Amazon EC2 - Revoke security group

Declaration

<AMAWSEC2 ACTIVITY="revoke_security_group" PROVIDER="session_based" SESSION="text" ACCESSKEY="text" SECRETKEY="text (encrypted)" USERAGENT="text" MAXERRORRETRY="number" SERVICEURL="text" PROXYHOST="text" PROXYPORT="number" PROXYUSER="text" PROXYPWD="text (encrypted)" SIGNMETHOD="text" SIGNVERSION="number" SECURITYGROUP="text" USERID="number" IPPROTOCOL="text (options)" CIDRIP="number" FROMPORT="number" TOPORT="number" SOURCEGROUP="text" SOURCEOWNERID="number" />

Description

Removes a rule from a security group.

IMPORTANT: All EC2 activities are performed using Amazon's EC2 engine and rely on a valid Amazon EC2 service account in order to function correctly.

Practical usage

Used to remove permissions previously set for a security group. The values that you specify in the revoke request (ports, and so on) must match the existing rule's values in order for the rule to be removed.

Parameters

Connection

Property Type Required Default Markup Description
Connection --- --- --- --- Indicates where user credentials and preferences originate from. This parameter does not contain markup and is only displayed in visual mode for task construction and configuration purposes. The available options are:
  • Host (default) - Specifies that user credentials and/or advanced preferences are configured individually for this activity. Normally chosen if only a single activity is required to complete an operation.
  • Session - Specifies that user credentials and/or advanced preferences are obtained from a pre-configured session created in an earlier step with the use of the Amazon EC2 - Create session activity. Normally chosen if a combination of activities within the same action group are required. Linking several activities to a single session eliminates redundancy and improves efficiency. Several sessions can exist in a single task. Multiple sessions can run simultaneously without interference.
Session Text Yes, if the connection is set to Session EC2Session1 SESSION="EC2Session1" The name of an existing session to attach this activity to. This parameter is active only if the Connection parameter is set to Session.
Access key Text Yes, if the connection is set to Host (Empty) ACCESSKEY="022QF06E7MXBSH9DHM02" A 20-character alphanumeric string that uniquely identifies the owner of the AWS service account, similar to a username. This key along with a corresponding secret access key forms a secure information set that AWS uses to confirm a valid user's identity. This parameter is active only if the Connection parameter is set to Host.
Secret access key Text Yes, if the connection is set to Host (Empty) SECRETKEY="kWcrlUX5JEDGM/LtmEENI/aVmYvHNif5zB+d9+ct" A 40-character string that serves the role as password to access the AWS service account. This along with an associated access key forms a secure information set that EC2 uses to confirm a valid user's identity. This parameter is active only if the Connection parameter is set to Host.
User agent Text No Automate USERAGENT="Automate" The name of the client or application initiating requests to AWS. The default value is Automate.
Maximum number of retries on error Number No (Empty) MAXERRORRETRY="4" The total number of times this activity should retry the request before returning an error. Network components can generate errors at any point in the life of a request, so implementing retries can increase reliability.
Service URL Text No (Empty) SERVICEURL="https://ec2.eu-west-1.amazonaws.com" The URL that provides the service endpoint. To make the service call to a different region, you can pass the region-specific endpoint URL. For example, entering https://ec2.us-west-1.amazonaws.com points to the US West (Northern California) region. A complete list of EC2 regions, accompanying endpoints and valid protocols can be found below under EC2 regions and endpoints.
Proxy host Text No (Empty) PROXYHOST="proxy.host.com" The hostname (for example, server.domain.com) or IP address (for example, xxx.xxx.xxx.xxx) of the proxy server to use when connecting to AWS.
Proxy port Number No (Empty) PROXYPORT="1028" The port number to use to connect to the proxy server.
Proxy username Text No (Empty) PROXYUSERNAME="Username" The username to authenticate with the proxy server.
Proxy password Text No (Empty) PROXYPWD="encrypted" The password to authenticate with the proxy server.
Signature method Text No (Empty) SIGNMETHOD="HmacSHA256" The signature method to use for signing the request. This provides a valid hashing algorithm for signature calculation. Valid AWS signature methods are HmacSHA1 and HmacSHA256.
Signature version Number No (Empty) SIGNVERSION="2" The signature version for signing the request. Valid AWS signature versions are 2 and 4. The difference with version 4 is that it allows you to sign your message using a key that is derived from your secret access key rather than using the secret access key itself.
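To make the Signature method and Signature version parameters concrete, the following added example (not part of this page or of the Automate product) shows what the two versions do with the secret access key: version 2 keys HMAC-SHA256 directly with the secret, while version 4 first derives a key scoped to a date, region and service and signs with that. The credentials are this page's sample values, and the EC2 Query API parameter names (Action, GroupName, CidrIp and so on) are assumptions about the underlying API rather than anything the page states.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Sample credentials copied from this page's parameter table; they are documentation
# placeholders, not live keys.
ACCESS_KEY = "022QF06E7MXBSH9DHM02"
SECRET_KEY = "kWcrlUX5JEDGM/LtmEENI/aVmYvHNif5zB+d9+ct"


def sigv2_signature(secret, host, params, method="GET", path="/"):
    """Signature version 2: HMAC-SHA256 over the canonical request, keyed with the raw secret."""
    canonical = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                         for k, v in sorted(params.items()))
    string_to_sign = "\n".join([method, host.lower(), path, canonical])
    digest = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def sigv4_signing_key(secret, date_stamp, region, service="ec2"):
    """Signature version 4: derive a key that is only valid for one day, region and service."""
    def _hmac(key, msg):
        return hmac.new(key, msg.encode(), hashlib.sha256).digest()
    k_date = _hmac(("AWS4" + secret).encode(), date_stamp)  # the secret itself is used once, here
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sigv4_signature(signing_key, string_to_sign):
    """A version 4 request signature is hex HMAC-SHA256 of the string to sign under the derived key."""
    return hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def demo():
    # Constructed revoke request mirroring Example 1 on this page (assumed Query API names).
    params = {"Action": "RevokeSecurityGroupIngress", "GroupName": "websrv",
              "IpProtocol": "tcp", "FromPort": "80", "ToPort": "84",
              "CidrIp": "209.223.157.0/24", "AWSAccessKeyId": ACCESS_KEY,
              "SignatureMethod": "HmacSHA256", "SignatureVersion": "2",
              "Timestamp": "2014-01-01T00:00:00Z"}
    v2 = sigv2_signature(SECRET_KEY, "ec2.eu-west-1.amazonaws.com", params)
    k_ireland = sigv4_signing_key(SECRET_KEY, "20140101", "eu-west-1")
    k_california = sigv4_signing_key(SECRET_KEY, "20140101", "us-west-1")
    return v2, k_ireland, k_california
```

The two derived keys differ even though the secret is the same, which is why a leaked version 4 signing key exposes far less than the secret access key that version 2 feeds into every signature.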

Security Group

Property Type Required Default Markup Description
Security group Text Yes (Empty) SECURITYGROUP="websrv" The name (for example, websrv) or unique ID (for example, sg-1a2b3c4d) of the security group from which to remove a rule. The name/ID must be valid and the group must belong to your AWS account.
User ID Number Yes (Empty) USERID="495219933132" The AWS account ID that owns the source security group. Cannot be used when specifying a CIDR IP address.
CIDR IP permission --- --- --- --- If enabled, revokes the permission of one or more CIDR (Classless Inter-Domain Routing) IP address ranges to access a security group in your account (enabled by default). If this option is enabled, the User/Group pair permission and its associated parameters are ignored. This is a design mode parameter used only during task construction and configuration, and therefore has no markup.
IP protocol Text (Options) Yes, if revoking IP range TCP
  • IPPROTOCOL="tcp"
  • IPPROTOCOL="udp"
  • IPPROTOCOL="icmp"
Specifies the IP protocol associated with the CIDR IP address to revoke. This parameter is available only if the CIDR IP Permission parameter is enabled. Security groups for Amazon EC2 can have rules only for the following protocols:
  • TCP
  • UDP
  • ICMP
CIDR IP Number Yes, if revoking IP range (Empty) CIDRIP="209.223.157.0/24" The CIDR IP address range (for example, 209.223.157.0/24) whose permission to revoke. This parameter is available only if the CIDR IP Permission parameter is enabled.
From port Number Yes, if specifying TCP or UDP (Empty) FROMPORT="80" For the TCP or UDP protocols, specifies the beginning port in a range of ports to revoke. This parameter is available only if the CIDR IP Permission parameter is enabled.
To port Number Yes, if specifying TCP or UDP (Empty) TOPORT="84" For the TCP or UDP protocols, specifies the end port in a range of ports to revoke. This parameter is available only if the CIDR IP Permission parameter is enabled.
User/Group pair permission --- --- --- --- If enabled, revokes the permission of one or more security groups to access a security group in your account (disabled by default). If this parameter is enabled, the CIDR IP permission and its associated parameters are ignored. This is a design mode parameter used only during task construction and configuration, and therefore has no markup.
Source security group name Text Yes, if revoking security group (Empty) SOURCEGROUP="headoffice" The name of the source security group whose access permission should be revoked. This parameter is available only if the User/Group pair permission parameter is enabled.
Source security group owner ID Number Yes, if revoking security group (Empty) SOURCEOWNERID="495219933132" The ID of the AWS account that owns the source security group. This parameter is available only if the User/Group pair permission parameter is enabled.

Additional notes

EC2 regions and endpoints

This table contains a complete list of EC2 endpoints, accompanying regions and supported protocols.

Endpoint Region Protocol
ec2.us-east-1.amazonaws.com US East (Northern Virginia) Region HTTP and HTTPS
ec2.us-west-2.amazonaws.com US West (Oregon) Region HTTP and HTTPS
ec2.us-west-1.amazonaws.com US West (Northern California) Region HTTP and HTTPS
ec2.eu-west-1.amazonaws.com EU (Ireland) Region HTTP and HTTPS
ec2.ap-southeast-1.amazonaws.com Asia Pacific (Singapore) Region HTTP and HTTPS
ec2.ap-southeast-2.amazonaws.com Asia Pacific (Sydney) Region HTTP and HTTPS
ec2.ap-northeast-1.amazonaws.com Asia Pacific (Tokyo) Region HTTP and HTTPS
ec2.sa-east-1.amazonaws.com South America (Sao Paulo) Region HTTP and HTTPS

Examples

NOTE:
  • Copy and paste the sample AML code below directly into the Task Builder Steps Panel.
  • To successfully run the sample code, update parameters containing user credentials, files, file paths, or other information specific to the task to match your environment.

Example 1

This sample task revokes CIDR IP permission from a security group.

<AMAWSEC2 ACTIVITY="revoke_security_group" SECURITYGROUP="websrv" USERID="49521993313132" CIDRIP="209.223.157.0/24" FROMPORT="80" TOPORT="84" />

Example 2

This sample task revokes user/group pair permission from a security group.

<AMAWSEC2 ACTIVITY="revoke_security_group" SECURITYGROUP="websrv" USERID="49521993313132" SOURCEGROUP="headoffice" SOURCEOWNERID="495219933132" />
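The Practical usage section notes that a revoke request only takes effect when its values match the existing rule exactly. The following added example (not from this page or from the Automate product) checks a requested revoke against a constructed list of the rules currently on a group and, only on an exact match, emits the AMAWSEC2 step in the form of Examples 1 and 2; the rule dictionary layout and the sample rule set are assumptions made here.

```python
from xml.sax.saxutils import quoteattr

PROTOCOLS = {"tcp", "udp", "icmp"}

# Constructed sample: rules currently on security group "websrv", reduced to the
# fields the revoke activity compares (protocol, port range, and the source).
EXISTING_RULES = [
    {"protocol": "tcp", "from_port": 80, "to_port": 84, "cidr": "209.223.157.0/24"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},
    {"protocol": "icmp", "cidr": "10.0.0.0/8"},
    {"protocol": "tcp", "from_port": 0, "to_port": 65535,
     "source_group": "headoffice", "source_owner": "495219933132"},
]


def rule_key(rule):
    """Normalise a rule to the tuple that must match exactly for a revoke to succeed."""
    proto = rule["protocol"].lower()
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r}; EC2 groups allow tcp, udp, icmp")
    if ("cidr" in rule) == ("source_group" in rule):
        raise ValueError("rule must name exactly one source: a CIDR range or a source group")
    # ICMP rules carry no port range; TCP and UDP rules must give both ends.
    ports = (None, None) if proto == "icmp" else (rule["from_port"], rule["to_port"])
    source = rule.get("cidr") or (rule["source_group"], rule["source_owner"])
    return (proto, ports, source)


def find_exact_rule(existing, wanted):
    """Return the existing rule whose values match `wanted` exactly, or None."""
    key = rule_key(wanted)
    return next((r for r in existing if rule_key(r) == key), None)


def revoke_aml(group, user_id, wanted, existing):
    """Emit the AMAWSEC2 revoke step only when an identical rule is present on the group."""
    match = find_exact_rule(existing, wanted)
    if match is None:
        raise LookupError(f"no rule on {group!r} matches {wanted!r}; the revoke would be a no-op")
    proto, (lo, hi), source = rule_key(match)
    attrs = [("ACTIVITY", "revoke_security_group"), ("SECURITYGROUP", group),
             ("USERID", user_id), ("IPPROTOCOL", proto)]
    if isinstance(source, tuple):
        attrs += [("SOURCEGROUP", source[0]), ("SOURCEOWNERID", source[1])]
    else:
        attrs.append(("CIDRIP", source))
    if lo is not None:
        attrs += [("FROMPORT", str(lo)), ("TOPORT", str(hi))]
    # quoteattr escapes quotes, < and & so the emitted AML attribute values stay well-formed.
    return "<AMAWSEC2 " + " ".join(f"{k}={quoteattr(str(v))}" for k, v in attrs) + " />"
```

A request for ports 80 to 80 against the 80 to 84 rule is rejected rather than silently producing a step that changes nothing, which is the failure the Practical usage note warns about.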