# Configuring Elastic Beanstalk environments (advanced)
When you create an AWS Elastic Beanstalk environment, Elastic Beanstalk provisions and configures all of the AWS resources required to run and support your application. In addition to configuring your environment's metadata and update behavior, you can customize these resources by providing values for [configuration options](command-options.md). For example, you may want to add an Amazon SQS queue and an alarm on queue depth, or you might want to add an Amazon ElastiCache cluster.
Most of the configuration options have default values that are applied automatically by Elastic Beanstalk. You can override these defaults with configuration files, saved configurations, command line options, or by directly calling the Elastic Beanstalk API. The EB CLI and Elastic Beanstalk console also apply recommended values for some options.
You can easily customize your environment at the same time that you deploy your application version by including a configuration file with your source bundle. When customizing the software on your instance, it is more advantageous to use a configuration file than to create a custom AMI because you do not need to maintain a set of AMIs.
When deploying your applications, you may want to customize and configure the software that your application depends on. These files could be either dependencies required by the application—for example, additional packages from the yum repository—or they could be configuration files such as a replacement for httpd.conf to override specific settings that are defaulted by AWS Elastic Beanstalk.
**Topics**
+ [
# Configuration options
](command-options.md)
+ [
# Advanced environment customization with configuration files (`.ebextensions`)
](ebextensions.md)
+ [
# Using Elastic Beanstalk saved configurations
](environment-configuration-savedconfig.md)
+ [
# Environment manifest (`env.yaml`)
](environment-cfg-manifest.md)
+ [
# Using a custom Amazon machine image (AMI) in your Elastic Beanstalk environment
](using-features.customenv.md)
+ [
# Serving static files
](environment-cfg-staticfiles.md)
+ [
# Configuring HTTPS for your Elastic Beanstalk environment
](configuring-https.md)
# Configuration options
Elastic Beanstalk defines a large number of configuration options that you can use to configure your environment's behavior and the resources that it contains. Configuration options are organized into namespaces like `aws:autoscaling:asg`, which defines options for an environment's Auto Scaling group.
The Elastic Beanstalk console and EB CLI set configuration options when you create an environment, including options that you set explicitly, and [recommended values](#configuration-options-recommendedvalues) defined by the client. You can also set configuration options in saved configurations and configuration files. If the same option is set in multiple locations, the value used is determined by the [order of precedence](#configuration-options-precedence).
Configuration option settings can be composed in text format and saved prior to environment creation, applied during environment creation using any supported client, and added, modified or removed after environment creation. For a detailed breakdown of all of the available methods for working with configuration options at each of these three stages, read the following topics:
+ [Setting configuration options before environment creation](environment-configuration-methods-before.md)
+ [Setting configuration options during environment creation](environment-configuration-methods-during.md)
+ [Setting configuration options after environment creation](environment-configuration-methods-after.md)
For a complete list of namespaces and options, including default and supported values for each, see [General options for all environments](command-options-general.md) and [Platform specific options](command-options-specific.md).
## Precedence
During environment creation, configuration options are applied from multiple sources with the following precedence, from highest to lowest:
+ **Settings applied directly to the environment** – Settings specified during a create environment or update environment operation on the Elastic Beanstalk API by any client, including the Elastic Beanstalk console, EB CLI, AWS CLI, and SDKs. The Elastic Beanstalk console and EB CLI also apply [recommended values](#configuration-options-recommendedvalues) for some options that apply at this level unless overridden.
+ **Saved Configurations** – Settings for any options that are not applied directly to the environment are loaded from a saved configuration, if specified.
+ **Configuration Files (.ebextensions)** – Settings for any options that are not applied directly to the environment, and also not specified in a saved configuration, are loaded from configuration files in the `.ebextensions` folder at the root of the application source bundle.
Configuration files are executed in alphabetical order. For example, `.ebextensions/01run.config` is executed before `.ebextensions/02do.config`.
+ **Default Values** – If a configuration option has a default value, it only applies when the option is not set at any of the above levels.
If the same configuration option is defined in more than one location, the setting with the highest precedence is applied. When a setting is applied from a saved configuration or settings applied directly to the environment, the setting is stored as part of the environment's configuration. These settings can be removed [with the AWS CLI](environment-configuration-methods-after.md#configuration-options-remove-awscli) or [with the EB CLI](environment-configuration-methods-after.md#configuration-options-remove-ebcli).
Settings in configuration files are not applied directly to the environment and cannot be removed without modifying the configuration files and deploying a new application version. If a setting applied with one of the other methods is removed, the same setting will be loaded from configuration files in the source bundle.
For example, say you set the minimum number of instances in your environment to 5 during environment creation, using either the Elastic Beanstalk console, a command line option, or a saved configuration. The source bundle for your application also includes a configuration file that sets the minimum number of instances to 2.
When you create the environment, Elastic Beanstalk sets the `MinSize` option in the `aws:autoscaling:asg` namespace to 5. If you then remove the option from the environment configuration, the value in the configuration file is loaded, and the minimum number of instances is set to 2. If you then remove the configuration file from the source bundle and redeploy, Elastic Beanstalk uses the default setting of 1.
## Recommended values
The Elastic Beanstalk Command Line Interface (EB CLI) and Elastic Beanstalk console provide recommended values for some configuration options. These values can be different from the default values and are set at the API level when your environment is created. Recommended values allow Elastic Beanstalk to improve the default environment configuration without making backwards incompatible changes to the API.
For example, both the EB CLI and Elastic Beanstalk console set the configuration option for EC2 instance type (`InstanceType` in the `aws:autoscaling:launchconfiguration` namespace). Each client provides a different way of overriding the default setting. In the console you can choose a different instance type from a drop down menu on the **Configuration Details** page of the **Create New Environment** wizard. With the EB CLI, you can use the `--instance_type` parameter for [**eb create**](eb3-create.md).
Because the recommended values are set at the API level, they will override values for the same options that you set in configuration files or saved configurations. The following options are set:
**Elastic Beanstalk console**
+ Namespace: `aws:autoscaling:launchconfiguration`
Option Names: `IamInstanceProfile`, `EC2KeyName`, `InstanceType`
+ Namespace: `aws:autoscaling:updatepolicy:rollingupdate`
Option Names: `RollingUpdateType` and `RollingUpdateEnabled`
+ Namespace: `aws:elasticbeanstalk:application`
Option Name: `Application Healthcheck URL`
+ Namespace: `aws:elasticbeanstalk:command`
Option Name: `DeploymentPolicy`, `BatchSize` and `BatchSizeType`
+ Namespace: `aws:elasticbeanstalk:environment`
Option Name: `ServiceRole`
+ Namespace: `aws:elasticbeanstalk:healthreporting:system`
Option Name: `SystemType` and `HealthCheckSuccessThreshold`
+ Namespace: `aws:elasticbeanstalk:sns:topics`
Option Name: `Notification Endpoint`
+ Namespace: `aws:elasticbeanstalk:sqsd`
Option Name: `HttpConnections`
+ Namespace: `aws:elb:loadbalancer`
Option Name: `CrossZone`
+ Namespace: `aws:elb:policies`
Option Names: `ConnectionDrainingTimeout` and `ConnectionDrainingEnabled`
**EB CLI**
+ Namespace: `aws:autoscaling:launchconfiguration`
Option Names: `IamInstanceProfile`, `InstanceType`
+ Namespace: `aws:autoscaling:updatepolicy:rollingupdate`
Option Names: `RollingUpdateType` and `RollingUpdateEnabled`
+ Namespace: `aws:elasticbeanstalk:command`
Option Name: `BatchSize` and `BatchSizeType`
+ Namespace: `aws:elasticbeanstalk:environment`
Option Name: `ServiceRole`
+ Namespace: `aws:elasticbeanstalk:healthreporting:system`
Option Name: `SystemType`
+ Namespace: `aws:elb:loadbalancer`
Option Name: `CrossZone`
+ Namespace: `aws:elb:policies`
Option Names: `ConnectionDrainingEnabled`
# Setting configuration options before environment creation
AWS Elastic Beanstalk supports a large number of [configuration options](command-options.md) that let you modify the settings that are applied to resources in your environment. Several of these options have default values that can be overridden to customize your environment. Other options can be configured to enable additional features.
Elastic Beanstalk supports two methods of saving configuration option settings. Configuration files in YAML or JSON format can be included in your application's source code in a directory named `.ebextensions` and deployed as part of your application source bundle. You create and manage configuration files locally.
Saved configurations are templates that you create from a running environment or JSON options file and store in Elastic Beanstalk. Existing saved configurations can also be extended to create a new configuration.
**Note**
Settings defined in configuration files and saved configurations have lower precedence than settings configured during or after environment creation, including recommended values applied by the Elastic Beanstalk console and [EB CLI](eb-cli3.md). See [Precedence](command-options.md#configuration-options-precedence) for details.
Options can also be specified in a JSON document and provided directly to Elastic Beanstalk when you create or update an environment with the EB CLI or AWS CLI. Options provided directly to Elastic Beanstalk in this manner override all other methods.
For a full list of available options, see [Configuration options](command-options.md).
**Topics**
+ [
## Configuration files (`.ebextensions`)
](#configuration-options-before-ebextensions)
+ [
## Saved configurations
](#configuration-options-before-savedconfig)
+ [
## JSON document
](#configuration-options-before-json)
+ [
## EB CLI configuration
](#configuration-options-before-configyml)
## Configuration files (`.ebextensions`)
Use `.ebextensions` to configure options that are required to make your application work, and provide default values for other options that can be overridden at a higher level of [precedence](command-options.md#configuration-options-precedence). Options specified in `.ebextensions` have the lowest level of precedence and are overridden by settings at any other level.
To use configuration files, create a folder named `.ebextensions` at the top level of your project's source code. Add a file with the extension `.config` and specify options in the following manner:
```
option_settings:
- namespace: namespace
option_name: option name
value: option value
- namespace: namespace
option_name: option name
value: option value
```
For example, the following configuration file sets the application's health check url to `/health`:
`healthcheckurl.config`
```
option_settings:
- namespace: aws:elasticbeanstalk:application
option_name: Application Healthcheck URL
value: /health
```
In JSON:
```
{
"option_settings" :
[
{
"namespace" : "aws:elasticbeanstalk:application",
"option_name" : "Application Healthcheck URL",
"value" : "/health"
}
]
}
```
This configures the Elastic Load Balancing load balancer in your Elastic Beanstalk environment to make an HTTP request to the path `/health` to each EC2 instance to determine if it is healthy or not.
**Note**
YAML relies on consistent indentation. Match the indentation level when replacing content in an example configuration file and ensure that your text editor uses spaces, not tab characters, to indent.
Include the `.ebextensions` directory in your [Application Source Bundle](applications-sourcebundle.md) and deploy it to a new or existing Elastic Beanstalk environment.
Configuration files support several sections in addition to `option_settings` for customizing the software and files that run on the servers in your environment. For more information, see [.Ebextensions](ebextensions.md).
## Saved configurations
Create a saved configuration to save settings that you have applied to an existing environment during or after environment creation by using the Elastic Beanstalk console, EB CLI, or AWS CLI. Saved configurations belong to an application and can be applied to new or existing environments for that application.
**Topics**
+ [
### Elastic Beanstalk console
](#configuration-options-before-savedconfig-console)
+ [
### EB CLI
](#configuration-options-before-savedconfig-ebcli)
+ [
### AWS CLI
](#configuration-options-before-savedconfig-awscli)
### Elastic Beanstalk console
**To create a saved configuration (Elastic Beanstalk console)**
1. Open the [Elastic Beanstalk console](https://console.aws.amazon.com/elasticbeanstalk), and in the **Regions** list, select your AWS Region.
1. In the navigation pane, choose **Environments**, and then choose the name of your environment from the list.
1. Choose **Actions**, and then choose **Save configuration**.
1. Use the on-screen dialog box to complete the action.
Saved configurations are stored in the Elastic Beanstalk S3 bucket in a folder named after your application. For example, configurations for an application named `my-app` in the us-west-2 region for account number 123456789012 can be found at `s3://elasticbeanstalk-us-west-2-123456789012/resources/templates/my-app`.
### EB CLI
The [EB CLI](eb-cli3.md) also provides subcommands for interacting with saved configurations under [**eb config**](eb3-config.md):
**To create a saved configuration (EB CLI)**
1. Save the attached environment's current configuration:
```
~/project$ eb config save --cfg my-app-v1
```
The EB CLI saves the configuration to `~/project/.elasticbeanstalk/saved_configs/my-app-v1.cfg.yml`
1. Modify the saved configuration locally if needed.
1. Upload the saved configuration to S3:
```
~/project$ eb config put my-app-v1
```
### AWS CLI
Create a saved configuration from a running environment with `aws elasticbeanstalk create-configuration-template`
**To create a saved configuration (AWS CLI)**
1. Identify your Elastic Beanstalk environment's environment ID with `describe-environments`:
```
$ aws elasticbeanstalk describe-environments --environment-name my-env
{
"Environments": [
{
"ApplicationName": "my-env",
"EnvironmentName": "my-env",
"VersionLabel": "89df",
"Status": "Ready",
"Description": "Environment created from the EB CLI using \"eb create\"",
"EnvironmentId": "e-vcghmm2zwk",
"EndpointURL": "awseb-e-v-AWSEBLoa-1JUM8159RA11M-43V6ZI1194.us-west-2.elb.amazonaws.com",
"SolutionStackName": "64bit Amazon Linux 2015.03 v2.0.2 running Multi-container Docker 1.7.1 (Generic)",
"CNAME": "my-env-nfptuqaper.elasticbeanstalk.com",
"Health": "Green",
"AbortableOperationInProgress": false,
"Tier": {
"Version": " ",
"Type": "Standard",
"Name": "WebServer"
},
"HealthStatus": "Ok",
"DateUpdated": "2015-10-01T00:24:04.045Z",
"DateCreated": "2015-09-30T23:27:55.768Z"
}
]
}
```
1. Save the environment's current configuration with `create-configuration-template`:
```
$ aws elasticbeanstalk create-configuration-template --environment-id e-vcghmm2zwk --application-name my-app --template-name v1
```
Elastic Beanstalk saves the configuration to your Elastic Beanstalk bucket in Amazon S3.
## JSON document
If you use the AWS CLI to create and update environments, you can also provide configuration options in JSON format. A library of configuration files in JSON is useful if you use the AWS CLI to create and manage environments.
For example, the following JSON document sets the application's health check url to `/health`:
**\$1/ebconfigs/healthcheckurl.json**
```
[
{
"Namespace": "aws:elasticbeanstalk:application",
"OptionName": "Application Healthcheck URL",
"Value": "/health"
}
]
```
## EB CLI configuration
In addition to supporting saved configurations and direct environment configuration with **eb config** commands, the EB CLI has a configuration file with an option named `default_ec2_keyname` that you can use to specify an Amazon EC2 key pair for SSH access to the instances in your environment. The EB CLI uses this option to set the `EC2KeyName` configuration option in the `aws:autoscaling:launchconfiguration` namespace.
**\$1/workspace/my-app/.elasticbeanstalk/config.yml**
```
branch-defaults:
master:
environment: my-env
develop:
environment: my-env-dev
deploy:
artifact: ROOT.war
global:
application_name: my-app
default_ec2_keyname: my-keypair
default_platform: Tomcat 8 Java 8
default_region: us-west-2
profile: null
sc: git
```
# Setting configuration options during environment creation
When you create an AWS Elastic Beanstalk environment by using the Elastic Beanstalk console, EB CLI, AWS CLI, an SDK, or the Elastic Beanstalk API, you can provide values for configuration options to customize your environment and the AWS resources that are launched within it.
For anything other than a one-off configuration change, you can [store configuration files](environment-configuration-methods-before.md) locally, in your source bundle, or in Amazon S3.
This topic includes procedures for all of the methods to set configuration options during environment creation.
**Topics**
+ [
## In the Elastic Beanstalk console
](#configuration-options-during-console)
+ [
## Using the EB CLI
](#configuration-options-during-ebcli)
+ [
## Using the AWS CLI
](#configuration-options-during-awscli)
## In the Elastic Beanstalk console
When you create an Elastic Beanstalk environment in the Elastic Beanstalk console, you can provide configuration options using configuration files, saved configurations, and forms in the **Create New Environment** wizard.
**Topics**
+ [
### Using configuration files (`.ebextensions`)
](#configuration-options-during-console-ebextensions)
+ [
### Using a saved configuration
](#configuration-options-during-console-savedconfig)
+ [
### Using the new environment wizard
](#configuration-options-during-console-wizard)
### Using configuration files (`.ebextensions`)
Include `.config` files in your [application source bundle](applications-sourcebundle.md) in a folder named `.ebextensions`.
For details about configuration files, see [.Ebextensions](ebextensions.md).
```
~/workspace/my-app-v1.zip
|-- .ebextensions
| |-- environmentvariables.config
| `-- healthcheckurl.config
|-- index.php
`-- styles.css
```
Upload the source bundle to Elastic Beanstalk normally, during [environment creation](using-features.environments.md).
The Elastic Beanstalk console applies [recommended values](command-options.md#configuration-options-recommendedvalues) for some configuration options and has form fields for others. Options configured by the Elastic Beanstalk console are applied directly to the environment and override settings in configuration files.
### Using a saved configuration
When you create a new environment using the Elastic Beanstalk console, one of the first steps is to choose a configuration. The configuration can be a [**predefined configuration**](concepts.platforms.md), typically the latest version of a platform such as **PHP** or **Tomcat**, or it can be a **saved configuration**.
**To apply a saved configuration during environment creation (Elastic Beanstalk console)**
1. Open the [Elastic Beanstalk console](https://console.aws.amazon.com/elasticbeanstalk), and in the **Regions** list, select your AWS Region.
1. In the navigation pane, choose **Applications**, and then choose your application's name from the list.
1. In the navigation pane, find your application's name and choose **Saved configurations**.
1. Select the saved configuration you want to apply, and then choose **Launch environment**.
1. Proceed through the wizard to create your environment.
Saved configurations are application-specific. See [Saved configurations](environment-configuration-methods-before.md#configuration-options-before-savedconfig) for details on creating saved configurations.
### Using the new environment wizard
Most of the standard configuration options are presented on the **Configure more options** page of the [Create New Environment wizard](environments-create-wizard.md). If you create an Amazon RDS database or configure a VPC for your environment, additional configuration options are available for those resources.
**To set configuration options during environment creation (Elastic Beanstalk console)**
1. Open the [Elastic Beanstalk console](https://console.aws.amazon.com/elasticbeanstalk), and in the **Regions** list, select your AWS Region.
1. In the navigation pane, choose **Applications**.
1. Choose or [create](applications.md) an application.
1. Choose **Actions**, and then choose **Create environment**.
1. Proceed through the wizard, and choose **Configure more options**.
1. Choose any of the **configuration presets**, and then choose **Edit** in one or more of the configuration categories to change a group of related configuration options.
1. When you are done making option selections, choose **Create environment**.
Any options that you set in the new environment wizard are set directly on the environment and override any option settings in saved configurations or configuration files (`.ebextensions`) that you apply. You can remove settings after the environment is created using the [EB CLI](environment-configuration-methods-after.md#configuration-options-after-ebcli) or [AWS CLI](environment-configuration-methods-after.md#configuration-options-after-awscli) to allow the settings in saved configurations or configuration files to surface.
For details about the new environment wizard, see [The create new environment wizard](environments-create-wizard.md).
