1
votes

I am trying to make sense of a note in the AWS documentation on configuring HTTPS for an Elastic Beanstalk application.

The note reads:

If at any point you decide to redeploy your application using a load-balanced environment, you risk opening port 443 to all incoming traffic from the Internet. In that case, delete the configuration file from your .ebextensions directory. Then create a load-balanced environment and set up SSL using the Load Balancer section of the Configuration page of the Elastic Beanstalk management console.

Here is the link to the original documentation page: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html#configuring-https-elb

Can you help me make sense of the warning?

1 Answer

0
votes

This documentation is poorly written.

There are actually 2 separate possibilities:

  • Load Balanced Environment: All traffic goes through a load balancer first, then to instance.
  • Non-Load Balanced Environment: All traffic goes directly through your instance.

If all the traffic goes directly to the instance, you need to open up your instance's HTTPS port 443 to everyone:

    Resources:
      # Ingress rule on the instance security group: TCP 443 from any IPv4 address
      sslSecurityGroupIngress:
        Type: AWS::EC2::SecurityGroupIngress
        Properties:
          GroupId: {Ref : AWSEBSecurityGroup}
          IpProtocol: tcp
          ToPort: 443
          FromPort: 443
          CidrIp: 0.0.0.0/0

If you didn't, nobody could access your site.

If all your traffic is going through a load balancer, you can change your instance security to only talk to it. It gets to ignore the rest of the internet. This is more secure because your load balancer is the one that is open to everyone. This matters because imagine if there was a bug in Linux that let someone take over your machine through port 443 by doing something weird. The load balancer sees it first and standardizes it, so it's harder for your instance to be attacked.