Remove Security Group Rules with AWS CLI

Table of Contents #

1. Remove a Security Group Inbound Rule with AWS CLI
2. Remove a Security Group Outbound Rule with AWS CLI

Remove a Security Group Inbound Rule with AWS CLI #

To remove an inbound rule from a security group, we need to:

1. Get the security group ID
2. Run the revoke-security-group-ingress command, passing in details that identify the rule to be removed

To get the security group ID, open your AWS console, or if you've named the security groups in that specific region uniquely, run the describe-security-groups command:

Copied!
aws ec2 describe-security-groups --query 'SecurityGroups[*].{sgName:GroupName,sgId:GroupId,vpcId:VpcId}'

The command returns a list of the security group names, IDs and VPC IDs:

Next, run the revoke-security-group-ingress command passing in the details that identify the rule to be removed:

Copied!
aws ec2 revoke-security-group-ingress --group-id sg-ABC123 --protocol tcp --port 80 --cidr 0.0.0.0/0

In the code snippet above, we've removed an inbound rule that allows http traffic on port 80 from anywhere.

To verify that the rule has been removed, run the describe-security-groups command:

Copied!
aws ec2 describe-security-groups --group-ids sg-ABC123

If the rule is not found in the security group, the AWS CLI throws an error: "The specified rule does not exist in this security group".

If your inbound rule specifies a port range or you want to remove multiple inbound rules, use the --ip-permissions parameter in the call to revoke-security-group-ingress:

Copied!
aws ec2 revoke-security-group-ingress --group-id sg-ABC123 --ip-permissions "[{\"IpProtocol\": \"tcp\", \"FromPort\": 80, \"ToPort\": 90, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]"

In the code snippet we've removed an inbound rule that allows TCP traffic from anywhere to a port range of 80-90.

The syntax with the --ip-permission parameter is quite tricky, make sure you escape the double quotes in the json input.

If you need to remove multiple inbound rules with a single command pass multiple objects in the list of the --ip-permission parameter.

Remove a Security Group Outbound Rule with AWS CLI #

To remove a security group outbound rule with the AWS CLI, run the revoke-security-group-egress command, passing in parameters that identify the rule you're trying to remove.

Copied!
aws ec2 revoke-security-group-egress --group-id sg-ABC123 --protocol icmp --port -1 --cidr 0.0.0.0/0

The command above removes an outbound rule that allows icmp traffic on all ports to everywhere.

To verify that the rule has been removed, run the describe-security-groups command:

Copied!
aws ec2 describe-security-groups --group-ids sg-ABC123

If your outbound rule specifies a port range or you want to remove multiple outbound rules, use the --ip-permissions parameter in the call to revoke-security-group-egress:

Copied!
aws ec2 revoke-security-group-egress --group-id sg-ABC123 --ip-permissions "[{\"IpProtocol\": \"tcp\", \"FromPort\": 80, \"ToPort\": 90, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]"

In the command above, we removed an outbound rule that allows TCP traffic on ports 80-90 to everywhere.

To remove multiple inbound rules in a single call to revoke-security-group-egress, pass multiple objects in the list of the --ip-permissions parameter.

Further Reading #

• Create a Role with AWS CLI - Complete Guide
• Create a Lambda Function with AWS CLI - Complete Guide
• Invoke Lambda Functions with AWS CLI - Complete Guide
• How to Get your Account Id with AWS CLI
• How to Get your Default Profile with AWS CLI
• Manage Multiple Accounts with the AWS CLI
• Set your Default Profile's Name in AWS CLI
• How to Clear your AWS CLI Credentials
• View your AWS CLI logs in Real Time (tail)
• How to turn off the Pager in AWS CLI
• Tag an S3 Bucket with AWS CLI
• AWS CDK Tutorial for Beginners - Step-by-Step Guide
• How to use Parameters in AWS CDK