Remove default security group from EC2-Instance #44
Comments
|
I don't understand why a security-group has to be created when we specify our own. From an enterprise perspective, this is often an anti-pattern as Cloud Enablement teams generate approved security groups. |
|
If I understand this case correctly, it's not specific to a platform. We faced the same issue with the Java platform. To work around it we had to implement couple of hacks.
Therefore we set the port 22 "incomings" to the same security group of the EC2 instance (application security group). That limits the port 22 to be used by the EB instances only. (aws:autoscaling:launchconfiguration with OptionName: SSHSourceRestriction) All in all, I agree that if we specify our own custom security group, EB shouldn't force a default, partly redundant and potentially less secure security group. |
|
Hello, we're seeing the same issue when specifying a EC2-keypair a new AWS generated Security Group gets added which opens Port 22 for 0.0.0.0/0. "All in all, I agree that if we specify our own custom security group, EB shouldn't force a default, partly redundant and potentially less secure security group." |
|
We also have this issue, we currently deploy almost all environments with cloudformation and tried to restrict http access on our development environment. This wasn't possible because the default security groups allows everyone on port 80. Currently fixed it with the above proposal. |
|
Thanks everybody for voicing your concerns. The default EC2 SG, and the additional EC2 SGs that customers are allowed to pass serve two different purposes. Whereas EB will use the default SG to open it to the LB, the additional SGs customer are allowed to pass are simply attached to the EC2 instances; EB maintains that these SGs will not be manipulated. So, we cannot simply prevent the default security group from being created because doing so would break backwards compatibility. However, we can possibly look into providing a way for you to direct EB not to create the default SG through an option setting in the Is this a feasible solution to your problem? |
For my use-case that would be a very viable option |
|
@rahulrajaram yes this would work for my organizations usecase. |
|
@rahulrajaram Yes, that would be awesome! Thanks for noticing our concerns |
|
@rahulrajaram Looks good. The SG is also used in a single instance setup, guess this can be removed then? |
|
@elgohr , yes, it would make most sense from the usability perspective to keep the behaviour consistent across all types of environments. |
|
@rahulrajaram thanks that would solve our problem as well ! Any idea on an ETA? Thank you, |
|
@rahulrajaram it works for our usecases as well. Do you have any updates for us? :) |
|
@rahulrajaram This is the solution I've been looking for. That would be awesome |
|
can i know if the new option setting to disable auto-creation of default security group under aws:autoscaling:launchconfiguration is released or not ? |
|
@navaganeshr It seems they did add this (just not documented well) See SSHSourceRestriction in https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html#command-options-general-autoscalinglaunchconfiguration |
|
@urkle I don't think that it's the same. It's a valid workaround IMO, but it still creates a new SG with a some-what random name. |
@fferreira-lucid I totaly agree that it is a horrible workaround. IMHO it would be better to have a simple option to DISABLE the SG creation as I couldn't even get the SSHSourceRestriction to work (as it claims to be able to reference an existing SG).. So in the end I just turned off SSH completely for now. |
|
Any updates on this issue? I have created my own security groups for ALB and EC2 and created the stack with CloudFormation template. I need custom security group to allow traffic from EC2 to RDS instance. With this pesky default security group I am not sure that the traffic will go from desired security. For production https can be set, but still having default group is really disappointing |
|
This is being actively worked on by the team as we speak. |
|
Hi @rahulrajaram - do you have any updates here? |
|
Hello I'm looking forward to the update. |
|
This is bananas. How has such a security vulnerability not been resolved yet? At least there's a workaround for port 22 (i.e. SSHSourceRestriction), but there's also port 80, in my case, still being exposed to the outside world for a development server. Please update us on the status @rahulrajaram. Here's the ebsextension config to restrict port 22 for anyone else in need of it: |
|
Why would you assume opening port 22 to the world was something you would want to do? Please allow for security groups to be managed separately. |
|
I'm surprised to see AWS opening holes in customers security on purpose ? nobody ever thought this was a good idea, at least give us a stack parameter/option to disable it |
|
@mdesouky - i would recommend never assigning a public ip address to the EC2 instances or assigning a SSH keypair. Instead, use SSM agent to access the servers via the AWS Console. |
|
Much needed update - the default rule is a really annoying security pitfall. |
|
We solved this issue by stopping to use Beanstalk. |
|
So Beanstalk won't let you select a previous version of a platform calling it a "security risk to our customers", but this is acceptable? |
|
@lisenet the recommended setup includes private subnets, which won't allow inbound connections to your instances from the internet. See https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.managing.vpc.html |
|
@dgagnon but it does allow all outbound traffic to the Internet which is a security risk. How does one remove the default Beanstalk SG? |
|
@lisenet The default security group only opens inbound SSH. Outbound is open by default on all security groups. To completely remove outbound internet access from EB instances, you would need VPC endpoints for every service you use from AWS plus all the updates and packages already built in to your AMI. EB also allows you to specify specific security groups for LB and instances, you can add restrictions using these. |
|
