Your AWS Elastic Beanstalk environment security - AWS Elastic Beanstalk

Your AWS Elastic Beanstalk environment security

Elastic Beanstalk provides several options that control the security of your environment and of the Amazon EC2 instances in it. This topic discusses the configuration of these options.

Configuring your environment security

You can modify your Elastic Beanstalk environment security configuration in the Elastic Beanstalk console.

To configure environment security in the Elastic Beanstalk console

  1. Open the Elastic Beanstalk console, and in the Regions list, select your AWS Region.

  2. In the navigation pane, choose Environments, and then choose the name of your environment from the list.


    If you have many environments, use the search bar to filter the environment list.

  3. In the navigation pane, choose Configuration.

  4. In the Security configuration category, choose Edit.

The following settings are available.

        The Elastic Beanstalk security configuration page

Service role

Select a service role to associate with your Elastic Beanstalk environment. Elastic Beanstalk assumes the service role when it accesses other AWS services on your behalf. For details, see Managing Elastic Beanstalk service roles.

EC2 key pair

You can securely log in to the Amazon Elastic Compute Cloud (Amazon EC2) instances provisioned for your Elastic Beanstalk application with an Amazon EC2 key pair. For instructions on creating a key pair, see Creating a Key Pair Using Amazon EC2 in the Amazon EC2 User Guide for Linux Instances.


When you create a key pair, Amazon EC2 stores a copy of your public key. If you no longer need to use it to connect to any environment instances, you can delete it from Amazon EC2. For details, see Deleting Your Key Pair in the Amazon EC2 User Guide for Linux Instances.

Choose an EC2 key pair from the drop-down menu to assign it to your environment's instances. When you assign a key pair, the public key is stored on the instance to authenticate the private key, which you store locally. The private key is never stored on AWS.

For more information about connecting to Amazon EC2 instances, see Connect to Your Instance and Connecting to Linux/UNIX Instances from Windows using PuTTY in the Amazon EC2 User Guide for Linux Instances.

IAM instance profile

An instance profile is an IAM role that is applied to instances launched in your Elastic Beanstalk environment. Amazon EC2 instances assume the instance profile role to sign requests to AWS and access APIs, for example, to upload logs to Amazon S3.

The first time you create an environment in the Elastic Beanstalk console, Elastic Beanstalk prompts you to create an instance profile with a default set of permissions. You can add permissions to this profile to provide your instances access to other AWS services. For details, see Managing Elastic Beanstalk instance profiles.

Environment security configuration namespaces

Elastic Beanstalk provides configuration options in the following namespaces to enable you to customize the security of your environment:

The EB CLI and Elastic Beanstalk console apply recommended values for the preceding options. You must remove these settings if you want to use configuration files to configure the same. See Recommended values for details.