 

Elastic Beanstalk automatically creates a security group that allows all traffic on port 80. How can I disable this?

I am deploying a service on Elastic Beanstalk (EB). When you create an EB environment, it asks you to select a security group for hosts running the application. No matter what you select, EB will always use your selected security group in addition to a generated security group which allows all external HTTP and HTTPS traffic on ports 80 and 443. Is there any way to disable this? I would like the allowed traffic to be determined by my selected security group. I do not want to allow any external traffic.

Max asked Mar 04 '16 19:03


1 Answer

If your environment is using a Single Instance

When a security group is created, you can always change this by going into EC2 => Security Groups => find the corresponding security group attached to the EC2 instance created by EB (probably some random characters like: awseb-e-thmgihexyz-stack-AWSEBSecurityGroup-6PG13Z3VXXX9) => Inbound => Edit => remove Inbound Port 80 and Inbound Port 443

Or a very similar method:

Go to EC2 => select the instance that was created by your EB app => scroll to the far left => you'll see your security group there, should start with awseb, select it => It'll take you to the Security Group Inbound page by default => Edit => remove Inbound Port 80 and Inbound Port 443


If your environment is using a Load Balancer

Go to the EB Dashboard, click on your app => go to Configuration on the left => click on the Load Balancer settings icon on the top left. There you will see Listener port: 80. Click 80 and switch it to OFF. You can also do this to Secure listener port: 443 which should not actually be on by default.

Update:

To dynamically update your Security Group Incoming Traffic, use the EC2 SDK's authorizeSecurityGroupIngress, documented HERE.

Hope this helps!

iSkore answered Oct 05 '22 13:10
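
The console steps in the answer above (removing inbound ports 80 and 443 from the `awseb...` group) can also be scripted. The following is an added example, not part of the original answer: it takes data in the shape of an EC2 DescribeSecurityGroups response and builds the arguments for boto3's `revoke_security_group_ingress`, the counterpart of the authorize call the answer mentions. The sample data, group IDs, group names and function names are constructed for illustration.

```python
WEB_PORTS = (80, 443)
OPEN_V4, OPEN_V6 = "0.0.0.0/0", "::/0"

# Constructed sample in the shape of an EC2 DescribeSecurityGroups response.
# Group IDs and names are made up for this example.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "awseb-e-example-stack-AWSEBSecurityGroup-EXAMPLE",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "my-selected-group",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]}


def open_web_rules(group):
    """Return revoke-ready permissions for rules exposing 80/443 to any address."""
    found = []
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        # Protocol "-1" (all traffic) carries no port fields: treat as all ports.
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if not any(lo <= port <= hi for port in WEB_PORTS):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == OPEN_V4]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == OPEN_V6]
        if v4 or v6:
            # Revoke only the world-open ranges; narrower CIDRs on the rule stay.
            entry = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
            entry["IpRanges"] = [{"CidrIp": OPEN_V4}] if v4 else []
            entry["Ipv6Ranges"] = [{"CidrIpv6": OPEN_V6}] if v6 else []
            found.append(entry)
    return found


def revoke_plan(response, prefix="awseb"):
    """Map GroupId -> permissions to revoke, limited to EB-generated groups."""
    return {g["GroupId"]: rules for g in response["SecurityGroups"]
            if g["GroupName"].startswith(prefix) and (rules := open_web_rules(g))}


def apply_plan(plan):
    import boto3  # imported here so the planning functions run offline
    ec2 = boto3.client("ec2")
    for group_id, perms in plan.items():
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms)
```

Review the output of `revoke_plan(ec2.describe_security_groups())` before passing it to `apply_plan`, which needs boto3 and AWS credentials.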