ec2-authorize
Description
Adds permissions to a security group.
Permissions are specified by the IP protocol (TCP, UDP or ICMP), the source of the request (by IP range or an Amazon EC2 user-group pair), the source and destination port ranges (for TCP and UDP), and the ICMP codes and types (for ICMP). When authorizing ICMP, -1 can be used as a wildcard in the type and code fields.
Permission changes are propagated to instances within the security group as quickly as possible. However, depending on the number of instances, a small delay might occur.
When authorizing a user/group pair permission, GroupName, SourceSecurityGroupName and SourceSecurityGroupOwnerId must be specified. When authorizing a CIDR IP permission, GroupName, IpProtocol, FromPort, ToPort and CidrIp must be specified. Mixing these two types of parameters is not allowed.
Syntax
ec2-authorize group [-P protocol] (-p port_range | -t icmp_type_code) [-u source_group_user ...] [-o source_group ...] [-s source_subnet ...]
Options
Name | Description | Required |
---|---|---|
group | Name of the group to modify. The name must be valid and belong to the account. Type: String. Default: None. Example: websrv | Yes |
-P protocol | IP protocol. Type: String. Default: None. Valid Values: tcp, udp, icmp. Example: udp | Yes |
-u source_group_user | AWS User ID of an account. Type: String. Default: None. Example: 495219933132 | Yes |
-o source_group | Name of the security group. Type: String. Default: None. Example: headoffice | Yes |
-s source_subnet | CIDR range. Type: String. Default: None. Constraints: Valid CIDR IP address range. Example: 205.192.8.45/24 | Yes |
-t icmp_type_code | For the ICMP protocol, the ICMP type and code must be specified, in the format type:code where both are integers. Type, code, or both can be specified as -1, which is a wildcard. Type: String. Default: None. Example: 2:5 | Yes |
-p port_range | For the TCP or UDP protocols, the range of ports to allow. Type: String. Default: None. Constraints: A single integer or a range (min-max). Example: 80-84 | Yes |
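The Description and the Options table together define which parameter combinations ec2-authorize accepts: -p for TCP/UDP or -t for ICMP (with -1 as a wildcard), and either a CIDR source (-s) or a user/group pair (-u with -o), never both. The following is an added example, not code from the documentation or from the EC2 API tools: a small Python checker that applies those rules and assembles the argv list for the command without executing it. The 0-65535 port bound and 0-255 ICMP type/code bound are assumptions of this example; the page does not state them.

```python
import ipaddress
import re

# Added example (not part of the ec2-authorize documentation): validates an
# ec2-authorize invocation against the rules in the Description and Options
# sections so a malformed or mixed rule is rejected locally, before the API sees it.


def parse_port_range(value):
    """Return (from_port, to_port) for '-p': a single integer or 'min-max'."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", value)
    if not m:
        raise ValueError(f"port range must be an integer or min-max, got {value!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) is not None else lo
    # 0-65535 is the TCP/UDP port space; the page states no bound, so this is an assumption.
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range must satisfy 0 <= min <= max <= 65535, got {value!r}")
    return lo, hi


def parse_icmp_type_code(value):
    """Return (icmp_type, icmp_code) for '-t type:code'; -1 is the wildcard in either field."""
    m = re.fullmatch(r"(-1|\d+):(-1|\d+)", value)
    if not m:
        raise ValueError(f"ICMP rule must be type:code with integers or -1, got {value!r}")
    icmp_type, icmp_code = int(m.group(1)), int(m.group(2))
    # Type and code are one byte each on the wire; the 0-255 bound is an assumption, not from the page.
    for name, v in (("type", icmp_type), ("code", icmp_code)):
        if v != -1 and not 0 <= v <= 255:
            raise ValueError(f"ICMP {name} must be -1 or 0-255, got {v}")
    return icmp_type, icmp_code


def build_authorize_argv(group, protocol, port_range=None, icmp_type_code=None,
                         source_group_user=None, source_group=None, source_subnet=None):
    """Check the parameter combination and return the argv list for ec2-authorize.

    Mirrors the Description: a CIDR rule needs -P, -p/-t and -s; a user/group
    rule needs -u and -o; the two kinds must not be mixed. Nothing is executed.
    """
    if not group:
        raise ValueError("group name is required")
    protocol = protocol.lower()
    if protocol not in ("tcp", "udp", "icmp"):
        raise ValueError(f"protocol must be tcp, udp or icmp, got {protocol!r}")

    cidr_rule = source_subnet is not None
    pair_rule = source_group_user is not None or source_group is not None
    if cidr_rule and pair_rule:
        raise ValueError("mixing a CIDR source (-s) with a user/group source (-u/-o) is not allowed")
    if not cidr_rule and not pair_rule:
        raise ValueError("a source is required: -s CIDR, or -u owner id with -o group name")
    if pair_rule and (source_group_user is None or source_group is None):
        raise ValueError("a user/group rule needs both -u source_group_user and -o source_group")

    argv = ["ec2-authorize", group, "-P", protocol]

    # -t goes with icmp, -p with tcp/udp; never both.
    if protocol == "icmp":
        if icmp_type_code is None or port_range is not None:
            raise ValueError("icmp rules take -t type:code and no -p")
        icmp_type, icmp_code = parse_icmp_type_code(icmp_type_code)
        argv += ["-t", f"{icmp_type}:{icmp_code}"]
    else:
        if port_range is None or icmp_type_code is not None:
            raise ValueError("tcp/udp rules take -p port_range and no -t")
        lo, hi = parse_port_range(port_range)
        argv += ["-p", f"{lo}-{hi}" if lo != hi else str(lo)]

    if pair_rule:
        argv += ["-u", str(source_group_user), "-o", source_group]
    else:
        # Syntax check only; strict=False accepts host bits set, as in the page's 205.192.8.45/24 example.
        ipaddress.ip_network(source_subnet, strict=False)
        argv += ["-s", source_subnet]
    return argv


def is_rejected(**kwargs):
    """True when build_authorize_argv refuses the combination."""
    try:
        build_authorize_argv(**kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The page's own example request, validated and assembled (printed, not run).
    print(" ".join(build_authorize_argv("websrv", "tcp", port_range="80", source_subnet="205.192.0.0/16")))
```

Running the module prints the page's example invocation; calling `build_authorize_argv` with both `-s` and `-o`, with `-p` on an ICMP rule, or with an inverted range such as `84-80` raises ValueError before anything reaches the command line.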
Output
The command returns a table that contains the following information:
- Output type identifier ("GROUP", "PERMISSION")
- Group name. Currently, this will report an empty string
- Type of rule. Currently, only ALLOW rules are supported
- Protocol to allow
- Start of port range
- End of port range
- FROM
- Source
Amazon EC2 displays errors on stderr.
Examples
Example Request
This example grants TCP port 80 access from the 205.192.0.0/16 address range to the websrv security group.
PROMPT> ec2-authorize websrv -P tcp -p 80 -s 205.192.0.0/16
GROUP websrv ""
PERMISSION websrv ALLOWS tcp 80 80 FROM CIDR 205.192.0.0/16
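The Output section fixes the column order of each PERMISSION row, and the example above shows one such row. As an added example that is not part of the documentation, the Python below parses rows in that layout and flags the two things a reviewer most often wants surfaced from a security group's rule list: a CIDR source of 0.0.0.0/0 and a very wide TCP/UDP port span. The sample output is constructed: the GROUP line and first PERMISSION line are the page's example, the remaining rows are invented; tab separation and the alert thresholds are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample output. The GROUP line and the first PERMISSION line are
# the page's own example; the other PERMISSION lines are invented for this audit.
SAMPLE_OUTPUT = (
    'GROUP\twebsrv\t""\n'
    "PERMISSION\twebsrv\tALLOWS\ttcp\t80\t80\tFROM\tCIDR\t205.192.0.0/16\n"
    "PERMISSION\twebsrv\tALLOWS\ttcp\t22\t22\tFROM\tCIDR\t0.0.0.0/0\n"
    "PERMISSION\twebsrv\tALLOWS\tudp\t1\t65535\tFROM\tCIDR\t10.0.0.0/8\n"
)


@dataclass
class Permission:
    group: str
    rule: str         # "ALLOWS"; the page says only ALLOW rules are supported
    protocol: str
    from_port: int
    to_port: int
    source_kind: str  # "CIDR" in the page's example
    source: str


def parse_permissions(text):
    """Parse ec2-authorize output rows into Permission records.

    Column order follows the Output section: type, group, rule, protocol,
    start port, end port, FROM, source. Tab separation is assumed (not stated
    on the page); whitespace splitting is the fallback for copy-pasted output.
    """
    perms = []
    for line in text.splitlines():
        fields = line.split("\t") if "\t" in line else line.split()
        if not fields or fields[0] != "PERMISSION":
            continue  # GROUP header rows and blank lines carry nothing to audit
        if len(fields) < 9 or fields[6] != "FROM":
            raise ValueError(f"unexpected PERMISSION row: {line!r}")
        perms.append(Permission(
            group=fields[1], rule=fields[2], protocol=fields[3].lower(),
            from_port=int(fields[4]), to_port=int(fields[5]),
            source_kind=fields[7], source=" ".join(fields[8:]),
        ))
    return perms


def audit_permissions(perms, wide_port_span=1000):
    """Return human-readable findings for rules a reviewer would want to look at.

    The wide_port_span threshold is this example's own choice, not from the page.
    """
    findings = []
    for p in perms:
        where = f"{p.group}: {p.protocol} {p.from_port}-{p.to_port} from {p.source}"
        # A /0 source means any address on the Internet may reach the instances.
        if p.source_kind == "CIDR" and ipaddress.ip_network(p.source, strict=False).prefixlen == 0:
            findings.append(f"{where}: open to any source address (0.0.0.0/0)")
        # For TCP/UDP the two port columns bound a range; a huge span usually means "all ports".
        if p.protocol in ("tcp", "udp") and p.to_port - p.from_port >= wide_port_span:
            findings.append(f"{where}: spans {p.to_port - p.from_port + 1} ports")
    return findings


if __name__ == "__main__":
    for finding in audit_permissions(parse_permissions(SAMPLE_OUTPUT)):
        print(finding)
```

Run against the sample, the page's own rule (tcp 80 from 205.192.0.0/16) produces no finding, while the constructed SSH-from-anywhere and all-UDP-ports rows each produce one.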