How to Set Application Security for AWS
Any code you deploy using EB becomes immediately public at the URL provided in the URL field unless you change the security rules for AWS. This means that you really do need to verify that the page is safe to display before you deploy it. However, you can also make the page private by following these steps:
- Choose Services → EC2 from the menu at the top of the page.
You see the EC2 Dashboard page.
- Choose Network & Security → Security Groups from the Navigation pane.
EC2 displays a list of security groups. The selected security group in the figure is the one used with EB.
- Select the security group entry for EB configuration and choose Actions → Edit Inbound Rules.
EC2 displays the Edit Inbound Rules dialog box. You can change any configuration option for the security group that will modify the way in which incoming requests work. For example, you can change the HTTP type to HTTPS to create secure access to the page. However, in this case, you can use a simpler method to secure access to the page in a reasonable way: Simply disallow access from sources other than your system.
- Choose My IP in the Source field for both HTTP and SSH access of the security group.
EC2 modifies the rules as expected.
To make this setup work, you must also give the instance security group access to the website. Otherwise, any updates you attempt to perform will fail.
- Click Add Rule.
You see a new rule added to the list.
- Choose All Traffic in the Type field and All in the Protocol field. These two settings provide complete access to the security group.
- Choose Custom in the Source field and type sg in the text field after it.
You see a listing of security groups for your server. A source can consist of a Classless Inter-Domain Routing (CIDR) address, IP address, or security group ID. Typing sg tells EC2 that you want to use a security group. Note that one of the security groups in the list specifically mentions the AWSEBSecurityGroup, which is the security group that you want to use.
- Click the security group for the website instance in the list. The security group appears in the Source field.
- Click Save.
The inbound security rules now prevent access to the site by any entity other than the website instance or you.
The IP address supplied when you choose My IP in the Source field is the IP address of your current location. If other people use the same router (and therefore the same IP address), they also have access to the website. Consequently, setting the inbound rules does help provide security, but only a certain level of security. In addition, the IP address can change when you reset the router and then reconnect to the Internet provider, so you may find that you lose access to the test site you’ve created. If you suddenly find that you have lost access, verify that your IP address hasn’t changed.
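The following check is an added example, not part of the original article. It audits a security group's inbound rules, in the IpPermissions shape that EC2's DescribeSecurityGroups call returns, against the lockdown described above, and it also catches the changed-IP case. The rule sets, IP addresses, and the group ID placeholder are constructed sample data.

```python
import ipaddress

def audit_inbound(ip_permissions, my_ip, instance_sg_id):
    """Return (rule, source, problem) for each inbound source outside the lockdown."""
    me = ipaddress.ip_address(my_ip)
    findings = []
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        # "-1" is how EC2 reports the All Traffic / All protocol setting.
        label = "all traffic" if proto == "-1" else f"{proto}/{perm.get('FromPort')}"
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append((label, cidr, "open to every address"))
            elif net.version != me.version or me not in net:
                findings.append((label, cidr, "does not cover your current IP"))
            elif net.num_addresses > 1:
                findings.append((label, cidr, "wider than a single address"))
        # Only the website instance's own security group is expected as a source.
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != instance_sg_id:
                findings.append((label, pair["GroupId"], "unexpected security group"))
    return findings

# Constructed sample data: documentation IP range and a placeholder group ID.
MY_IP = "203.0.113.10"
INSTANCE_SG = "sg-EXAMPLE-INSTANCE"

def tcp_rule(port, cidr):
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}

# Assumed starting point: HTTP and SSH reachable from anywhere.
OPEN_RULES = [tcp_rule(80, "0.0.0.0/0"), tcp_rule(22, "0.0.0.0/0")]
# Result of the steps: My IP for HTTP and SSH, plus All Traffic from the instance group.
LOCKED_RULES = [
    tcp_rule(80, MY_IP + "/32"),
    tcp_rule(22, MY_IP + "/32"),
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": INSTANCE_SG}]},
]

if __name__ == "__main__":
    for name, rules, ip in [("before the steps", OPEN_RULES, MY_IP),
                            ("after the steps", LOCKED_RULES, MY_IP),
                            ("after your IP changes", LOCKED_RULES, "203.0.113.77")]:
        print(name, audit_inbound(rules, ip, INSTANCE_SG) or "OK")
```

An empty result means every inbound source is either your current address or the instance security group.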