## Using the EB CLI
**Topics**
+ [
### Using configuration files (`.ebextensions`)
](#configuration-options-during-ebcli-ebextensions)
+ [
### Using saved configurations
](#configuration-options-during-ebcli-savedconfig)
+ [
### Using command line options
](#configuration-options-during-ebcli-params)
### Using configuration files (`.ebextensions`)
Include `.config` files in your project folder under `.ebextensions` to deploy them with your application code.
For details about configuration files, see [.Ebextensions](ebextensions.md).
```
~/workspace/my-app/
|-- .ebextensions
| |-- environmentvariables.config
| `-- healthcheckurl.config
|-- .elasticbeanstalk
| `-- config.yml
|-- index.php
`-- styles.css
```
Create your environment and deploy your source code to it with **eb create**.
```
~/workspace/my-app$ eb create my-env
```
### Using saved configurations
To apply a saved configuration when you create an environment with [**eb create**](eb3-create.md), use the `--cfg` option.
```
~/workspace/my-app$ eb create --cfg savedconfig
```
You can store the saved configuration in your project folder or in your Elastic Beanstalk storage location on Amazon S3. In the previous example, the EB CLI first looks for a saved configuration file named `savedconfig.cfg.yml` in the folder `.elasticbeanstalk/saved_configs/`. Do not include the file name extensions (`.cfg.yml`) when applying a saved configuration with `--cfg`.
```
~/workspace/my-app/
|-- .ebextensions
| `-- healthcheckurl.config
|-- .elasticbeanstalk
| |-- saved_configs
| | `-- savedconfig.cfg.yml
| `-- config.yml
|-- index.php
`-- styles.css
```
If the EB CLI does not find the configuration locally, it looks in the Elastic Beanstalk storage location in Amazon S3. For details on creating, editing, and uploading saved configurations, see [Saved configurations](environment-configuration-methods-before.md#configuration-options-before-savedconfig).
### Using command line options
The EB CLI **eb create** command has several [options](eb3-create.md#eb3-createoptions) that you can use to set configuration options during environment creation. You can use these options to add an RDS database to your environment, configure a VPC, or override [recommended values](command-options.md#configuration-options-recommendedvalues).
For example, the EB CLI uses the `t2.micro` instance type by default. To choose a different instance type, use the `--instance_type` option.
```
$ eb create my-env --instance_type t2.medium
```
To create an Amazon RDS database instance and attach it to your environment, use the `--database` options.
```
$ eb create --database.engine postgres --database.username dbuser
```
If you leave out the environment name, database password, or any other parameters that are required to create your environment, the EB CLI prompts you to enter them.
See [eb create](eb3-create.md) for a full list of available options and usage examples.
## Using the AWS CLI
When you use the `create-environment` command to create an Elastic Beanstalk environment with the AWS CLI, the AWS CLI does not apply any [recommended values](command-options.md#configuration-options-recommendedvalues). All configuration options are defined in configuration files in the source bundle that you specify.
**Topics**
+ [
### Using configuration files (`.ebextensions`)
](#configuration-options-during-awscli-ebextensions)
+ [
### Using a saved configuration
](#configuration-options-during-awscli-savedconfig)
+ [
### Using command line options
](#configuration-options-during-awscli-params)
### Using configuration files (`.ebextensions`)
To apply configuration files to an environment that you create with the AWS CLI, include them in the application source bundle that you upload to Amazon S3.
For details about configuration files, see [.Ebextensions](ebextensions.md).
```
~/workspace/my-app-v1.zip
|-- .ebextensions
| |-- environmentvariables.config
| `-- healthcheckurl.config
|-- index.php
`-- styles.css
```
**To upload an application source bundle and create an environment with the AWS CLI**
1. If you don't already have an Elastic Beanstalk bucket in Amazon S3, create one with `create-storage-location`.
```
$ aws elasticbeanstalk create-storage-location
{
"S3Bucket": "elasticbeanstalk-us-west-2-123456789012"
}
```
1. Upload your application source bundle to Amazon S3.
```
$ aws s3 cp sourcebundle.zip s3://elasticbeanstalk-us-west-2-123456789012/my-app/sourcebundle.zip
```
1. Create the application version.
```
$ aws elasticbeanstalk create-application-version --application-name my-app --version-label v1 --description MyAppv1 --source-bundle S3Bucket="elasticbeanstalk-us-west-2-123456789012",S3Key="my-app/sourcebundle.zip" --auto-create-application
```
1. Create the environment.
```
$ aws elasticbeanstalk create-environment --application-name my-app --environment-name my-env --version-label v1 --solution-stack-name "64bit Amazon Linux 2015.03 v2.0.0 running Tomcat 8 Java 8"
```
### Using a saved configuration
To apply a saved configuration to an environment during creation, use the `--template-name` parameter.
```
$ aws elasticbeanstalk create-environment --application-name my-app --environment-name my-env --template-name savedconfig --version-label v1
```
When you specify a saved configuration, do not also specify a solution stack name. Saved configurations already specify a solution stack and Elastic Beanstalk will return an error if you try to use both options.
### Using command line options
Use the `--option-settings` parameter to specify configuration options in JSON format.
```
$ aws elasticbeanstalk create-environment --application-name my-app --environment-name my-env --version-label v1 --template-name savedconfig --option-settings '[
{
"Namespace": "aws:elasticbeanstalk:application",
"OptionName": "Application Healthcheck URL",
"Value": "/health"
}
]
```
To load the JSON from a file, use the `file://` prefix.
```
$ aws elasticbeanstalk create-environment --application-name my-app --environment-name my-env --version-label v1 --template-name savedconfig --option-settings file://healthcheckurl.json
```
Elastic Beanstalk applies option settings that you specify with the `--option-settings` option directly to your environment. If the same options are specified in a saved configuration or configuration file, `--option-settings` overrides those values.
# Setting configuration options after environment creation
You can modify the option settings on a running environment by applying saved configurations, uploading a new source bundle with configuration files (`.ebextensions`), or using a JSON document. The EB CLI and Elastic Beanstalk console also have client-specific functionality for setting and updating configuration options.
When you set or change a configuration option, you can trigger a full environment update, depending on the severity of the change. For example, changes to options in the [`aws:autoscaling:launchconfiguration`](command-options-general.md#command-options-general-autoscalinglaunchconfiguration), such as `InstanceType`, require that the Amazon EC2 instances in your environment are reprovisioned. This triggers a [rolling update](using-features.rollingupdates.md). Other configuration changes can be applied without any interruption or reprovisioning.
You can remove option settings from an environment with EB CLI or AWS CLI commands. Removing an option that has been set directly on an environment at an API level allows settings in configuration files, which are otherwise masked by settings applied directly to an environment, to surface and take effect.
Settings in saved configurations and configuration files can be overridden by setting the same option directly on the environment with one of the other configuration methods. However, these can only be removed completely by applying an updated saved configuration or configuration file. When an option is not set in a saved configuration, in a configuration file, or directly on an environment, the default value applies, if there is one. See [Precedence](command-options.md#configuration-options-precedence) for details.
**Topics**
+ [
## The Elastic Beanstalk console
](#configuration-options-after-console)
+ [
## The EB CLI
](#configuration-options-after-ebcli)
+ [
## The AWS CLI
](#configuration-options-after-awscli)
## The Elastic Beanstalk console
You can update configuration option settings in the Elastic Beanstalk console by deploying an application source bundle that contains configuration files, applying a saved configuration, or modifying the environment directly with the **Configuration** page in the environment management console.
**Topics**
+ [
### Using configuration files (`.ebextensions`)
](#configuration-options-after-console-ebextensions)
+ [
### Using a saved configuration
](#configuration-options-after-console-savedconfig)
+ [
### Using the Elastic Beanstalk console
](#configuration-options-after-console-configpage)
### Using configuration files (`.ebextensions`)
Update configuration files in your source directory, create a new source bundle, and deploy the new version to your Elastic Beanstalk environment to apply the changes.
For details about configuration files, see [.Ebextensions](ebextensions.md).
**To deploy a source bundle**
1. Open the [Elastic Beanstalk console](https://console.aws.amazon.com/elasticbeanstalk), and in the **Regions** list, select your AWS Region.
1. In the navigation pane, choose **Environments**, and then choose the name of your environment from the list.
1. On the environment overview page, choose **Upload and deploy**.
1. Use the on-screen dialog box to upload the source bundle.
1. Choose **Deploy**.
1. When the deployment completes, you can choose the site URL to open your website in a new tab.
Changes made to configuration files will not override option settings in saved configurations or settings applied directly to the environment at the API level. See [Precedence](command-options.md#configuration-options-precedence) for details.
### Using a saved configuration
Apply a saved configuration to a running environment to apply option settings that it defines.
**To apply a saved configuration to a running environment (Elastic Beanstalk console)**
1. Open the [Elastic Beanstalk console](https://console.aws.amazon.com/elasticbeanstalk), and in the **Regions** list, select your AWS Region.
1. In the navigation pane, choose **Applications**, and then choose your application's name from the list.
1. In the navigation pane, find your application's name and choose **Saved configurations**.
1. Select the saved configuration you want to apply, and then choose **Load**.
1. Select an environment, and then choose **Load**.
Settings defined in a saved configuration override settings in configuration files, and are overridden by settings configured using the environment management console.
See [Saved configurations](environment-configuration-methods-before.md#configuration-options-before-savedconfig) for details on creating saved configurations.
### Using the Elastic Beanstalk console
The Elastic Beanstalk console presents many configuration options on the **Configuration** page for each environment.
**To change configuration options on a running environment (Elastic Beanstalk console)**
1. Open the [Elastic Beanstalk console](https://console.aws.amazon.com/elasticbeanstalk), and in the **Regions** list, select your AWS Region.
1. In the navigation pane, choose **Environments**, and then choose the name of your environment from the list.
1. In the navigation pane, choose **Configuration**.
1. Find the configuration page you want to edit:
+ If you see the option you're interested in, or you know which configuration category it's in, choose **Edit** in the configuration category for it.
+ To look for an option, turn on **Table View**, and then enter search terms into the search box. As you type, the list gets shorter and shows only options that match your search terms.
When you see the option you're looking for, choose **Edit** in the configuration category that contains it.
![\[Table view of the configuration overview page of the Elastic Beanstalk console, showing an option search\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/images/environments-cfg-console.overview.table.search1.png)
1. Change settings, and then choose **Save**.
1. Repeat the previous two steps in additional configuration categories, as needed.
1. Choose **Apply**.
Changes made to configuration options in the environment management console are applied directly to the environment. These changes override settings for the same options in configuration files or saved configurations. For details, see [Precedence](command-options.md#configuration-options-precedence).
For details about changing configuration options on a running environment using the Elastic Beanstalk console, see the topics under [Configuring Elastic Beanstalk environments](customize-containers.md).
## The EB CLI
You can update configuration option settings with the EB CLI by deploying source code that contains configuration files, applying settings from a saved configuration, or modifying the environment configuration directly with the **eb config** command.
**Topics**
+ [
### Using configuration files (`.ebextensions`)
](#configuration-options-after-ebcli-ebextensions)
+ [
### Using a saved configuration
](#configuration-options-after-ebcli-savedconfig)
+ [
### Using **eb config**
](#configuration-options-after-ebcli-ebconfig)
+ [
### Using **eb setenv**
](#configuration-options-after-ebcli-ebsetenv)
### Using configuration files (`.ebextensions`)
Include `.config` files in your project folder under `.ebextensions` to deploy them with your application code.
For details about configuration files, see [.Ebextensions](ebextensions.md).
```
~/workspace/my-app/
|-- .ebextensions
| |-- environmentvariables.config
| `-- healthcheckurl.config
|-- .elasticbeanstalk
| `-- config.yml
|-- index.php
`-- styles.css
```
Deploy your source code with **eb deploy**.
```
~/workspace/my-app$ eb deploy
```
### Using a saved configuration
You can use the **eb config** command to apply a saved configuration to a running environment. Use the `--cfg` option with the name of the saved configuration to apply its settings to your environment.
```
$ eb config --cfg v1
```
In this example, `v1` is the name of a [previously created and saved configuration file](environment-configuration-methods-before.md#configuration-options-before-savedconfig).
Settings applied to an environment with this command override settings that were applied during environment creation, and settings defined in configuration files in your application source bundle.
### Using **eb config**
The EB CLI's **eb config** command lets you set and remove option settings directly on an environment by using a text editor.
When you run **eb config**, the EB CLI shows settings applied to your environment from all sources, including configuration files, saved configurations, recommended values, options set directly on the environment, and API defaults.
**Note**
**eb config** does not show environment properties. To set environment properties that you can read from within your application, use [**eb setenv**](#configuration-options-after-ebcli-ebsetenv).
The following example shows settings applied in the `aws:autoscaling:launchconfiguration` namespace. These settings include:
+ Two recommended values, for `IamInstanceProfile` and `InstanceType`, applied by the EB CLI during environment creation.
+ The option `EC2KeyName`, set directly on the environment during creation based on repository configuration.
+ API default values for the other options.
```
ApplicationName: tomcat
DateUpdated: 2015-09-30 22:51:07+00:00
EnvironmentName: tomcat
SolutionStackName: 64bit Amazon Linux 2015.03 v2.0.1 running Tomcat 8 Java 8
settings:
...
aws:autoscaling:launchconfiguration:
BlockDeviceMappings: null
EC2KeyName: my-key
IamInstanceProfile: aws-elasticbeanstalk-ec2-role
ImageId: ami-1f316660
InstanceType: t2.micro
...
```
**To set or change configuration options with **eb config****
1. Run **eb config** to view your environment's configuration.
```
~/workspace/my-app/$ eb config
```
1. Change any of the setting values using the default text editor.
```
aws:autoscaling:launchconfiguration:
BlockDeviceMappings: null
EC2KeyName: my-key
IamInstanceProfile: aws-elasticbeanstalk-ec2-role
ImageId: ami-1f316660
InstanceType: t2.medium
```
1. Save the temporary configuration file and exit.
1. The EB CLI updates your environment configuration.
Setting configuration options with **eb config** overrides settings from all other sources.
You can also remove options from your environment with **eb config**.
**To remove configuration options (EB CLI)**
1. Run **eb config** to view your environment's configuration.
```
~/workspace/my-app/$ eb config
```
1. Replace any value shown with the string `null`. You can also delete the entire line containing the option that you want to remove.
```
aws:autoscaling:launchconfiguration:
BlockDeviceMappings: null
EC2KeyName: my-key
IamInstanceProfile: aws-elasticbeanstalk-ec2-role
ImageId: ami-1f316660
InstanceType: null
```
1. Save the temporary configuration file and exit.
1. The EB CLI updates your environment configuration.
Removing options from your environment with **eb config** allows settings for the same options to surface from configuration files in your application source bundle. See [Precedence](command-options.md#configuration-options-precedence) for details.
### Using **eb setenv**
To set environment properties with the EB CLI, use **eb setenv**.
```
~/workspace/my-app/$ eb setenv ENVVAR=TEST
INFO: Environment update is starting.
INFO: Updating environment my-env's configuration settings.
INFO: Environment health has transitioned from Ok to Info. Command is executing on all instances.
INFO: Successfully deployed new configuration to environment.
```
This command sets environment properties in the [`aws:elasticbeanstalk:application:environment` namespace](command-options-general.md#command-options-general-elasticbeanstalkapplicationenvironment). Environment properties set with **eb setenv** are available to your application after a short update process.
View environment properties set on your environment with **eb printenv**.
```
~/workspace/my-app/$ eb printenv
Environment Variables:
ENVVAR = TEST
```
## The AWS CLI
You can update configuration option settings with the AWS CLI by deploying a source bundle that contains configuration files, applying a remotely stored saved configuration, or modifying the environment directly with the `aws elasticbeanstalk update-environment` command.
**Topics**
+ [
### Using configuration files (`.ebextensions`)
](#configuration-options-after-awscli-ebextensions)
+ [
### Using a saved configuration
](#configuration-options-after-awscli-savedconfig)
+ [
### Using command line options
](#configuration-options-after-awscli-commandline)
### Using configuration files (`.ebextensions`)
To apply configuration files to a running environment with the AWS CLI, include them in the application source bundle that you upload to Amazon S3.
For details about configuration files, see [.Ebextensions](ebextensions.md).
```
~/workspace/my-app-v1.zip
|-- .ebextensions
| |-- environmentvariables.config
| `-- healthcheckurl.config
|-- index.php
`-- styles.css
```
**To upload an application source bundle and apply it to a running environment (AWS CLI)**
1. If you don't already have an Elastic Beanstalk bucket in Amazon S3, create one with `create-storage-location`:
```
$ aws elasticbeanstalk create-storage-location
{
"S3Bucket": "elasticbeanstalk-us-west-2-123456789012"
}
```
1. Upload your application source bundle to Amazon S3.
```
$ aws s3 cp sourcebundlev2.zip s3://elasticbeanstalk-us-west-2-123456789012/my-app/sourcebundlev2.zip
```
1. Create the application version.
```
$ aws elasticbeanstalk create-application-version --application-name my-app --version-label v2 --description MyAppv2 --source-bundle S3Bucket="elasticbeanstalk-us-west-2-123456789012",S3Key="my-app/sourcebundlev2.zip"
```
1. Update the environment.
```
$ aws elasticbeanstalk update-environment --environment-name my-env --version-label v2
```
### Using a saved configuration
You can apply a saved configuration to a running environment with the `--template-name` option on the `aws elasticbeanstalk update-environment` command.
The saved configuration must be in your Elastic Beanstalk bucket in a path named after your application under `resources/templates`. For example, the `v1` template for the `my-app` application in the US West (Oregon) Region (us-west-2) for account 123456789012 is located at `s3://elasticbeanstalk-us-west-2-123456789012/resources/templates/my-app/v1`
**To apply a saved configuration to a running environment (AWS CLI)**
+ Specify the saved configuration in an `update-environment` call with the `--template-name` option.
```
$ aws elasticbeanstalk update-environment --environment-name my-env --template-name v1
```
Elastic Beanstalk places saved configurations in this location when you create them with `aws elasticbeanstalk create-configuration-template`. You can also modify saved configurations locally and place them in this location yourself.
### Using command line options
**To change configuration options with a JSON document (AWS CLI)**
1. Define your option settings in JSON format in a local file.
1. Run `update-environment` with the `--option-settings` option.
```
$ aws elasticbeanstalk update-environment --environment-name my-env --option-settings file://~/ebconfigs/as-zero.json
```
In this example, `as-zero.json` defines options that configure the environment with a minimum and maximum of zero instances. This stops the instances in the environment without terminating the environment.
**`~/ebconfigs/as-zero.json`**
```
[
{
"Namespace": "aws:autoscaling:asg",
"OptionName": "MinSize",
"Value": "0"
},
{
"Namespace": "aws:autoscaling:asg",
"OptionName": "MaxSize",
"Value": "0"
},
{
"Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
"OptionName": "RollingUpdateEnabled",
"Value": "false"
}
]
```
**Note**
Setting configuration options with `update-environment` overrides settings from all other sources.
You can also remove options from your environment with `update-environment`.
**To remove configuration options (AWS CLI)**
+ Run the `update-environment` command with the `--options-to-remove` option.
```
$ aws elasticbeanstalk update-environment --environment-name my-env --options-to-remove Namespace=aws:autoscaling:launchconfiguration,OptionName=InstanceType
```
Removing options from your environment with `update-environment` allows settings for the same options to surface from configuration files in your application source bundle. If an option isn't configured using any of these methods, the API default value applies, if one exists. See [Precedence](command-options.md#configuration-options-precedence) for details.
# General options for all environments
**Topics**
+ [
## aws:autoscaling:asg
](#command-options-general-autoscalingasg)
+ [
## aws:autoscaling:launchconfiguration
](#command-options-general-autoscalinglaunchconfiguration)
+ [
## aws:autoscaling:scheduledaction
](#command-options-general-autoscalingscheduledaction)
+ [
## aws:autoscaling:trigger
](#command-options-general-autoscalingtrigger)
+ [
## aws:autoscaling:updatepolicy:rollingupdate
](#command-options-general-autoscalingupdatepolicyrollingupdate)
+ [
## aws:ec2:instances
](#command-options-general-ec2instances)
+ [
## aws:ec2:vpc
](#command-options-general-ec2vpc)
+ [
## aws:elasticbeanstalk:application
](#command-options-general-elasticbeanstalkapplication)
+ [
## aws:elasticbeanstalk:application:environment
](#command-options-general-elasticbeanstalkapplicationenvironment)
+ [
## aws:elasticbeanstalk:application:environmentsecrets
](#command-options-general-elasticbeanstalk-application-environmentsecrets)
+ [
## aws:elasticbeanstalk:cloudwatch:logs
](#command-options-general-cloudwatchlogs)
+ [
## aws:elasticbeanstalk:cloudwatch:logs:health
](#command-options-general-cloudwatchlogs-health)
+ [
## aws:elasticbeanstalk:command
](#command-options-general-elasticbeanstalkcommand)
+ [
## aws:elasticbeanstalk:environment
](#command-options-general-elasticbeanstalkenvironment)
+ [
## aws:elasticbeanstalk:environment:process:default
](#command-options-general-environmentprocess)
+ [
## aws:elasticbeanstalk:environment:process:process\$1name
](#command-options-general-environmentprocess-process)
+ [
## aws:elasticbeanstalk:environment:proxy:staticfiles
](#command-options-general-environmentproxystaticfiles)
+ [
## aws:elasticbeanstalk:healthreporting:system
](#command-options-general-elasticbeanstalkhealthreporting)
+ [
## aws:elasticbeanstalk:hostmanager
](#command-options-general-elasticbeanstalkhostmanager)
+ [
## aws:elasticbeanstalk:managedactions
](#command-options-general-elasticbeanstalkmanagedactions)
+ [
## aws:elasticbeanstalk:managedactions:platformupdate
](#command-options-general-elasticbeanstalkmanagedactionsplatformupdate)
+ [
## aws:elasticbeanstalk:monitoring
](#command-options-general-elasticbeanstalkmonitoring)
+ [
## aws:elasticbeanstalk:sns:topics
](#command-options-general-elasticbeanstalksnstopics)
+ [
## aws:elasticbeanstalk:sqsd
](#command-options-general-elasticbeanstalksqsd)
+ [
## aws:elasticbeanstalk:trafficsplitting
](#command-options-general-elasticbeanstalktrafficsplitting)
+ [
## aws:elasticbeanstalk:xray
](#command-options-general-elasticbeanstalkxray)
+ [
## aws:elb:healthcheck
](#command-options-general-elbhealthcheck)
+ [
## aws:elb:loadbalancer
](#command-options-general-elbloadbalancer)
+ [
## aws:elb:listener
](#command-options-general-elblistener)
+ [
## aws:elb:listener:listener\$1port
](#command-options-general-elblistener-listener)
+ [
## aws:elb:policies
](#command-options-general-elbpolicies)
+ [
## aws:elb:policies:policy\$1name
](#command-options-general-elbpolicies-custom)
+ [
## aws:elbv2:listener:default
](#command-options-general-elbv2-listener-default)
+ [
## aws:elbv2:listener:listener\$1port
](#command-options-general-elbv2-listener)
+ [
## aws:elbv2:listenerrule:rule\$1name
](#command-options-general-elbv2-listenerrule)
+ [
## aws:elbv2:loadbalancer
](#command-options-general-elbv2)
+ [
## aws:rds:dbinstance
](#command-options-general-rdsdbinstance)
## aws:autoscaling:asg
Configure your environment's Auto Scaling group. For more information, see [Auto Scaling your Elastic Beanstalk environment instances](using-features.managing.as.md).
**Namespace: `aws:autoscaling:asg`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| Availability Zones | Availability Zones (AZs) are distinct locations within an AWS Region that are engineered to be isolated from failures in other AZs. They provide inexpensive, low-latency network connectivity to other AZs in the same Region. Choose the number of AZs for your instances. | `Any` | `Any` `Any 1` `Any 2` `Any 3` |
| Cooldown | Cooldown periods help prevent Amazon EC2 Auto Scaling from initiating additional scaling activities before the effects of previous activities are visible. A cooldown period is the amount of time, in seconds, after a scaling activity completes before another scaling activity can start. | `360` | `0` to `10000` |
| Custom Availability Zones | Define the AZs for your instances. | None | `us-east-1a` `us-east-1b` `us-east-1c` `us-east-1d` `us-east-1e` `eu-central-1` |
| EnableCapacityRebalancing | Specifies whether to enable the Capacity Rebalancing feature for Spot Instances in your Auto Scaling Group. For more information, see [Capacity Rebalancing](https://docs.aws.amazon.com/autoscaling/ec2/userguide/capacity-rebalance.html) in the *Amazon EC2 Auto Scaling User Guide*. This option is only relevant when `EnableSpot` is set to `true` in the [`aws:ec2:instances`](#command-options-general-ec2instances) namespace, and there is at least one Spot Instance in your Auto Scaling group. | `false` | `true` `false` |
| MinSize | The minimum number of instances that you want in your Auto Scaling group. | `1` | `1` to `10000` |
| MaxSize | The maximum number of instances that you want in your Auto Scaling group. | `4` | `1` to `10000` |
## aws:autoscaling:launchconfiguration
Configure the Amazon Elastic Compute Cloud (Amazon EC2) instances for your environment.
The instances that are used for your environment are created using either an Amazon EC2 launch template or an Auto Scaling group launch configuration resource. The following options work with both of these resource types.
For more information, see [The Amazon EC2 instances for your Elastic Beanstalk environment](using-features.managing.ec2.md). You can also reference more information about Amazon Elastic Block Store (EBS) in [Amazon EBS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html) chapter in the *Amazon EC2 User Guide*.
**Namespace: `aws:autoscaling:launchconfiguration`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| DisableDefaultEC2SecurityGroup | When set to the default value of `false`, Elastic Beanstalk creates a default security group that allows traffic from the internet or load balancer on the standard ports for HTTP (80). It attaches this security group to the EC2 instances of the environment when it creates the environment. When set to `true` Elastic Beanstalk will not assign the default security group to the EC2 instances for a new environment. For an existing environment, Elastic Beanstalk will unassign the default EC2 security group from your environment's EC2 instances. As a result, you must also set the following configurations: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html) If a value is specified for EC2KeyName in an environment that has `DisableDefaultEC2SecurityGroup` set to `true` a default security group will not be associated with the EC2 instances. | `false` | `true` `false` |
| DisableIMDSv1 | Set to `true` to disable Instance Metadata Service Version 1 (IMDSv1) and enforce IMDSv2. Set to `false` to enable both IMDSv1 and IMDSv2. The instances for your environment default as follows, based on the platform operating system: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html) For more information, see [Configuring the instance metadata service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html). This option setting can cause Elastic Beanstalk to migrate an existing environment with launch configurations to launch templates. Doing so requires the necessary permissions to manage launch templates. These permissions are included in our managed policy. If you use custom policies instead of our managed policies, environment creation or updates might fail when you update your environment configuration. For more information and other considerations, see [Migrating your Elastic Beanstalk environment to launch templates](environments-cfg-autoscaling-launch-templates.md). | `false` – platforms based on Windows server, Amazon Linux 2 and earlier `true` – platforms based on Amazon Linux 2023 | `true` `false` |
| EC2KeyName | You can use a key pair to securely log into your EC2 instance. If a value is specified for `EC2KeyName` in an environment that has `DisableDefaultEC2SecurityGroup` set to `true` a default security group will not be associated with the EC2 instances. If you use the Elastic Beanstalk console to create an environment, you can't set this option in a [configuration file](ebextensions.md). The console overrides this option with a [recommended value](command-options.md#configuration-options-recommendedvalues). | None | |
| IamInstanceProfile | An instance profile enables AWS Identity and Access Management (IAM) users and AWS services to access temporary security credentials to make AWS API calls. Specify the instance profile's name or its ARN. Examples: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html) If you use the Elastic Beanstalk console or EB CLI to create an environment, you can't set this option in a [configuration file](ebextensions.md). The console and EB CLI override this option with a [recommended value](command-options.md#configuration-options-recommendedvalues). | None | Instance profile name or ARN. |
| ImageId | You can override the default Amazon Machine Image (AMI) by specifying your own custom AMI ID. Example: `ami-1f316660` | None | |
| InstanceType | The instance type that's used to run your application in an Elastic Beanstalk environment. The `InstanceType` option is obsolete. It's replaced by the newer and more powerful `InstanceTypes` option in the [`aws:ec2:instances`](#command-options-general-ec2instances) namespace. You can use this new option to specify a list of one or more instance types for your environment. The first value on that list is equivalent to the value of the `InstanceType` option that's included in the `aws:autoscaling:launchconfiguration` namespace that's described here. We recommend that you specify instance types by using the new option. If specified, the new option takes precedence over the previous one. For more information, see [The aws:ec2:instances namespace](environments-cfg-autoscaling-configuration-approaches.md#environments-cfg-autoscaling-namespace.instances). The instance types that are available depend on the Availability Zones and Region used. If you choose a subnet, the Availability Zone that contains that subnet determines the available instance types. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html) If you use the Elastic Beanstalk console or EB CLI to create an environment, you can't set this option in a [configuration file](ebextensions.md). The console and EB CLI override this option with a [recommended value](command-options.md#configuration-options-recommendedvalues). | Varies by account and Region. | One EC2 instance type. Varies by account, Region, and Availability Zone. You can obtain a list of Amazon EC2 instance types filtered by these values. For more information, see [Available instance types](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/instance-types.html#AvailableInstanceTypes) in the *Amazon EC2 User Guide*. |
| LaunchTemplateTagPropagationEnabled | Set to `true` to enable the propagation of environment tags to the launch templates for specific resources provisioned to the environment. Elastic Beanstalk can only propagate tags to launch templates for the following resources: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html) This constraint exists because CloudFormation only allows tags on template creation for specific resources. For more information see [TagSpecification](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-tagspecification.html) in the *AWS CloudFormation User Guide*. Changing this option value from `false` to `true` for an existing environment may be a breaking change for previously existing tags. When this feature is enabled, the propagation of tags will require EC2 replacement, which can result in downtime. You can enable *rolling updates* to apply configuration changes in batches and prevent downtime during the update process. For more information, see [Configuration changes](environments-updating.md). For more information about launch templates, see the following: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html) For more information about this option, see [Tag propagation to launch templates](applications-tagging-resources.launch-templates.md). | `false` | `true` `false` |
| MonitoringInterval | The interval (in minutes) that you want Amazon CloudWatch metrics to be returned at. | `5 minute` | `1 minute` `5 minute` |
| SecurityGroups | Lists the Amazon EC2 security group IDs to assign to the EC2 instances in the Auto Scaling group to define firewall rules for the instances. Use this option along with `DisableDefaultEC2SecurityGroup` to attach your own custom security groups that define firewall rules for the EC2 instances. For more information, see [Load balanced (multi-instance) environments](using-features.managing.ec2.instances.sg.md#using-features.managing.ec2.instances.sg.load-balancer-security). You may need to complete some additional configuration to prevent incoming traffic to your EC2 instances from being blocked. This only applies to multi-instance environments with custom EC2 security groups. The EC2 security groups must include an inbound rule that grants access to traffic routed from the load balancer. For more information, see [Managing EC2 security groups in multi-instance environments](using-features.managing.ec2.instances.sg.md#using-features.managing.ec2.instances.sg.load-balancer-security). You can provide a single string of comma-separated values that contain existing Amazon EC2 security groups IDs or references to AWS::EC2::SecurityGroup resources created in the template. You must provide at least one value for this option if `DisableDefaultEC2SecurityGroup` for this namespace is set to `true`. | `elasticbeanstalk-default` | |
| SSHSourceRestriction | Used to lock down SSH access to an environment. For example, you can lock down SSH access to the EC2 instances so that only a bastion host can access the instances in the private subnet. This string takes the following form: `protocol, fromPort, toPort, source_restriction` [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html) | None | |
| BlockDeviceMappings | Attach additional Amazon EBS volumes or instance store volumes on all of the instances in the Auto Scaling group. This option setting can cause Elastic Beanstalk to migrate an existing environment with launch configurations to launch templates. Doing so requires the necessary permissions to manage launch templates. These permissions are included in our managed policy. If you use custom policies instead of our managed policies, environment creation or updates might fail when you update your environment configuration. For more information and other considerations, see [Migrating your Elastic Beanstalk environment to launch templates](environments-cfg-autoscaling-launch-templates.md). When mapping instance store volumes, you only need to map the device name to a volume name. However, we recommend, when mapping Amazon EBS volumes, you additionally specify some or all of the following fields (each field must be separated by a colon): [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html) The following example attaches three Amazon EBS volumes, one blank 100GB gp2 volume and one snapshot, one blank 20GB io1 volume with 2000 provisioned IOPS, and an instance store volume `ephemeral0`. Multiple instance store volumes can be attached if the instance type supports it. `/dev/sdj=:100:true:gp2,/dev/sdh=snap-51eef269,/dev/sdi=:20:true:io1:2000,/dev/sdb=ephemeral0` | None | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html) |
| RootVolumeType | Volume type (magnetic, general purpose SSD or provisioned IOPS SSD) to use for the root Amazon EBS volume attached to the EC2 instances for your environment. This option setting can cause Elastic Beanstalk to migrate an existing environment with launch configurations to launch templates. Doing so requires the necessary permissions to manage launch templates. These permissions are included in our managed policy. If you use custom policies instead of our managed policies, environment creation or updates might fail when you update your environment configuration. For more information and other considerations, see [Migrating your Elastic Beanstalk environment to launch templates](environments-cfg-autoscaling-launch-templates.md). | Varies by platform. | `standard` for magnetic storage. `gp2` or `gp3` for general purpose SSD. `io1` for provisioned IOPS SSD. |
| RootVolumeSize | The storage capacity of the root Amazon EBS volume in whole GB. Required if you set `RootVolumeType` to provisioned IOPS SSD. For example, `"64"`. | Varies per platform for magnetic storage and general purpose SSD. None for provisioned IOPS SSD. | `10` to `16384` GB for general purpose and provisioned IOPS SSD. `8` to `1024` GB for magnetic. |
| RootVolumeIOPS | The desired input/output operations per second (IOPS) for a provisioned IOPS SSD root volume or for a general purpose `gp3` SSD root volume. The maximum ratio of IOPS to volume size is 500 to 1. For example, a volume with 3000 IOPS must be at least 6 GiB. | None | `100` to `20000` for io1 provisioned IOPS SSD root volumes. `3000` to `16000` for general purpose `gp3` SSD root volumes. |
| RootVolumeThroughput | The desired throughput of mebibytes per second (MiB/s) to provision for the Amazon EBS root volume attached to your environment's EC2 instance. This option is only applicable to `gp3` storage types. | None | `125` to `1000` |
## aws:autoscaling:scheduledaction
Configure [scheduled actions](environments-cfg-autoscaling-scheduledactions.md) for your environment's Auto Scaling group. For each action, specify a `resource_name` in addition to the option name, namespace, and value for each setting. See [The aws:autoscaling:scheduledaction namespace](environments-cfg-autoscaling-scheduledactions.md#environments-cfg-autoscaling-scheduledactions-namespace) for examples.
**Namespace: `aws:autoscaling:scheduledaction`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| StartTime | For one-time actions, choose the date and time to run the action. For recurrent actions, choose when to activate the action. | None | A [ISO-8601 timestamp](http://www.w3.org/TR/NOTE-datetime) unique across all scheduled scaling actions. |
| EndTime | A date and time in the future (in the UTC/GMT time zone) when you want the scheduled scaling action to stop repeating. If you don't specify an **EndTime**, the action recurs according to the `Recurrence` expression. Example: `2015-04-28T04:07:2Z` When a scheduled action ends, Amazon EC2 Auto Scaling doesn't automatically revert to its previous settings. Configure a second scheduled action to return to the original settings as needed. | None | A [ISO-8601 timestamp](http://www.w3.org/TR/NOTE-datetime) unique across all scheduled scaling actions. |
| MaxSize | The maximum instance count to apply when the action runs. | None | `0` to `10000` |
| MinSize | The minimum instance count to apply when the action runs. | None | `0` to `10000` |
| DesiredCapacity | Set the initial desired capacity for the Auto Scaling group. After the scheduled action is applied, triggers adjust the desired capacity based on their settings. | None | `0` to `10000` |
| Recurrence | The frequency that you want the scheduled action to occur at. If you don't specify a recurrence, then the scaling action occurs only once, as specified by the `StartTime`. | None | A [Cron](http://en.wikipedia.org/wiki/Cron) expression. |
| Suspend | Set to `true` to deactivate a recurrent scheduled action temporarily. | `false` | `true` `false` |
## aws:autoscaling:trigger
Configure scaling triggers for your environment's Auto Scaling group.
**Note**
Three options in this namespace determine how long the metric for a trigger can remain beyond its defined limits before the trigger initates. These options are related as follows:
`BreachDuration = Period * EvaluationPeriods`
The default values for these options (5, 5, and 1, respectively) satisfy this equation. If you specify inconsistent values, Elastic Beanstalk might modify one of the values so that the equation is still satisfied.
**Namespace: `aws:autoscaling:trigger`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| BreachDuration | The amount of time, in minutes, a metric can be beyond its defined limit (as specified in the `UpperThreshold` and `LowerThreshold`) before the trigger is invoked. | `5` | `1` to `600` |
| LowerBreachScaleIncrement | How many Amazon EC2 instances to remove when performing a scaling activity. | `-1` | |
| LowerThreshold | If the measurement falls below this number for the breach duration, a trigger is invoked. | `2000000` | `0` to `20000000` |
| MeasureName | The metric that's used for your Auto Scaling trigger. `HealthyHostCount`, `UnhealthyHostCount` and `TargetResponseTime` are only applicable for environments with a dedicated load balancer. These aren't valid metric values for environments configured with a shared load balancer. For more information about load balancer types, see [Load balancer for your Elastic Beanstalk environment](using-features.managing.elb.md). | `NetworkOut` | `CPUUtilization` `NetworkIn` `NetworkOut` `DiskWriteOps` `DiskReadBytes` `DiskReadOps` `DiskWriteBytes` `Latency` `RequestCount` `HealthyHostCount` `UnhealthyHostCount` `TargetResponseTime` |
| Period | Specifies how frequently Amazon CloudWatch measures the metrics for your trigger. The value is the number of minutes between two consecutive periods. | `5` | `1` to `600` |
| EvaluationPeriods | The number of consecutive evaluation periods that's used to determine if a breach is occurring. | `1` | `1` to `600` |
| Statistic | The Statistic the trigger uses, such as `Average`. | `Average` | `Minimum` `Maximum` `Sum` `Average` |
| Unit | The unit for the trigger measurement, such as `Bytes`. | `Bytes` | `Seconds` `Percent` `Bytes` `Bits` `Count` `Bytes/Second` `Bits/Second` `Count/Second` `None` |
| UpperBreachScaleIncrement | Specifies how many Amazon EC2 instances to add when performing a scaling activity. | `1` | |
| UpperThreshold | If the measurement is higher than this number for the breach duration, a trigger is invoked. | `6000000` | `0` to `20000000` |
## aws:autoscaling:updatepolicy:rollingupdate
Configure rolling updates your environment's Auto Scaling group.
**Namespace: `aws:autoscaling:updatepolicy:rollingupdate`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| MaxBatchSize | The number of instances included in each batch of the rolling update. | One-third of the minimum size of the Auto Scaling group, rounded to the next highest integer. | `1` to `10000` |
| MinInstancesInService | The minimum number of instances that must be in service within the Auto Scaling group while other instances are terminated. | The minimum size of the Auto Scaling group or one fewer than the maximum size of the Auto Scaling group, whichever is lower. | `0` to `9999` |
| RollingUpdateEnabled | If `true`, it enables rolling updates for an environment. Rolling updates are useful when you need to make small, frequent updates to your Elastic Beanstalk software application and you want to avoid application downtime. Setting this value to true automatically enables the `MaxBatchSize`, `MinInstancesInService`, and `PauseTime` options. Setting any of those options also automatically sets the `RollingUpdateEnabled` option value to `true`. Setting this option to `false` disables rolling updates. If you use the Elastic Beanstalk console or EB CLI to create an environment, you can't set this option in a [configuration file](ebextensions.md). The console and EB CLI override this option with a [recommended value](command-options.md#configuration-options-recommendedvalues). | `false` | `true` `false` |
| RollingUpdateType | This includes three types: time-based rolling updates, health-based rolling updates, and immutable updates. Time-based rolling updates apply a PauseTime between batches. Health-based rolling updates wait for new instances to pass health checks before moving on to the next batch. [Immutable updates](environmentmgmt-updates-immutable.md) launch a full set of instances in a new Auto Scaling group. If you use the Elastic Beanstalk console or EB CLI to create an environment, you can't set this option in a [configuration file](ebextensions.md). The console and EB CLI override this option with a [recommended value](command-options.md#configuration-options-recommendedvalues). | `Time` | `Time` `Health` `Immutable` |
| PauseTime | The amount of time (in seconds, minutes, or hours) the Elastic Beanstalk service waits after it completed updates to one batch of instances and before it continues on to the next batch. | Automatically computed based on instance type and container. | `PT0S`\$1 (0 seconds) to `PT1H` (1 hour) |
| Timeout | The maximum amount of time (in minutes or hours) to wait for all instances in a batch of instances to pass health checks before canceling the update. | `PT30M` (30 minutes) | `PT5M`\$1 (5 minutes) to `PT1H` (1 hour) \$1[ISO8601 duration](http://en.wikipedia.org/wiki/ISO_8601#Durations) format: `PT#H#M#S` where each \$1 is the number of hours, minutes, and/or seconds, respectively. |
## aws:ec2:instances
Configure your environment's instances, including Spot options. This namespace complements [`aws:autoscaling:launchconfiguration`](#command-options-general-autoscalinglaunchconfiguration) and [`aws:autoscaling:asg`](#command-options-general-autoscalingasg).
For more information, see [Auto Scaling your Elastic Beanstalk environment instances](using-features.managing.as.md).
**Namespace: `aws:ec2:instances`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| EnableSpot | Enable Spot Instance requests for your environment. When `false`, some options in this namespace don't take effect. This option setting can cause Elastic Beanstalk to migrate an existing environment with launch configurations to launch templates. Doing so requires the necessary permissions to manage launch templates. These permissions are included in our managed policy. If you use custom policies instead of our managed policies, environment creation or updates might fail when you update your environment configuration. For more information and other considerations, see [Migrating your Elastic Beanstalk environment to launch templates](environments-cfg-autoscaling-launch-templates.md). | `false` | `true` `false` |
| InstanceTypes | A comma-separated list of instance types that you want your environment to use (for example, `t2.micro,t3.micro`). When `EnableSpot` is `true` and `SpotAllocationStrategy` is set to `capacity-optimized-prioritized`, the list of values specified in this option determines the instance type priority for the Spot Instance allocation strategy. When Spot Instances are not activated (`EnableSpot` is `false`), only the first instance type on the list is used. The first instance type on the list in this option is equivalent to the value of the `InstanceType` option in the [`aws:autoscaling:launchconfiguration`](#command-options-general-autoscalinglaunchconfiguration) namespace. We don't recommend using the latter option because it's obsolete. If you specify both, the first instance type on the list in the `InstanceTypes` option is used, and `InstanceType` is ignored. The instance types that are available depend on the Availability Zones and Region used. If you choose a subnet, the Availability Zone that contains that subnet determines the available instance types. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html) Some older AWS accounts might provide Elastic Beanstalk with default instance types that don't support Spot Instances (for example, t1.micro). If you activate Spot Instance requests and you get an error about an instance type that doesn’t support Spot, be sure to configure instance types that support Spot. To choose Spot Instance types, use the [Spot Instance Advisor](https://aws.amazon.com/ec2/spot/instance-advisor/). When you update your environment configuration and remove one or more instance types from the `InstanceTypes` option, Elastic Beanstalk terminates any Amazon EC2 instances running on any of the removed instance types. Your environment's Auto Scaling group then launches new instances, as necessary to complete the desired capacity, using your current specified instance types. | A list of two instance types. Varies by account and Region. | One to forty EC2 instance types. We recommend at least two. Varies by account, Region, and Availability Zone. You can obtain a list of Amazon EC2 instance types filtered by these values. For more information, see [Available instance types](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/instance-types.html#AvailableInstanceTypes) in the *Amazon EC2 User Guide*. The instance types must all be part of the same architecture (`arm64`, `x86_64`, `i386`). `SupportedArchitectures` is also part of this namespace. If you provide any values for `SupportedArchitectures`, the value(s) you enter for `InstanceTypes` must belong to one, and only one, of the architectures you provide for `SupportedArchitectures`. |
| SpotAllocationStrategy | Specifies the [spot instance allocation strategy](environments-cfg-autoscaling-spot-allocation-strategy.md) that determines how Spot Instances are allocated from the available spot capacity pools. If set to `capacity-optimized-prioritized`, the order of the values in `InstanceTypes` sets the instance type priority for allocation. This option is relevant only when `EnableSpot` is `true`. | `capacity-optimized` | `capacity-optimized` `price-capacity-optimized` `capacity-optimized-prioritized` `lowest-price ` |
| SpotFleetOnDemandBase | The minimum number of On-Demand Instances that your Auto Scaling group provisions before considering Spot Instances as your environment scales up. This option is relevant only when `EnableSpot` is `true`. | `0` | `0` to `MaxSize` option in [`aws:autoscaling:asg`](#command-options-general-autoscalingasg) namespace |
| SpotFleetOnDemandAboveBasePercentage | The percentage of On-Demand Instances as part of additional capacity that your Auto Scaling group provisions beyond the `SpotOnDemandBase` instances. This option is relevant only when `EnableSpot` is `true`. | `0` for a single-instance environment `70` for a load-balanced environment | `0` to `100` |
| SpotMaxPrice | The maximum price per unit hour, in USD, that you're willing to pay for a Spot Instance. For recommendations about maximum price options for Spot Instances, see [Spot Instance pricing history](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-spot-instances-history.html) in the *Amazon EC2 User Guide*. This option is relevant only when `EnableSpot` is `true`. | On-Demand price, for each instance type. The option's value in this case is `null`. | `0.001` to `20.0` `null` |
| SupportedArchitectures | A comma-separated list of EC2 instance architecture types that you'll use for your environment. Elastic Beanstalk supports instance types based on the following processor architectures: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html) For more information about processor architecture and Amazon EC2 instance types see [Amazon EC2 instance types](using-features.managing.ec2.instance-types.md). | None | `arm64` `x86_64` `i386` The 32-bit architecture `i386` is not supported by the majority of Elastic Beanstalk platforms. We recommended that you choose the `x86_64` or `arm64` architecture types instead. |
## aws:ec2:vpc
Configure your environment to launch resources in a custom [Amazon Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/) (Amazon VPC). If you don't configure settings in this namespace, Elastic Beanstalk launches resources in the default VPC.
**Namespace: `aws:ec2:vpc`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| VPCId | The ID for your Amazon VPC. | None | |
| Subnets | The IDs of the Auto Scaling group subnet or subnets. If you have multiple subnets, specify the value as a single comma-separated string of subnet IDs (for example, `"subnet-11111111,subnet-22222222"`). | None | |
| ELBSubnets | The IDs of the subnet or subnets for the elastic load balancer. If you have multiple subnets, specify the value as a single comma-separated string of subnet IDs (for example, `"subnet-11111111,subnet-22222222"`). | None | |
| ELBScheme | Specify `internal` if you want to create an internal load balancer in your Amazon VPC so that your Elastic Beanstalk application can't be accessed from outside your Amazon VPC. If you specify a value other than `public` or `internal`, Elastic Beanstalk ignores the value. | `public` | `public` `internal` |
| DBSubnets | Contains the IDs of the database subnets. This is only used if you want to add an Amazon RDS DB Instance as part of your application. If you have multiple subnets, specify the value as a single comma-separated string of subnet IDs (for example, `"subnet-11111111,subnet-22222222"`). | None | |
| AssociatePublicIpAddress | Specifies whether to launch instances with public IP addresses in your Amazon VPC. Instances with public IP addresses don't require a NAT device to communicate with the Internet. You must set the value to `true` if you want to include your load balancer and instances in a single public subnet. This option has no effect on a single-instance environment, which always has a single Amazon EC2 instance with an Elastic IP address. The option is relevant to load-balanced, scalable environments. | None | `true` `false` |
## aws:elasticbeanstalk:application
Configure a health check path for your application. For more information, see [Basic health reporting](using-features.healthstatus.md).
**Namespace: `aws:elasticbeanstalk:application`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| Application Healthcheck URL | The path where health check requests are sent to. If this path isn't set, the load balancer attempts to make a TCP connection on port 80 to verify the health status of your application. Set to a path starting with `/` to send an HTTP GET request to that path. You can also include a protocol (HTTP, HTTPS, TCP, or SSL) and port before the path to check HTTPS connectivity or use a non-default port. If you use the Elastic Beanstalk console to create an environment, you can't set this option in a [configuration file](ebextensions.md). The console overrides this option with a [recommended value](command-options.md#configuration-options-recommendedvalues). | None | Valid values include: `/` (HTTP GET to root path) `/health` `HTTPS:443/` `HTTPS:443/health` |
The EB CLI and Elastic Beanstalk console apply recommended values for the preceding options. You must remove these settings if you want to use configuration files to configure the same. See [Recommended values](command-options.md#configuration-options-recommendedvalues) for details.
## aws:elasticbeanstalk:application:environment
Configure environment properties for your application.
**Namespace: `aws:elasticbeanstalk:application:environment`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| Any environment variable name. | Pass in key-value pairs. | None | Any environment variable value. |
See [Environment variables and other software settings](environments-cfg-softwaresettings.md) for more information.
## aws:elasticbeanstalk:application:environmentsecrets
Configure environment variables to serve as *environment secrets* for your application. Environment secrets store AWS Secrets Manager secrets or AWS Systems Manager Parameter Store parameters.
**Namespace: `aws:elasticbeanstalk:application:environmentsecrets`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| OptionName | Specifies the name of the environment variable to hold the secret store or parameter store value. | None | Any environment variable name. |
| Value | Specifies the ARN for the value stored in AWS Secrets Manager or AWS Systems Manager Parameter Store. During instance bootstrapping Elastic Beanstalk initiates the environment variable to the value stored in this ARN resource. Ensure that the necessary permissions are in place for your environment's EC2 instance profile role to access the secret and parameter ARNs. For more information, see [Required IAM permissions](AWSHowTo.secrets.IAM-permissions.md). | None | Valid ARN value for an AWS Secrets Manager secret or AWS Systems Manager Parameter Store parameter value. |
For more information, see [Configuring secrets as environment variables](AWSHowTo.secrets.env-vars.md).
## aws:elasticbeanstalk:cloudwatch:logs
Configure instance log streaming for your application.
**Namespace: `aws:elasticbeanstalk:cloudwatch:logs`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| StreamLogs | Specifies whether to create groups in CloudWatch Logs for proxy and deployment logs, and stream logs from each instance in your environment. | `false` | `true` `false` |
| DeleteOnTerminate | Specifies whether to delete the log groups when the environment is terminated. If `false`, the logs are kept `RetentionInDays` days. | `false` | `true` `false` |
| RetentionInDays | The number of days to keep log events before they expire. | 7 | 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653 |
## aws:elasticbeanstalk:cloudwatch:logs:health
Configure environment health log streaming for your application.
**Namespace: `aws:elasticbeanstalk:cloudwatch:logs:health`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| HealthStreamingEnabled | For environments with enhanced health reporting enabled, specifies whether to create a group in CloudWatch Logs for environment health and archive Elastic Beanstalk environment health data. For information about enabling enhanced health, see [`aws:elasticbeanstalk:healthreporting:system`](#command-options-general-elasticbeanstalkhealthreporting). | `false` | `true` `false` |
| DeleteOnTerminate | Specifies whether to delete the log group when the environment is terminated. If `false`, the health data is kept `RetentionInDays` days. | `false` | `true` `false` |
| RetentionInDays | The number of days to keep the archived health data before it expires. | 7 | 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653 |
## aws:elasticbeanstalk:command
Configure the deployment policy for your application code. For more information, see [Deployment policies and settings](using-features.rolling-version-deploy.md).
**Namespace: `aws:elasticbeanstalk:command`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| DeploymentPolicy | Choose a [deployment policy](using-features.rolling-version-deploy.md) for application version deployments. If you use the Elastic Beanstalk console to create an environment, you can't set this option in a [configuration file](ebextensions.md). The console overrides this option with a [recommended value](command-options.md#configuration-options-recommendedvalues). | `AllAtOnce` | `AllAtOnce` `Rolling` `RollingWithAdditionalBatch` `Immutable` `TrafficSplitting` |
| Timeout | The amount of time, in seconds, to wait for an instance to complete executing commands. Elastic Beanstalk internally adds 240 seconds (four minutes) to the `Timeout` value. For example, the effective timeout by default is 840 seconds (600 \$1 240), or 14 minutes. | `600` | `1` to `3600` |
| BatchSizeType | The type of number that's specified in **BatchSize**. If you use the Elastic Beanstalk console or EB CLI to create an environment, you can't set this option in a [configuration file](ebextensions.md). The console and EB CLI override this option with a [recommended value](command-options.md#configuration-options-recommendedvalues). | `Percentage` | `Percentage` `Fixed` |
| BatchSize | The percentage or the fixed number of Amazon EC2 instances in the Auto Scaling group to simultaneously perform deployments on. Valid values vary depending on the **BatchSizeType** setting used. If you use the Elastic Beanstalk console or EB CLI to create an environment, you can't set this option in a [configuration file](ebextensions.md). The console and EB CLI override this option with a [recommended value](command-options.md#configuration-options-recommendedvalues). | `100` | `1` to `100` (`Percentage`). `1` to [aws:autoscaling:asg::MaxSize](#command-options-general-autoscalingasg) (`Fixed`) |
| IgnoreHealthCheck | Don't cancel a deployment due to failed health checks. | false | `true` `false` |
## aws:elasticbeanstalk:environment
Configure your environment's architecture and service role.
**Namespace: `aws:elasticbeanstalk:environment`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| EnvironmentType | Set to `SingleInstance` to launch one EC2 instance with no load balancer. | `LoadBalanced` | `SingleInstance` `LoadBalanced` |
| ServiceRole | The name of an IAM role that Elastic Beanstalk uses to manage resources for the environment. Specify a role name (optionally prefixed with a custom path) or its ARN. Examples: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html) If you use the Elastic Beanstalk console or EB CLI to create an environment, you can't set this option in a [configuration file](ebextensions.md). The console and EB CLI override this option with a [recommended value](command-options.md#configuration-options-recommendedvalues). | None | IAM role name, path/name, or ARN |
| LoadBalancerType | The type of load balancer for your environment. For more information, see [Load balancer for your Elastic Beanstalk environment](using-features.managing.elb.md). | `classic` | `classic` `application` `network` |
| LoadBalancerIsShared | Specifies whether the environment's load balancer is dedicated or shared. This option can only be set for an Application Load Balancer. It can't be changed after the environment is created. When `false`, the environment has its own dedicated load balancer, created, and managed by Elastic Beanstalk. When `true`, the environment uses a shared load balancer, created by you and specified in the `SharedLoadBalancer` option of the [aws:elbv2:loadbalancer](#command-options-general-elbv2) namespace. | `false` | `true` `false` |
## aws:elasticbeanstalk:environment:process:default
Configure your environment's default process.
**Namespace: `aws:elasticbeanstalk:environment:process:default`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| DeregistrationDelay | The amount of time, in seconds, to wait for active requests to complete before deregistering. | `20` | `0` to `3600` |
| HealthCheckInterval | The interval of time, in seconds, that Elastic Load Balancing checks the health of the Amazon EC2 instances of your application. | With classic or application load balancer: `15` With network load balancer: `30` | With classic or application load balancer: `5` to `300` With network load balancer: `10`, `30` |
| HealthCheckPath | The path that HTTP requests for health checks are sent to. | `/` | A routable path. |
| HealthCheckTimeout | The amount of time, in seconds, to wait for a response during a health check. This option is only applicable to environments with an application load balancer. | `5` | `1` to `60` |
| HealthyThresholdCount | The number of consecutive successful requests before Elastic Load Balancing changes the instance health status. | With classic or application load balancer: `3` With network load balancer: `5` | `2` to `10` |
| MatcherHTTPCode | A comma-separated list of HTTP code(s) that indicate that an instance is healthy. This option is only applicable to environments with a network or application load balancer. | `200` | With application load balancer: `200` to `499` With network load balancer: `200` to `399` |
| Port | Port that the process listens on. | `80` | `1` to `65535` |
| Protocol | The protocol that the process uses. With an application load balancer, you can only set this option to `HTTP` or `HTTPS`. With a network load balancer, you can only set this option to `TCP`. | With classic or application load balancer: `HTTP` With network load balancer: `TCP` | `TCP` `HTTP` `HTTPS` |
| StickinessEnabled | Set to true to enable sticky sessions. This option is only applicable to environments with an application load balancer. | `'false'` | `'false'` `'true'` |
| StickinessLBCookieDuration | The lifetime, in seconds, of the sticky session cookie. This option is only applicable to environments with an application load balancer. | `86400` (one day) | `1` to `604800` |
| StickinessType | Set to `lb_cookie` to use cookies for sticky sessions. This option is only applicable to environments with an application load balancer. | `lb_cookie` | `lb_cookie` |
| UnhealthyThresholdCount | The number of consecutive unsuccessful requests before Elastic Load Balancing changes the instance health status. | `5` | `2` to `10` |
## aws:elasticbeanstalk:environment:process:process\$1name
Configure additional processes for your environment.
**Namespace: `aws:elasticbeanstalk:environment:process:process_name`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| DeregistrationDelay | The amount of time, in seconds, to wait for active requests to complete before deregistering. | `20` | `0` to `3600` |
| HealthCheckInterval | The interval, in seconds, that Elastic Load Balancing checks the health of Amazon EC2 instances for your application. | With classic or application load balancer: `15` With network load balancer: `30` | With classic or application load balancer: `5` to `300` With network load balancer: `10`, `30` |
| HealthCheckPath | The path that HTTP requests for health checks are sent to. | `/` | A routable path. |
| HealthCheckTimeout | The amount of time, in seconds, to wait for a response during a health check. This option is only applicable to environments with an application load balancer. | `5` | `1` to `60` |
| HealthyThresholdCount | The number of consecutive successful requests before Elastic Load Balancing changes the instance health status. | With classic or application load balancer: `3` With network load balancer: `5` | `2` to `10` |
| MatcherHTTPCode | A comma-separated list of HTTP code(s) that indicates that an instance is healthy. This option is only applicable to environments with a network or application load balancer. | `200` | With application load balancer: `200` to `499` With network load balancer: `200` to `399` |
| Port | The port that the process listens on. | `80` | `1` to `65535` |
| Protocol | The protocol that the process uses. With an application load balancer, you can only set this option to `HTTP` or `HTTPS`. With a network load balancer, you can only set this option to `TCP`. | With classic or application load balancer: `HTTP` With network load balancer: `TCP` | `TCP` `HTTP` `HTTPS` |
| StickinessEnabled | Set to true to enable sticky sessions. This option is only applicable to environments with an application load balancer. | `'false'` | `'false'` `'true'` |
| StickinessLBCookieDuration | The lifetime, in seconds, of the sticky session cookie. This option is only applicable to environments with an application load balancer. | `86400` (one day) | `1` to `604800` |
| StickinessType | Set to `lb_cookie` to use cookies for sticky sessions. This option is only applicable to environments with an application load balancer. | `lb_cookie` | `lb_cookie` |
| UnhealthyThresholdCount | The number of consecutive unsuccessful requests before Elastic Load Balancing changes the instance health status. | `5` | `2` to `10` |
## aws:elasticbeanstalk:environment:proxy:staticfiles
You can use the following namespace to configure the proxy server to serve static files. When the proxy server receives a request for a file under the specified path, it serves the file directly instead of routing the request to your application. This reduces the number of requests that your application has to process.
Map a path served by the proxy server to a folder in your source code that contains static assets. Each option that you define in this namespace maps a different path.
**Note**
This namespace applies to platform branches based on Amazon Linux 2 and later. If your environment uses a platform version based on Amazon Linux AMI (preceding Amazon Linux 2), refer to [Platform specific options](command-options-specific.md) for platform-specific static file namespaces.
**Namespace: `aws:elasticbeanstalk:environment:proxy:staticfiles`**
| **Name** | **Value** |
| --- | --- |
| The path where the proxy server serves the files. Start the value with `/`. For example, specify `/images` to serve files at `subdomain.eleasticbeanstalk.com/images`. | The name of the folder containing the files. For example, specify `staticimages` to serve files from a folder named `staticimages` at the top level of your source bundle. |
## aws:elasticbeanstalk:healthreporting:system
Configure enhanced health reporting for your environment.
**Namespace: `aws:elasticbeanstalk:healthreporting:system`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| SystemType | The health reporting system ([basic](using-features.healthstatus.md) or [enhanced](health-enhanced.md)). Enhanced health reporting requires a [service role](concepts-roles-service.md) and a version 2 or newer [platform version](concepts.platforms.md). If you use the Elastic Beanstalk console or EB CLI to create an environment, you can't set this option in a [configuration file](ebextensions.md). The console and EB CLI override this option with a [recommended value](command-options.md#configuration-options-recommendedvalues). | `basic` | `basic` `enhanced` |
| ConfigDocument | A JSON document that describes the environment and instance metrics to publish to CloudWatch. | None | |
| EnhancedHealthAuthEnabled | Enables authorization for the internal API that Elastic Beanstalk uses to communicate enhanced health information from your environment instances to the Elastic Beanstalk service. For more information, see [Enhanced health roles](health-enhanced.md#health-enhanced-roles). This option is only applicable to enhanced health reporting (such as when `SystemType` is set to `enhanced`). | `true` | `true` `false` |
| HealthCheckSuccessThreshold | Lowers the threshold for instances to pass health checks. If you use the Elastic Beanstalk console to create an environment, you can't set this option in a [configuration file](ebextensions.md). The console overrides this option with a [recommended value](command-options.md#configuration-options-recommendedvalues). | `Ok` | `Ok` `Warning` `Degraded` `Severe` |
## aws:elasticbeanstalk:hostmanager
Configure the EC2 instances in your environment to upload rotated logs to Amazon S3.
**Namespace: `aws:elasticbeanstalk:hostmanager`**
| **Name** | **Description** | **Default** | Valid values |
| --- | --- | --- | --- |
| LogPublicationControl | Copy the log files of the Amazon EC2 instances for your application to the Amazon S3 bucket that's associated with your application. | `false` | `true` `false` |
## aws:elasticbeanstalk:managedactions
Configure managed platform updates for your environment.
**Namespace: `aws:elasticbeanstalk:managedactions`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| ManagedActionsEnabled | Enable [managed platform updates](environment-platform-update-managed.md#environment-platform-update-managed-namespace). When you set this to `true`, you must also specify a `PreferredStartTime` and `UpdateLevel`. | `false` | `true` `false` |
| PreferredStartTime | Configure a maintenance window for managed actions in UTC. For example, `"Tue:09:00"`. | None | Day and time in the *day*:*hour*:*minute* format. |
| ServiceRoleForManagedUpdates | The name of an IAM role that Elastic Beanstalk uses to perform managed platform updates for your environment. You can use either the same role that you specified for the `ServiceRole` option of the `aws:elasticbeanstalk:environment` namespace, or your account's [managed updates service-linked role](using-service-linked-roles-managedupdates.md). In the latter case, if the account doesn't have a managed-updates service-linked role yet, Elastic Beanstalk creates it. | None | Same as `ServiceRole` or `AWSServiceRoleForElasticBeanstalkManagedUpdates` |
## aws:elasticbeanstalk:managedactions:platformupdate
Configure managed platform updates for your environment.
**Namespace: `aws:elasticbeanstalk:managedactions:platformupdate`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| UpdateLevel | The highest level of update to apply with managed platform updates. Platforms are versioned *major*.*minor*.*patch*. For example, 2.0.8 has a major version of 2, a minor version of 0, and a patch version of 8. | None | `patch` for patch version updates only. `minor` for both minor and patch version updates. |
| InstanceRefreshEnabled | Enable weekly instance replacement. This requires `ManagedActionsEnabled` to be set to `true`. | false | `true` `false` |
## aws:elasticbeanstalk:monitoring
Configure your environment to terminate EC2 instances that fail health checks.
**Namespace: `aws:elasticbeanstalk:monitoring`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| Automatically Terminate Unhealthy Instances | Terminate an instance if it fails health checks. This option was only supported on [legacy environments](using-features.migration.md). It determined the health of an instance based on being able to reach it and on other instance-based metrics. Elastic Beanstalk doesn't provide a way to automatically terminate instances based on application health. | `true` | `true` `false` |
## aws:elasticbeanstalk:sns:topics
Configure notifications for your environment.
**Namespace: `aws:elasticbeanstalk:sns:topics`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| Notification Endpoint | The endpoint where you want to be notified of important events affecting your application. If you use the Elastic Beanstalk console to create an environment, you can't set this option in a [configuration file](ebextensions.md). The console overrides this option with a [recommended value](command-options.md#configuration-options-recommendedvalues). | None | |
| Notification Protocol | The protocol that's used to send notifications to your endpoint. | `email` | `http` `https` `email` `email-json` `sqs` |
| Notification Topic ARN | The Amazon Resource Name (ARN) for the topic you subscribed to. | None | |
| Notification Topic Name | The name of the topic you subscribed to. | None | |
## aws:elasticbeanstalk:sqsd
Configure the Amazon SQS queue for a worker environment.
**Namespace: `aws:elasticbeanstalk:sqsd`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| WorkerQueueURL | The URL of the queue that the daemon in the worker environment tier reads messages from. When you don't specify a value, the queue that Elastic Beanstalk automatically creates is a [standard](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/standard-queues.html) Amazon SQS queue. When you provide a value, you can provide the URL of either a standard or a [FIFO](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues.html) Amazon SQS queue. Be aware that if you provide a FIFO queue, [periodic tasks](using-features-managing-env-tiers.md#worker-periodictasks) aren't supported. | automatically generated | If you don't specify a value, then Elastic Beanstalk automatically creates a queue. |
| HttpPath | The relative path to the application that HTTP POST messages are sent to. | / | |
| MimeType | The MIME type of the message that's sent in the HTTP POST request. | `application/json` | `application/json` `application/x-www-form-urlencoded` `application/xml` `text/plain` Custom MIME type. |
| HttpConnections | The maximum number of concurrent connections to any applications that are within an Amazon EC2 instance. If you use the Elastic Beanstalk console to create an environment, you can't set this option in a [configuration file](ebextensions.md). The console overrides this option with a [recommended value](command-options.md#configuration-options-recommendedvalues). | `50` | `1` to `100` |
| ConnectTimeout | The amount of time, in seconds, to wait for successful connections to an application. | `5` | `1` to `60` |
| InactivityTimeout | The amount of time, in seconds, to wait for a response on an existing connection to an application.The message is reprocessed until the daemon receives a 200 (OK) response from the application in the worker environment tier or the RetentionPeriod expires. | `299` | `1` to `36000` |
| VisibilityTimeout | The amount of time, in seconds, an incoming message from the Amazon SQS queue is locked for processing. After the configured amount of time has passed, then the message is again made visible in the queue for any other daemon to read. | 300 | `0` to `43200` |
| ErrorVisibilityTimeout | The amount of time, in seconds, that elapses before Elastic Beanstalk returns a message to the Amazon SQS queue after a processing attempt fails with an explicit error. | `2` seconds | `0` to `43200` seconds |
| RetentionPeriod | The amount of time, in seconds, a message is valid and is actively processed for. | `345600` | `60` to `1209600` |
| MaxRetries | The maximum number of attempts that Elastic Beanstalk attempts to send the message to the web application that will process it before moving the message to the dead-letter queue. | `10` | `1` to `100` |
## aws:elasticbeanstalk:trafficsplitting
Configure traffic-splitting deployments for your environment.
This namespace applies when you set the `DeploymentPolicy` option of the [aws:elasticbeanstalk:command](#command-options-general-elasticbeanstalkcommand) namespace to `TrafficSplitting`. For more information about deployment policies, see [Deployment policies and settings](using-features.rolling-version-deploy.md).
**Namespace: `aws:elasticbeanstalk:trafficsplitting`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| NewVersionPercent | The initial percentage of incoming client traffic that Elastic Beanstalk shifts to environment instances running the new application version you're deploying. | `10` | `1` to `100` |
| EvaluationTime | The time period, in minutes, that Elastic Beanstalk waits after an initial healthy deployment before proceeding to shift all incoming client traffic to the new application version that you're deploying. | `5` | `3` to `600` |
## aws:elasticbeanstalk:xray
Run the AWS X-Ray daemon to relay trace information from your [X-Ray integrated](environment-configuration-debugging.md) application.
**Namespace: `aws:elasticbeanstalk:xray`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| `XRayEnabled` | Set to `true` to run the X-Ray daemon on the instances in your environment. | `false` | `true` `false` |
## aws:elb:healthcheck
Configure healthchecks for a Classic Load Balancer.
**Namespace: `aws:elb:healthcheck`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| HealthyThreshold | The number of consecutive successful requests before Elastic Load Balancing changes the instance health status. | `3` | `2` to `10` |
| Interval | The interval that Elastic Load Balancing checks the health of your application's Amazon EC2 instances at. | `10` | `5` to `300` |
| Timeout | The amount of time, in seconds, that Elastic Load Balancing waits for a response before it considers the instance nonresponsive. | `5` | `2` to `60` |
| UnhealthyThreshold | The number of consecutive unsuccessful requests before Elastic Load Balancing changes the instance health status. | `5` | `2` to `10` |
| (deprecated) Target | The destination on a backend instance that health checks are sent to. Use `Application Healthcheck URL` in the [`aws:elasticbeanstalk:application`](#command-options-general-elasticbeanstalkapplication) namespace instead. | `TCP:80` | Target in the format *PROTOCOL*:*PORT**/PATH* |
## aws:elb:loadbalancer
Configure your environment's Classic Load Balancer.
Several of the options in this namespace are no longer supported in favor of listener-specific options in the [aws:elb:listener](#command-options-general-elblistener) namespace. With these options that aren't supported anymore, you can only configure two listeners (one secure and one unsecure) on standard ports.
**Namespace: `aws:elb:loadbalancer`**
| Name | Description | Default | Valid values |
| --- | --- | --- | --- |
| CrossZone | Configure the load balancer to route traffic evenly across all instances in all Availability Zones rather than only within each zone. If you use the Elastic Beanstalk console or EB CLI to create an environment, you can't set this option in a [configuration file](ebextensions.md). The console and EB CLI override this option with a [recommended value](command-options.md#configuration-options-recommendedvalues). | `false` | `true` `false` |
| SecurityGroups | Assign one or more security groups that you created to the load balancer. Required if `DisableDefaultEC2SecurityGroup` ([aws:autoscaling:launchconfiguration](#command-options-general-autoscalinglaunchconfiguration)) is set to `true`. Load balanced environments that have opted out of the default Elastic Beanstalk EC2 security group must provide one or more security groups with this option. For more information, see [Managing EC2 security groups](using-features.managing.ec2.instances.sg.md). | None | One or more security group IDs. |
| ManagedSecurityGroup | Assign an existing security group to the load balancer for your environment, instead of creating a new one. To use this setting, update the `SecurityGroups` setting in this namespace to include your security group’s ID, and remove the ID of the security group that was created automatically, if one was created. To allow traffic from the load balancer to your environment’s EC2 instances, Elastic Beanstalk adds a rule to the security group of the instances that allows inbound traffic from the managed security group. | None | A security group ID. |
| (deprecated) LoadBalancerHTTPPort | The port to listen on for the unsecure listener. | `80` | `OFF` `80` |
| (deprecated) LoadBalancerPortProtocol | The protocol to use on the unsecure listener. | `HTTP` | `HTTP` `TCP` |
| (deprecated) LoadBalancerHTTPSPort | The port to listen on for the secure listener. | `OFF` | `OFF` `443` `8443` |
| (deprecated) LoadBalancerSSLPortProtocol | The protocol to use on the secure listener. | `HTTPS` | `HTTPS` `SSL` |
| (deprecated) SSLCertificateId | The Amazon Resource Name (ARN) of an SSL certificate to bind to the secure listener. | None | |
## aws:elb:listener
Configure the default listener (port 80) on a Classic Load Balancer.
**Namespace: `aws:elb:listener`**
| Name | Description | Default | Valid values |
| --- | --- | --- | --- |
| ListenerProtocol | The protocol used by the listener. | HTTP | HTTP TCP |
| InstancePort | The port that this listener uses to communicate with the EC2 instances. | 80 | 1 to 65535 |
| InstanceProtocol | The protocol that this listener uses to communicate with the EC2 instances. It must be at the same internet protocol layer as the `ListenerProtocol`. It also must have the same security level as any other listener using the same `InstancePort` as this listener. For example, if `ListenerProtocol` is `HTTPS` (application layer, using a secure connection), you can set `InstanceProtocol` to `HTTP` (also at the application layer, using an insecure connection). If, in addition, you set `InstancePort` to `80`, you must set `InstanceProtocol` to `HTTP` in all other listeners with `InstancePort` set to `80`. | `HTTP` when `ListenerProtocol` is `HTTP` `TCP` when `ListenerProtocol` is `TCP` | HTTP or HTTPS when ListenerProtocol is HTTP or HTTPS `TCP` or `SSL` when `ListenerProtocol` is `TCP` or `SSL` |
| PolicyNames | A comma-separated list of policy names to apply to the port for this listener. We recommend that you use the LoadBalancerPorts option of the [aws:elb:policies](#command-options-general-elbpolicies) namespace instead. | None | |
| ListenerEnabled | Specifies whether this listener is enabled. If you specify false, the listener isn't included in the load balancer. | true | `true` `false` |
## aws:elb:listener:listener\$1port
Configure additional listeners on a Classic Load Balancer.
**Namespace: `aws:elb:listener:listener_port`**
| Name | Description | Default | Valid values |
| --- | --- | --- | --- |
| ListenerProtocol | The protocol used by the listener. | HTTP | HTTP HTTPS TCP SSL |
| InstancePort | The port that this listener uses to communicate with the EC2 instances. | The same as listener\$1port. | 1 to 65535 |
| InstanceProtocol | The protocol that this listener uses to communicate with the EC2 instances. It must be at the same internet protocol layer as the `ListenerProtocol`. It also must have the same security level as any other listener using the same `InstancePort` as this listener. For example, if `ListenerProtocol` is `HTTPS` (application layer, using a secure connection), you can set `InstanceProtocol` to `HTTP` (also at the application layer, using an insecure connection). If, in addition, you set `InstancePort` to `80`, you must set `InstanceProtocol` to `HTTP` in all other listeners with `InstancePort` set to `80`. | `HTTP` when `ListenerProtocol` is `HTTP` or `HTTPS` `TCP` when `ListenerProtocol` is `TCP` or `SSL` | HTTP or HTTPS when ListenerProtocol is HTTP or HTTPS `TCP` or `SSL` when `ListenerProtocol` is `TCP` or `SSL` |
| PolicyNames | A comma-separated list of policy names to apply to the port for this listener. We suggest that you use the LoadBalancerPorts option of the [aws:elb:policies](#command-options-general-elbpolicies) namespace instead. | None | |
| SSLCertificateId | The Amazon Resource Name (ARN) of an SSL certificate to bind to the listener. | None | |
| ListenerEnabled | Specifies whether this listener is enabled. If you specify false, the listener isn't included in the load balancer. | true if any other option is set. false otherwise. | true false |
## aws:elb:policies
Modify the default stickiness and global load balancer policies for a Classic Load Balancer.
**Namespace: `aws:elb:policies`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| ConnectionDrainingEnabled | Specifies whether the load balancer maintains existing connections to instances that have become unhealthy or deregistered to complete in-progress requests. If you use the Elastic Beanstalk console or EB CLI to create an environment, you can't set this option in a [configuration file](ebextensions.md). The console and EB CLI override this option with a [recommended value](command-options.md#configuration-options-recommendedvalues). | `false` | `true` `false` |
| ConnectionDrainingTimeout | The maximum number of seconds that the load balancer maintains existing connections to an instance during connection draining before forcibly closing the connections. If you use the Elastic Beanstalk console to create an environment, you can't set this option in a [configuration file](ebextensions.md). The console overrides this option with a [recommended value](command-options.md#configuration-options-recommendedvalues). | `20` | `1` to `3600` |
| ConnectionSettingIdleTimeout | The amount of time, in seconds, that the load balancer waits for any data to be sent or received over the connection. If no data has been sent or received after this time period elapses, the load balancer closes the connection. | `60` | `1` to `3600` |
| LoadBalancerPorts | A comma-separated list of the listener ports that the default policy (`AWSEB-ELB-StickinessPolicy`) applies to. | None | You can use :all to indicate all listener ports |
| Stickiness Cookie Expiration | The amount of time, in seconds, that each cookie is valid. Uses the default policy (`AWSEB-ELB-StickinessPolicy`) . | `0` | `0` to `1000000` |
| Stickiness Policy | Binds a user's session to a specific server instance so that all requests coming from the user during the session are sent to the same server instance. Uses the default policy (`AWSEB-ELB-StickinessPolicy`) . | `false` | true false |
## aws:elb:policies:policy\$1name
Create additional load balancer policies for a Classic Load Balancer.
