Restrict instance security group to traffic from load balancer.

MartinRixham · MartinRixham · commit 2100228f1718 · 2025-08-18T08:08:02.000+01:00
diff --git a/cloudformation.json b/cloudformation.json
@@ -93,11 +93,11 @@
         "RouteTableId": { "Ref": "PublicRouteTable" }
       }
     },
-    "InstanceSecurityGroup": {
+    "ALBSecurityGroup": {
       "Type": "AWS::EC2::SecurityGroup",
       "Properties": {
         "VpcId": { "Ref": "VPC" },
-        "GroupDescription": "Allow inbound traffic",
+        "GroupDescription": "Allow inbound HTTP from anywhere",
         "SecurityGroupIngress": [
           {
             "IpProtocol": "tcp",
@@ -107,28 +107,31 @@
           }
         ],
         "SecurityGroupEgress": [
-          {
+          { 
             "IpProtocol": "-1",
             "CidrIp": "0.0.0.0/0"
           }
         ]
       }
     },
-    "ALBSecurityGroup": {
+    "InstanceSecurityGroup": {
       "Type": "AWS::EC2::SecurityGroup",
       "Properties": {
         "VpcId": { "Ref": "VPC" },
-        "GroupDescription": "Allow inbound HTTP from anywhere",
+        "GroupDescription": "Allow inbound traffic from  application load balancer",
         "SecurityGroupIngress": [
           {
             "IpProtocol": "tcp",
             "FromPort": 80,
             "ToPort": 80,
-            "CidrIp": "0.0.0.0/0"
+            "SourceSecurityGroupId": { "Ref": "ALBSecurityGroup" }
           }
         ],
         "SecurityGroupEgress": [
-          { "IpProtocol": "-1", "CidrIp": "0.0.0.0/0" }
+          {
+            "IpProtocol": "-1",
+            "CidrIp": "0.0.0.0/0"
+          }
         ]
       }
     },

Original file line number	Diff line number	Diff line change
`@@ -93,11 +93,11 @@`
`93`	`93`	`"RouteTableId": { "Ref": "PublicRouteTable" }`
`94`	`94`	`}`
`95`	`95`	`},`
`96`		`- "InstanceSecurityGroup": {`
	`96`	`+ "ALBSecurityGroup": {`
`97`	`97`	`"Type": "AWS::EC2::SecurityGroup",`
`98`	`98`	`"Properties": {`
`99`	`99`	`"VpcId": { "Ref": "VPC" },`
`100`		`- "GroupDescription": "Allow inbound traffic",`
	`100`	`+ "GroupDescription": "Allow inbound HTTP from anywhere",`
`101`	`101`	`"SecurityGroupIngress": [`
`102`	`102`	`{`
`103`	`103`	`"IpProtocol": "tcp",`
`@@ -107,28 +107,31 @@`
`107`	`107`	`}`
`108`	`108`	`],`
`109`	`109`	`"SecurityGroupEgress": [`
`110`		`- {`
	`110`	`+ {`
`111`	`111`	`"IpProtocol": "-1",`
`112`	`112`	`"CidrIp": "0.0.0.0/0"`
`113`	`113`	`}`
`114`	`114`	`]`
`115`	`115`	`}`
`116`	`116`	`},`
`117`		`- "ALBSecurityGroup": {`
	`117`	`+ "InstanceSecurityGroup": {`
`118`	`118`	`"Type": "AWS::EC2::SecurityGroup",`
`119`	`119`	`"Properties": {`
`120`	`120`	`"VpcId": { "Ref": "VPC" },`
`121`		`- "GroupDescription": "Allow inbound HTTP from anywhere",`
	`121`	`+ "GroupDescription": "Allow inbound traffic from application load balancer",`
`122`	`122`	`"SecurityGroupIngress": [`
`123`	`123`	`{`
`124`	`124`	`"IpProtocol": "tcp",`
`125`	`125`	`"FromPort": 80,`
`126`	`126`	`"ToPort": 80,`
`127`		`- "CidrIp": "0.0.0.0/0"`
	`127`	`+ "SourceSecurityGroupId": { "Ref": "ALBSecurityGroup" }`
`128`	`128`	`}`
`129`	`129`	`],`
`130`	`130`	`"SecurityGroupEgress": [`
`131`		`- { "IpProtocol": "-1", "CidrIp": "0.0.0.0/0" }`
	`131`	`+ {`
	`132`	`+ "IpProtocol": "-1",`
	`133`	`+ "CidrIp": "0.0.0.0/0"`
	`134`	`+ }`
`132`	`135`	`]`
`133`	`136`	`}`
`134`	`137`	`},`