ec2-revoke group [-P protocol] (-p port_range | -t icmp_type_code) [-u source_group_user ...] [-o source_group ...] [-s source_subnet ...]
Revokes a rule from the security group named GROUP. To identify the rule to be removed you must provide exactly the same set of options used to create that rule (see ec2-add-group).
| Option | Description | Required |
|---|---|---|
| group | The group to which this rule will apply. Example: | Yes |
| -P protocol | The protocol to revoke. Condition: Applies when specifying a CIDR subnet as the source. Valid Values: Example: | Yes |
| -p port_range | For the TCP or UDP protocols, this specifies the range of ports to revoke. You specify a single integer or a range (min-max). Condition: Applies when specifying a CIDR subnet as the source. Example: | Yes |
| -t icmp_type_code | For the ICMP protocol, you must specify the ICMP type and code. Use the type:code format, where both are integers. To specify a wildcard for either or both, enter Condition: Applies when specifying a CIDR subnet as the source. Example: | Yes |
| -u source_group_user | The owner of a group specified using Example: | No |
| -o source_group | The network source from which traffic will be revoked specified as a security Group. See the description of the Example: | No |
| -s source_subnet | The network source from which traffic is to be revoked specified as a CIDR subnet range. Example: | No |
A table containing the following information is returned:
- Output type identifier ("GROUP", "PERMISSION")
- Group name. Currently, this will report an empty string
- Type of rule. Currently, only ALLOW rules are supported
- Protocol to allow
- Start of port range
- End of port range
- FROM
- Source
Amazon EC2 displays errors on stderr.
This example revokes TCP port 80 access from the
205.192.0.0/16 address range for the websrv
security group.

    $ ec2-revoke websrv -P tcp -p 80 -s 205.192.0.0/16
    GROUP websrv ""
    PERMISSION websrv ALLOWS tcp 80 80 FROM CIDR 205.192.0.0/16
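
Because a rule is only revoked when the options match the ones it was created with, it helps to derive the command from the PERMISSION line itself. The following is an added example, not part of the original reference or the EC2 tools: a shell function that validates a CIDR-sourced PERMISSION line in the output format shown above and prints the matching ec2-revoke invocation. The name revoke_cmd_for, the udp sample line, and the reading of the two port columns as ICMP type and code are assumptions.

```shell
#!/bin/sh
# Added example: build the ec2-revoke command that matches a PERMISSION line.
# Field layout, taken from the output list and example on this page:
#   PERMISSION <group> ALLOWS <protocol> <start> <end> FROM CIDR <subnet>
revoke_cmd_for() {
    set -f              # do not glob-expand fields while splitting
    set -- $1           # split the line on whitespace into $1..$9
    set +f
    [ "$1" = "PERMISSION" ] && [ "$3" = "ALLOWS" ] || return 1
    # Only CIDR-sourced rules are handled here; group sources are skipped.
    [ "$7" = "FROM" ] && [ "$8" = "CIDR" ] && [ -n "$9" ] || return 1
    group=$2 proto=$4 from=$5 to=$6 cidr=$9
    # Reject anything that is not a plain name, number or subnet, so the
    # printed command is safe to review and paste into a shell.
    case $group in *[!A-Za-z0-9_.-]*) return 1 ;; esac
    case $from$to in *[!0-9-]*) return 1 ;; esac
    case $cidr in *[!0-9./]*) return 1 ;; esac
    case $proto in
        tcp|udp)
            # A single port is given as one integer, otherwise min-max.
            if [ "$from" = "$to" ]; then range=$from; else range=$from-$to; fi
            echo "ec2-revoke $group -P $proto -p $range -s $cidr" ;;
        icmp)
            # Assumption: the start/end columns carry ICMP type and code.
            echo "ec2-revoke $group -P icmp -t $from:$to -s $cidr" ;;
        *)  return 1 ;;
    esac
}

# Constructed sample output (the first two lines are the page's example).
while IFS= read -r line; do
    revoke_cmd_for "$line" || echo "skipped: $line" >&2
done <<'EOF'
GROUP websrv ""
PERMISSION websrv ALLOWS tcp 80 80 FROM CIDR 205.192.0.0/16
PERMISSION websrv ALLOWS udp 5000 5010 FROM CIDR 10.0.0.0/8
EOF
```

The function only prints the command; review each line against the group's current rules before running it.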