Are you experiencing the error "An error occurred when calling the RevokeSecurityGroupIngress operation" while using AWS?
This guide is for you.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to fix AWS related errors.
In this context, we shall look into what causes this error and the steps to fix it.
More information about RevokeSecurityGroupIngress?
The RevokeSecurityGroupIngress API removes a specified inbound rule from a security group. To remove a rule, the request must specify values that match the existing rule exactly; a request that only overlaps a rule (for example port 22 when the existing rule covers the range 20-25) does not match it, and the API reports that the rule does not exist.
Each rule consists of a protocol, a source (an IPv4 or IPv6 CIDR block or another security group) and, for the TCP and UDP protocols, a destination port or range of ports. All of these must be supplied when revoking the rule.
What triggers the "An error occurred when calling the RevokeSecurityGroupIngress operation" AWS error?
The AWS Config rule vpc-sg-open-only-to-authorized-ports checks whether a security group allows inbound TCP or UDP traffic from 0.0.0.0/0 on ports other than those authorized in the rule's parameters.
For example, to allow TCP ports 443 and 1020-1025 from 0.0.0.0/0, those ports are listed as authorized in the rule parameters; any other port open to 0.0.0.0/0 marks the security group as non-compliant. The remediation document AWS-DisablePublicAccessForSecurityGroup, however, is limited to the default SSH port 22 and RDP port 3389. It removes rules for those ports that are open to all IP addresses (0.0.0.0/0), or to a specific IPv4 address given in its IpAddressToBlock parameter.
The error can therefore occur for several reasons: the security group rule being revoked does not exist in the exact form expected (a different port, port range or source), no region was specified in the code, a previous request has not yet propagated, the caller lacks the required IAM permissions, or the credentials are incorrect.
How do we fix the error "An error occurred when calling the RevokeSecurityGroupIngress operation"?
One of our customers was using the AWS Systems Manager Automation document AWS-DisablePublicAccessForSecurityGroup as the auto-remediation action for the AWS Config rule vpc-sg-open-only-to-authorized-ports, in order to disable public SSH and RDP access. The auto-remediation failed with the error given below:
An error occurred (InvalidPermission.NotFound) when calling the RevokeSecurityGroupIngress operation: The specified rule does not exist in this security group.
Now let's see how we fix this error.
This error means that the target security group has no inbound rule matching the one the document tries to revoke, or that the security group is not located in the default Amazon Virtual Private Cloud (Amazon VPC).
Note: Make sure that the AWS Command Line Interface (AWS CLI) is installed and configured.
First, run the describe-remediation-execution-status command below to verify the error message (replace the region and security group ID with your own):
aws configservice describe-remediation-execution-status --config-rule-name vpc-sg-open-only-to-authorized-ports --region af-south-1 --resource-keys resourceType=AWS::EC2::SecurityGroup,resourceId=sg-1234567891234567891
If the output shows the same InvalidPermission.NotFound error, check the inbound rules of the security group. For the remediation to succeed, the security group must have an inbound rule that matches one of the following patterns exactly:
SSH port 22 or RDP port 3389 + source 0.0.0.0/0
SSH port 22 or RDP port 3389 + source ::/0
Finally, to auto-remediate ports other than 22 and 3389, which AWS-DisablePublicAccessForSecurityGroup does not handle, create a custom SSM Automation document for those ports.
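The following is an added example, not code from the original article or from AWS. It shows the exact-match requirement described in the "More information" section and the pre-check that avoids the failed remediation above: it inspects a security group as returned by describe-security-groups, picks out the SSH/RDP rules open to 0.0.0.0/0 or ::/0 (or to one IPv4 address, mirroring the IpAddressToBlock parameter), and builds a RevokeSecurityGroupIngress payload that matches those rules exactly. The `ports` parameter also covers the "other ports" case. The function names, the sample security group and the FakeEC2 stand-in are all our own assumptions; in practice the client passed in would be boto3.client("ec2").

```python
"""Pre-check a security group before calling RevokeSecurityGroupIngress.

The API only removes a rule when protocol, port range and source match an
existing rule exactly; otherwise it fails with InvalidPermission.NotFound.
This code inspects a describe-security-groups result, picks out the SSH/RDP
rules open to the world (or to one IPv4 address, like the SSM document's
IpAddressToBlock parameter) and builds the matching revoke payload.
All function names and the sample data below are ours (assumptions), not AWS's.
"""

PUBLIC_SOURCES = {"0.0.0.0/0", "::/0"}
DEFAULT_PORTS = (22, 3389)  # SSH and RDP, the ports the SSM document covers


def _sources(perm):
    """Yield (list_key, cidr_key, cidr) for each IPv4/IPv6 source on a rule."""
    for r in perm.get("IpRanges", []):
        yield "IpRanges", "CidrIp", r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield "Ipv6Ranges", "CidrIpv6", r["CidrIpv6"]


def build_revoke_permissions(security_group, ports=DEFAULT_PORTS, ip_to_block=None):
    """Return IpPermissions entries that exactly match the offending rules.

    A rule qualifies when it is TCP, its range is exactly one port in `ports`
    (FromPort == ToPort), and its source is 0.0.0.0/0 or ::/0, or the single
    IPv4 CIDR in `ip_to_block` when one is given.  A rule whose range merely
    contains 22 or 3389 (e.g. 20-25, or all traffic) is skipped on purpose:
    a revoke for 22/22 would not match it and the API would return
    InvalidPermission.NotFound.
    """
    wanted = {ip_to_block} if ip_to_block else PUBLIC_SOURCES
    revoke = []
    for perm in security_group.get("IpPermissions", []):
        if perm.get("IpProtocol") != "tcp":
            continue
        if perm.get("FromPort") != perm.get("ToPort") or perm.get("FromPort") not in ports:
            continue
        for list_key, cidr_key, cidr in _sources(perm):
            if cidr in wanted:
                # One entry per source so each revoke entry matches exactly one rule.
                revoke.append({"IpProtocol": "tcp",
                               "FromPort": perm["FromPort"],
                               "ToPort": perm["ToPort"],
                               list_key: [{cidr_key: cidr}]})
    return revoke


def revoke_public_ssh_rdp(ec2, group_id, ports=DEFAULT_PORTS, ip_to_block=None):
    """Describe the group, then call RevokeSecurityGroupIngress only if a rule matches.

    `ec2` is any object with describe_security_groups() and
    revoke_security_group_ingress(); in practice boto3.client("ec2").
    Returns the permissions revoked.  An empty list means no rule matched,
    which is the case the failed remediation ran into, so the API call is
    skipped instead of raising InvalidPermission.NotFound.
    """
    sg = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    perms = build_revoke_permissions(sg, ports, ip_to_block)
    if perms:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    return perms


# Constructed sample shaped like one element of describe-security-groups output.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "198.51.100.7/32"}]},
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,  # contains 22 but is not an exact match
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}


class FakeEC2:
    """Offline stand-in for boto3's EC2 client that records revoke calls."""

    def __init__(self, sg):
        self.sg = sg
        self.calls = []

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [self.sg]}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.calls.append((GroupId, IpPermissions))
        return {"Return": True}


if __name__ == "__main__":
    client = FakeEC2(SAMPLE_SG)
    for p in revoke_public_ssh_rdp(client, SAMPLE_SG["GroupId"]):
        print("revoked:", p)
    # Mirror the IpAddressToBlock parameter: only the one IPv4 source is revoked.
    print("blocked:", revoke_public_ssh_rdp(client, SAMPLE_SG["GroupId"],
                                            ip_to_block="198.51.100.7/32"))
```

Against the sample group, the world-open rules for port 22 (IPv4 and IPv6) are revoked, the 20-25 range is deliberately left alone because a 22/22 revoke would not match it, and a run for a port with no matching rule returns an empty list without calling the API, which is the condition a custom document for other ports should check before revoking.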