I'm building a portfolio/resume website using a template I found, and I'm currently customizing it with my own information. I'm using WebStorm for development, and my site is hosted on GitHub, where I also have GitHub Actions set up to deploy to an EC2 instance. I have a t2.micro Linux AMI instance, which is part of the free tier. My workflow requires a PEM secret for SSH, and I've configured the security group inbound rules for HTTP (80), HTTPS (443), and SSH (22).
Typically, ports 80 and 443 are open to everyone, while SSH is usually restricted to my local IP for security reasons. However, since GitHub Actions needs SSH access, I've unfortunately opened it up globally, which seems really insecure. I'm looking for advice on how to whitelist my IP and others for GitHub Actions while keeping out everyone else.
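One way to get the allow-listing the question asks for, as an added example that is not part of the original post: the workflow below opens port 22 to the runner's own address for the duration of the job and closes it again in a step that runs even when the deploy fails, so the SSH rule is never left open to the world. It assumes an IAM role trusted by GitHub's OIDC provider (stored as `AWS_DEPLOY_ROLE_ARN`), the instance's security group id (`EC2_SECURITY_GROUP_ID`), the host name, the PEM key and a pinned host key (`EC2_HOST`, `EC2_SSH_KEY`, `EC2_HOST_KEY`) as repository secrets; all of those names, the region and the `./site` directory are assumptions for the example.

```yaml
name: deploy-over-ssh-with-temporary-allow-rule
on:
  push:
    branches: [main]

permissions:
  id-token: write   # needed for the OIDC token used to assume the AWS role
  contents: read

concurrency: deploy  # one deploy at a time, so two runs cannot revoke each other's rule

jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      AWS_REGION: us-east-1                          # assumption: region of the instance
      SG_ID: ${{ secrets.EC2_SECURITY_GROUP_ID }}    # assumption: sg-... attached to the instance
    steps:
      - uses: actions/checkout@v4

      - name: Assume a deploy role via OIDC (no long-lived AWS keys stored in GitHub)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}   # assumption: role ARN secret
          aws-region: ${{ env.AWS_REGION }}

      - name: Discover this runner's public IP
        id: ip
        run: echo "addr=$(curl -fsS https://checkip.amazonaws.com)" >> "$GITHUB_OUTPUT"

      - name: Open port 22 to this runner only (a /32, not 0.0.0.0/0)
        run: |
          aws ec2 authorize-security-group-ingress \
            --group-id "$SG_ID" --protocol tcp --port 22 \
            --cidr "${{ steps.ip.outputs.addr }}/32"

      - name: Deploy over SSH
        run: |
          install -m 600 /dev/null key.pem                     # create the key file with mode 600 first
          printf '%s\n' "${{ secrets.EC2_SSH_KEY }}" > key.pem
          printf '%s\n' "${{ secrets.EC2_HOST_KEY }}" > known_hosts   # assumption: pinned host key line
          rsync -az --delete -e "ssh -i key.pem -o UserKnownHostsFile=known_hosts" \
            ./site/ "ec2-user@${{ secrets.EC2_HOST }}:/var/www/html/"

      - name: Close port 22 again (runs even if the deploy step failed)
        if: always()
        run: |
          aws ec2 revoke-security-group-ingress \
            --group-id "$SG_ID" --protocol tcp --port 22 \
            --cidr "${{ steps.ip.outputs.addr }}/32"
```

Two things make this safe in practice: the IAM policy on the assumed role should allow `ec2:AuthorizeSecurityGroupIngress` and `ec2:RevokeSecurityGroupIngress` only on that one security group, and the pinned `known_hosts` entry means a hijacked DNS answer cannot redirect the deploy to a different host. The runner's address is shared with other GitHub customers while the rule exists, which is why the window is kept to a single job rather than left open.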
3 Answers
AWS recently introduced EC2 Instance Connect Endpoints. This allows you to SSH into instances without needing a public IP. However, I'm not entirely sure if you can script the AWS CLI for this within GitHub Actions. Check out the AWS documentation for more details.
You might want to consider integrating GHA with CodeBuild. It lets you run specific jobs on CodeBuild runners located in a designated VPC, which could enhance your security while deploying.
Why not use SSM for your SSH needs? It’s a much more secure way to manage instances without opening ports. You could leverage Amazon Systems Manager, which helps with remote access and management of your AWS environment. It could save you from the hassle of dealing with SSH access directly.
I didn’t even know SSM was an option! For my simple HTML site on EC2, I only found tutorials that focused on SSH setups. I’m totally willing to learn about SSM and improve my skills, especially after getting the hang of GHA. Thanks for the suggestion!
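A concrete version of the SSM suggestion above, added here as an example and not code from any of the posters: the workflow uploads the site to S3 and then asks Systems Manager to run the pull on the instance, so port 22 can be removed from the security group entirely. It assumes an OIDC-trusted deploy role (`AWS_DEPLOY_ROLE_ARN`), the instance id (`EC2_INSTANCE_ID`), an S3 bucket the instance's own role can read (`DEPLOY_BUCKET`), and an instance role that carries the `AmazonSSMManagedInstanceCore` policy so the SSM agent already present on Amazon Linux can register; the secret names, region and `./site` directory are assumptions for the example.

```yaml
name: deploy-via-ssm
on:
  push:
    branches: [main]

permissions:
  id-token: write   # OIDC token for assuming the AWS role
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      AWS_REGION: us-east-1                         # assumption: region of the instance
      INSTANCE_ID: ${{ secrets.EC2_INSTANCE_ID }}   # assumption: i-... registered with SSM
      BUCKET: ${{ secrets.DEPLOY_BUCKET }}          # assumption: bucket readable by the instance role
    steps:
      - uses: actions/checkout@v4

      - name: Assume the deploy role via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}   # assumption: role ARN secret
          aws-region: ${{ env.AWS_REGION }}

      - name: Upload the built site to S3 (the instance pulls it; nothing is pushed over an open port)
        run: aws s3 sync ./site "s3://$BUCKET/site/" --delete

      - name: Ask SSM to run the pull on the instance
        id: send
        run: |
          cmd_id=$(aws ssm send-command \
            --instance-ids "$INSTANCE_ID" \
            --document-name "AWS-RunShellScript" \
            --comment "deploy ${GITHUB_SHA}" \
            --parameters "{\"commands\":[\"aws s3 sync s3://$BUCKET/site/ /var/www/html/ --delete\"]}" \
            --query "Command.CommandId" --output text)
          echo "id=$cmd_id" >> "$GITHUB_OUTPUT"

      - name: Wait for the command and fail the job if it failed on the instance
        run: |
          # the waiter exits non-zero when the command ends in a Failed, Cancelled or TimedOut state
          aws ssm wait command-executed \
            --command-id "${{ steps.send.outputs.id }}" --instance-id "$INSTANCE_ID"
          # print the status and captured output for the job log
          aws ssm get-command-invocation \
            --command-id "${{ steps.send.outputs.id }}" --instance-id "$INSTANCE_ID" \
            --query "{Status:Status,Out:StandardOutputContent,Err:StandardErrorContent}"
```

With this layout the inbound rules are only 80 and 443; the SSM agent makes an outbound connection to the Systems Manager endpoints, so no inbound SSH rule and no PEM key in GitHub are needed. The deploy role's policy can be limited to `ssm:SendCommand` on that one instance and the `AWS-RunShellScript` document plus `ssm:GetCommandInvocation`, and every invocation is recorded in Systems Manager, which gives a deployment audit trail that plain SSH does not.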