The issue is likely a naming collision or a missing reference. In Elastic Beanstalk, the default security group is often named AWSEBSecurityGroup by the service. By defining a resource with that exact logical ID in .ebextensions, you may be attempting to overwrite a managed resource incorrectly or creating a circular dependency.
Additionally, using SourceSecurityGroupName for the EC2 Instance Connect service role usually fails because that role is a managed IAM entity, not a Security Group. Instead, use the specific IP address range for EC2 Instance Connect in your region.
Recommended Fix: Rename your resource logical ID (e.g., CustomIngressRules). Use CidrIp with the official AWS IP ranges for Instance Connect rather than a group name.
Hello.
To allow SSH only for EC2 Instance Connect, try allowing the prefix list "com.amazonaws.region.ec2-instance-connect" in the inbound rules of your security group.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-tutorial.html#eic-tut1-task2
You can allow prefix lists with "SourcePrefixListId".
https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-ec2-securitygroup-ingress.html#cfn-ec2-securitygroup-ingress-sourceprefixlistid
You can check the ID of your managed prefix list by accessing the management console using the URL below.
The ID differs depending on the region, so try changing it to the region you're using and checking.
https://us-east-1.console.aws.amazon.com/vpcconsole/home?region=us-east-1#ManagedPrefixLists:
If you are running EC2 in a private subnet, you can connect by allowing the security group used by the EC2 Instance Connect Endpoint in the inbound rules of the EC2 security group.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/eice-security-groups.html
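As an added example (not code from the answer above), here is what the prefix-list approach looks like as an .ebextensions file, with the private-subnet variant via an EC2 Instance Connect Endpoint included as a commented-out alternative. It assumes the environment's instance security group still carries Elastic Beanstalk's default logical ID AWSEBSecurityGroup in the environment's CloudFormation stack; the prefix list ID pl-0123456789abcdef0 and the endpoint security group sg-0123456789abcdef0 are placeholders to replace with the values from your own account and region.

```yaml
# .ebextensions/22-ssh-from-instance-connect.config
#
# Added example, not the answer's own code. Assumptions:
#  - The environment's instance security group keeps Elastic Beanstalk's default
#    logical ID, AWSEBSecurityGroup, in the environment's CloudFormation stack.
#  - pl-0123456789abcdef0 is a placeholder for the ID of the managed prefix list
#    com.amazonaws.<region>.ec2-instance-connect in your region (VPC console ->
#    Managed prefix lists). The ID differs per region; resolve it before deploying.
#  - sg-0123456789abcdef0 is a placeholder for the security group attached to an
#    EC2 Instance Connect Endpoint, used only by the private-subnet variant.
Resources:
  # Public subnets: port 22 opens only to the AWS-managed Instance Connect
  # address range, never to 0.0.0.0/0.
  SSHFromInstanceConnect:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId:
        Fn::GetAtt: [AWSEBSecurityGroup, GroupId]
      Description: SSH from EC2 Instance Connect (console or CLI) only
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      SourcePrefixListId: pl-0123456789abcdef0

  # Private subnets: port 22 opens only to the Instance Connect Endpoint's
  # security group. Use this resource instead of the one above when the
  # instances have no public address and you reach them through an endpoint.
  # SSHFromInstanceConnectEndpoint:
  #   Type: AWS::EC2::SecurityGroupIngress
  #   Properties:
  #     GroupId:
  #       Fn::GetAtt: [AWSEBSecurityGroup, GroupId]
  #     Description: SSH from the EC2 Instance Connect Endpoint only
  #     IpProtocol: tcp
  #     FromPort: 22
  #     ToPort: 22
  #     SourceSecurityGroupId: sg-0123456789abcdef0
```

Two practical notes. First, the prefix list ID can be resolved without the console with `aws ec2 describe-managed-prefix-lists --region <region> --filters Name=prefix-list-name,Values=com.amazonaws.<region>.ec2-instance-connect`. Second, do not configure an EC2 key pair (EC2KeyName) for the environment: it is the key-pair setting that makes Elastic Beanstalk add its own port 22 rule (SSHSourceRestriction, 0.0.0.0/0 by default), and Instance Connect does not need a stored key pair because it pushes a short-lived key at connection time. After deploying, confirm in the instance security group that the only port 22 rule is the one sourced from the prefix list (or the endpoint's security group).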
Hi. It is not possible to restrict SSH access to an Elastic Beanstalk instance “only from AWS Console Connect” by using a security group rule. The configuration shown in the question does not work because AWSServiceRoleForEC2InstanceConnect is an IAM service-linked role, not an actual security group. Security group rules can reference only other security groups, not IAM roles or AWS services, so the rule is invalid.
More importantly, EC2 Instance Connect does not connect from a special AWS-owned security group or a fixed AWS IP range. When a user clicks “Connect” in the AWS Console, AWS only injects a temporary public SSH key into the instance. After that, the SSH connection is established as a normal TCP connection to port 22, originating from the client environment. From the instance’s perspective, there is no distinguishable marker indicating that the connection came “from the AWS console.”
For this reason, a security group cannot identify and allow “only console-based SSH connections,” and AWS does not provide any special security group or CIDR block that represents console-originated traffic.
If the goal is to avoid exposing port 22 broadly, there are two realistic options:
- Restrict SSH to specific IP addresses. You may allow SSH only from your public IP (for example, your office or home IP). EC2 Instance Connect will continue to work as long as the client’s IP address is permitted in the security group rule. However, this can be inconvenient if the client’s IP frequently changes.
- Disable SSH entirely and use AWS Systems Manager Session Manager. This is the recommended solution. With Session Manager, port 22 does not need to be open at all. As long as the instance has the SSM Agent installed and the instance profile includes the appropriate IAM permissions (such as AmazonSSMManagedInstanceCore), you can open a shell directly from the AWS Console without exposing SSH to the internet. Most modern Elastic Beanstalk Amazon Linux 2 platforms include the SSM Agent by default, so enabling this requires only an IAM role update.
In summary, AWS does not provide a mechanism to enforce SSH access exclusively through the AWS console at the security group level. Instead, you should either limit SSH access by IP address or adopt Session Manager, which allows secure console-based access without opening port 22 at all.
If you would like, I can also provide example .ebextensions or .platform configurations for enabling Session Manager on Elastic Beanstalk.
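As an added example (not code from the answer above, and not something Elastic Beanstalk generates for you), here is the IAM side of the Session Manager option as a small standalone CloudFormation template: an instance role with AmazonSSMManagedInstanceCore attached alongside the managed policies the default Elastic Beanstalk EC2 role carries, wrapped in an instance profile the environment can use. The role and profile names are placeholders; the Elastic Beanstalk policies listed assume a web-tier environment, so add AWSElasticBeanstalkWorkerTier if yours is a worker tier.

```yaml
# eb-ssm-instance-profile.yaml
# Added example; not from the answer above. Assumptions: the role and profile
# names are placeholders you may rename, and the environment is a web tier
# (add arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier for a worker tier).
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Instance profile for Elastic Beanstalk instances that are reached only through
  AWS Systems Manager Session Manager, with no port 22 rule at all.
Resources:
  EbSsmInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: eb-ssm-instance-role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # Lets the SSM Agent register the instance and accept Session Manager
        # sessions; this is the only permission Session Manager itself needs.
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
        # What the default aws-elasticbeanstalk-ec2-role grants a web tier,
        # so deployments and log shipping keep working.
        - arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier
        - arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker
  EbSsmInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: eb-ssm-instance-profile
      Roles:
        - !Ref EbSsmInstanceRole
Outputs:
  InstanceProfileName:
    Description: Value for aws:autoscaling:launchconfiguration / IamInstanceProfile
    Value: !Ref EbSsmInstanceProfile
```

Deploy the template first, then point the environment at the profile through the IamInstanceProfile option in the aws:autoscaling:launchconfiguration namespace (value eb-ssm-instance-profile) and leave EC2KeyName unset so Elastic Beanstalk never adds a port 22 rule. Once the instances have rolled, `aws ssm describe-instance-information` should list them with a PingStatus of Online, and `aws ssm start-session --target <instance-id>` (or Connect > Session Manager in the console) opens a shell with no inbound rule on the security group at all; every session is also recorded in CloudTrail under the caller's IAM identity, which is the audit trail the SSH route never gave you.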
