
Commit 163b90f

author
Ranganath
committed
Updated template to use SSM Parameter for Linux AMI, changed to use AmazonSSMManagedInstanceCore policy for Instance Profile Role
1 parent f2d80af commit 163b90f

2 files changed

+31
-6
lines changed

README.md

Lines changed: 3 additions & 2 deletions
@@ -1,7 +1,8 @@
11
## AWS Secrets Manager Ssh Key Rotation
22

3-
Secrets Manager - Lambda rotation function for SSH Keys
4-
Please see a walk-through of using this function in [How to use AWS Secrets Manager to securely store and rotate SSH key pairs](https://aws.amazon.com/blogs/security/how-to-use-aws-secrets-manager-securely-store-rotate-ssh-key-pairs/)
3+
Secrets Manager - Lambda rotation function for SSH Keys.
4+
5+
Please see a walk-through of using this function in [How to use AWS Secrets Manager to securely store and rotate SSH key pairs](https://aws.amazon.com/blogs/security/how-to-use-aws-secrets-manager-securely-store-rotate-ssh-key-pairs/).
56

67
## License Summary
78

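Review bot: The README is not updated for the behaviour change in this commit: master_workers.yaml now resolves the Linux AMI from an SSM public parameter and attaches AmazonSSMManagedInstanceCore to the worker role, so whoever deploys the stack needs ssm:GetParameters on the `/aws/service/ami-amazon-linux-latest/` path and no longer has to look up a region-specific AMI ID. A sentence on that under the heading would help. Minor style point: the heading still reads "Ssh" while the body uses "SSH".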
master_workers.yaml

Lines changed: 28 additions & 4 deletions
@@ -5,8 +5,8 @@ Parameters:
55
Type: AWS::EC2::KeyPair::KeyName
66
LinuxAMI:
77
Description: Amazon Linux AMI ID
8-
Type: AWS::EC2::Image::Id
9-
Default: ami-035b3c7efe6d061d5
8+
Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
9+
Default: '/aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2'
1010
VpcBlock:
1111
Type: String
1212
Default: 192.168.0.0/16
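Review bot: The new type `AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>` resolves `/aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2` at every stack create or update, so a later update with no template change can still pick up a newer AMI and replace the instances; worth stating in the README, or overriding the parameter when a pinned image is wanted. The chosen path resolves to Amazon Linux (the `amzn-ami-hvm` prefix), which matches the Description; confirm that rather than Amazon Linux 2 is intended. Otherwise this is an improvement: the removed hard-coded `ami-035b3c7efe6d061d5` was only valid in a single region.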
@@ -124,13 +124,30 @@ Resources:
124124
MasterSecurityGroup:
125125
Type: AWS::EC2::SecurityGroup
126126
Properties:
127-
GroupDescription: Master Node Security Group - Allow SSH access from all Public Internet addresses
127+
GroupDescription: Master Node Security Group - Allow SSH access from your IP range
128128
VpcId: !Ref VPC
129129
SecurityGroupIngress:
130130
- IpProtocol: tcp
131131
FromPort: '22'
132132
ToPort: '22'
133133
CidrIp: !Ref YourIPRange
134+
Description: SSH from your IP
135+
SecurityGroupEgress:
136+
- IpProtocol: tcp
137+
FromPort: '80'
138+
ToPort: '80'
139+
CidrIp: 0.0.0.0/0
140+
Description: HTTP to Internet
141+
- IpProtocol: tcp
142+
FromPort: '443'
143+
ToPort: '443'
144+
CidrIp: 0.0.0.0/0
145+
Description: HTTPS to Internet
146+
- IpProtocol: tcp
147+
FromPort: '22'
148+
ToPort: '22'
149+
CidrIp: 0.0.0.0/0
150+
Description: SSH to Anywhere
134151
WorkerSecurityGroup:
135152
Type: AWS::EC2::SecurityGroup
136153
Properties:
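Review bot: The `SSH to Anywhere` egress rule (port 22 to `CidrIp: 0.0.0.0/0`) on MasterSecurityGroup is wider than this change needs: the master only has to reach the workers, whose WorkerSecurityGroup ingress already accepts port 22 from MasterSecurityGroup. Restrict the destination, for example `CidrIp: !Ref VpcBlock` in place of `CidrIp: 0.0.0.0/0`, or use `DestinationSecurityGroupId` in a separate `AWS::EC2::SecurityGroupEgress` resource (a direct `!Ref WorkerSecurityGroup` inside this group would create a circular dependency with the worker group's ingress). Adding an explicit SecurityGroupEgress block is otherwise the right move, since it replaces the default allow-all egress, and the corrected GroupDescription now matches the `YourIPRange` ingress instead of advertising open SSH.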
@@ -141,6 +158,13 @@ Resources:
141158
FromPort: '22'
142159
ToPort: '22'
143160
SourceSecurityGroupId: !Ref 'MasterSecurityGroup'
161+
Description: SSH from MasterServer
162+
SecurityGroupEgress:
163+
- IpProtocol: tcp
164+
FromPort: '443'
165+
ToPort: '443'
166+
CidrIp: 0.0.0.0/0
167+
Description: HTTPS to Internet
144168
WorkerServerRole:
145169
Type: AWS::IAM::Role
146170
Properties:
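Review bot: The worker egress is limited to 443, whereas the master is given both 80 and 443. If the workers fetch packages over plain HTTP, as the master's `HTTP to Internet` rule suggests is expected, that will fail at boot; either add a matching port 80 rule here or document that workers are updated through another path. 443 is sufficient for the SSM agent itself, but only if the subnet has an internet or NAT route; otherwise SSM VPC endpoints would be needed.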
@@ -154,7 +178,7 @@ Resources:
154178
Action:
155179
- sts:AssumeRole
156180
ManagedPolicyArns:
157-
- arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
181+
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
158182
WorkerServerInstanceProfile:
159183
Type: AWS::IAM::InstanceProfile
160184
Properties:
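Review bot: Swapping `AmazonEC2RoleforSSM` for `AmazonSSMManagedInstanceCore` narrows WorkerServerRole to the core SSM agent permissions, which is the right direction for a least-privilege instance profile; the old policy also granted S3 and CloudWatch access that the new one does not. If the rotation flow depends on Run Command output going to S3 or CloudWatch Logs, attach a scoped policy for that explicitly rather than reverting. Only WorkerServerRole appears in this hunk; check whether a master role in the same template still references the old policy.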