AWS elasticbeanstalk high security documentation change
Summary
Updated security group documentation, clarified default EC2 security group behavior, and added option to disable default security group via CLI
Security assessment
The change explicitly documents that the default EC2 security group allows SSH (port 22) from the internet, which could expose instances to unauthorized access if not properly restricted. Introducing the 'DisableDefaultEC2SecurityGroup' option helps mitigate this risk by allowing users to opt out of the permissive default.
Diff
diff --git a/elasticbeanstalk/latest/dg/using-features.managing.ec2.console.md b/elasticbeanstalk/latest/dg/using-features.managing.ec2.console.md index eb61edac1..30c9e78a7 100644 --- a//elasticbeanstalk/latest/dg/using-features.managing.ec2.console.md +++ b//elasticbeanstalk/latest/dg/using-features.managing.ec2.console.md @@ -13 +13 @@ You can create or modify your Elastic Beanstalk environment's Amazon EC2 instanc -Although the Elastic Beanstalk console doesn't provide the option to change the processor architecture of an existing environment, you can do so with the AWS CLI. For example commands, see [Configuring Amazon EC2 instances using the AWS CLI](./using-features.managing.ec2.aws-cli.html). +Although the Elastic Beanstalk console doesn't provide the option to change the processor architecture of an existing environment, you can do so with the AWS CLI. For example commands, see [](./using-features.managing.ec2.aws-cli.html). @@ -75 +75 @@ The following settings related to Amazon EC2 instances are available in the **In - * Security groups + * EC2 security groups @@ -108 +108 @@ The IMDS section on this configuration page appears only for platform versions t -### Security groups +### EC2 security groups @@ -110 +110 @@ The IMDS section on this configuration page appears only for platform versions t -The security groups that are attached to your instances determine which traffic is allowed to reach the instances. They also determine which traffic is allowed to leave the instances. Elastic Beanstalk creates a security group that allows traffic from the load balancer on the standard ports for HTTP (80) and HTTPS (443). +The security groups that are attached to your instances determine which traffic is allowed to reach and exit the instances. @@ -112 +112,5 @@ The security groups that are attached to your instances determine which traffic -You can specify additional security groups that you have created to allow traffic on other ports or from other sources. For example, you can create a security group for SSH access that allows inbound traffic on port 22 from a restricted IP address range. Otherwise, for additional security, create one that allows traffic from a bastion host that only you have access to. +The default EC2 security group that Elastic Beanstalk creates allows all incoming traffic from the internet or load balancers on the standard ports for HTTP (80) and SSH(22). You may also define your own custom security groups to designate firewall rules for the EC2 instances. The security groups can allow traffic on other ports or from other sources. For example, you can create a security group for SSH access that allows inbound traffic on port 22 from a restricted IP address range. Or for additional security, you can create one that allows traffic from a bastion host that only you can access. + +You can select to opt out your environment from the default EC2 security group by setting the `DisableDefaultEC2SecurityGroup` option in the [aws:autoscaling:launchconfiguration](./command-options-general.html#command-options-general-autoscalinglaunchconfiguration) namespace to `true`. This option is not available in the console, but you can set it with the AWS CLI. For more information, see [Managing EC2 security groups](./using-features.managing.ec2.instances.sg.html). + +For more information about Amazon EC2 security groups, see [Amazon EC2 Security Groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html) in the _Amazon EC2 User Guide_. @@ -120,2 +123,0 @@ Therefore, we recommend that you instead first create a separate security group. -For more information about Amazon EC2 security groups, see [Amazon EC2 Security Groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html) in the _Amazon EC2 User Guide_. - @@ -143 +145 @@ The **Instance types** setting determines the type of Amazon EC2 instance that's -Although the Elastic Beanstalk console doesn't provide the option to change the processor architecture of an existing environment, you can do so with the AWS CLI. For example commands, see [Configuring Amazon EC2 instances using the AWS CLI](./using-features.managing.ec2.aws-cli.html). +Although the Elastic Beanstalk console doesn't provide the option to change the processor architecture of an existing environment, you can do so with the AWS CLI. For example commands, see [](./using-features.managing.ec2.aws-cli.html). @@ -163 +165 @@ Amazon EC2 instance types -Configuring with the AWS CLI +Managing EC2 security groups