eclat-sg − manipulate security groups


eclat sg [−−input|−−ingress|−I|−−output|−−egress|−O] −A|−D|−−add|−−delete [−Nn] [−G NAME] [−P PORT[-PORT]] [−g ID] [−p PROTO] [−s CIDR] [−u USER] [−−group−id=ID] [−−group−name=NAME] [−−name] [−−next, −−new] [−−port=PORT[-PORT]] [−−protocol=PROTO] [−−source=CIDR] [−−user=USER] GROUP

eclat sg −−list|−L [−n] [−−name] [GROUP]

eclat sg −h

eclat sg −−help

eclat sg −−usage


The eclat sg command is used to list and configure EC2 security groups. When invoked with the −−list (−L) argument, it displays information about the given group, or all groups in the account, if the GROUP argument is not provided. The argument is either the group ID, or group name. In the latter case, the −−name (−n) option should be given.

When used with the −−add (−A) option, the command adds rules to the security group. The rules to add are described by the command line options that follow. For example:

eclat sg --add --proto tcp --port 22 --source sg-01234567

This command adds to the security group sg−01234567 a rule allowing access to port 22 from IP addresses in the range

If −−proto icmp is used, the −−port option can be omitted.

Several rules can be added in one invocation. The −−next (−−new) option is used to separate them. E.g.:

eclat sg --add --proto tcp --port 22 --source --next \
--proto icmp --source sg-01234567

The −−delete (−D) option deletes existing rules, which are defined using the same syntax as described above.

By default, both −−add and −−delete operate on ingress rules. This can be changed by placing the −−output (−O) option before them. The −−output option remains in effect for all options that follow it. The −−input option cancels its effect.

The −−list (−L) option instructs the program to list rules in the named security group. If no group is specified, all existing groups will be listed.
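A dry-run parser for the rule syntax described above, added here as an example and not part of eclat: it applies the constraints this page states (−−output stays in effect for the rules that follow it until −−input cancels it, −−next separates rules, −−port may be omitted only with −−proto icmp, PORT[-PORT] accepts numbers or services(5) names) so an argument list can be reviewed before it is handed to eclat. The requirement that a rule names either a −−source CIDR or a source group, the sample CIDRs used in the checks, and the omission of −n, −u and the list mode are assumptions of this example.

```python
import socket
# Rule options that take an argument, mapped to the rule field they set
_ARG_OPTS = {"-P": "port", "--port": "port", "-s": "source", "--source": "source",
             "-p": "proto", "--proto": "proto", "--protocol": "proto",
             "-G": "group_name", "--group-name": "group_name",
             "-g": "group_id", "--group-id": "group_id"}

def parse_port(spec):
    # PORT[-PORT]: decimal numbers or services(5) names, e.g. 'ssh', '8000-8080'
    one = lambda p: int(p) if p.isdigit() else socket.getservbyname(p)
    lo, _, hi = spec.partition("-")
    a, b = one(lo), one(hi or lo)
    if a > b:
        raise ValueError(f"bad port range: {spec}")
    return a, b

def _finish(rule, direction):
    # Apply the constraints the man page states to one completed rule
    if "proto" not in rule:
        raise ValueError("rule has no --proto")
    if "port" in rule:
        rule["port"] = parse_port(rule["port"])
    elif rule["proto"] != "icmp":
        raise ValueError("--port is required unless --proto icmp")
    if ("source" in rule) == ("group_name" in rule or "group_id" in rule):
        raise ValueError("use exactly one of --source or --group-name/--group-id")
    rule["direction"] = direction   # assumption: source XOR group is required
    return rule

def parse_sg_args(argv):
    """Return (mode, group, rules) for an 'eclat sg' argument list."""
    mode, group, direction, rules, cur = None, None, "ingress", [], {}
    it = iter(argv)
    for tok in it:
        if tok in ("--input", "--ingress", "-I"):
            direction = "ingress"               # the default; cancels --output
        elif tok in ("--output", "--egress", "-O"):
            direction = "egress"                # applies to all rules that follow
        elif tok in ("-A", "--add", "-D", "--delete"):
            mode = "add" if tok in ("-A", "--add") else "delete"
        elif tok in ("--next", "--new"):        # separator between rules
            rules.append(_finish(cur, direction)); cur = {}
        elif tok in _ARG_OPTS:
            cur[_ARG_OPTS[tok]] = next(it)
        elif tok.startswith("-"):
            raise ValueError(f"unsupported option: {tok}")
        else:
            group = tok                         # positional GROUP argument
    rules.append(_finish(cur, direction))
    return mode, group, rules
```

Feed it `sys.argv[2:]` of an intended `eclat sg` call and inspect the returned rules; service names resolve through the local services(5) database.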


−−input, −−ingress, −I

Operate on the ingress rules.

−−output, −−egress, −O

Operate on the egress rules.

These modifiers apply to all −−add and −−delete options that follow them, until another modifier or end of line is encountered.

By default, −−input is assumed.

The −−output modifier is valid only for EC2-VPC.

These options define the operation to be performed over the security group. A valid invocation of the sg subcommand must contain exactly one of these:

−A, −−add

Add rules.

−D, −−delete

Delete rules.

−L, −−list

List rules.

Rule constituents
The options below are used to define the rules. Unless −−list is requested, at least one rule must be defined.

A rule defines a set of IPv4 addresses and a port range that these are allowed to access. The IP addresses can be specified either in dotted-quad notation or as host names and can optionally be followed by a / and the network mask length or the network mask. For example: or Missing netmask part implies the network mask length of 32.

Another way of defining IP addresses is by supplying the name or ID of another EC2 security group.

−G, −−group−name=NAME

Sets source group name.

−P, −−port=PORT[-PORT]

Destination port number or range. Each PORT can be either a port number in decimal or a service name from services(5).

−g, −−group−id=ID

Sets source group ID.

−p, −−protocol=PROTO

Protocol name or number.

−s, −−source=CIDR

Source CIDR. The argument is an IPv4 address or host name, optionally followed by a / and the network mask length in decimal or the network mask in dotted-quad notation.

−u, −−user=USER

User name for the subsequent −−group−name or −−group−id option.

Other options

−n, −−name

The GROUP argument is a group name. Without this option it is treated as the group ID.


−−next, −−new

Begins next rule.

Informational options

Give a terse help summary.


List command line syntax and available options.


See also

eclat(1), eclat−lssg(1), eclat−mksg(1), eclat−rmsg(1).


Author

Sergey Poznyakoff


Bug reports

Report bugs to <bug−>.


Copyright

Copyright © 2012-2015 Sergey Poznyakoff
License GPLv3+: GNU GPL version 3 or later <>
This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.