The answer to this question is: you need to use –ip-permissions. There does not seem to be any other way to do it. Here is an example (all one line!):
aws ec2 authorize-security-group-ingress --group-id sg-000000000000000 --ip-permissions IpProtocol=icmp,FromPort='8',ToPort=-1,IpRanges=[{CidrIp=0.0.0.0/0}]
The icmp echo request is designated as type 8, code N/A. It was not obvious that in order to set code=N/A you must set ToPort to -1. Figuring this out took way longer than it should have taken.