Amazon Elastic Compute Cloud
CLI Reference (API Version 2011-12-15)

ec2-revoke

Description

This command applies to both EC2 security groups and VPC security groups. For information about VPC security groups and how they differ from EC2 security groups, see Security Groups in the Amazon Virtual Private Cloud User Guide.

This command removes a rule from a security group. The rule can be for ingress traffic or, for VPC security groups only, for egress traffic.

The values that you specify in the revoke request (protocol, ports, CIDR range or group, and so on) must exactly match the existing rule's values in order for the rule to be removed.

Each rule consists of the protocol (e.g., TCP), plus either a CIDR range, or a source group (for ingress rules) or destination group (for egress rules). For TCP and UDP, you must also specify the destination port or port ranges. You can specify -1 to mean all ports (i.e., port range 0-65535). For ICMP, you must also specify the ICMP type and code. You can use -1 for the type or code to mean all types or all codes.

Permission changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.

The short version of this command is ec2revoke.

Syntax

ec2-revoke group [--egress] [-P protocol] (-p port_range | -t icmp_type_code) [-u source_or_dest_group_owner ...] [-o source_or_dest_group ...] [-s source_or_dest_cidr ...]

Options

Name  |  Description  |  Required

group

For EC2 groups: Name or ID of the security group to modify.

For VPC groups: ID of the security group to modify (e.g., sg-1a2b3c4d).

The group must belong to your AWS account.

Type: String

Default: None

Example: websrv

Yes

--egress

Optional flag applicable only to VPC security groups. The flag designates that the rule is an egress rule (i.e., it controls traffic leaving the VPC security group).

Default: If this is not specified, the rule applies to ingress traffic for the specified security group.

No

-P, --protocol protocol

IP protocol name or number to revoke (go to Protocol Numbers). EC2 security groups can have rules only for TCP, UDP, and ICMP, whereas VPC security groups can have rules assigned to any protocol number.

When you call ec2-describe-group, the protocol value returned is the number. Exception: For TCP, UDP, and ICMP, the value returned is the name (e.g., tcp, udp, or icmp).

Type: String

Valid Values for EC2 security groups: tcp | udp | icmp or the corresponding protocol number (6 | 17 | 1).

Default for EC2 groups: TCP if a source CIDR is specified (or implied by default), or all three protocols (TCP, UDP, and ICMP) if a source group is specified (to ensure backward compatibility).

Valid Values for VPC groups: tcp | udp | icmp or any protocol number (go to Protocol Numbers). Use all to specify all protocols.

Condition: Required for VPC security groups.

Example: -P udp

Conditional

-p port_range

For TCP or UDP, this specifies the range of ports to revoke.

Type: String

Default: None

Valid Values: A single integer or a range (min-max). You can specify -1 to mean all ports (i.e., port range 0-65535).

Condition: Required if specifying tcp or udp (or the equivalent number) for the protocol.

Example: -p 80-84

Conditional

-t icmp_type_code

For ICMP, this specifies the ICMP type and code to revoke. This must be specified in the format type:code where both are integers. You can use -1 for the type or code to mean all types or all codes.

Type: String

Default: None

Condition: Required if specifying icmp (or the equivalent number) for the protocol.

Example: -t -1:-1

Conditional

-u source_or_dest_group_owner

AWS account ID that owns the source security group (for ingress rules) or destination security group (for egress rules). If the group is in your own account, set this to your own AWS account ID. Cannot be used when specifying a CIDR IP address.

Type: String

Default: None

Condition: Required when revoking a rule that gives access to one or more source security groups.

Example: -u 999988887777

Conditional

-o source_or_dest_group

The source security group (for ingress rules), or destination security group (for egress rules). When revoking a rule for a VPC security group, you must specify the group's ID (e.g., sg-9d4e5f6g) instead of its name. Cannot be used when specifying a CIDR IP address with the -s option.

Type: String

Default: None

Condition: Required if revoking access to one or more source or destination security groups.

Example: -o headoffice

Conditional

-s, --cidr source_or_dest_cidr

CIDR range. Cannot be used when specifying a source or destination security group with the -o option.

Type: String

Default: 0.0.0.0/0

Constraints: Valid CIDR IP address range.

Condition: Required if revoking access to one or more IP address ranges.

Example: -s 205.192.8.45/24

Conditional

Common Options

Option  |  Description

--region REGION

Overrides the Region specified in the EC2_URL environment variable and the URL specified by the -U option.

Default: The EC2_URL environment variable, or us-east-1 if the environment variable is not set.

Example: --region eu-west-1

-U, --url URL

URL is the uniform resource locator of the Amazon EC2 web service entry point.

Default: The EC2_URL environment variable, or https://ec2.amazonaws.com if the environment variable is not set.

Example: -U https://ec2.amazonaws.com

-K, --private-key EC2-PRIVATE-KEY

The private key to use when constructing requests to Amazon EC2.

Default: The value of the EC2_PRIVATE_KEY environment variable.

Example: -K pk-HKZYKTAIG2ECMXYIBH3HXV4ZBZQ55CLO.pem

-C, --cert EC2-CERT

The X.509 certificate to use when constructing requests to Amazon EC2.

Default: The value of the EC2_CERT environment variable.

Example: -C cert-HKZYKTAIG2ECMXYIBH3HXV4ZBZQ55CLO.pem

--connection-timeout TIMEOUT

Specifies a connection timeout (in seconds).

Example: --connection-timeout 30

--request-timeout TIMEOUT

Specifies a request timeout (in seconds).

Example: --request-timeout 45

-v, --verbose

Displays verbose output by showing the SOAP request and response on the command line. This is particularly useful if you are building tools to talk directly to our SOAP API.

-H, --headers

Displays column headers in the output.

--show-empty-fields

Shows empty columns as (nil).

--hide-tags

Do not display tags for tagged resources.

--debug

Prints internal debugging information. This is useful to assist us when troubleshooting problems.

-?, --help, -h

Displays Help.

-

If - is specified as an argument to one of the parameters, a list of arguments is read from standard input. This is useful for piping the output of one command into the input of another.

Example: ec2-describe-instances | grep stopped | cut -f 2 | ec2-start-instances -

Output

The command returns a table that contains the following information:

  • Output type identifier ("GROUP", "PERMISSION")

  • Group name; currently, this will report an empty string

  • Type of rule; currently, only ALLOW rules are supported

  • Protocol to allow

  • Start of port range

  • End of port range

  • FROM

  • Source

Amazon EC2 command line tools display errors on stderr.

Examples

Example Request

This example revokes TCP port 80 access from the 205.192.0.0/16 address range for the websrv security group.

PROMPT> ec2-revoke websrv -P tcp -p 80 -s 205.192.0.0/16
GROUP websrv 
PERMISSION websrv ALLOWS tcp 80 80 FROM CIDR 205.192.0.0/16
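Because a revoke request only takes effect when every value matches the existing rule exactly, a practical way to remove rules is to derive the ec2-revoke invocation from the GROUP/PERMISSION rows the tools print rather than typing values by hand. The following script is an added example and not part of the AWS reference page or its tools: it reads rows in the table layout shown under "Output" and emits one matching ec2-revoke command per rule that is open to the whole Internet (0.0.0.0/0), the kind of rule a security group audit usually wants removed first. It assumes (not stated on this page) that ec2-describe-group prints the same GROUP/PERMISSION layout and that, for icmp rows, the two numeric fields are the ICMP type and code rather than a port range. The function names and the sample rows are constructed for the example; rows that reference a source group instead of a CIDR are skipped, since those must be revoked with -u/-o.

```shell
#!/bin/sh
# Added example (not part of the AWS reference page): turn PERMISSION rows in the
# GROUP/PERMISSION table layout shown under "Output" into matching ec2-revoke
# invocations for rules whose source CIDR equals a target (default 0.0.0.0/0).
# Assumptions (not stated on this page): ec2-describe-group prints rows in the
# same layout, and for icmp the two numeric fields are the ICMP type and code.

# Constructed sample input in the page's output layout (not real account data).
SAMPLE_ROWS='GROUP websrv
PERMISSION websrv ALLOWS tcp 80 80 FROM CIDR 205.192.0.0/16
PERMISSION websrv ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0
PERMISSION websrv ALLOWS udp 161 162 FROM CIDR 0.0.0.0/0
PERMISSION websrv ALLOWS icmp -1 -1 FROM CIDR 0.0.0.0/0
PERMISSION websrv ALLOWS tcp 443 443 FROM CIDR 10.0.0.0/8'

# build_revoke_cmds (hypothetical helper): read PERMISSION rows on stdin and
# print one ec2-revoke command per rule whose CIDR matches $1. Rows that name a
# source group (no CIDR) are skipped; they need -u/-o and are not handled here.
build_revoke_cmds() {
    target="${1:-0.0.0.0/0}"
    while read -r kind group _action proto start end _from srctype src _rest; do
        [ "$kind" = "PERMISSION" ] || continue
        [ "$srctype" = "CIDR" ] || continue
        [ "$src" = "$target" ] || continue
        case "$proto" in
            tcp|udp)
                # The revoke must repeat the existing rule's port range exactly;
                # a single port is written as one integer, as in the page example.
                if [ "$start" = "$end" ]; then ports="$start"; else ports="$start-$end"; fi
                printf 'ec2-revoke %s -P %s -p %s -s %s\n' "$group" "$proto" "$ports" "$src" ;;
            icmp)
                # ICMP rules are keyed by type:code, with -1 meaning all (see -t).
                printf 'ec2-revoke %s -P %s -t %s:%s -s %s\n' "$group" "$proto" "$start" "$end" "$src" ;;
            *)
                # Other protocol numbers occur only in VPC groups and take no port.
                printf 'ec2-revoke %s -P %s -s %s\n' "$group" "$proto" "$src" ;;
        esac
    done
}

# count_open_rules (hypothetical helper): number of rules in the listing on
# stdin whose source CIDR equals $1 (default 0.0.0.0/0).
count_open_rules() {
    build_revoke_cmds "$1" | wc -l | tr -d ' '
}

# Stand-alone run: print the revoke commands for the constructed sample. To audit
# a live account, pipe real ec2-describe-group output in place of SAMPLE_ROWS and
# review each printed command before running it.
printf '%s\n' "$SAMPLE_ROWS" | build_revoke_cmds
```

The script prints commands rather than executing them, so the operator reviews exactly which rules will be revoked; only rows whose CIDR matches the target are turned into commands, and the port range and ICMP type:code are copied from the row verbatim to satisfy the exact-match requirement described above.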