**Namespace: `aws:elb:policies:policy_name`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| CookieName | The name of the application-generated cookie that controls the session lifetimes of a AppCookieStickinessPolicyType policy. This policy can be associated only with HTTP/HTTPS listeners. | None | |
| InstancePorts | A comma-separated list of the instance ports that this policy applies to. | None | A list of ports, or :all |
| LoadBalancerPorts | A comma-separated list of the listener ports that this policy applies to. | None | A list of ports, or :all |
| ProxyProtocol | For a `ProxyProtocolPolicyType` policy, specifies whether to include the IP address and port of the originating request for TCP messages. This policy can be associated only with TCP/SSL listeners. | None | true false |
| PublicKey | The contents of a public key for a `PublicKeyPolicyType` policy to use when authenticating the backend server or servers. This policy can't be applied directly to backend servers or listeners. It must be part of a `BackendServerAuthenticationPolicyType` policy. | None | |
| PublicKeyPolicyNames | A comma-separated list of policy names (from the `PublicKeyPolicyType` policies) for a `BackendServerAuthenticationPolicyType` policy that controls authentication to a backend server or servers. This policy can be associated only with backend servers that are using HTTPS/SSL. | None | |
| SSLProtocols | A comma-separated list of SSL protocols to be enabled for a `SSLNegotiationPolicyType` policy that defines the ciphers and protocols that are accepted by the load balancer. This policy can be associated only with HTTPS/SSL listeners. | None | |
| SSLReferencePolicy | The name of a predefined security policy that adheres to AWS security best practices and that you want to activate for a `SSLNegotiationPolicyType` policy that defines the ciphers and protocols that are accepted by the load balancer. This policy can be associated only with HTTPS/SSL listeners. | None | |
| Stickiness Cookie Expiration | The amount of time, in seconds, that each cookie is valid. | `0` | `0` to `1000000` |
| Stickiness Policy | Binds a user's session to a specific server instance so that all requests coming from the user during the session are sent to the same server instance. | `false` | true false |
## aws:elbv2:listener:default
Configure the default listener (port 80) on an Application Load Balancer or a Network Load Balancer.
This namespace doesn't apply to an environment that uses a shared load balancer. Shared load balancers don't have a default listener.
**Namespace: `aws:elbv2:listener:default`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| DefaultProcess | The name of the [process](#command-options-general-environmentprocess) to forward traffic to when no rules match. | `default` | A process name. |
| ListenerEnabled | Set to `false` to disable the listener. You can use this option to disable the default listener on port 80. | `true` | `true` `false` |
| Protocol | The protocol of traffic to process. | With application load balancer: `HTTP` With network load balancer: `TCP` | With application load balancer: `HTTP`, `HTTPS` With network load balancer: `TCP` |
| Rules | A list of [rules](#command-options-general-elbv2-listenerrule) to apply to the listener This option is only applicable to environments with an Application Load Balancer. | None | A comma-separated list of rule names. |
| SSLCertificateArns | The Amazon Resource Name (ARN) of the SSL certificate to bind to the listener. This option is only applicable to environments with an Application Load Balancer. | None | The ARN of a certificate stored in IAM or ACM. |
| SSLPolicy | Specify a security policy to apply to the listener. This option is only applicable to environments with an Application Load Balancer. | None (ELB default) | The name of a load balancer security policy. |
## aws:elbv2:listener:listener\$1port
Configure additional listeners on an Application Load Balancer or a Network Load Balancer.
**Note**
For a shared Application Load Balancer, you can specify only the `Rule` option. The other options aren't applicable to shared load balancers.
**Namespace: `aws:elbv2:listener:listener_port`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| DefaultProcess | The name of the [process](#command-options-general-environmentprocess) where traffic is forwarded when no rules match. | `default` | A process name. |
| ListenerEnabled | Set to `false` to disable the listener. You can use this option to disable the default listener on port 80. | `true` | `true` `false` |
| Protocol | The protocol of traffic to process. | With application load balancer: `HTTP` With network load balancer: `TCP` | With application load balancer: `HTTP`, `HTTPS` With network load balancer: `TCP` |
| Rules | List of [rules](#command-options-general-elbv2-listenerrule) to apply to the listener This option is applicable only to environments with an Application Load Balancer. If your environment uses a shared Application Load Balancer, and you don't specify this option for any listener, Elastic Beanstalk automatically associates the `default` rule with a port 80 listener. | None | A comma-separated list of rule names. |
| SSLCertificateArns | The Amazon Resource Name (ARN) of the SSL certificate to bind to the listener. This option is only applicable to environments with an Application Load Balancer. | None | The ARN of a certificate stored in IAM or ACM. |
| SSLPolicy | Specify a security policy to apply to the listener. This option is only applicable to environments with an Application Load Balancer. | None (ELB default) | The name of a load balancer security policy. |
## aws:elbv2:listenerrule:rule\$1name
Define listener rules for an Application Load Balancer. If a request matches the host names or paths in a rule, the load balancer forwards it to the specified process. To use a rule, add it to a listener with the `Rules` option in the [`aws:elbv2:listener:listener_port`](#command-options-general-elbv2-listener) namespace.
**Note**
This namespace isn't applicable to environments with a network load balancer.
**Namespace: `aws:elbv2:listenerrule:rule_name`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| HostHeaders | A list of host names to match. For example, `my.example.com`. | Dedicated load balancer: None Shared load balancer: The environment's CNAME | Each name can contain up to 128 characters. A pattern can include both uppercase and lowercase letters, numbers, hyphens (–), and up to three wildcard characters (`*` matches zero or more characters; `?` matches exactly one character). You can list more than one name, each separated by a comma. Application Load Balancer supports up to five combined `HostHeader` and `PathPattern` rules. For more information, see [Host conditions](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#host-conditions) in the *User Guide for Application Load Balancers*. |
| PathPatterns | The path patterns to match (for example, `/img/*`). This option is only applicable to environments with an application load balancer. | None | Each pattern can contain up to 128 characters. A pattern can include uppercase and lowercase letters, numbers, hyphens (–), and up to three wildcard characters (`*` matches zero or more characters; `?` matches exactly one character). You can add multiple comma-separated path patterns. Application Load Balancer supports up to five combined `HostHeader` and `PathPattern` rules. For more information, see [Path conditions](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#path-conditions) in the *User Guide for Application Load Balancers*. |
| Priority | The precedence of this rule when multiple rules match. The lower number takes precedence. No two rules can have the same priority. With a shared load balancer, Elastic Beanstalk treats rule priorities as relative across sharing environments, and maps them to absolute priorities during creation. | `1` | `1` to `1000` |
| Process | The name of the [process](#command-options-general-environmentprocess) to forward traffic when this rule matches the request. | `default` | A process name. |
## aws:elbv2:loadbalancer
Configure an Application Load Balancer.
For a shared load balancer, only the `SharedLoadBalancer` and `SecurityGroups` options are valid.
**Note**
This namespace isn't applicable to environments with a Network Load Balancer.
**Namespace: `aws:elbv2:loadbalancer`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| AccessLogsS3Bucket | The Amazon S3 bucket where access logs are stored. The bucket must be in the same Region as the environment and allow the load balancer write access. | None | A bucket name. |
| AccessLogsS3Enabled | Enable access log storage. | `false` | `true` `false` |
| AccessLogsS3Prefix | A prefix to prepend to access log names. By default, the load balancer uploads logs to a directory named AWSLogs in the bucket you specify. Specify a prefix to place the AWSLogs directory inside another directory. | None | |
| IdleTimeout | The amount of time, in seconds, to wait for a request to complete before closing connections to client and instance. | None | `1` to `3600` |
| IpAddressType | Specifies the IP address format configuration for the environment's load balancer. Use the *dualstack* option to enable IPv6 protocol, along with IPv4 protocol. Only Application Load Balancers and Network Load Balancers support the *dualstack* option. Single instance environments and environments that use Classic Load Balancers do not support it. You must associate the environment's VPC and all of the VPC subnets with IPv6 CIDR blocks to support the *dualstack* option. For more information, see [Configuring dual-stack Elastic Beanstalk load balancers](environments-cfg-elbv2-ipv6-dualstack.md). | ipv4 | ipv4, dualstack |
| ManagedSecurityGroup | Assign an existing security group to your environment’s load balancer, instead of creating a new one. To use this setting, update the `SecurityGroups` setting in this namespace to include your security group’s ID, and remove the automatically created security group’s ID, if one exists. To allow traffic from the load balancer to the EC2 instances for your environment, Elastic Beanstalk adds a rule to the security group of your instances that allows inbound traffic from the managed security group. | The security group that Elastic Beanstalks creates for your load balancer. | A security group ID. |
| SecurityGroups | A list of security groups to attach to the load balancer. Required if `DisableDefaultEC2SecurityGroup` ([aws:autoscaling:launchconfiguration](#command-options-general-autoscalinglaunchconfiguration)) is set to `true`. Load balanced environments that have opted out of the default Elastic Beanstalk EC2 security group must provide one or more security groups with this option. For more information, see [Managing EC2 security groups](using-features.managing.ec2.instances.sg.md). For a shared load balancer, if you don't specify this value, Elastic Beanstalk checks if an existing security group that it manages is already attached to the load balancer. If one isn't attached to the load balancer, Elastic Beanstalk creates a security group and attaches it to the load balancer. Elastic Beanstalk deletes this security group when the last environment sharing the load balancer terminates. The load balancer security groups are used to set up the Amazon EC2 instance security group ingress rule. | The security group that Elastic Beanstalk creates for your load balancer. | Comma-separated list of security group IDs. |
| SharedLoadBalancer | The Amazon Resource Name (ARN) of a shared load balancer. This option is relevant only to an Application Load Balancer. It's required when the `LoadBalancerIsShared` option of the [aws:elasticbeanstalk:environment](#command-options-general-elasticbeanstalkenvironment) namespace is set to `true`. You can't change the shared load balancer ARN after the environment is created. Criteria for a valid value: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html) Example: `arn:aws:elasticloadbalancing:us-east-2:123456789012:loadbalancer/app/FrontEndLB/0dbf78d8ad96abbc` | None | ARN of a valid load balancer that meets all of the criteria described here. |
## aws:rds:dbinstance
Configure an attached Amazon RDS DB instance.
**Namespace: `aws:rds:dbinstance`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| DBAllocatedStorage | The allocated database storage size, specified in gigabytes. | MySQL: `5` Oracle: `10` sqlserver-se: `200` sqlserver-ex: `30` sqlserver-web: `30` | MySQL: `5`-`1024` Oracle: `10`-`1024` sqlserver: cannot be modified |
| DBDeletionPolicy | Specifies whether to retain, delete, or create snapshot of the DB instance when an environment is terminated. This option works in conjunction with `HasCoupledDatabase`, also an option of this namespace. Deleting a DB instance results in permanent data loss. | `Delete` | `Delete` `Retain` `Snapshot` |
| DBEngine | The name of the database engine to use for this instance. | `mysql` | `mysql` `oracle-se1` `sqlserver-ex` `sqlserver-web` `sqlserver-se` `postgres` |
| DBEngineVersion | The version number of the database engine. | `5.5` | |
| DBInstanceClass | The database instance type. | `db.t2.micro` (`db.m1.large` for an environment not running in an Amazon VPC) | For more information, see [DB Instance Class](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.html) in the * Amazon Relational Database Service User Guide*. |
| DBPassword | The name of master user password for the database instance. | None | |
| DBSnapshotIdentifier | The identifier for the DB snapshot to restore from. | None | |
| DBUser | The name of master user for the DB Instance. | **ebroot** | |
| HasCoupledDatabase | Specifies whether a DB instance is coupled to your environment. If toggled to `true`, Elastic Beanstalk creates a new DB instance coupled to your environment. If toggled to `false`, Elastic Beanstalk initiates decoupling of the DB instance from your environment. This option works in conjunction with `DBDeletionPolicy`, also an option of this namespace. Note: If you toggle this value back to `true` after decoupling the previous database, Elastic Beanstalk creates a new database with the previous database option settings. However, to maintain the security of your environment, it doesn't retain the existing `DBUser` and `DBPassword` settings. You need to specify `DBUser` and `DBPassword` again. | `false` | `true` `false` |
| MultiAZDatabase | Specifies whether a database instance Multi-AZ deployment needs to be created. For more information about Multi-AZ deployments with Amazon Relational Database Service (RDS), see [Regions and Availability Zones](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html) in the * Amazon Relational Database Service User Guide*. | `false` | `true` `false` |
# Platform specific options
Some Elastic Beanstalk platforms define option namespaces that are specific to the platform. These namespaces and their options are listed below for each platform.
**Note**
Previously, in platform versions based on Amazon Linux AMI (preceding Amazon Linux 2), the following two features and their respective namespaces were considered to be platform-specific features, and were listed here per platform:
**Proxy configuration for static files** – `aws:elasticbeanstalk:environment:proxy:staticfiles`
**AWS X-Ray support** – `aws:elasticbeanstalk:xray`
In Amazon Linux 2 platform versions, Elastic Beanstalk implements these features in a consistent way across all supporting platforms. The related namespace are now listed in the [General options for all environments](command-options-general.md) page. We only kept mention of them on this page for platforms who had differently-named namespaces.
**Topics**
+ [
## Docker platform options
](#command-options-docker)
+ [
## Go platform options
](#command-options-golang)
+ [
## Java SE platform options
](#command-options-plain-java)
+ [
## Java with Tomcat platform options
](#command-options-java)
+ [
## .NET Core on Linux platform options
](#command-options-dotnet-core-linux)
+ [
## .NET platform options
](#command-options-net)
+ [
## Node.js platform options
](#command-options-nodejs)
+ [
## PHP platform options
](#command-options-php)
+ [
## Python platform options
](#command-options-python)
+ [
## Ruby platform options
](#command-options-ruby)
## Docker platform options
The following Docker-specific configuration options apply to the Docker and Preconfigured Docker platforms.
**Note**
These configuration options do not apply to
Docker platform (Amazon Linux 2) with Docker Compose
Multicontainer Docker platform (Amazon Linux AMI AL1) - this platform is retired
**Namespace: `aws:elasticbeanstalk:environment:proxy`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| ProxyServer | Specifies the web server to use as a proxy. | `nginx` | `nginx` `none` – *Amazon Linux AM* and *Docker w/DC only* |
## Go platform options
### Amazon Linux AMI (pre-Amazon Linux 2) platform options
#### Namespace: `aws:elasticbeanstalk:container:golang:staticfiles`
You can use the following namespace to configure the proxy server to serve static files. When the proxy server receives a request for a file under the specified path, it serves the file directly instead of routing the request to your application. This reduces the number of requests that your application has to process.
Map a path served by the proxy server to a folder in your source code that contains static assets. Each option that you define in this namespace maps a different path.
| **Name** | **Value** |
| --- | --- |
| Path where the proxy server will serve the files. Example: `/images` to serve files at `subdomain.eleasticbeanstalk.com/images`. | Name of the folder containing the files. Example: `staticimages` to serve files from a folder named `staticimages` at the top level of your source bundle. |
## Java SE platform options
### Amazon Linux AMI (pre-Amazon Linux 2) platform options
#### Namespace: `aws:elasticbeanstalk:container:java:staticfiles`
You can use the following namespace to configure the proxy server to serve static files. When the proxy server receives a request for a file under the specified path, it serves the file directly instead of routing the request to your application. This reduces the number of requests that your application has to process.
Map a path served by the proxy server to a folder in your source code that contains static assets. Each option that you define in this namespace maps a different path.
| **Name** | **Value** |
| --- | --- |
| Path where the proxy server will serve the files. Example: `/images` to serve files at `subdomain.eleasticbeanstalk.com/images`. | Name of the folder containing the files. Example: `staticimages` to serve files from a folder named `staticimages` at the top level of your source bundle. |
## Java with Tomcat platform options
**Namespace: `aws:elasticbeanstalk:application:environment`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| JDBC\$1CONNECTION\$1STRING | The connection string to an external database. | n/a | n/a |
See [Environment variables and other software settings](environments-cfg-softwaresettings.md) for more information.
**Namespace: `aws:elasticbeanstalk:container:tomcat:jvmoptions`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| JVM Options | Pass command-line options to the JVM at startup. | n/a | n/a |
| Xmx | Maximum JVM heap sizes. | `256m` | n/a |
| XX:MaxPermSize | Section of the JVM heap that is used to store class definitions and associated metadata. This option only applies to Java versions earlier than Java 8, and isn't supported on Elastic Beanstalk Tomcat platforms based on Amazon Linux 2 and later. | `64m` | n/a |
| Xms | Initial JVM heap sizes. | `256m` | n/a |
| *optionName* | Specify arbitrary JVM options in addition to the those defined by the Tomcat platform. | n/a | n/a |
**Namespace: `aws:elasticbeanstalk:environment:proxy`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| GzipCompression | Set to `false` to disable response compression. *Only valid on Amazon Linux AMI (preceding Amazon Linux 2) platform versions.* | `true` | `true` `false` |
| ProxyServer | Set the proxy to use on your environment's instances. If you set this option to `apache`, Elastic Beanstalk uses [Apache 2.4](https://httpd.apache.org/docs/2.4/). Set to `apache/2.2` if your application isn't ready to migrate away from [Apache 2.2](https://httpd.apache.org/docs/2.2/) due to incompatible proxy configuration settings. *This value is only valid on Amazon Linux AMI (preceding Amazon Linux 2) platform versions.* Set to `nginx` to use [nginx](https://www.nginx.com/). This is the default starting with Amazon Linux 2 platform versions. For more information, see [Configuring the proxy server](java-tomcat-proxy.md). | `nginx` (Amazon Linux 2) `apache` (Amazon Linux AMI) | `apache` `apache/2.2` – *Amazon Linux AMI only* `nginx` |
## .NET Core on Linux platform options
**Namespace: `aws:elasticbeanstalk:environment:proxy`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| ProxyServer | Specifies the web server to use as a proxy. | `nginx` | `nginx` `none` |
## .NET platform options
**Namespace: `aws:elasticbeanstalk:container:dotnet:apppool`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| Target Runtime | Choose the version of .NET Framework for your application. | `4.0` | `2.0` `4.0` |
| Enable 32-bit Applications | Set to `True` to run 32-bit applications. | `False` | `True` `False` |
## Node.js platform options
**Namespace: `aws:elasticbeanstalk:environment:proxy`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| ProxyServer | Set the proxy to use on your environment's instances. | `nginx` | `apache` `nginx` |
### Amazon Linux AMI (pre-Amazon Linux 2) platform options
#### Namespace: `aws:elasticbeanstalk:container:nodejs`
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| NodeCommand | Command used to start the Node.js application. If an empty string is specified, `app.js` is used, then `server.js`, then `npm start` in that order. | "" | n/a |
| NodeVersion | Version of Node.js. For example, `4.4.6` Supported Node.js versions vary between Node.js platform versions. See [Node.js](https://docs.aws.amazon.com/elasticbeanstalk/latest/platforms/platforms-supported.html#platforms-supported.nodejs) in the *AWS Elastic Beanstalk Platforms* document for a list of the currently supported versions. When support for the version of Node.js that you are using is removed from the platform, you must change or remove the version setting prior to doing a [platform update](using-features.platform.upgrade.md). This might occur when a security vulnerability is identified for one or more versions of Node.js. When this happens, attempting to update to a new version of the platform that doesn't support the configured [NodeVersion](#command-options-nodejs) fails. To avoid needing to create a new environment, change the *NodeVersion* configuration option to a Node.js version that is supported by both the old platform version and the new one, or [remove the option setting](environment-configuration-methods-after.md), and then perform the platform update. | varies | varies |
| GzipCompression | Specifies if gzip compression is enabled. If ProxyServer is set to `none`, then gzip compression is disabled. | `false` | `true` `false` |
| ProxyServer | Specifies which web server should be used to proxy connections to Node.js. If ProxyServer is set to `none`, then static file mappings doesn't take effect and gzip compression is disabled. | `nginx` | `apache` `nginx` `none` |
#### Namespace: `aws:elasticbeanstalk:container:nodejs:staticfiles`
You can use the following namespace to configure the proxy server to serve static files. When the proxy server receives a request for a file under the specified path, it serves the file directly instead of routing the request to your application. This reduces the number of requests that your application has to process.
