Aech

Reputation: 9

AWS CLI: Revoking default security group ingress rule results in an error

I've been asked to figure out how to create items in AWS via the CLI for future automation later. I'm stuck on the Security Groups. I can create one fine and I can add ingress rules no problem, but I noticed that the default group that gets created has an ingress rule of All Traffic Any/Any and references the SG as the source.

I want to remove this as a possible vector for security risk. I get an error saying the rule doesn't exist. I have tried with the SG group ID, group name, even using the IP permissions syntax, and it all results in the same error. I don't see a way to edit the ingress rule either. Has anyone done this successfully?

Of course the GUI is uber simple and it works fine; I just need to know the proper syntax to do this programmatically.

Upvotes: 0

Views: 1915

Answers (1)

John Rotenstein

Reputation: 270294

The trick is to get the output of the current rule via describe-security-groups and then pass it in as a parameter to revoke-security-group-ingress. This way, the rules match exactly.

First, this command extracts the existing Inbound permissions:

aws ec2 describe-security-groups --group-ids sg-xxx --query SecurityGroups[].IpPermissions[]

The output looks like:

[
    {
        "FromPort": 0,
        "IpProtocol": "tcp",
        "IpRanges": [
            {
                "CidrIp": "0.0.0.0/0"
            }
        ],
        "Ipv6Ranges": [
            {
                "CidrIpv6": "::/0"
            }
        ],
        "PrefixListIds": [],
        "ToPort": 65535,
        "UserIdGroupPairs": []
    }
]

Then, embed that command in the revoke-security-group-ingress command:

aws ec2 revoke-security-group-ingress --group-id sg-xxx --ip-permissions "`aws ec2 describe-security-groups --group-ids sg-xxx --query SecurityGroups[].IpPermissions[]`"

(This worked on my Mac. If you are running Windows, run it under the Ubuntu shell.)

Upvotes: 1
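The answer above revokes whatever describe-security-groups returns, which is the right idea: the revoke call only succeeds when the IpPermission structure matches the stored rule exactly, and hand-typed --protocol/--source-group forms are easy to get subtly wrong (for example, the default group's rule is protocol "-1", not "tcp"). The script below is an added example for this thread, not code from the asker or the answerer. It takes the describe output, optionally narrows it to the self-referencing "all traffic from members of this group" rule the question describes, and builds the exact revoke-security-group-ingress argv, printing it as a dry run unless told to execute. The group ID sg-0123456789abcdef0, the account ID and the embedded describe output are constructed sample data; in practice you would feed it the real `aws ec2 describe-security-groups --group-ids ... --output json` output.

```python
"""Build an exact revoke-security-group-ingress call from describe-security-groups output.

Added example for this thread (not the asker's or answerer's code).  The group ID,
account ID and describe output below are constructed sample data.
"""
import json
import shlex
import subprocess
from typing import Any, Dict, List, Optional

# Constructed sample: what `aws ec2 describe-security-groups --group-ids <id>` returns
# for a default security group that still carries its self-referencing rule
# (IpProtocol "-1" = all traffic, source = the group itself) plus one CIDR rule.
SAMPLE_GROUP_ID = "sg-0123456789abcdef0"  # hypothetical ID
SAMPLE_DESCRIBE_OUTPUT: Dict[str, Any] = {
    "SecurityGroups": [
        {
            "GroupId": SAMPLE_GROUP_ID,
            "GroupName": "default",
            "IpPermissions": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": [
                        {"GroupId": SAMPLE_GROUP_ID, "UserId": "123456789012"}
                    ],
                },
                {
                    "FromPort": 22,
                    "ToPort": 22,
                    "IpProtocol": "tcp",
                    "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": [],
                },
            ],
        }
    ]
}


def ingress_rules(describe_output: Dict[str, Any], group_id: str) -> List[Dict[str, Any]]:
    """Return the IpPermissions list for group_id exactly as the API reported it."""
    for sg in describe_output.get("SecurityGroups", []):
        if sg.get("GroupId") == group_id:
            return sg.get("IpPermissions", [])
    raise KeyError(f"{group_id} not present in describe output")


def self_referencing_rules(rules: List[Dict[str, Any]], group_id: str) -> List[Dict[str, Any]]:
    """Keep only rules whose source is the group itself (the default SG's built-in rule)."""
    return [
        rule for rule in rules
        if any(pair.get("GroupId") == group_id for pair in rule.get("UserIdGroupPairs", []))
    ]


def revoke_command(group_id: str, rules: List[Dict[str, Any]]) -> List[str]:
    """argv for revoke-security-group-ingress, passing the rules back verbatim as JSON.

    Re-sending the structure the API returned is what makes the match exact.
    """
    return [
        "aws", "ec2", "revoke-security-group-ingress",
        "--group-id", group_id,
        "--ip-permissions", json.dumps(rules, separators=(",", ":")),
    ]


def revoke(group_id: str, rules: List[Dict[str, Any]], execute: bool = False) -> Optional[int]:
    """Print the exact command (dry run) or run it; returns the CLI exit code when run."""
    if not rules:
        print(f"{group_id}: nothing to revoke")
        return None
    cmd = revoke_command(group_id, rules)
    if not execute:
        print(shlex.join(cmd))
        return None
    return subprocess.run(cmd, check=False).returncode


if __name__ == "__main__":
    rules = ingress_rules(SAMPLE_DESCRIBE_OUTPUT, SAMPLE_GROUP_ID)
    # Only the self-referencing rule; pass `rules` instead to strip all ingress.
    revoke(SAMPLE_GROUP_ID, self_referencing_rules(rules, SAMPLE_GROUP_ID))
```

After running it for real, re-run describe-security-groups with the same --query as in the answer and confirm the self-referencing entry is gone (an empty `[]` if it was the only rule); an unchanged list means the JSON you sent did not match the stored rule.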
