En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

Can I freely configure AWSEBSecurityGroups created by ElasticBeanstalk in ebxtensions?

0

The following "01-security-group.config" was create under the .ebxtensions directory.
I then ran eb create using PHP sample application (php.zip).
The VPC is a custom VPC, not a default VPC.
EC2 and ELB are located on public subnets.
KeyPair also sets.

Resources:
    AWSEBSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
            GroupDescription: EC2 SecurityGroup for ElasticBeanstalk environment.
            SecurityGroupIngress:
                - ToPort: 80
                  FromPort: 80
                  IpProtocol: tcp
                  SourceSecurityGroupId: { "Fn::GetAtt" : [ "AWSEBLoadBalancerSecurityGroup", "GroupId" ]}
                - ToPort: 22
                  FromPort: 22
                  IpProtocol: tcp
                  CidrIp: xx.xx.xx.xx/32

The expectation is that the AWSEBSecurityGroup description field and inbound rules will be as specified.
However, the results are as follows, with a different description and an unnecessary rule (SSH, 0.0.0.0/0).

ID:sg-058b4d99a88ea5c75
Description: VPC Security Group
Inbound Rule

TypeProtocolPortSource
SSHTCP220.0.0.0/0
HTTPTCP80awseb-e-kbmrvrb9qk-stack-AWSEBLoadBalancerSecurityGroup-DXLN25QVL0F9
SSHTCP22xx.xx.xx.xx/32

Next, eb deploy was run with the following changes.

Resources:
    AWSEBSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
            GroupDescription: EC2 SecurityGroup for ElasticBeanstalk environment.
            SecurityGroupIngress:
                - ToPort: 80
                  FromPort: 80
                  IpProtocol: tcp
                  SourceSecurityGroupId: { "Fn::GetAtt" : [ "AWSEBLoadBalancerSecurityGroup", "GroupId" ]}
option_settings:
  aws:autoscaling:launchconfiguration:
    SSHSourceRestriction: tcp, 22, 22, xx.xx.xx.xx/32

There are no more unnecessary rules in the security group as shown below.

ID: sg-058b4d99a88ea5c75 Description: VPC Security Group
Inbound Rule

TypeProtocolPortSource
HTTPTCP80awseb-e-kbmrvrb9qk-stack-AWSEBLoadBalancerSecurityGroup-DXLN25QVL0F9
SSHTCP22xx.xx.xx.xx/32

Based on the above, I have two questions.

  1. I would like to complete the configuration with just Resources instead of separating it with Resouces and option_seggings, is there a way to do this?
  2. Is it possible to change the description field?

for your information, AWSEBLoadBalancerSecurityGroup reflects the description field (security group is replaced). Thanks.

Sujets
Calcul
Balises
AWS Elastic Beanstalk
Langue
English
zizi
demandé il y a 3 ans644 vues
1 réponse
1
Réponse acceptée

Hi zizi, I answer your questions.

  1. Unfortunately No...
    The default allowed "SSH (22/tcp) from 0.0.0.0/0" must be overridden and restricted in the "option_settings".

  2. Not possible, as far as I know when "option_settings" is used.
    This is because there is no description field in the SSHSourceRestriction section of the AWS document.
    However, the description field can be set by using a security group that has already been created.
    See KNOWLEDGE-CENTER for more information.

Just FYI,
Inbound HTTP (80/tcp) permission from AWSEBLoadBalancerSecurityGroup is allowed by default without explicitly stating it.
Therefore, if only HTTP(from AWSEBLoadBalancer) and SSH(from your environment IP) connections are to be allowed, the following statement in "01-security-group.config" is all that is required.

option_settings:
  aws:autoscaling:launchconfiguration:
    SSHSourceRestriction: tcp, 22, 22, xx.xx.xx.xx/32

I hope this will help.

profile picture
Tsumita
répondu il y a 3 ans
  • zizi
    il y a 3 ans

    Hi Tsumita, Thanks.

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents