[Beanstalk] How to limit the SSH rule for environment when creating by AWS Console

Question:

Hello,
I tried to create an Elastic Beanstalk in AWS Management Console and I find that when I specify a key pair in Security configuration, EB will create an inbound rule that allows SSH (port 22) for 0.0.0.0/0.

I also tried to make another SG, but it only adds one more security group; the generated SG still has SSH for all inbound. I wonder if there is any way that I can still SSH my instance but do not create SSH for 0.0.0.0/0 (maybe limit for my IP only, etc.).

Answer by AWS:

Hello,

Hope you are safe and doing well.

Thank you for contacting AWS Premium Support. I am Saurabh and I will be assisting you with the case today.

From your case notes, I understand that you tried to create an Elastic Beanstalk in AWS Management Console and you noticed that when you specify a key pair in Security configuration, EB will create an inbound rule that allows SSH (port 22) for 0.0.0.0/0. You also tried to make another SG, but it only adds one more security group; the generated SG still has SSH for all inbound. You would like to know if there is any way that I can still SSH my instance but do not create SSH for 0.0.0.0/0 (maybe limit for specific IPs only, etc.). Please feel free to correct me if I have misunderstood your concern here.

To start with, I would like to let you know that this is expected: when you create an environment with an SSH key defined, Beanstalk will add port 22 open for world. This is a service limitation as of now at our end and I can see that we have an open feature request for the same. So I went ahead and added your case to that feature request. But being at support, I am afraid I will not be able to share an ETA for the same. Please keep an eye on the below links, which will get uploaded:

——
https://docs.aws.amazon.com/elasticbeanstalk/latest/relnotes/relnotes.html
https://aws.amazon.com/blogs/aws/
http://aws.amazon.com/new
——

Now, as a workaround, I would like to suggest that you please add ebextensions:

option_settings:
  aws:autoscaling:launchconfiguration:
    SSHSourceRestriction: tcp, 22, 22, IP_Range   # replace IP_Range with the allowed source CIDR
Resources:
  AWSEBSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: VPC Security Group
      SecurityGroupIngress: []      # It will remove ingress rules from default security group.

That being said, I would humbly request you to please try the aforementioned suggestion and feel free to revert over the same case if you need any further help related to the same or if you face any issue while applying the same. I will be more than happy to help you with that.

I hope the above information is beneficial to you. Please feel free to write back to me if you have any further queries/questions regarding this case or if you think I have missed out any of your concerns. I will always be there and more than happy to assist you further. Eagerly looking forward to hearing back from you.

Be safe and keep doing great!

Have a great day ahead and take care!

Best regards,
Saurabh M.
Amazon Web Services