Map a path served by the proxy server to a folder in your source code that contains static assets. Each option that you define in this namespace maps a different path.
**Note**
Static file settings do not apply if `aws:elasticbeanstalk:container:nodejs::ProxyFiles` is set to `none`.
| **Name** | **Value** |
| --- | --- |
| Path where the proxy server will serve the files. Example: `/images` to serve files at `subdomain.eleasticbeanstalk.com/images`. | Name of the folder containing the files. Example: `staticimages` to serve files from a folder named `staticimages` at the top level of your source bundle. |
## PHP platform options
**Namespace: `aws:elasticbeanstalk:container:php:phpini`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| document\$1root | Specify the child directory of your project that is treated as the public-facing web root. | `/` | A blank string is treated as `/`, or specify a string starting with `/` |
| memory\$1limit | Amount of memory allocated to the PHP environment. | `256M` | n/a |
| zlib.output\$1compression | Specifies whether or not PHP should use compression for output. | `Off` | `On` `Off` `true` `false` |
| allow\$1url\$1fopen | Specifies if PHP's file functions are allowed to retrieve data from remote locations, such as websites or FTP servers. | `On` | `On` `Off` `true` `false` |
| display\$1errors | Specifies if error messages should be part of the output. | `Off` | `On` `Off` |
| max\$1execution\$1time | Sets the maximum time, in seconds, a script is allowed to run before it is terminated by the environment. | `60` | `0` to `9223372036854775807` (PHP\$1INT\$1MAX) |
| composer\$1options | Sets custom options to use when installing dependencies using Composer through the **composer.phar install** command. For more information, see [install](https://getcomposer.org/doc/03-cli.md#install-i) on the *getcomposer.org* website. | n/a | n/a |
**Namespace: `aws:elasticbeanstalk:environment:proxy`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| ProxyServer | Set the proxy to use on your environment's instances. | `nginx` | `apache` `nginx` |
**Note**
For more information about the PHP platform, see [Using the Elastic Beanstalk PHP platform](create_deploy_PHP.container.md).
## Python platform options
**Namespace: `aws:elasticbeanstalk:application:environment`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| DJANGO\$1SETTINGS\$1MODULE | Specifies which settings file to use. | n/a | n/a |
See [Environment variables and other software settings](environments-cfg-softwaresettings.md) for more information.
**Namespace: `aws:elasticbeanstalk:container:python`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| WSGIPath | The file that contains the WSGI application. This file must have an `application` callable. | On Amazon Linux 2 Python platform versions: `application` On Amazon Linux AMI Python platform versions: `application.py` | n/a |
| NumProcesses | The number of daemon processes that should be started for the process group when running WSGI applications. | `1` | n/a |
| NumThreads | The number of threads to be created to handle requests in each daemon process within the process group when running WSGI applications. | `15` | n/a |
**Namespace: `aws:elasticbeanstalk:environment:proxy`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| ProxyServer | Set the proxy to use on your environment's instances. | `nginx` | `apache` `nginx` |
### Amazon Linux AMI (pre-Amazon Linux 2) platform options
#### Namespace: `aws:elasticbeanstalk:container:python:staticfiles`
You can use the following namespace to configure the proxy server to serve static files. When the proxy server receives a request for a file under the specified path, it serves the file directly instead of routing the request to your application. This reduces the number of requests that your application has to process.
Map a path served by the proxy server to a folder in your source code that contains static assets. Each option that you define in this namespace maps a different path.
By default, the proxy server in a Python environment serves any files in a folder named `static` at the `/static` path.
**Namespace: `aws:elasticbeanstalk:container:python:staticfiles`**
| **Name** | **Value** |
| --- | --- |
| Path where the proxy server will serve the files. Example: `/images` to serve files at `subdomain.eleasticbeanstalk.com/images`. | Name of the folder containing the files. Example: `staticimages` to serve files from a folder named `staticimages` at the top level of your source bundle. |
## Ruby platform options
**Namespace: `aws:elasticbeanstalk:application:environment`**
| **Name** | **Description** | **Default** | **Valid values** |
| --- | --- | --- | --- |
| RAILS\$1SKIP\$1MIGRATIONS | Specifies whether to run ``rake db:migrate`` on behalf of the users' applications; or whether it should be skipped. This is only applicable to Rails 3 applications. | `false` | `true` `false` |
| RAILS\$1SKIP\$1ASSET\$1COMPILATION | Specifies whether the container should run ``rake assets:precompile` `on behalf of the users' applications; or whether it should be skipped. This is also only applicable to Rails 3 applications. | `false` | `true` `false` |
| BUNDLE\$1WITHOUT | A colon (`:`) separated list of groups to ignore when installing dependencies from a Gemfile. | `test:development` | n/a |
| RACK\$1ENV | Specifies what environment stage an application can be run in. Examples of common environments include development, production, test. | `production` | n/a |
See [Environment variables and other software settings](environments-cfg-softwaresettings.md) for more information.
# Custom options
Use the `aws:elasticbeanstalk:customoption` namespace to define options and values that can be read in `Resources` blocks in other configuration files. Use custom options to collect user specified settings in a single configuration file.
For example, you may have a complex configuration file that defines a resource that can be configured by the user launching the environment. If you use `Fn::GetOptionSetting` to retrieve the value of a custom option, you can put the definition of that option in a different configuration file, where it is more easily discovered and modified by the user.
Also, because they are configuration options, custom options can be set at the API level to override values set in a configuration file. See [Precedence](command-options.md#configuration-options-precedence) for more information.
Custom options are defined like any other option:
```
option_settings:
aws:elasticbeanstalk:customoption:
option name: option value
```
For example, the following configuration file creates an option named `ELBAlarmEmail` and sets the value to `someone@example.com`:
```
option_settings:
aws:elasticbeanstalk:customoption:
ELBAlarmEmail: someone@example.com
```
Elsewhere, a configuration file defines an SNS topic that reads the option with `Fn::GetOptionSetting` to populate the value of the `Endpoint` attribute:
```
Resources:
MySNSTopic:
Type: AWS::SNS::Topic
Properties:
Subscription:
- Endpoint:
Fn::GetOptionSetting:
OptionName: ELBAlarmEmail
DefaultValue: nobody@example.com
Protocol: email
```
You can find more example snippets using `Fn::GetOptionSetting` at [Adding and customizing Elastic Beanstalk environment resources](environment-resources.md).
# Advanced environment customization with configuration files (`.ebextensions`)
You can add AWS Elastic Beanstalk configuration files (`.ebextensions`) to your web application's source code to configure your environment and customize the AWS resources that it contains. Configuration files are YAML- or JSON-formatted documents with a `.config` file extension that you place in a folder named `.ebextensions` and deploy in your application [source bundle](applications-sourcebundle.md).
**Example .ebextensions/network-load-balancer.config**
This example makes a simple configuration change. It modifies a configuration option to set the type of your environment's load balancer to Network Load Balancer.
```
option_settings:
aws:elasticbeanstalk:environment:
LoadBalancerType: network
```
We recommend using YAML for your configuration files, because it's more readable than JSON. YAML supports comments, multi-line commands, several alternatives for using quotes, and more. However, you can make any configuration change in Elastic Beanstalk configuration files identically using either YAML or JSON.
**Tip**
When you are developing or testing new configuration files, launch a clean environment running the default application and deploy to that. Poorly formatted configuration files will cause a new environment launch to fail unrecoverably.
The `option_settings` section of a configuration file defines values for [configuration options](command-options.md). Configuration options let you configure your Elastic Beanstalk environment, the AWS resources in it, and the software that runs your application. Configuration files are only one of several ways to set configuration options.
The [`Resources` section](environment-resources.md) lets you further customize the resources in your application's environment, and define additional AWS resources beyond the functionality provided by configuration options. You can add and configure any resources supported by AWS CloudFormation, which Elastic Beanstalk uses to create environments.
The other sections of a configuration file (`packages`, `sources`, `files`, `users`, `groups`, `commands`, `container_commands`, and `services`) let you configure the EC2 instances that are launched in your environment. Whenever a server is launched in your environment, Elastic Beanstalk runs the operations defined in these sections to prepare the operating system and storage system for your application.
For examples of commonly used .ebextensions, see the [Elastic Beanstalk Configuration Files Repository](https://github.com/awsdocs/elastic-beanstalk-samples/tree/master/configuration-files).
**Requirements**
+ **Location** – Elastic Beanstalk will process all `.ebextensions` folders present in your deployment. However, we recommend that you place all of your configuration files in a single folder, named `.ebextensions`, in the root of your source bundle. Folders starting with a dot can be hidden by file browsers, so make sure that the folder is added when you create your source bundle. For more information, see [Create an Elastic Beanstalk application source bundle](applications-sourcebundle.md).
+ **Naming** – Configuration files must have the `.config` file extension.
+ **Formatting** – Configuration files must conform to YAML or JSON specifications.
When using YAML, always use spaces to indent keys at different nesting levels. For more information about YAML, see [YAML Ain't Markup Language (YAML™) Version 1.1](http://yaml.org/spec/current.html).
+ **Uniqueness** – Use each key only once in each configuration file.
**Warning**
If you use a key (for example, `option_settings`) twice in the same configuration file, one of the sections will be dropped. Combine duplicate sections into a single section, or place them in separate configuration files.
The process for deploying varies slightly depending on the client that you use to manage your environments. See the following sections for details:
+ [Elastic Beanstalk console](environment-configuration-methods-during.md#configuration-options-during-console-ebextensions)
+ [EB CLI](environment-configuration-methods-during.md#configuration-options-during-ebcli-ebextensions)
+ [AWS CLI](environment-configuration-methods-during.md#configuration-options-during-awscli-ebextensions)
**Topics**
+ [
# Option settings
](ebextensions-optionsettings.md)
+ [
# Customizing software on Linux servers
](customize-containers-ec2.md)
+ [
# Customizing software on Windows servers
](customize-containers-windows-ec2.md)
+ [
# Adding and customizing Elastic Beanstalk environment resources
](environment-resources.md)
# Option settings
You can use the `option_settings` key to modify the Elastic Beanstalk configuration and define variables that can be retrieved from your application using environment variables. Some namespaces allow you to extend the number of parameters, and specify the parameter names. For a list of namespaces and configuration options, see [Configuration options](command-options.md).
Option settings can also be applied directly to an environment during environment creation or an environment update. Settings applied directly to the environment override the settings for the same options in configuration files. If you remove settings from an environment's configuration, settings in configuration files will take effect. See [Precedence](command-options.md#configuration-options-precedence) for details.
## Syntax
The standard syntax for option settings is an array of objects, each having a `namespace`, `option_name` and `value` key.
```
option_settings:
- namespace: namespace
option_name: option name
value: option value
- namespace: namespace
option_name: option name
value: option value
```
The `namespace` key is optional. If you do not specify a namespace, the default used is `aws:elasticbeanstalk:application:environment`:
```
option_settings:
- option_name: option name
value: option value
- option_name: option name
value: option value
```
Elastic Beanstalk also supports a shorthand syntax for option settings that lets you specify options as key-value pairs underneath the namespace:
```
option_settings:
namespace:
option name: option value
option name: option value
```
## Examples
The following examples set a Tomcat platform-specific option in the `aws:elasticbeanstalk:container:tomcat:jvmoptions` namespace and an environment property named `MYPARAMETER`.
In standard YAML format:
**Example .ebextensions/options.config**
```
option_settings:
- namespace: aws:elasticbeanstalk:container:tomcat:jvmoptions
option_name: Xmx
value: 256m
- option_name: MYPARAMETER
value: parametervalue
```
In shorthand format:
**Example .ebextensions/options.config**
```
option_settings:
aws:elasticbeanstalk:container:tomcat:jvmoptions:
Xmx: 256m
aws:elasticbeanstalk:application:environment:
MYPARAMETER: parametervalue
```
In JSON:
**Example .ebextensions/options.config**
```
{
"option_settings": [
{
"namespace": "aws:elasticbeanstalk:container:tomcat:jvmoptions",
"option_name": "Xmx",
"value": "256m"
},
{
"option_name": "MYPARAMETER",
"value": "parametervalue"
}
]
}
```
# Customizing software on Linux servers
This section describes the type of information you can include in a configuration file to customize the software on your EC2 instances running Linux. For general information about customizing and configuring your Elastic Beanstalk environments, see [Configuring Elastic Beanstalk environments](customize-containers.md). For information about customizing software on your EC2 instances running Windows, see [Customizing software on Windows servers](customize-containers-windows-ec2.md).
You may want to customize and configure the software that your application depends on. You can add commands to be executed during instance provisioning; define Linux users and groups; and download or directly create files on your environment instances. These files might be either dependencies required by the application—for example, additional packages from the yum repository—or they might be configuration files such as a replacement for a proxy configuration file to override specific settings that are defaulted by Elastic Beanstalk.
**Notes**
On Amazon Linux 2 platforms, instead of providing files and commands in .ebextensions configuration files, we highly recommend that you use *Buildfile*. *Procfile*, and *platform hooks* whenever possible to configure and run custom code on your environment instances during instance provisioning. For details about these mechanisms, see [Extending Elastic Beanstalk Linux platforms](platforms-linux-extend.md).
YAML relies on consistent indentation. Match the indentation level when replacing content in an example configuration file and ensure that your text editor uses spaces, not tab characters, to indent.
Configuration files support the following keys that affect the Linux server your application runs on.
**Topics**
+ [
## Packages
](#linux-packages)
+ [
## Groups
](#linux-groups)
+ [
## Users
](#linux-users)
+ [
## Sources
](#linux-sources)
+ [
## Files
](#linux-files)
+ [
## Commands
](#linux-commands)
+ [
## Services
](#linux-services)
+ [
## Container commands
](#linux-container-commands)
+ [
# Example: Using custom Amazon CloudWatch metrics
](customize-containers-cw.md)
Keys are processed in the order that they are listed here.
Watch your environment's [events](using-features.events.md) while developing and testing configuration files. Elastic Beanstalk ignores a configuration file that contains validation errors, like an invalid key, and doesn't process any of the other keys in the same file. When this happens, Elastic Beanstalk adds a warning event to the event log.
## Packages
You can use the `packages` key to download and install prepackaged applications and components.
### Syntax
```
packages:
name of package manager:
package name: version
...
name of package manager:
package name: version
...
...
```
You can specify multiple packages under each package manager's key.
### Supported package formats
Elastic Beanstalk currently supports the following package managers: yum, rubygems, python, and rpm. Packages are processed in the following order: rpm, yum, and then rubygems and python. There is no ordering between rubygems and python. Within each package manager, package installation order isn't guaranteed. Use a package manager supported by your operating system.
**Note**
Elastic Beanstalk supports two underlying package managers for Python, pip and easy\$1install. However, in the syntax of the configuration file, you must specify the package manager name as `python`. When you use a configuration file to specify a Python package manager, Elastic Beanstalk uses Python 2.7. If your application relies on a different version of Python, you can specify the packages to install in a `requirements.txt` file. For more information, see [Specifying dependencies using a requirements file on Elastic Beanstalk](python-configuration-requirements.md).
### Specifying versions
Within each package manager, each package is specified as a package name and a list of versions. The version can be a string, a list of versions, or an empty string or list. An empty string or list indicates that you want the latest version. For rpm manager, the version is specified as a path to a file on disk or a URL. Relative paths are not supported.
If you specify a version of a package, Elastic Beanstalk attempts to install that version even if a newer version of the package is already installed on the instance. If a newer version is already installed, the deployment fails. Some package managers support multiple versions, but others may not. Please check the documentation for your package manager for more information. If you do not specify a version and a version of the package is already installed, Elastic Beanstalk does not install a new version—it assumes that you want to keep and use the existing version.
### Example snippet
The following snippet specifies a version URL for rpm, requests the latest version from yum, and version 0.10.2 of chef from rubygems.
```
packages:
yum:
libmemcached: []
ruby-devel: []
gcc: []
rpm:
epel: http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
rubygems:
chef: '0.10.2'
```
## Groups
You can use the `groups` key to create Linux/UNIX groups and to assign group IDs. To create a group, add a new key-value pair that maps a new group name to an optional group ID. The groups key can contain one or more group names. The following table lists the available keys.
### Syntax
```
groups:
name of group: {}
name of group:
gid: "group id"
```
### Options
`gid`
A group ID number.
If a group ID is specified, and the group already exists by name, the group creation will fail. If another group has the specified group ID, the operating system may reject the group creation.
### Example snippet
The following snippet specifies a group named groupOne without assigning a group ID and a group named groupTwo that specified a group ID value of 45.
```
groups:
groupOne: {}
groupTwo:
gid: "45"
```
## Users
You can use the `users` key to create Linux/UNIX users on the EC2 instance.
### Syntax
```
users:
name of user:
groups:
- name of group
uid: "id of the user"
homeDir: "user's home directory"
```
### Options
`uid`
A user ID. The creation process fails if the user name exists with a different user ID. If the user ID is already assigned to an existing user, the operating system may reject the creation request.
`groups`
A list of group names. The user is added to each group in the list.
`homeDir`
The user's home directory.
Users are created as noninteractive system users with a shell of `/sbin/nologin`. This is by design and cannot be modified.
### Example snippet
```
users:
myuser:
groups:
- group1
- group2
uid: "50"
homeDir: "/tmp"
```
## Sources
You can use the `sources` key to download an archive file from a public URL and unpack it in a target directory on the EC2 instance.
### Syntax
```
sources:
target directory: location of archive file
```
### Supported formats
Supported formats are tar, tar\$1gzip, tar\$1bz2, and zip. You can reference external locations such as Amazon Simple Storage Service (Amazon S3) (e.g., `https://amzn-s3-demo-bucket.s3.amazonaws.com/myobject`) as long as the URL is publicly accessible.
### Example snippet
The following example downloads a public .zip file from an Amazon S3 bucket and unpacks it into `/etc/myapp`:
```
sources:
/etc/myapp: https://amzn-s3-demo-bucket.s3.amazonaws.com/myobject
```
**Note**
Multiple extractions should not reuse the same target path. Extracting another source to the same target path will replace rather than append to the contents.
## Files
You can use the `files` key to create files on the EC2 instance. The content can be either inline in the configuration file, or the content can be pulled from a URL. The files are written to disk in lexicographic order.
You can use the `files` key to download private files from Amazon S3 by providing an instance profile for authorization.
If the file path you specify already exists on the instance, the existing file is retained with the extension `.bak` appended to its name.
### Syntax
```
files:
"target file location on disk":
mode: "six-digit octal value"
owner: name of owning user for file
group: name of owning group for file
source: URL
authentication: authentication name:
"target file location on disk":
mode: "six-digit octal value"
owner: name of owning user for file
group: name of owning group for file
content: |
# this is my
# file content
encoding: encoding format
authentication: authentication name:
```
### Options
`content`
String content to add to the file. Specify either `content` or `source`, but not both.
`source`
URL of a file to download. Specify either `content` or `source`, but not both.
`encoding`
The encoding format of the string specified with the `content` option.
Valid values: `plain` \$1 `base64`
`group`
Linux group that owns the file.
