Remove Security Group Rules with AWS CLI

Borislav Hadzhiev

Thu Sep 16 2021, 3 min read

Table of Contents #

  1. Remove a Security Group Inbound Rule with AWS CLI
  2. Remove a Security Group Outbound Rule with AWS CLI

Remove a Security Group Inbound Rule with AWS CLI #

To remove an inbound rule from a security group, we need to:

  1. Get the security group ID
  2. Run the revoke-security-group-ingress command, passing in details that identify the rule to be removed

To get the security group ID, open your AWS console, or, if you've given the security groups in that region unique names, run the describe-security-groups command:

shell
aws ec2 describe-security-groups --query 'SecurityGroups[*].{sgName:GroupName,sgId:GroupId,vpcId:VpcId}'

The command returns a list of the security group names, IDs and VPC IDs:

[screenshot: describe-security-groups output]

Next, run the revoke-security-group-ingress command passing in the details that identify the rule to be removed:

shell
aws ec2 revoke-security-group-ingress --group-id sg-ABC123 --protocol tcp --port 80 --cidr 0.0.0.0/0

[screenshot: remove inbound rule]

In the code snippet above, we've removed an inbound rule that allows HTTP traffic on port 80 from anywhere.

If the rule has a protocol or port of All, pass the value -1 for the --protocol or --port parameter in your call to the revoke-security-group-ingress command.

To verify that the rule has been removed, run the describe-security-groups command:

shell
aws ec2 describe-security-groups --group-ids sg-ABC123

You might have seen that in the AWS CLI docs, the first example uses the --group-name parameter to identify the security group. Note that you can only use the --group-name parameter when the security group is in your default VPC in that region.

If the security group you're trying to remove a rule from is not in your default VPC, you must use the --group-id parameter.

If the rule is not found in the security group, the AWS CLI throws an error: "The specified rule does not exist in this security group".

If your inbound rule specifies a port range or you want to remove multiple inbound rules, use the --ip-permissions parameter in the call to revoke-security-group-ingress:

shell
aws ec2 revoke-security-group-ingress --group-id sg-ABC123 --ip-permissions "[{\"IpProtocol\": \"tcp\", \"FromPort\": 80, \"ToPort\": 90, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]"

[screenshot: remove inbound rule with --ip-permissions parameter]

In the code snippet above, we've removed an inbound rule that allows TCP traffic from anywhere to the port range 80-90.

The syntax of the --ip-permissions parameter is quite tricky: make sure you escape the double quotes in the JSON input.

If you need to remove multiple inbound rules with a single command, pass multiple objects in the list of the --ip-permissions parameter.

Remove a Security Group Outbound Rule with AWS CLI #

To remove a security group outbound rule with the AWS CLI, run the revoke-security-group-egress command, passing in parameters that identify the rule you're trying to remove.

shell
aws ec2 revoke-security-group-egress --group-id sg-ABC123 --protocol icmp --port -1 --cidr 0.0.0.0/0

[screenshot: remove outbound rule]

The command above removes an outbound rule that allows ICMP traffic on all ports to everywhere.

Note that we've specified All ports by passing the value -1 to the --port parameter.

To verify that the rule has been removed, run the describe-security-groups command:

shell
aws ec2 describe-security-groups --group-ids sg-ABC123

If your outbound rule specifies a port range or you want to remove multiple outbound rules, use the --ip-permissions parameter in the call to revoke-security-group-egress:

shell
aws ec2 revoke-security-group-egress --group-id sg-ABC123 --ip-permissions "[{\"IpProtocol\": \"tcp\", \"FromPort\": 80, \"ToPort\": 90, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]"

[screenshot: remove outbound rule with --ip-permissions parameter]

In the command above, we removed an outbound rule that allows TCP traffic on ports 80-90 to everywhere.

To remove multiple outbound rules in a single call to revoke-security-group-egress, pass multiple objects in the list of the --ip-permissions parameter.
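Because the escaped JSON for --ip-permissions is easy to get wrong, here is a small POSIX shell helper, added as an example that is not part of the original post, which builds the JSON list from plain PROTOCOL:FROM:TO:CIDR arguments and issues a single revoke-security-group-ingress or revoke-security-group-egress call for all of them. The group ID sg-ABC123 and the rule values are constructed placeholders; it handles IPv4 CIDRs only, since IPv6 ranges use a different key (Ipv6Ranges) and contain colons.

```shell
# Added example, not code from the original post. Rule specs look like
# tcp:80:90:0.0.0.0/0 (PROTOCOL:FROM_PORT:TO_PORT:IPv4_CIDR); sg-ABC123 is a placeholder.

# Print one object of the IpPermissions list for a single rule spec.
ip_permission_object() {
  proto=${1%%:*};   rest=${1#*:}
  from=${rest%%:*}; rest=${rest#*:}
  to=${rest%%:*};   cidr=${rest#*:}
  printf '{"IpProtocol": "%s", "FromPort": %s, "ToPort": %s, "IpRanges": [{"CidrIp": "%s"}]}' \
    "$proto" "$from" "$to" "$cidr"
}

# Join any number of rule specs into the JSON list that --ip-permissions expects.
ip_permissions_json() {
  out="["
  sep=""
  for spec in "$@"; do
    out="$out$sep$(ip_permission_object "$spec")"
    sep=", "
  done
  printf '%s]' "$out"
}

# Return the full AWS CLI command as text, for review before anything is revoked.
# DIRECTION is ingress (inbound rules) or egress (outbound rules).
revoke_command() {
  direction=$1; group_id=$2; shift 2
  printf "aws ec2 revoke-security-group-%s --group-id %s --ip-permissions '%s'" \
    "$direction" "$group_id" "$(ip_permissions_json "$@")"
}

# Actually revoke the rules in one API call (requires the aws CLI and credentials).
revoke_rules() {
  direction=$1; group_id=$2; shift 2
  aws ec2 revoke-security-group-"$direction" --group-id "$group_id" \
    --ip-permissions "$(ip_permissions_json "$@")"
}

# Show the command that would remove two inbound rules from the placeholder group.
revoke_command ingress sg-ABC123 tcp:80:90:0.0.0.0/0 tcp:22:22:0.0.0.0/0
echo
```

Run the printed command by hand, or call revoke_rules with the same arguments once you have checked it; the same helpers serve the egress case by passing egress as the first argument.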
