Revokes permissions from a security group. The permissions used to revoke must be specified using the same values used to grant the permissions.
Permissions are specified by IP protocol (TCP, UDP, or ICMP), the source of the request (by IP range or an Amazon EC2 user-group pair), the source and destination port ranges (for TCP and UDP), and the ICMP codes and types (for ICMP).
Permission changes are quickly propagated to instances within the security group. However, depending on the number of instances in the group, a small delay might occur.
ec2-revoke group [-P protocol] (-p port_range | -t icmp_type_code) [-u source_group_user ...] [-o source_group ...] [-s source_subnet ...]
| Name | Description | Required |
|---|---|---|
| group | Name of the group to modify. Type: String. Default: None. Example: websrv | Yes |
The command returns a table that contains the following information:
Output type identifier ("GROUP", "PERMISSION")
Group name. Currently, this will report an empty string
Type of rule. Currently, only ALLOW rules are supported
Protocol to allow
Start of port range
End of port range
FROM
Source
Amazon EC2 displays errors on stderr.
This example revokes TCP port 80 access from the 205.192.0.0/16 address range for the websrv security group.

PROMPT> ec2-revoke websrv -P tcp -p 80 -s 205.192.0.0/16
GROUP websrv ""
PERMISSION websrv ALLOWS tcp 80 80 FROM CIDR 205.192.0.0/16
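Because a revoke only takes effect when protocol, port range and source are given with exactly the values used in the grant, it is worth checking the PERMISSION table the command returns against the rule you meant to remove. The following is an added example, not part of the Amazon EC2 documentation: it parses the output layout shown above and confirms the revoked rule matches the intended protocol, -p port specification and -s CIDR (function and field names are my own; the sample output is the one from this page).

```python
# Added example (not Amazon's code): parse the GROUP/PERMISSION table that
# ec2-revoke prints and verify that the rule it reports matches the values
# of the intended revoke. Field layout is taken from this page's output.
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    group: str
    protocol: str
    from_port: int
    to_port: int
    source_kind: str   # e.g. "CIDR"
    source: str        # e.g. "205.192.0.0/16"


def parse_permissions(output: str) -> list:
    """Parse lines of the form
    PERMISSION <group> ALLOWS <proto> <from> <to> FROM <kind> <source...>
    GROUP lines carry no rule and are skipped."""
    rules = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0] != "PERMISSION":
            continue
        _, group, rule, proto, lo, hi, _from, kind, *source = fields
        if rule != "ALLOWS":          # only ALLOW rules exist in this API
            raise ValueError(f"unsupported rule type: {rule}")
        rules.append(Permission(group, proto, int(lo), int(hi), kind, " ".join(source)))
    return rules


def port_range(spec: str):
    """Expand a -p argument: '80' means 80-80, '1024-2048' is an explicit range."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def find_matching_rule(rules, group, protocol, port_spec, cidr):
    """Return the rule that a revoke of (-P protocol -p port_spec -s cidr)
    on <group> corresponds to, or None when no rule uses exactly those values
    (a wider or narrower range, or a different CIDR, is a different rule)."""
    lo, hi = port_range(port_spec)
    for r in rules:
        if (r.group, r.protocol, r.from_port, r.to_port) == (group, protocol, lo, hi) \
                and r.source_kind == "CIDR" and r.source == cidr:
            return r
    return None


# Constructed sample: the output shown on this page.
SAMPLE = 'GROUP websrv ""\nPERMISSION websrv ALLOWS tcp 80 80 FROM CIDR 205.192.0.0/16\n'
```

A None result for the values you passed to ec2-revoke means the reported rule differs from the one you intended, so the grant you wanted gone should be re-checked before assuming the access is closed.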