@dgagnon where did you get the information that this is the recommended setup? Didn’t find a word in the security best practices (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/security-best-practices.html) or general Beanstalk security guidelines (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/security.html). I’m sorry, but letting customers tinker custom VPC-solutions to stuff default security holes isn’t my understanding of |
|
@elgohr that link pertains to the security aspects specific to elastic beanstalk. For VPC related security, you can look at this link: https://docs.aws.amazon.com/vpc/latest/userguide/infrastructure-security.html Edit: I recommend the following guide as well: https://docs.aws.amazon.com/quickstart/latest/vpc/architecture.html |
|
@dgagnon so I'm buying a PaaS solution to patch the IaaS inside the solution? Did I get that correct? |
|
@elgohr no you did not. |
That's precisely the problem. We want to be able to control outbound traffic by using SGs. How is having a default SG that allows all traffic to leave the network best practice? |
|
@lisenet If you need that level of security, manage the NAT instances yourself instead of using NAT Gateways. We use pfSense and it works great in that regard. You can even install SSM agent on it although not many of the automations supports FreeBSD properly. |
This doesn't resolve the issue. Egress for instances should explicitly defined and that cannot be achieved by using the default security group. It's not just instance traffic egressing to the internet. |
|
@janzelc-trifecta see my earlier comments on what is needed to achieve the level of egress control you want. All the tools are there at your disposal for your specific use case. EB is designed with access to internet in mind. From this thread, it seems most people do not even use private subnets. This would make your use case more of an edge case. I do no know of any compliance framework who forbid internet access completely. Mandate DLP ? Sure. Strict firewalls ? Absolutely. IDS ? ez-pz. no access to the internet of any kind ? what are you doing on EB then ? While it is possible to completely cut off the access to the internet from your VM, the security group is not where it happens. Use network ACLs and routing tables. |
|
@dgagnon you are in denial. |
|
@lisenet I run a successful business and have many big customers on Elastic Beanstalk, including customers with compliance requirements. But I am also a Certified AWS Cloud Practitioner, I understand the security guarantees of AWS as well as it's capabilities. Maybe it just is not for you. |
|
@dgagnon good for you, but neither of that is a justification of the problem reported on this issue I'm afraid. |
|
@lisenet The problem reported is easily worked around in less than 15 minutes of work. I have provided many different solutions to the reported problem. The hostility in this thread toward AWS is unwarranted for an issue of this caliber. |
|
@dgagnon thank you for your suggested workarounds. |
|
Updated the workaround section in the initial report. |
|
We have decided to halt development of this feature until we can accommodate more complex customer uses cases. We want to ensure that the existing environments continues to operate without disruption. |
|
I also found this very annoying. I have a EB, and the default SG was manualy detached from the ec2s and deleted, and from then on we could not work with the EB as it always looked for a SG with the id of the deleted one and would fail with error. |
@backnol-aws Guys, come on the fix is simple and remains backwards compatible. It's a simple flag addition: option_settings:
aws:autoscaling:launchconfiguration:
AutoGeneratedSecurityGroup: false |
|
Hey everyone, after trying various options I finally found the solution and it is extremely simple. What we have to do is tell Cloud Formation to replace the security group resource elastic beanstalk created. The easiest way to do that is by changing the name! And best of all Elastic Beanstalk always assigns the default security group a logical name of Alright here is an example solution:
Filename: Resources:
AWSEBSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: my-sg
GroupDescription: Allow CloudFront
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
SourcePrefixListId: pl-4ea04527The key here is using -Phew- Sifting through AWS documentation can sure be a woozy. |
Thanks for the solution. I confirm that it is indeed working. To block access completely, create an empty security group and assign it to the resource. Resources:
AWSEBSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: { "Ref" : "AWSEBEnvironmentName" }
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
SourceSecurityGroupId: <SECURITY_GROUP_ID>Cons: We still need an option like this one: |
|
Here's why the security group has such an unattractive name: https://stackoverflow.com/a/56924571/4425643 Because if we give it a pretty static name, cloudformation chokes and can't update our configuration when it needs replacing. https://repost.aws/knowledge-center/cloudformation-custom-name So in other words, we can't have nice things. |
|
The workarounds are not working for SingleInstance EB and we haven't been able to automate the update using Terraform CDK. We finally added instructions to remove the ingress rule manually until finding a way to automate this. |
and others
Community Note
Tell us about your request
When using aws:autoscaling:launchconfiguration:SecurityGroups (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html#command-options-general-autoscalinglaunchconfiguration) the defined groups are added to the EC2-Instance. Nevertheless a default group is also added to the instance. How can this be removed?
Is this request specific to an Elastic Beanstalk platform?
If so, which one(s)? multi-container-docker-18.09.9-ce-(generic)
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
What outcome are you trying to achieve, ultimately, and why is it hard/impossible to do right now? What is the impact of not having this problem solved? The more details you can provide, the better we'll be able to understand and solve the problem.
Security hardening.
Are you currently working around this issue?
How are you currently solving this problem?
No workaround.
Edit 2023-02-05: You could try working around by putting the Beanstalk into a VPC with a private subnet (#44 (comment)).
The text was updated successfully, but these errors were encountered: