AWS Security ChangesHomeSearch

AWS elasticbeanstalk medium security documentation change

Service: elasticbeanstalk · 2025-05-01 · Security-related medium

File: elasticbeanstalk/latest/dg/command-options-general.md

Summary

Added documentation for DisableDefaultEC2SecurityGroup option, updated EC2KeyName note about security group association, and expanded SecurityGroups documentation with custom security group guidance

Security assessment

The changes explicitly document how to disable default security groups (which allow open HTTP access) and enforce custom security group configuration. This addresses potential security risks from overly permissive default groups by requiring explicit firewall rule management. The warning about traffic blocking in multi-instance environments highlights security implications.

Diff

diff --git a/elasticbeanstalk/latest/dg/command-options-general.md b/elasticbeanstalk/latest/dg/command-options-general.md
index 474f8204a..d2cf40a50 100644
--- a//elasticbeanstalk/latest/dg/command-options-general.md
+++ b//elasticbeanstalk/latest/dg/command-options-general.md
@@ -110,0 +111 @@ Namespace: `aws:autoscaling:launchconfiguration` **Name** | **Description** | **
+DisableDefaultEC2SecurityGroup |  When set to the default value of `false`, Elastic Beanstalk creates a default security group that allows traffic from the internet or load balancer on the standard ports for HTTP (80). It attaches this security group to the EC2 instances of the environment when it creates the environment. When set to `true`, Elastic Beanstalk will not assign the default security group to the EC2 instances. The `SecurityGroups` option of this namespace will require at least one value if you set this option to `true`. Use the `SecurityGroups` option to define your chosen security groups. For more information, see [Managing EC2 security groups](./using-features.managing.ec2.instances.sg.html). If a value is specified for EC2KeyName in an environment that has `DisableDefaultEC2SecurityGroup` set to `true` a default security group will not be associated with the EC2 instances. |  `false` |  `true` `false`  
@@ -121 +122 @@ This option setting can cause Elastic Beanstalk to create an environment with a
-EC2KeyName |  You can use a key pair to securely log into your EC2 instance.
+EC2KeyName |  You can use a key pair to securely log into your EC2 instance. If a value is specified for `EC2KeyName` in an environment that has `DisableDefaultEC2SecurityGroup` set to `true` a default security group will not be associated with the EC2 instances.
@@ -174 +175,5 @@ MonitoringInterval |  The interval (in minutes) that you want Amazon CloudWatch
-SecurityGroups |  Lists the Amazon EC2 security group IDs to assign to the EC2 instances in the Auto Scaling group to define firewall rules for the instances. You can provide a single string of comma-separated values that contain existing Amazon EC2 security groups IDs or references to AWS::EC2::SecurityGroup resources created in the template.  |  `elasticbeanstalk-default` |   
+SecurityGroups |  Lists the Amazon EC2 security group IDs to assign to the EC2 instances in the Auto Scaling group to define firewall rules for the instances. Use this option along with `DisableDefaultEC2SecurityGroup` to attach your own custom security groups that define firewall rules for the EC2 instances. For more information, see [Load balanced (multi-instance) environments](./using-features.managing.ec2.instances.sg.html#using-features.managing.ec2.instances.sg.load-balancer-security).
+
+###### Important
+
+You may need to complete some additional configuration to prevent incoming traffic to your EC2 instances from being blocked. This only applies to multi-instance environments with custom EC2 security groups. The EC2 security groups must include an inbound rule that grants access to traffic routed from the load balancer. For more information, see [Managing EC2 security groups in multi-instance environments](./using-features.managing.ec2.instances.sg.html#using-features.managing.ec2.instances.sg.load-balancer-security). You can provide a single string of comma-separated values that contain existing Amazon EC2 security groups IDs or references to AWS::EC2::SecurityGroup resources created in the template.  You must provide at least one value for this option if `DisableDefaultEC2SecurityGroup` for this namespace is set to `true`. |  `elasticbeanstalk-default` |