
My current setup consists of CloudFront and Elastic Beanstalk. How to configure the security group of corresponding LoadBalancer so only requests from CloudFront can pass the LoadBalancer?

user1791139
  • Does this answer your question? [AWS Cloudfront and ELB Security Groups](https://stackoverflow.com/questions/22188381/aws-cloudfront-and-elb-security-groups) – rpadovani Feb 09 '22 at 09:38

3 Answers


This can be done by setting up a Security Group with the CloudFront IP addresses, and restricting the EC2 instance to that security group. Since CloudFront IPs change all the time, this will be updated with a Lambda Function.

Full directions are here, but here are the cliff notes:

  1. AWS Console -> EC2 -> Security Groups

  2. Create A Security Group in the same VPC as your EB Instance, being sure to create the following tags:

    • AutoUpdate: true
    • Name: cloudfront
    • Protocol: http (or alternatively this can be https, or something custom if you modify the script).
  3. Create an IAM policy with the following contents:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": "*"
    }
  ]
}
```

  4. In IAM create a role utilizing the above policy.

  5. Create a Lambda Function based on this source code, and assign it the role created in step #5.

  6. Use the sample at the bottom of the source code to test the function.

  7. When it fails because the JSON you pull does not match the hash in the test request, grab the hash value it's expecting from the error message and replace the md5 value in the test sample with that value.

  8. Rerun the test. This time it will succeed.

NOTE: Take a look at the groups you created; they're now populated with a whole bunch of entries for CloudFront IPs.

  9. AWS Console -> Elastic Beanstalk -> Application -> Environment -> Configuration -> Instance: update the groups to include the group-id of the group you created.

The Lambda Function will keep your IP list in sync.

Doug
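The core of the Lambda approach described in the answer above is: fetch ip-ranges.json, refuse it unless its md5 matches the hash in the AmazonIpSpaceChanged notification, pick out the CLOUDFRONT prefixes, and diff them against the security group's current ingress rules. The following is an added example (not the answer's own Lambda code, nor the awslabs sample) that implements those steps as pure functions on a constructed, shortened ip-ranges document and a constructed notification of the same shape; the boto3 authorize/revoke calls are left to the caller.

```python
"""Keep a security group's ingress CIDRs in sync with CloudFront's published
IP ranges. Sample data below is CONSTRUCTED and much smaller than the real
ip-ranges.json; the hash check and diff logic do not depend on the input."""
import hashlib
import json

# Constructed stand-in for https://ip-ranges.amazonaws.com/ip-ranges.json.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2022-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "13.35.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "13.35.0.0/16", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "52.94.76.0/22", "region": "us-west-2", "service": "AMAZON"},
    ],
}).encode()

# Constructed notification body; the real SNS message also carries "url" and "md5".
SAMPLE_EVENT = {"url": "https://ip-ranges.amazonaws.com/ip-ranges.json",
                "md5": hashlib.md5(SAMPLE_IP_RANGES).hexdigest()}


def verify_ranges(body: bytes, expected_md5: str) -> None:
    """Raise if the fetched document does not match the hash in the notification.
    This is the check that fails in the answer's "md5 mismatch" test step."""
    actual = hashlib.md5(body).hexdigest()
    if actual != expected_md5:
        raise ValueError(f"md5 mismatch: expected {expected_md5}, got {actual}")


def cloudfront_cidrs(body: bytes) -> set:
    """Return the IPv4 CIDRs tagged with the CLOUDFRONT service."""
    doc = json.loads(body)
    return {p["ip_prefix"] for p in doc["prefixes"] if p["service"] == "CLOUDFRONT"}


def plan_sg_update(current_cidrs, desired_cidrs, port=80):
    """Diff current ingress CIDRs against the desired set. Each list is shaped
    as the IpPermissions argument of ec2.authorize_security_group_ingress /
    ec2.revoke_security_group_ingress (TCP on the configured port)."""
    add = sorted(set(desired_cidrs) - set(current_cidrs))
    remove = sorted(set(current_cidrs) - set(desired_cidrs))

    def perms(cidrs):
        return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                 "IpRanges": [{"CidrIp": c} for c in cidrs]}] if cidrs else []
    return {"authorize": perms(add), "revoke": perms(remove)}


if __name__ == "__main__":
    verify_ranges(SAMPLE_IP_RANGES, SAMPLE_EVENT["md5"])
    # Constructed current state: one stale rule (198.51.100.0/24) to revoke.
    current = {"13.32.0.0/15", "198.51.100.0/24"}
    print(json.dumps(plan_sg_update(current, cloudfront_cidrs(SAMPLE_IP_RANGES)), indent=2))
```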

You can put an IAM Role on the Elastic Beanstalk to only allow incoming messages from CloudFront. OR you can only allow access to the ELB instance from a certain port, then filter CloudFront to that port. For instance, port 443 is HTTPS: grant CloudFront access to ELB via port 443, then on your security group, only allow inbound access to the instance from the IP that CloudFront will access it from.

Check this out

iSkore

You can create a security group that only allows CloudFront and have it automatically updated. You can also add a custom header (preshared secret) between your distribution and your Elastic Beanstalk environment.

  1. https://github.com/awslabs/aws-cloudfront-samples
  2. https://aws.amazon.com/about-aws/whats-new/2015/12/now-add-or-modify-request-headers-forwarded-from-amazon-cloudfront-to-origin/
imperalix