Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Can I freely configure AWSEBSecurityGroups created by ElasticBeanstalk in ebxtensions?

0

The following "01-security-group.config" was create under the .ebxtensions directory.
I then ran eb create using PHP sample application (php.zip).
The VPC is a custom VPC, not a default VPC.
EC2 and ELB are located on public subnets.
KeyPair also sets.

Resources:
    AWSEBSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
            GroupDescription: EC2 SecurityGroup for ElasticBeanstalk environment.
            SecurityGroupIngress:
                - ToPort: 80
                  FromPort: 80
                  IpProtocol: tcp
                  SourceSecurityGroupId: { "Fn::GetAtt" : [ "AWSEBLoadBalancerSecurityGroup", "GroupId" ]}
                - ToPort: 22
                  FromPort: 22
                  IpProtocol: tcp
                  CidrIp: xx.xx.xx.xx/32

The expectation is that the AWSEBSecurityGroup description field and inbound rules will be as specified.
However, the results are as follows, with a different description and an unnecessary rule (SSH, 0.0.0.0/0).

ID:sg-058b4d99a88ea5c75
Description: VPC Security Group
Inbound Rule

TypeProtocolPortSource
SSHTCP220.0.0.0/0
HTTPTCP80awseb-e-kbmrvrb9qk-stack-AWSEBLoadBalancerSecurityGroup-DXLN25QVL0F9
SSHTCP22xx.xx.xx.xx/32

Next, eb deploy was run with the following changes.

Resources:
    AWSEBSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
            GroupDescription: EC2 SecurityGroup for ElasticBeanstalk environment.
            SecurityGroupIngress:
                - ToPort: 80
                  FromPort: 80
                  IpProtocol: tcp
                  SourceSecurityGroupId: { "Fn::GetAtt" : [ "AWSEBLoadBalancerSecurityGroup", "GroupId" ]}
option_settings:
  aws:autoscaling:launchconfiguration:
    SSHSourceRestriction: tcp, 22, 22, xx.xx.xx.xx/32

There are no more unnecessary rules in the security group as shown below.

ID: sg-058b4d99a88ea5c75 Description: VPC Security Group
Inbound Rule

TypeProtocolPortSource
HTTPTCP80awseb-e-kbmrvrb9qk-stack-AWSEBLoadBalancerSecurityGroup-DXLN25QVL0F9
SSHTCP22xx.xx.xx.xx/32

Based on the above, I have two questions.

  1. I would like to complete the configuration with just Resources instead of separating it with Resouces and option_seggings, is there a way to do this?
  2. Is it possible to change the description field?

for your information, AWSEBLoadBalancerSecurityGroup reflects the description field (security group is replaced). Thanks.

Argomenti
Computazionali
Tag
AWS Elastic Beanstalk
Lingua
English
zizi
posta 3 anni fa644 visualizzazioni
1 Risposta
1
Risposta accettata

Hi zizi, I answer your questions.

  1. Unfortunately No...
    The default allowed "SSH (22/tcp) from 0.0.0.0/0" must be overridden and restricted in the "option_settings".

  2. Not possible, as far as I know when "option_settings" is used.
    This is because there is no description field in the SSHSourceRestriction section of the AWS document.
    However, the description field can be set by using a security group that has already been created.
    See KNOWLEDGE-CENTER for more information.

Just FYI,
Inbound HTTP (80/tcp) permission from AWSEBLoadBalancerSecurityGroup is allowed by default without explicitly stating it.
Therefore, if only HTTP(from AWSEBLoadBalancer) and SSH(from your environment IP) connections are to be allowed, the following statement in "01-security-group.config" is all that is required.

option_settings:
  aws:autoscaling:launchconfiguration:
    SSHSourceRestriction: tcp, 22, 22, xx.xx.xx.xx/32

I hope this will help.

profile picture
Tsumita
con risposta 3 anni fa
  • zizi
    3 anni fa

    Hi Tsumita, Thanks.

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente