Can I freely configure the AWSEBSecurityGroup created by Elastic Beanstalk in .ebextensions?

0

The following "01-security-group.config" was created under the .ebextensions directory.
I then ran eb create using the PHP sample application (php.zip).
The VPC is a custom VPC, not the default VPC.
EC2 and ELB are located on public subnets.
A KeyPair is also set.

Resources:
    AWSEBSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
            GroupDescription: EC2 SecurityGroup for ElasticBeanstalk environment.
            SecurityGroupIngress:
                - ToPort: 80
                  FromPort: 80
                  IpProtocol: tcp
                  SourceSecurityGroupId: { "Fn::GetAtt" : [ "AWSEBLoadBalancerSecurityGroup", "GroupId" ]}
                - ToPort: 22
                  FromPort: 22
                  IpProtocol: tcp
                  CidrIp: xx.xx.xx.xx/32

The expectation is that the AWSEBSecurityGroup description field and inbound rules will be as specified.
However, the results are as follows, with a different description and an unnecessary rule (SSH, 0.0.0.0/0).

ID: sg-058b4d99a88ea5c75
Description: VPC Security Group
Inbound rules:

Type  Protocol  Port  Source
SSH   TCP       22    0.0.0.0/0
HTTP  TCP       80    awseb-e-kbmrvrb9qk-stack-AWSEBLoadBalancerSecurityGroup-DXLN25QVL0F9
SSH   TCP       22    xx.xx.xx.xx/32

Next, eb deploy was run with the following changes.

Resources:
    AWSEBSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
            GroupDescription: EC2 SecurityGroup for ElasticBeanstalk environment.
            SecurityGroupIngress:
                - ToPort: 80
                  FromPort: 80
                  IpProtocol: tcp
                  SourceSecurityGroupId: { "Fn::GetAtt" : [ "AWSEBLoadBalancerSecurityGroup", "GroupId" ]}
option_settings:
  aws:autoscaling:launchconfiguration:
    SSHSourceRestriction: tcp, 22, 22, xx.xx.xx.xx/32

There are no longer any unnecessary rules in the security group, as shown below.

ID: sg-058b4d99a88ea5c75
Description: VPC Security Group
Inbound rules:

Type  Protocol  Port  Source
HTTP  TCP       80    awseb-e-kbmrvrb9qk-stack-AWSEBLoadBalancerSecurityGroup-DXLN25QVL0F9
SSH   TCP       22    xx.xx.xx.xx/32

Based on the above, I have two questions.

  1. I would like to complete the configuration with just Resources instead of splitting it between Resources and option_settings. Is there a way to do this?
  2. Is it possible to change the description field?

For your information, AWSEBLoadBalancerSecurityGroup does reflect the description field (the security group is replaced). Thanks.

zizi
Asked 2 years ago, 475 views
1 answer
1
Accepted answer

Hi zizi, I answer your questions.

  1. Unfortunately, no...
    The default allowed "SSH (22/tcp) from 0.0.0.0/0" must be overridden and restricted in "option_settings".

  2. Not possible, as far as I know, when "option_settings" is used.
    This is because there is no description field in the SSHSourceRestriction section of the AWS documentation.
    However, the description field can be set by using a security group that has already been created.
    See the Knowledge Center for more information.

Just FYI,
inbound HTTP (80/tcp) from AWSEBLoadBalancerSecurityGroup is allowed by default without explicitly stating it.
Therefore, if only HTTP (from AWSEBLoadBalancer) and SSH (from your environment IP) connections are to be allowed, the following statement in "01-security-group.config" is all that is required.

option_settings:
  aws:autoscaling:launchconfiguration:
    SSHSourceRestriction: tcp, 22, 22, xx.xx.xx.xx/32

I hope this will help.

Tsumita
Answered 2 years ago
  • Hi Tsumita, Thanks.
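Added example, not code from the question or the answer: a small audit that reads an instance security group in the shape returned by `aws ec2 describe-security-groups` and reports the world-open SSH rule and the description drift the thread describes, so the result of an eb deploy can be checked rather than eyeballed in the console. The sample groups, the load balancer group ID and the admin CIDR 203.0.113.10/32 are constructed placeholders.

```python
"""Audit an Elastic Beanstalk instance security group for the default
world-open SSH rule; input follows `aws ec2 describe-security-groups`."""
import ipaddress

def _ssh_rule(cidrs, group_ids=()):
    """Build a port-22/tcp permission entry (constructed sample data)."""
    return {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in group_ids]}

# HTTP from the load balancer group; the ELB group ID is a placeholder.
HTTP_FROM_ELB = {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-elb-placeholder"}]}

# Constructed samples mirroring the two states shown in the question; the
# admin CIDR 203.0.113.10/32 stands in for the asker's xx.xx.xx.xx/32.
BEFORE = {"GroupId": "sg-058b4d99a88ea5c75", "Description": "VPC Security Group",
          "IpPermissions": [_ssh_rule(["0.0.0.0/0"]), HTTP_FROM_ELB,
                            _ssh_rule(["203.0.113.10/32"])]}
AFTER = {"GroupId": "sg-058b4d99a88ea5c75", "Description": "VPC Security Group",
         "IpPermissions": [HTTP_FROM_ELB, _ssh_rule(["203.0.113.10/32"])]}

def broad_cidrs_for_port(group, port, max_hosts=1):
    """Return CIDRs that can reach `port` and span more than `max_hosts`
    addresses (0.0.0.0/0 and ::/0 are flagged; a /32 or /128 is not)."""
    hits = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":                     # "all traffic" rule
            covers = True
        elif proto == "tcp":
            covers = perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
        else:
            covers = False
        if not covers:
            continue
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            if ipaddress.ip_network(cidr, strict=False).num_addresses > max_hosts:
                hits.append(cidr)
    return hits

def audit(group, expected_description):
    """Findings: broad SSH exposure plus description drift from the intent."""
    findings = [f"port 22 open to {c}" for c in broad_cidrs_for_port(group, 22)]
    if group.get("Description") != expected_description:
        findings.append(f"description is {group.get('Description')!r}")
    return findings
```

To audit a live environment, pass `json.load(...)["SecurityGroups"][0]` from the CLI output to `audit` in place of the sample dicts.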
