Remove Security Group Rules with AWS CLI
Borislav Hadzhiev
Thu Sep 16 2021·3 min read
Photo by Justin Kauffman
Table of Contents #
Remove a Security Group Inbound Rule with AWS CLI #
To remove an inbound rule from a security group, we need to:
- Get the security group ID
- Run the
revoke-security-group-ingresscommand, passing in details that identify the rule to be removed
To get the security group ID, open your AWS console, or if you've named the
security groups in that specific region uniquely, run the
describe-security-groups command:
Copied!aws ec2 describe-security-groups --query 'SecurityGroups[*].{sgName:GroupName,sgId:GroupId,vpcId:VpcId}'
The command returns a list of the security group names, IDs and VPC IDs:
Next, run the revoke-security-group-ingress command passing in the details
that identify the rule to be removed:
Copied!aws ec2 revoke-security-group-ingress --group-id sg-ABC123 --protocol tcp --port 80 --cidr 0.0.0.0/0
In the code snippet above, we've removed an inbound rule that allows http traffic on port 80 from anywhere.
All, use the -1 value for those parameters in your call to the revoke-security-group-ingress command.To verify that the rule has been removed, run the describe-security-groups
command:
Copied!aws ec2 describe-security-groups --group-ids sg-ABC123
--group-name parameter to identify the security group. Note that you can only use the --group-name parameter when the security group is in your default VPC in that region.If the security group you're trying to remove a rule from, is not in your
default VPC, you must use the --group-id parameter.
If the rule is not found in the security group, the AWS CLI throws an error: "The specified rule does not exist in this security group".
If your inbound rule specifies a port range or you want to remove multiple
inbound rules, use the --ip-permissions parameter in the call to
revoke-security-group-ingress:
Copied!aws ec2 revoke-security-group-ingress --group-id sg-ABC123 --ip-permissions "[{\"IpProtocol\": \"tcp\", \"FromPort\": 80, \"ToPort\": 90, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]"
In the code snippet we've removed an inbound rule that allows TCP traffic from
anywhere to a port range of 80-90.
The syntax with the --ip-permission parameter is quite tricky, make sure you
escape the double quotes in the json input.
If you need to remove multiple inbound rules with a single command pass multiple
objects in the list of the --ip-permission parameter.
Remove a Security Group Outbound Rule with AWS CLI #
To remove a security group outbound rule with the AWS CLI, run the
revoke-security-group-egress command, passing in parameters that identify the
rule you're trying to remove.
Copied!aws ec2 revoke-security-group-egress --group-id sg-ABC123 --protocol icmp --port -1 --cidr 0.0.0.0/0
The command above removes an outbound rule that allows icmp traffic on all ports to everywhere.
All ports by passing in the -1 value to the --port parameter.To verify that the rule has been removed, run the describe-security-groups
command:
Copied!aws ec2 describe-security-groups --group-ids sg-ABC123
If your outbound rule specifies a port range or you want to remove multiple
outbound rules, use the --ip-permissions parameter in the call to
revoke-security-group-egress:
Copied!aws ec2 revoke-security-group-egress --group-id sg-ABC123 --ip-permissions "[{\"IpProtocol\": \"tcp\", \"FromPort\": 80, \"ToPort\": 90, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]"
In the command above, we removed an outbound rule that allows TCP traffic on
ports 80-90 to everywhere.
To remove multiple inbound rules in a single call to
revoke-security-group-egress, pass multiple objects in the list of the
--ip-permissions parameter.
Further Reading #
Join my newsletter
I'll send you 1 email a week with links to all of the articles I've written that week
