o source_group ...] [-s source_subnet ...]

Options

Name | Description | Required

group

Name of the group to modify. The name must be valid and belong to the account.

Type: String

Default: None

Example: websrv

Yes

-P protocol

IP protocol.

Type: String

Valid Values: tcp | udp | icmp

Default: None

Example: udp

Yes

-u source_group_user

AWS Account ID for the account. Cannot be used when specifying a CIDR IP address.

Type: String

Default: None

Example: 495219933132

Yes

-o source_group

Name of the security group. Cannot be used when specifying a CIDR IP address.

Type: String

Default: None

Example: headoffice

Yes

-s source_subnet

CIDR range.

Type: String

Default: None

Constraints: Valid CIDR IP address range.

Example: 205.192.8.45/24

Yes

-t icmp_type_code

For the ICMP protocol, the ICMP type and code must be specified. This must be specified in the format type:code where both are integers. Type, code, or both can be specified as -1, which is a wildcard.

Type: String

Constraints: type:code, where both are integers; -1 in either field is a wildcard.

Default: None

Example: 2:5

Yes

-p port_range

For the TCP or UDP protocols, this specifies the range of ports to allow.

Type: String

Default: None

Constraints: A single integer or a range (min-max).

Example: 80-84

Yes

Output

The command returns a table that contains the following information:

  • Output type identifier ("GROUP", "PERMISSION")

  • Group name. Currently, this will report an empty string

  • Type of rule. Currently, only ALLOW rules are supported

  • Protocol to allow

  • Start of port range

  • End of port range

  • FROM

  • Source

Amazon EC2 displays errors on stderr.

Examples

Example Request

This example grants TCP port 80 access from the 205.192.0.0/16 address range to the websrv security group.

PROMPT> ec2-authorize websrv -P tcp -p 80 -s 205.192.0.0/16
GROUP       websrv  ""
PERMISSION  websrv  ALLOWS  tcp  80  80  FROM  CIDR  205.192.0.0/16
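As an added example (not part of this reference or of the EC2 API tools), the following Python applies the option constraints from the Options table as a pre-flight check before the command is invoked, and parses the PERMISSION rows described under Output. The function and regex names are assumptions of this example.

```python
import ipaddress
import re

def authorize_args(group, protocol, port_range=None, icmp_type_code=None,
                   cidr=None, source_user=None, source_group=None):
    """Check a rule against the documented constraints; return the ec2-authorize argv."""
    if protocol not in ("tcp", "udp", "icmp"):
        raise ValueError("protocol must be tcp, udp or icmp")
    args = [group, "-P", protocol]
    if protocol == "icmp":
        # ICMP rules take -t type:code; both integers, -1 is a wildcard
        if icmp_type_code is None or port_range is not None:
            raise ValueError("icmp rules take -t type:code, not -p")
        if not re.fullmatch(r"(-1|\d+):(-1|\d+)", icmp_type_code):
            raise ValueError("icmp type:code must be integers or -1")
        args += ["-t", icmp_type_code]
    else:
        # TCP/UDP rules take -p as a single port or a min-max range
        if port_range is None or icmp_type_code is not None:
            raise ValueError("tcp/udp rules take -p port_range, not -t")
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", port_range)
        if not m:
            raise ValueError("port_range must be an integer or min-max")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("port_range out of order or outside 0-65535")
        args += ["-p", port_range]
    # The source is either a CIDR (-s) or a user/group pair (-u and -o), never both
    if cidr is not None:
        if source_user is not None or source_group is not None:
            raise ValueError("-s cannot be combined with -u/-o")
        ipaddress.ip_network(cidr, strict=False)  # raises on a malformed CIDR
        args += ["-s", cidr]
    elif source_user is not None and source_group is not None:
        args += ["-u", source_user, "-o", source_group]
    else:
        raise ValueError("need -s cidr, or both -u and -o")
    return args

PERMISSION_RE = re.compile(
    r"^PERMISSION\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+FROM\s+(\S+)\s+(.+?)\s*$")

def parse_permission(line):
    """Parse one PERMISSION row of ec2-authorize output into its columns."""
    m = PERMISSION_RE.match(line)
    if not m:
        return None
    keys = ("group", "rule", "protocol", "from_port", "to_port", "source_kind", "source")
    return dict(zip(keys, m.groups()))
```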