I configured an AWS Elastic Beanstalk environment with an Amazon Elastic Compute Cloud (Amazon EC2) key pair. The instance security group opened SSH port 22 to the internet (0.0.0.0/0). I want to restrict SSH access to a specific CIDR or a security group in the Elastic Beanstalk instance.
Resolution
Note: Elastic Beanstalk uses AWS CloudFormation to manage resources. If you manually change an Amazon EC2 instance outside of CloudFormation, then errors might occur.
To restrict access to a specific CIDR range or security group, configure the following settings.
Restrict SSH access to a specific CIDR range
Complete the following steps:
- Create a config file that has the following settings:

    option_settings:
      aws:autoscaling:launchconfiguration:
        SSHSourceRestriction: tcp, 22, 22, my-cidr-range

  Note: Replace my-cidr-range with your CIDR range.
- Move the file to the .ebextensions folder in the root of the application source bundle:

    .ebextensions/SSHSourceRestriction.config

- Deploy the source bundle to the environment.
Restrict SSH access to a specific security group
Complete the following steps:
- Create a config file that has the following settings:

    option_settings:
      aws:autoscaling:launchconfiguration:
        SSHSourceRestriction: tcp, 22, 22, my-security-group

  Note: Replace my-security-group with your security group name.
- Move the file to the .ebextensions folder in the root of the application source bundle:

    .ebextensions/SSHSourceRestriction.config

- Deploy the source bundle to the environment.
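The following script is an added example, not code from AWS or from the elastic-beanstalk-samples repository. It covers both procedures above: it renders the SSHSourceRestriction.config file for either a CIDR range or a security group name using the "tcp, 22, 22, source" value format quoted above, refuses the world-open sources (0.0.0.0/0 and ::/0) so the file can never recreate the original problem, and audits a security group description for port 22 open to the internet. The security group JSON is constructed by hand in the shape of the EC2 describe-security-groups output; the group ID in it is a placeholder, and the function and file names are the example's own choices.

```python
"""Render the .ebextensions SSH restriction config and audit a security
group for world-open port 22. Added example; not AWS's own code."""
import ipaddress
import os
import tempfile

# Sources that would leave SSH reachable from the whole internet.
OPEN_WORLD = {"0.0.0.0/0", "::/0"}
CONFIG_PATH = os.path.join(".ebextensions", "SSHSourceRestriction.config")


def normalize_source(source: str) -> str:
    """Return a cleaned source for the option value.

    A CIDR (or bare IP, which becomes a /32) must parse with its host
    bits clear; anything else is treated as a security group name, which
    must be non-empty and free of commas and whitespace because the
    option value is comma-separated.
    """
    src = source.strip()
    if src in OPEN_WORLD:
        raise ValueError("refusing world-open source: " + src)
    try:
        return str(ipaddress.ip_network(src, strict=True))
    except ValueError:
        if "/" in src:  # looked like a CIDR but did not parse
            raise
    if not src or "," in src or any(c.isspace() for c in src):
        raise ValueError("invalid security group name: %r" % source)
    return src


def render_config(source: str) -> str:
    """Return the text of SSHSourceRestriction.config for one source."""
    return (
        "option_settings:\n"
        "  aws:autoscaling:launchconfiguration:\n"
        "    SSHSourceRestriction: tcp, 22, 22, %s\n" % normalize_source(source)
    )


def write_config(bundle_root: str, source: str) -> str:
    """Write the config into <bundle_root>/.ebextensions and return its path."""
    path = os.path.join(bundle_root, CONFIG_PATH)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(render_config(source))
    return path


def world_open_ssh(group: dict) -> list:
    """Return the world-open ranges in `group` that reach TCP port 22.

    `group` is one entry of a describe-security-groups response. Protocol
    "-1" (all traffic) carries no port fields, so it is treated as
    covering every port.
    """
    findings = []
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        if not perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535):
            continue
        for rng in perm.get("IpRanges", []):
            if rng.get("CidrIp") in OPEN_WORLD:
                findings.append(rng["CidrIp"])
        for rng in perm.get("Ipv6Ranges", []):
            if rng.get("CidrIpv6") in OPEN_WORLD:
                findings.append(rng["CidrIpv6"])
    return findings


# Constructed sample in the shape of describe-security-groups output;
# the group ID is a placeholder, not a real group.
SAMPLE_GROUP = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    print("world-open SSH sources before the fix:", world_open_ssh(SAMPLE_GROUP))
    root = tempfile.mkdtemp()
    print("wrote", write_config(root, "203.0.113.0/24"))
    print(render_config("my-bastion-sg"))
```

Run the audit against the JSON of the environment's instance security group after the deployment finishes: an empty result for the SSH port confirms that the restriction took effect, while a non-empty one means the source bundle was deployed without the .ebextensions file or to a different environment.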
Related information
elastic-beanstalk-samples on the GitHub website