How do I restrict access to SSH port 22 in my Elastic Beanstalk instance security group to a specific CIDR or security group?


I configured an AWS Elastic Beanstalk environment with an Amazon Elastic Compute Cloud (Amazon EC2) key pair. The instance security group opened SSH port 22 to the internet (0.0.0.0/0). I want to restrict SSH access to a specific CIDR range or a security group in the Elastic Beanstalk instance security group.

Resolution

Note: Elastic Beanstalk uses AWS CloudFormation to manage resources. If you manually change an Amazon EC2 instance outside of CloudFormation, then errors might occur.

To restrict access to a specific CIDR range or security group, configure the following settings.

Restrict SSH access to a specific CIDR range

Complete the following steps:

  1. Create a config file that has the following settings:

    option_settings:
      aws:autoscaling:launchconfiguration:
        SSHSourceRestriction: tcp, 22, 22, my-cidr-range

    Note: Replace my-cidr-range with your CIDR range.

  2. Move the file to the .ebextensions folder in the root of the application source bundle:

    .ebextensions/SSHSourceRestriction.config

  3. Deploy the source bundle to the environment.

Restrict SSH access to a specific security group

Complete the following steps:

  1. Create a config file that has the following settings:

    option_settings:
      aws:autoscaling:launchconfiguration:
        SSHSourceRestriction: tcp, 22, 22, my-security-group

    Note: Replace my-security-group with your security group name.

  2. Move the file to the .ebextensions folder in the root of the application source bundle:

    .ebextensions/SSHSourceRestriction.config

  3. Deploy the source bundle to the environment.
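Both procedures above hinge on one value, SSHSourceRestriction, whose format is "protocol, fromPort, toPort, source" with the source being either a CIDR block or a security group. The following is an added example, not AWS code and not part of this article: a small Python helper that parses and validates that value, classifies the source, refuses to write a rule that would leave port 22 open to 0.0.0.0/0 or ::/0, and renders the .ebextensions/SSHSourceRestriction.config file named in the steps. The function names (parse_ssh_source_restriction, is_world_open, render_config, write_config) and the security group name pattern are assumptions of this example; only the option namespace, the option name and the config file path come from the article.

```python
"""Validate an Elastic Beanstalk SSHSourceRestriction value and emit the
.ebextensions config that applies it. Added example; names are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from pathlib import Path

# EC2 security group IDs look like sg-xxxxxxxx or sg-xxxxxxxxxxxxxxxxx.
_SG_ID = re.compile(r"^sg-[0-9a-f]{8}([0-9a-f]{9})?$")
# Assumed character set for a security group name. Commas are left out on
# purpose: they cannot survive the comma-separated SSHSourceRestriction format.
_SG_NAME = re.compile(r"^[A-Za-z0-9 ._\-:/()#@\[\]+=&;{}!$*]{1,255}$")

# Path from the article: config file lives in .ebextensions at the bundle root.
CONFIG_PATH = Path(".ebextensions") / "SSHSourceRestriction.config"


@dataclass(frozen=True)
class SshRestriction:
    protocol: str
    from_port: int
    to_port: int
    source: str
    source_kind: str  # "cidr", "security-group-id" or "security-group-name"


def parse_ssh_source_restriction(value: str) -> SshRestriction:
    """Parse 'protocol, fromPort, toPort, source' and classify the source."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 4:
        raise ValueError("expected four fields: protocol, fromPort, toPort, source")
    protocol, from_port, to_port, source = parts
    if protocol.lower() != "tcp":
        raise ValueError("SSH runs over TCP; protocol must be 'tcp'")
    try:
        lo, hi = int(from_port), int(to_port)
    except ValueError as exc:
        raise ValueError("ports must be integers") from exc
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("need 1 <= fromPort <= toPort <= 65535")
    if not source:
        raise ValueError("source must not be empty")

    try:
        # strict=True rejects host bits (203.0.113.5/24) so the rule means what it reads.
        ipaddress.ip_network(source, strict=True)
        kind = "cidr"
    except ValueError:
        try:
            ipaddress.ip_network(source, strict=False)
            looks_like_ip = True
        except ValueError:
            looks_like_ip = False
        if looks_like_ip:
            raise ValueError(
                f"{source!r} has host bits set; use the network address, e.g. 203.0.113.0/24"
            ) from None
        if _SG_ID.match(source):
            kind = "security-group-id"
        elif _SG_NAME.match(source):
            kind = "security-group-name"
        else:
            raise ValueError(f"{source!r} is neither a CIDR block nor a security group") from None
    return SshRestriction(protocol.lower(), lo, hi, source, kind)


def is_world_open(rule: SshRestriction) -> bool:
    """True when the source is 0.0.0.0/0 or ::/0, i.e. SSH stays open to the internet."""
    return rule.source_kind == "cidr" and ipaddress.ip_network(rule.source).prefixlen == 0


def render_config(value: str) -> str:
    """Return the YAML body of .ebextensions/SSHSourceRestriction.config."""
    rule = parse_ssh_source_restriction(value)
    if is_world_open(rule):
        raise ValueError("refusing to write a rule that leaves SSH open to the internet")
    return (
        "option_settings:\n"
        "  aws:autoscaling:launchconfiguration:\n"
        f"    SSHSourceRestriction: {rule.protocol}, {rule.from_port}, {rule.to_port}, {rule.source}\n"
    )


def write_config(value: str, bundle_root: str = ".") -> Path:
    """Write the config into the application source bundle and return its path."""
    path = Path(bundle_root) / CONFIG_PATH
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(render_config(value))
    return path


if __name__ == "__main__":
    # Constructed sample value using a documentation-only prefix (RFC 5737).
    print(render_config("tcp, 22, 22, 203.0.113.0/24"), end="")
```

Run write_config("tcp, 22, 22, 203.0.113.0/24", "path/to/bundle") before packaging the bundle; the refusal on a /0 source is the point of the helper, since a deploy that "succeeds" with 0.0.0.0/0 is exactly the state the article is trying to get out of.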

Related information

elastic-beanstalk-samples on the GitHub website

AWS OFFICIAL
Updated 5 months ago
3 Comments

I've tried to restrict SSH access to a security group like this.

option_settings:
  aws:autoscaling:launchconfiguration:
    SSHSourceRestriction: tcp, 22, 22, sg-05325d0a65efe65b3

but I get this error:

2024-08-19 20:37:27    INFO    Environment update is starting.      
2024-08-19 20:37:50    ERROR   Service:AmazonCloudFormation, Message:Stack named 'awseb-e-d28wppwkia-stack' aborted operation. Current state: 'UPDATE_ROLLBACK_COMPLETE'  Reason: null
2024-08-19 20:37:50    ERROR   Updating security group ingress named: sgr-092e9bf7b6c825257 failed Reason: Resource handler returned message: "Exactly one of CidrIp, CidrIpv6, SourceSecurityGroupId, and SourcePrefixListId must be specified and not empty" (RequestToken: 6f2f6767-50f5-78d0-47f6-e3ae5f31a92f, HandlerErrorCode: InvalidRequest)
2024-08-19 20:37:51    ERROR   Failed to deploy application.      

replied a month ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a month ago

I've had the exact same problem when updating SSHSourceRestriction via Terraform. Here's the GitHub issue I've opened: https://github.com/hashicorp/terraform-provider-aws/issues/39201

My guess is that this happens because an attempt is made to modify the original CIDR rule (which is impossible), rather than creating a brand new rule for the security group source. I've explained it in the GitHub issue above.

replied 11 days ago