Can I freely configure AWSEBSecurityGroups created by ElasticBeanstalk in .ebextensions?


The following "01-security-group.config" was created under the .ebextensions directory.
I then ran eb create using the PHP sample application (php.zip).
The VPC is a custom VPC, not the default VPC.
The EC2 instances and the ELB are located on public subnets.
A KeyPair is also set.

Resources:
    AWSEBSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
            GroupDescription: EC2 SecurityGroup for ElasticBeanstalk environment.
            SecurityGroupIngress:
                - ToPort: 80
                  FromPort: 80
                  IpProtocol: tcp
                  SourceSecurityGroupId: { "Fn::GetAtt" : [ "AWSEBLoadBalancerSecurityGroup", "GroupId" ]}
                - ToPort: 22
                  FromPort: 22
                  IpProtocol: tcp
                  CidrIp: xx.xx.xx.xx/32

The expectation is that the AWSEBSecurityGroup description field and inbound rules will be as specified.
However, the results are as follows, with a different description and an unnecessary rule (SSH, 0.0.0.0/0).

ID: sg-058b4d99a88ea5c75
Description: VPC Security Group
Inbound Rules

Type   Protocol   Port   Source
SSH    TCP        22     0.0.0.0/0
HTTP   TCP        80     awseb-e-kbmrvrb9qk-stack-AWSEBLoadBalancerSecurityGroup-DXLN25QVL0F9
SSH    TCP        22     xx.xx.xx.xx/32

Next, eb deploy was run with the following changes.

Resources:
    AWSEBSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
            GroupDescription: EC2 SecurityGroup for ElasticBeanstalk environment.
            SecurityGroupIngress:
                - ToPort: 80
                  FromPort: 80
                  IpProtocol: tcp
                  SourceSecurityGroupId: { "Fn::GetAtt" : [ "AWSEBLoadBalancerSecurityGroup", "GroupId" ]}
option_settings:
  aws:autoscaling:launchconfiguration:
    SSHSourceRestriction: tcp, 22, 22, xx.xx.xx.xx/32

There are no more unnecessary rules in the security group, as shown below.

ID: sg-058b4d99a88ea5c75
Description: VPC Security Group
Inbound Rules

Type   Protocol   Port   Source
HTTP   TCP        80     awseb-e-kbmrvrb9qk-stack-AWSEBLoadBalancerSecurityGroup-DXLN25QVL0F9
SSH    TCP        22     xx.xx.xx.xx/32

Based on the above, I have two questions.

  1. I would like to complete the configuration with just Resources instead of splitting it between Resources and option_settings. Is there a way to do this?
  2. Is it possible to change the description field?

For your information, AWSEBLoadBalancerSecurityGroup does reflect the description field (the security group is replaced). Thanks.

zizi
asked 2 years ago · 461 views
1 Answer
Accepted Answer

Hi zizi, I'll answer your questions.

  1. Unfortunately, no...
    The default allowed "SSH (22/tcp) from 0.0.0.0/0" rule must be overridden and restricted in "option_settings".

  2. Not possible, as far as I know, when "option_settings" is used.
    This is because there is no description field in the SSHSourceRestriction section of the AWS documentation.
    However, the description field can be set by using a security group that has already been created.
    See KNOWLEDGE-CENTER for more information.

Just FYI,
inbound HTTP (80/tcp) from AWSEBLoadBalancerSecurityGroup is allowed by default without explicitly stating it.
Therefore, if only HTTP (from AWSEBLoadBalancerSecurityGroup) and SSH (from your environment's IP) connections are to be allowed, the following statement in "01-security-group.config" is all that is required.

option_settings:
  aws:autoscaling:launchconfiguration:
    SSHSourceRestriction: tcp, 22, 22, xx.xx.xx.xx/32

I hope this will help.

Tsumita
answered 2 years ago
  • Hi Tsumita, Thanks.
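The question shows that an instance security group can silently pick up the default "SSH from 0.0.0.0/0" rule until SSHSourceRestriction is set, and the answer shows the option_settings fix. A practitioner would normally want to confirm the result after every eb deploy rather than read it off the console. The following added example (not code from the question, the answer, or Elastic Beanstalk itself) inspects security groups in the structure returned by boto3's ec2.describe_security_groups() and reports any rule that exposes SSH to the whole internet, as well as the full set of sources allowed to reach SSH. The two inline samples are constructed to mirror the question's before and after tables; the group ID is the one from the question, the admin address xx.xx.xx.xx/32 is replaced with the constructed documentation address 203.0.113.10/32, and the ELB security group ID is a placeholder because the page only shows its name.

```python
"""Post-deploy check: does the Elastic Beanstalk instance security group
still allow SSH from anywhere?

Added example, not part of the original question or answer. The input
shape is the "SecurityGroups" list returned by boto3's
ec2.describe_security_groups(); the samples below are constructed.
"""
from typing import Dict, Iterable, List, Set

SSH_PORT = 22
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _covers_tcp_port(perm: Dict, port: int) -> bool:
    """True if one IpPermissions entry applies to the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule: every protocol and port
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _cidrs(perm: Dict) -> List[str]:
    """All IPv4 and IPv6 CIDR sources of one rule (group sources excluded)."""
    return [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
           [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]


def find_world_open_ssh(groups: Iterable[Dict]) -> List[Dict]:
    """One finding per rule that lets 0.0.0.0/0 or ::/0 reach SSH."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _covers_tcp_port(perm, SSH_PORT):
                continue
            for cidr in _cidrs(perm):
                if cidr in WORLD_CIDRS:
                    findings.append({"GroupId": sg["GroupId"], "Cidr": cidr,
                                     "IpProtocol": perm.get("IpProtocol"),
                                     "FromPort": perm.get("FromPort"),
                                     "ToPort": perm.get("ToPort")})
    return findings


def ssh_sources(groups: Iterable[Dict]) -> Set[str]:
    """Every CIDR allowed to reach SSH, so the expected admin /32 can be
    asserted to be the only one left after SSHSourceRestriction is set."""
    return {cidr for sg in groups for perm in sg.get("IpPermissions", [])
            if _covers_tcp_port(perm, SSH_PORT) for cidr in _cidrs(perm)}


# Constructed sample mirroring the question's first table: default SSH from
# anywhere, HTTP from the ELB group, and SSH from the admin address.
HTTP_FROM_ELB = {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-PLACEHOLDER-elb"}]}
SSH_FROM_ADMIN = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                  "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
                  "Ipv6Ranges": [], "UserIdGroupPairs": []}
SSH_FROM_WORLD = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                  "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                  "Ipv6Ranges": [], "UserIdGroupPairs": []}

BEFORE_RESTRICTION = [{"GroupId": "sg-058b4d99a88ea5c75",
                       "Description": "VPC Security Group",
                       "IpPermissions": [SSH_FROM_WORLD, HTTP_FROM_ELB,
                                         SSH_FROM_ADMIN]}]
# Same group after SSHSourceRestriction replaced the default rule.
AFTER_RESTRICTION = [{"GroupId": "sg-058b4d99a88ea5c75",
                      "Description": "VPC Security Group",
                      "IpPermissions": [HTTP_FROM_ELB, SSH_FROM_ADMIN]}]

if __name__ == "__main__":
    for label, groups in (("before", BEFORE_RESTRICTION),
                          ("after", AFTER_RESTRICTION)):
        print(label, "world-open SSH:", find_world_open_ssh(groups))
        print(label, "SSH sources:", sorted(ssh_sources(groups)))
```

Against a live environment, feed the check with `boto3.client("ec2").describe_security_groups(GroupIds=["sg-..."])["SecurityGroups"]` using the ID shown in the environment's resources; an empty result from `find_world_open_ssh` and an `ssh_sources` set containing only the intended admin /32 confirms that the option_settings restriction took effect. The check deliberately treats an `IpProtocol: "-1"` rule and a port range that spans 22 as exposure too, since both reach SSH even though neither is literally a "port 22" rule.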
