How do I restrict access to SSH port 22 in my Elastic Beanstalk instance security group to a specific CIDR range or security group?

I configured an AWS Elastic Beanstalk environment with an Amazon Elastic Compute Cloud (Amazon EC2) key pair. The instance security group opened SSH port 22 to the internet (0.0.0.0/0). I want to restrict SSH access to a specific CIDR range or to a security group on the Elastic Beanstalk instances.

Resolution

Note: Elastic Beanstalk uses AWS CloudFormation to manage its resources, including the instance security group. If you edit that security group directly in the Amazon EC2 console or API instead of through an option setting, the change is outside CloudFormation's control: it can cause errors on later environment updates and is not preserved when the environment is rebuilt. Make the change through the SSHSourceRestriction option as described below.

Restrict SSH access to a specific CIDR range

Complete the following steps:

  1. Create a configuration file that has the following settings:

    option_settings:
        aws:autoscaling:launchconfiguration:
            SSHSourceRestriction: tcp, 22, 22, my-cidr-range

    Note: The value has the form protocol, from port, to port, source. Replace my-cidr-range with your CIDR range, for example 203.0.113.0/24, or a single host as a /32. Do not use 0.0.0.0/0, which is the open-to-the-internet rule that you are replacing.

  2. Add the file to the .ebextensions folder in the root of the application source bundle:

    .ebextensions/SSHSourceRestriction.config

  3. Deploy the source bundle to the environment.

Restrict SSH access to a specific security group

Complete the following steps:

  1. Create a configuration file that has the following settings:

    option_settings:
        aws:autoscaling:launchconfiguration:
            SSHSourceRestriction: tcp, 22, 22, sg-0f69e4fd26ac48ec3
        aws:ec2:vpc:
            VPCId: vpc-09b7141f091e43ad4
            Subnets: subnet-093a0b2f2415060bc
            ELBSubnets: subnet-093a0b2f2415060bc

    Note: The preceding .ebextensions configuration file applies to an Elastic Beanstalk environment that you created in a VPC, with the VPC and subnets defined in aws:ec2:vpc. Replace the security group, VPC, and subnet IDs with your own. The source security group must belong to the same VPC as the environment's instances (security group references across VPCs are only possible over VPC peering).

  2. Add the file to the .ebextensions folder in the root of the application source bundle:

    .ebextensions/SSHSourceRestriction.config

  3. Deploy the source bundle to the environment.
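The following script is an added example for both procedures above; it is not part of the Knowledge Center article and not AWS-provided code. It builds the SSHSourceRestriction value from its parts, rejecting anything that is not exactly one IPv4 CIDR (with an explicit prefix length) or one security group ID, which is the same "exactly one source" constraint that the CloudFormation error message in the comments below names; it writes the .ebextensions/SSHSourceRestriction.config file shown in the article, with optional aws:ec2:vpc settings; and it audits a security group for world-open SSH so you can confirm the change after deploying. Assumptions: IPv4 sources only, the sg- ID pattern in SG_ID_RE, and SAMPLE_SG, which is a constructed dict in the shape of one entry of `aws ec2 describe-security-groups` output rather than a real group.

```python
"""Build, write and verify an Elastic Beanstalk SSHSourceRestriction setting.

Added example; not from the Knowledge Center article or from AWS.
"""
import ipaddress
import re
import tempfile
from pathlib import Path

# Assumed pattern for EC2 security group IDs (8 or 17 hex chars after "sg-").
SG_ID_RE = re.compile(r"^sg-[0-9a-f]{8}(?:[0-9a-f]{9})?$")
WORLD = {"0.0.0.0/0", "::/0"}


def ssh_source_restriction(source, protocol="tcp", from_port=22, to_port=22):
    """Return the option value 'protocol, from, to, source' after validating it.

    The source must be exactly one of: an IPv4 CIDR with an explicit prefix
    length, or a security group ID. Bad values fail here instead of at
    CloudFormation update time. IPv4 only is an assumption of this example.
    """
    source = source.strip()
    if not source:
        raise ValueError("source must be a CIDR range or a security group ID")
    if not SG_ID_RE.match(source):
        if "/" not in source:
            raise ValueError(f"{source!r}: give an explicit prefix length, e.g. /32")
        # strict=True rejects CIDRs with host bits set (e.g. 203.0.113.5/24).
        net = ipaddress.ip_network(source, strict=True)
        if net.version != 4:
            raise ValueError(f"{source!r}: only IPv4 CIDR ranges are handled here")
        if net.prefixlen == 0:
            raise ValueError("0.0.0.0/0 would leave SSH open to the internet")
    if not (0 <= from_port <= to_port <= 65535):
        raise ValueError("invalid port range")
    return f"{protocol}, {from_port}, {to_port}, {source}"


def render_config(restriction, vpc=None):
    """Render the .ebextensions YAML from the article. `vpc` is an optional
    mapping of aws:ec2:vpc option names (VPCId, Subnets, ELBSubnets) to values."""
    lines = [
        "option_settings:",
        "  aws:autoscaling:launchconfiguration:",
        f"    SSHSourceRestriction: {restriction}",
    ]
    if vpc:
        lines.append("  aws:ec2:vpc:")
        lines.extend(f"    {key}: {value}" for key, value in vpc.items())
    return "\n".join(lines) + "\n"


def write_config(app_root, restriction, vpc=None):
    """Write .ebextensions/SSHSourceRestriction.config under the bundle root."""
    path = Path(app_root) / ".ebextensions" / "SSHSourceRestriction.config"
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(render_config(restriction, vpc))
    return path


def open_ssh_rules(security_group, port=22):
    """Return (protocol, from, to, source) for every ingress rule of one
    describe-security-groups entry that allows `port` from the whole internet.
    Protocol "-1" (all traffic) carries no FromPort/ToPort and covers every port."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if not lo <= port <= hi:
            continue
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        findings.extend((proto, lo, hi, s) for s in sources if s in WORLD)
    return findings


# Constructed sample, not a real group: the default world-open SSH rule that the
# key pair creates, plus a rule already restricted to a documentation range.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": [], "PrefixListIds": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": [], "PrefixListIds": []},
    ],
}

if __name__ == "__main__":
    value = ssh_source_restriction("203.0.113.0/24")
    with tempfile.TemporaryDirectory() as root:
        print(write_config(root, value).read_text())
    print("world-open SSH rules:", open_ssh_rules(SAMPLE_SG))
```

Run `ssh_source_restriction` in the build step that assembles the source bundle so a typo such as a missing prefix length fails the build rather than the environment update. After the deployment finishes, pass the `SecurityGroups[0]` element of the real `aws ec2 describe-security-groups --group-ids <instance-sg>` output to `open_ssh_rules`; an empty result means port 22 is no longer reachable from 0.0.0.0/0 or ::/0.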

Related information

elastic-beanstalk-samples on the GitHub website

AWS OFFICIAL (updated 2 months ago)

2 Comments

I've tried to restrict SSH access to a security group like this.

option_settings:
  aws:autoscaling:launchconfiguration:
    SSHSourceRestriction: tcp, 22, 22, sg-05325d0a65efe65b3

but I get this error:

2024-08-19 20:37:27    INFO    Environment update is starting.      
2024-08-19 20:37:50    ERROR   Service:AmazonCloudFormation, Message:Stack named 'awseb-e-d28wppwkia-stack' aborted operation. Current state: 'UPDATE_ROLLBACK_COMPLETE'  Reason: null
2024-08-19 20:37:50    ERROR   Updating security group ingress named: sgr-092e9bf7b6c825257 failed Reason: Resource handler returned message: "Exactly one of CidrIp, CidrIpv6, SourceSecurityGroupId, and SourcePrefixListId must be specified and not empty" (RequestToken: 6f2f6767-50f5-78d0-47f6-e3ae5f31a92f, HandlerErrorCode: InvalidRequest)
2024-08-19 20:37:51    ERROR   Failed to deploy application.      

replied 9 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 9 months ago