ec2-revoke
Description
Revokes permissions from a security group. The permissions used to revoke must be specified using the same values used to grant the permissions.
Permissions are specified by IP protocol (TCP, UDP, or ICMP), the source of the request (by IP range or an Amazon EC2 user-group pair), the source and destination port ranges (for TCP and UDP), and the ICMP codes and types (for ICMP).
Permission changes are quickly propagated to instances within the security group. However, depending on the number of instances in the group, a small delay is might occur.
Syntax
ec2-revoke
group
[-P protocol]
(-p port_range | -t icmp_type_code)
[-u source_group_user ...]
[-o source_group ...]
[-s source_subnet ...]
Options
| Name | Description | Required |
|---|---|---|
|
Name of the group to modify. Type: String Default: None Example: websrv |
Yes |
Output
The command returns a table that contains the following information:
-
Output type identifier ("GROUP", "PERMISSION")
-
Group name. Currently, this will report an empty string
-
Type of rule. Currently, only ALLOW rules are supported
-
Protocol to allow
-
Start of port range
-
End of port range
-
FROM
-
Source
Amazon EC2 displays errors on stderr.
Examples
Example Request
This example revokes TCP port 80 access from the 205.192.0.0/16 address range for the websrv security group.
PROMPT>ec2-revoke websrv -P tcp -p 80 -s 205.192.0.0/16GROUP websrv "" PERMISSION websrv ALLOWS tcp 80 80 FROM CIDR 205.192.0.0/16