Borislav Hadzhiev
Thu Sep 16 2021·3 min read
To remove an inbound rule from a security group, we need to run the revoke-security-group-ingress command, passing in the details that identify the rule to be removed.
To get the security group ID, open your AWS console, or, if you've named the security groups in that specific region uniquely, run the describe-security-groups command:
aws ec2 describe-security-groups --query 'SecurityGroups[*].{sgName:GroupName,sgId:GroupId,vpcId:VpcId}'
The command returns a list of the security group names, IDs and VPC IDs:
Next, run the revoke-security-group-ingress command, passing in the details that identify the rule to be removed:
aws ec2 revoke-security-group-ingress --group-id sg-ABC123 --protocol tcp --port 80 --cidr 0.0.0.0/0
In the code snippet above, we've removed an inbound rule that allows HTTP traffic on port 80 from anywhere (0.0.0.0/0).
To remove a rule that allows all protocols on all ports, use the -1 value for the --protocol and --port parameters in your call to the revoke-security-group-ingress command.
To verify that the rule has been removed, run the describe-security-groups command:
aws ec2 describe-security-groups --group-ids sg-ABC123
You can also use the --group-name parameter to identify the security group. Note that you can only use the --group-name parameter when the security group is in your default VPC in that region. If the security group you're trying to remove a rule from is not in your default VPC, you must use the --group-id parameter.
If the rule is not found in the security group, the AWS CLI returns an error: "The specified rule does not exist in this security group".
If your inbound rule specifies a port range or you want to remove multiple inbound rules, use the --ip-permissions parameter in the call to revoke-security-group-ingress:
aws ec2 revoke-security-group-ingress --group-id sg-ABC123 --ip-permissions "[{\"IpProtocol\": \"tcp\", \"FromPort\": 80, \"ToPort\": 90, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]"
In the code snippet we've removed an inbound rule that allows TCP traffic from anywhere to the port range 80-90.
The syntax of the --ip-permissions parameter is quite tricky: when the JSON is wrapped in double quotes, every double quote inside it has to be escaped, as in the command above (wrapping the JSON in single quotes instead avoids the escaping in bash).
If you need to remove multiple inbound rules with a single command, pass multiple objects in the list of the --ip-permissions parameter.
To remove a security group outbound rule with the AWS CLI, run the revoke-security-group-egress command, passing in parameters that identify the rule you're trying to remove.
aws ec2 revoke-security-group-egress --group-id sg-ABC123 --protocol icmp --port -1 --cidr 0.0.0.0/0
The command above removes an outbound rule that allows ICMP traffic to everywhere. It matches all ICMP types and codes because we passed the -1 value to the --port parameter.
To verify that the rule has been removed, run the describe-security-groups command:
aws ec2 describe-security-groups --group-ids sg-ABC123
If your outbound rule specifies a port range or you want to remove multiple outbound rules, use the --ip-permissions parameter in the call to revoke-security-group-egress:
aws ec2 revoke-security-group-egress --group-id sg-ABC123 --ip-permissions "[{\"IpProtocol\": \"tcp\", \"FromPort\": 80, \"ToPort\": 90, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]"
In the command above, we removed an outbound rule that allows TCP traffic on ports 80-90 to everywhere.
To remove multiple outbound rules in a single call to revoke-security-group-egress, pass multiple objects in the list of the --ip-permissions parameter.
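The three steps above (identify the group, revoke with --ip-permissions, verify with describe-security-groups) tie together in the script below. It is an added example and not code from the original post: it builds the --ip-permissions JSON for both revoke-security-group-ingress and revoke-security-group-egress from short "proto:from:to:cidr" specs so no double quotes need escaping, looks up a group ID by name inside a given VPC (for groups outside the default VPC, where --group-name cannot be used), and counts the remaining rules with a JMESPath filter. Reading the CLI binary from $AWS_CLI so that the script can be dry-run with AWS_CLI=echo is a convention of this script only; the sg-ABC123 ID and the rules in the demo are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers around
# revoke-security-group-ingress / -egress and describe-security-groups.
# The CLI binary comes from $AWS_CLI so the script can be dry-run with
# AWS_CLI=echo (a convention of this script, not an AWS CLI feature).
set -eu

AWS_CLI="${AWS_CLI:-aws}"

# Look up a group ID by name inside a given VPC. --group-name only works for the
# default VPC, so for any other VPC resolve the ID first. Prints "None" when
# nothing matched (the CLI's text output for null).
sg_id_by_name() {
  vpc_id="$1"; name="$2"
  "$AWS_CLI" ec2 describe-security-groups \
    --filters "Name=vpc-id,Values=$vpc_id" "Name=group-name,Values=$name" \
    --query 'SecurityGroups[0].GroupId' --output text
}

# One rule -> one JSON object. Protocol -1 (or "all") means every protocol and
# such a rule carries no FromPort/ToPort. A CIDR containing ':' is IPv6 and goes
# into Ipv6Ranges/CidrIpv6 instead of IpRanges/CidrIp.
rule_json() {
  proto="$1"; from="$2"; to="$3"; cidr="$4"
  case "$cidr" in
    *:*) range="\"Ipv6Ranges\": [{\"CidrIpv6\": \"$cidr\"}]" ;;
    *)   range="\"IpRanges\": [{\"CidrIp\": \"$cidr\"}]" ;;
  esac
  if [ "$proto" = "-1" ] || [ "$proto" = "all" ]; then
    printf '{"IpProtocol": "-1", %s}' "$range"
  else
    printf '{"IpProtocol": "%s", "FromPort": %s, "ToPort": %s, %s}' \
      "$proto" "$from" "$to" "$range"
  fi
}

# Join several rules into the JSON array --ip-permissions expects. Each argument
# is "proto:from:to:cidr", e.g. tcp:80:90:0.0.0.0/0 or icmp:-1:-1:0.0.0.0/0
# (all ICMP types and codes). The CIDR is the last field, so IPv6 colons are safe.
ip_permissions_json() {
  out=""; sep=""
  for spec in "$@"; do
    proto="${spec%%:*}"; rest="${spec#*:}"
    from="${rest%%:*}";  rest="${rest#*:}"
    to="${rest%%:*}";    cidr="${rest#*:}"
    out="${out}${sep}$(rule_json "$proto" "$from" "$to" "$cidr")"
    sep=", "
  done
  printf '[%s]' "$out"
}

# Revoke all given rules in one API call. direction: ingress | egress.
# The JSON is handed over as a single argument, so nothing has to be escaped.
revoke_rules() {
  direction="$1"; group_id="$2"; shift 2
  "$AWS_CLI" ec2 "revoke-security-group-$direction" \
    --group-id "$group_id" \
    --ip-permissions "$(ip_permissions_json "$@")"
}

# Number of rules in the group whose port range starts at the given port.
# Prints 0 once the rule is gone. The backticks make the port a JMESPath
# number literal; inbound and outbound rules live in different fields.
count_rules_from_port() {
  direction="$1"; group_id="$2"; port="$3"
  case "$direction" in
    ingress) field="IpPermissions" ;;
    egress)  field="IpPermissionsEgress" ;;
    *) echo "direction must be ingress or egress" >&2; return 2 ;;
  esac
  "$AWS_CLI" ec2 describe-security-groups --group-ids "$group_id" \
    --query "length(SecurityGroups[0].${field}[?FromPort==\`${port}\`])" \
    --output text
}

# Demo (real API calls unless AWS_CLI=echo is exported):
#   sh revoke_sg_rules.sh vpc-0123456789abcdef0 my-web-sg
if [ "$#" -eq 2 ]; then
  sg="$(sg_id_by_name "$1" "$2")"
  [ "$sg" != "None" ] || { echo "no group named $2 in $1" >&2; exit 1; }
  revoke_rules ingress "$sg" tcp:80:90:0.0.0.0/0 tcp:443:443:::/0
  echo "inbound rules from port 80 still present: $(count_rules_from_port ingress "$sg" 80)"
fi
```

Because the JSON is passed as one quoted argument, the same helpers work unchanged for ingress and egress; if you would rather keep the rules in a file, the AWS CLI also accepts `--ip-permissions file://rules.json`, which sidesteps shell quoting entirely.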