`owner`
Linux user that owns the file.
`mode`
A six-digit octal value representing the mode for this file. Not supported for Windows systems. Use the first three digits for symlinks and the last three digits for setting permissions. To create a symlink, specify `120xxx`, where `xxx` defines the permissions of the target file. To specify permissions for a file, use the last three digits, such as `000644`.
`authentication`
The name of a [CloudFormation authentication method](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-authentication.html) to use. You can add authentication methods to the Auto Scaling group metadata with the Resources key. See below for an example.
### Example snippet
```
files:
"/home/ec2-user/myfile" :
mode: "000755"
owner: root
group: root
source: http://foo.bar/myfile
"/home/ec2-user/myfile2" :
mode: "000755"
owner: root
group: root
content: |
this is my
file content
```
Example using a symlink. This creates a link `/tmp/myfile2.txt` that points at the existing file `/tmp/myfile1.txt`.
```
files:
"/tmp/myfile2.txt" :
mode: "120400"
content: "/tmp/myfile1.txt"
```
The following example uses the Resources key to add an authentication method named S3Auth and uses it to download a private file from an Amazon S3 bucket:
```
Resources:
AWSEBAutoScalingGroup:
Metadata:
AWS::CloudFormation::Authentication:
S3Auth:
type: "s3"
buckets: ["amzn-s3-demo-bucket2"]
roleName:
"Fn::GetOptionSetting":
Namespace: "aws:autoscaling:launchconfiguration"
OptionName: "IamInstanceProfile"
DefaultValue: "aws-elasticbeanstalk-ec2-role"
files:
"/tmp/data.json" :
mode: "000755"
owner: root
group: root
authentication: "S3Auth"
source: https://elasticbeanstalk-us-west-2-123456789012.s3-us-west-2.amazonaws.com/data.json
```
## Commands
You can use the `commands` key to execute commands on the EC2 instance. The commands run before the application and web server are set up and the application version file is extracted.
The specified commands run as the root user, and are processed in alphabetical order by name. By default, commands run in the root directory. To run commands from another directory, use the `cwd` option.
To troubleshoot issues with your commands, you can find their output in [instance logs](using-features.logging.md).
### Syntax
```
commands:
command name:
command: command to run
cwd: working directory
env:
variable name: variable value
test: conditions for command
ignoreErrors: true
```
### Options
`command`
Either an array ([block sequence collection](http://yaml.org/spec/1.2/spec.html#id2759963) in YAML syntax) or a string specifying the command to run. Some important notes:
+ If you use a string, you don't need to enclose the entire string in quotes. If you do use quotes, escape literal occurrences of the same type of quote.
+ If you use an array, you don't need to escape space characters or enclose command parameters in quotes. Each array element is a single command argument. Don't use an array to specify multiple commands.
The following examples are all equivalent:
```
commands:
command1:
command: git commit -m "This is a comment."
command2:
command: "git commit -m \"This is a comment.\""
command3:
command: 'git commit -m "This is a comment."'
command4:
command:
- git
- commit
- -m
- This is a comment.
```
To specify multiple commands, use a [literal block scalar](http://yaml.org/spec/1.2/spec.html#id2760844), as shown in the following example.
```
commands:
command block:
command: |
git commit -m "This is a comment."
git push
```
`env`
(Optional) Sets environment variables for the command. This property overwrites, rather than appends, the existing environment.
`cwd`
(Optional) The working directory. If not specified, commands run from the root directory (/).
`test`
(Optional) A command that must return the value `true` (exit code 0) in order for Elastic Beanstalk to process the command, such as a shell script, contained in the `command` key.
`ignoreErrors`
(Optional) A boolean value that determines if other commands should run if the command contained in the `command` key fails (returns a nonzero value). Set this value to `true` if you want to continue running commands even if the command fails. Set it to `false` if you want to stop running commands if the command fails. The default value is `false`.
### Example snippet
The following example snippet runs a Python script.
```
commands:
python_install:
command: myscript.py
cwd: /home/ec2-user
env:
myvarname: myvarvalue
test: "[ -x /usr/bin/python ]"
```
## Services
You can use the `services` key to define which services should be started or stopped when the instance is launched. The `services` key also allows you to specify dependencies on sources, packages, and files so that if a restart is needed due to files being installed, Elastic Beanstalk takes care of the service restart.
### Syntax
```
services:
sysvinit:
name of service:
enabled: "true"
ensureRunning: "true"
files:
- "file name"
sources:
- "directory"
packages:
name of package manager:
"package name[: version]"
commands:
- "name of command"
```
### Options
`ensureRunning`
Set to `true` to ensure that the service is running after Elastic Beanstalk finishes.
Set to `false` to ensure that the service is not running after Elastic Beanstalk finishes.
Omit this key to make no changes to the service state.
`enabled`
Set to `true` to ensure that the service is started automatically upon boot.
Set to `false` to ensure that the service is not started automatically upon boot.
Omit this key to make no changes to this property.
`files`
A list of files. If Elastic Beanstalk changes one directly via the files block, the service is restarted.
`sources`
A list of directories. If Elastic Beanstalk expands an archive into one of these directories, the service is restarted.
`packages`
A map of the package manager to a list of package names. If Elastic Beanstalk installs or updates one of these packages, the service is restarted.
`commands`
A list of command names. If Elastic Beanstalk runs the specified command, the service is restarted.
### Example snippet
The following is an example snippet:
```
services:
sysvinit:
myservice:
enabled: true
ensureRunning: true
```
## Container commands
You can use the `container_commands` key to execute commands that affect your application source code. Container commands run after the application and web server have been set up and the application version archive has been extracted, but before the application version is deployed. Non-container commands and other customization operations are performed prior to the application source code being extracted.
The specified commands run as the root user, and are processed in alphabetical order by name. Container commands are run from the staging directory, where your source code is extracted prior to being deployed to the application server. Any changes you make to your source code in the staging directory with a container command will be included when the source is deployed to its final location.
**Note**
The output of your container commands are logged in the `cfn-init-cmd.log` instance log. For more information about retrieving and viewing instance logs, see [Viewing logs from Amazon EC2 instances](using-features.logging.md).
You can use `leader_only` to only run the command on a single instance, or configure a `test` to only run the command when a test command evaluates to `true`. Leader-only container commands are only executed during environment creation and deployments, while other commands and server customization operations are performed every time an instance is provisioned or updated. Leader-only container commands are not executed due to launch configuration changes, such as a change in the AMI Id or instance type.
### Syntax
```
container_commands:
name of container_command:
command: "command to run"
leader_only: true
name of container_command:
command: "command to run"
```
### Options
`command`
A string or array of strings to run.
`env`
(Optional) Set environment variables prior to running the command, overriding any existing value.
`cwd`
(Optional) The working directory. By default, this is the staging directory of the unzipped application.
`leader_only`
(Optional) Only run the command on a single instance chosen by Elastic Beanstalk. Leader-only container commands are run before other container commands. A command can be leader-only or have a `test`, but not both (`leader_only` takes precedence).
`test`
(Optional) Run a test command that must return the `true` in order to run the container command. A command can be leader-only or have a `test`, but not both (`leader_only` takes precedence).
`ignoreErrors`
(Optional) Do not fail deployments if the container command returns a value other than 0 (success). Set to `true` to enable.
### Example snippet
The following is an example snippet.
```
container_commands:
collectstatic:
command: "django-admin.py collectstatic --noinput"
01syncdb:
command: "django-admin.py syncdb --noinput"
leader_only: true
02migrate:
command: "django-admin.py migrate"
leader_only: true
99customize:
command: "scripts/customize.sh"
```
# Example: Using custom Amazon CloudWatch metrics
This topic provides a configuration example that integrates Elastic Beanstalk metrics with Amazon CloudWatch agent for platforms based on Amazon Linux 2 and later. The configuration example uses files and commands in an `.ebextensions` configuration file.
Amazon CloudWatch is a web service that enables you to monitor, manage, and publish various metrics, as well as configure alarm actions based on data from metrics. You can define custom metrics for your own use, and Elastic Beanstalk will push those metrics to Amazon CloudWatch. Once Amazon CloudWatch contains your custom metrics, you can view those in the Amazon CloudWatch console.
**The Amazon CloudWatch agent**
The Amazon CloudWatch agent enables CloudWatch metric and log collection from both Amazon EC2 instances and on-premises servers across operating systems. The agent supports metrics collected at the system level. It also supports custom log and metric collection from your applications or services. For more information about the Amazon CloudWatch agent, see [ Collecting metrics and logs with the CloudWatch agent](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Install-CloudWatch-Agent.html) in the *Amazon CloudWatch User Guide*.
**Note**
Elastic Beanstalk [Enhanced Health Reporting](health-enhanced.md) has native support for publishing a wide range of instance and environment metrics to CloudWatch. See [Publishing Amazon CloudWatch custom metrics for an environment](health-enhanced-cloudwatch.md) for details.
**Topics**
+ [
## .Ebextensions configuration file
](#customize-containers-cw-update-roles)
+ [
## Permissions
](#customize-containers-cw-policy)
+ [
## Viewing metrics in the CloudWatch console
](#customize-containers-cw-console)
## .Ebextensions configuration file
This example uses files and commands in an .ebextensions configuration file to configure and run the Amazon CloudWatch agent on the Amazon Linux 2 platform. The agent is prepackaged with Amazon Linux 2. If you're using a different operating system, additional steps for installing the agent may be necessary. For more information, see [Installing the CloudWatch agent](https://docs.aws.amazon.com//AmazonCloudWatch/latest/monitoring/install-CloudWatch-Agent-on-EC2-Instance.html) in the *Amazon CloudWatch User Guide*.
To use this sample, save it to a file named `cloudwatch.config` in a directory named `.ebextensions` at the top level of your project directory, then deploy your application using the Elastic Beanstalk console (include the .ebextensions directory in your [source bundle](applications-sourcebundle.md)) or the [EB CLI](eb-cli3.md).
For more information about configuration files, see [Advanced environment customization with configuration files (`.ebextensions`)](ebextensions.md).
This file has two sections:
+ `files` — This section adds the agent configuration file. It indicates which metrics and logs the agent should send to Amazon CloudWatch. In this example, we're only sending the *mem\$1used\$1percent* metric. For a complete listing of system level metrics supported by the Amazon CloudWatch agent, see [ Metrics collected by the CloudWatch agent](https://docs.aws.amazon.com//AmazonCloudWatch/latest/monitoring/metrics-collected-by-CloudWatch-agent.html) in the *Amazon CloudWatch User Guide*.
+ `container_commands` — This section contains the command that starts the agent, passing in the configuration file as a parameter. For more details about `container_commands`, see [Container commands](customize-containers-ec2.md#linux-container-commands).
**.ebextensions/cloudwatch.config**
```
files:
"/opt/aws/amazon-cloudwatch-agent/bin/config.json":
mode: "000600"
owner: root
group: root
content: |
{
"agent": {
"metrics_collection_interval": 60,
"run_as_user": "root"
},
"metrics": {
"namespace": "System/Linux",
"append_dimensions": {
"AutoScalingGroupName": "${aws:AutoScalingGroupName}"
},
"metrics_collected": {
"mem": {
"measurement": [
"mem_used_percent"
]
}
}
}
}
container_commands:
start_cloudwatch_agent:
command: /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a append-config -m ec2 -s -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json
```
## Permissions
The instances in your environment need the proper IAM permissions in order to publish custom Amazon CloudWatch metrics using the Amazon CloudWatch agent. You grant permissions to your environment's instances by adding them to the environment's [instance profile](concepts-roles-instance.md). You can add permissions to the instance profile before or after deploying your application.
**To grant permissions to publish CloudWatch metrics**
1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Roles**.
1. Choose your environment's instance profile role. By default, when you create an environment with the Elastic Beanstalk console or [EB CLI](eb-cli3.md), this is `aws-elasticbeanstalk-ec2-role`.
1. Choose the **Permissions** tab.
1. Under **Permissions Policies**, in the **Permissions** section, choose **Attach policies**.
1. Under **Attach Permissions**, choose the AWS managed policy **CloudWatchAgentServerPolicy**. Then click **Attach policy**.
For more information about managing policies, see [Working with Policies](http://docs.aws.amazon.com/IAM/latest/UserGuide/ManagingPolicies.html) in the *IAM User Guide*.
## Viewing metrics in the CloudWatch console
After deploying the CloudWatch configuration file to your environment, check the [Amazon CloudWatch console](https://console.aws.amazon.com/cloudwatch/home) to view your metrics. Custom metrics will be located in the **CWAgent** namespace.
For more information, see [Viewing available metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/viewing_metrics_with_cloudwatch.html) in the *Amazon CloudWatch User Guide*.
# Customizing software on Windows servers
You may want to customize and configure the software that your application depends on. These files could be either dependencies required by the application—for example, additional packages or services that need to be run. For general information on customizing and configuring your Elastic Beanstalk environments, see [Configuring Elastic Beanstalk environments](customize-containers.md).
**Note**
YAML relies on consistent indentation. Match the indentation level when replacing content in an example configuration file and ensure that your text editor uses spaces, not tab characters, to indent.
Configuration files support the following keys that affect the Windows server on which your application runs.
**Topics**
+ [
## Packages
](#windows-packages)
+ [
## Sources
](#windows-sources)
+ [
## Files
](#windows-files)
+ [
## Commands
](#windows-commands)
+ [
## Services
](#windows-services)
+ [
## Container commands
](#windows-container-commands)
Keys are processed in the order that they are listed here.
**Note**
Older (non-versioned) .NET platform versions do not process configuration files in the correct order. Learn more at [Migrating across major versions of the Elastic Beanstalk Windows server platform](dotnet-v2migration.md).
Watch your environment's [events](using-features.events.md) while developing and testing configuration files. Elastic Beanstalk ignores a configuration file that contains validation errors, like an invalid key, and doesn't process any of the other keys in the same file. When this happens, Elastic Beanstalk adds a warning event to the event log.
## Packages
Use the `packages` key to download and install prepackaged applications and components.
In Windows environments, Elastic Beanstalk supports downloading and installing MSI packages. (Linux environments support additional package managers. For details, see [Packages](customize-containers-ec2.md#linux-packages) on the *Customizing Software on Linux Servers* page.)
You can reference any external location, such as an Amazon Simple Storage Service (Amazon S3) object, as long as the URL is publicly accessible.
If you specify several `msi:` packages, their installation order isn't guaranteed.
### Syntax
Specify a name of your choice as the package name, and a URL to an MSI file location as the value. You can specify multiple packages under the `msi:` key.
```
packages:
msi:
package name: package url
...
```
### Examples
The following example specifies a URL to download **mysql** from `https://dev.mysql.com/`.
```
packages:
msi:
mysql: https://dev.mysql.com/get/Downloads/Connector-Net/mysql-connector-net-8.0.11.msi
```
The following example specifies an Amazon S3 object as the MSI file location.
```
packages:
msi:
mymsi: https://amzn-s3-demo-bucket.s3.amazonaws.com/myobject.msi
```
## Sources
Use the `sources` key to download an archive file from a public URL and unpack it in a target directory on the EC2 instance.
### Syntax
```
sources:
target directory: location of archive file
```
### Supported formats
In Windows environments, Elastic Beanstalk supports the .zip format. (Linux environments support additional formats. For details, see [Sources](customize-containers-ec2.md#linux-sources) on the *Customizing Software on Linux Servers* page.)
You can reference any external location, such as an Amazon Simple Storage Service (Amazon S3) object, as long as the URL is publicly accessible.
### Example
The following example downloads a public .zip file from an Amazon S3 and unpacks it into `c:/myproject/myapp`.
```
sources:
"c:/myproject/myapp": https://amzn-s3-demo-bucket.s3.amazonaws.com/myobject.zip
```
## Files
Use the `files` key to create files on the EC2 instance. The content can be either inline in the configuration file, or from a URL. The files are written to disk in lexicographic order. To download private files from Amazon S3, provide an instance profile for authorization.
### Syntax
```
files:
"target file location on disk":
source: URL
authentication: authentication name:
"target file location on disk":
content: |
this is my content
encoding: encoding format
```
### Options
`content`
(Optional) A string.
`source`
(Optional) The URL from which the file is loaded. This option cannot be specified with the content key.
`encoding`
(Optional) The encoding format. This option is only used for a provided content key value. The default value is `plain`.
Valid values: `plain` \$1 `base64`
`authentication`
(Optional) The name of a [CloudFormation authentication method](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-authentication.html) to use. You can add authentication methods to the Auto Scaling group metadata with the Resources key.
### Examples
The following example shows the two ways to provide file content: from a URL, or inline in the configuration file.
```
files:
"c:\\targetdirectory\\targetfile.txt":
source: http://foo.bar/myfile
"c:/targetdirectory/targetfile.txt":
content: |
# this is my file
# with content
```
**Note**
If you use a backslash (\$1) in your file path, you must precede that with another backslash (the escape character) as shown in the previous example.
The following example uses the Resources key to add an authentication method named S3Auth and uses it to download a private file from an Amazon S3 :
```
files:
"c:\\targetdirectory\\targetfile.zip":
source: https://elasticbeanstalk-us-east-2-123456789012.s3.amazonaws.com/prefix/myfile.zip
authentication: S3Auth
Resources:
AWSEBAutoScalingGroup:
Metadata:
AWS::CloudFormation::Authentication:
S3Auth:
type: "s3"
s: ["amzn-s3-demo-bucket"]
roleName:
"Fn::GetOptionSetting":
Namespace: "aws:autoscaling:launchconfiguration"
OptionName: "IamInstanceProfile"
DefaultValue: "aws-elasticbeanstalk-ec2-role"
```
## Commands
Use the `commands` key to execute commands on the EC2 instance. The commands are processed in alphabetical order by name, and they run before the application and web server are set up and the application version file is extracted.
The specified commands run as the Administrator user.
To troubleshoot issues with your commands, you can find their output in [instance logs](using-features.logging.md).
### Syntax
```
commands:
command name:
command: command to run
```
### Options
`command`
Either an array or a string specifying the command to run. If you use an array, you don't need to escape space characters or enclose command parameters in quotation marks.
`cwd`
(Optional) The working directory. By default, Elastic Beanstalk attempts to find the directory location of your project. If not found, it uses `c:\Windows\System32` as the default.
`env`
(Optional) Sets environment variables for the command. This property overwrites, rather than appends, the existing environment.
`ignoreErrors`
(Optional) A Boolean value that determines if other commands should run if the command contained in the `command` key fails (returns a nonzero value). Set this value to `true` if you want to continue running commands even if the command fails. Set it to `false` if you want to stop running commands if the command fails. The default value is `false`.
`test`
(Optional) A command that must return the value `true` (exit code 0) in order for Elastic Beanstalk to process the command contained in the `command` key.
`waitAfterCompletion`
(Optional) Seconds to wait after the command completes before running the next command. The default value is **60** seconds. You can also specify **forever**.
System reboots during deployment are not supported. If the system reboots as a result of a command, instance initialization will fail, causing the deployment to fail.
As a workaround, you can use this [https://github.com/awsdocs/elastic-beanstalk-samples/tree/main/configuration-files/aws-provided/instance-configuration/windows-configuration/scheduled-restart.config](https://github.com/awsdocs/elastic-beanstalk-samples/tree/main/configuration-files/aws-provided/instance-configuration/windows-configuration/scheduled-restart.config) to schedule reboots after deployment is complete.
### Example
The following example saves the output of the `set` command to the specified file. If there is a subsequent command, Elastic Beanstalk runs that command immediately after this command completes. If this command requires a reboot, Elastic Beanstalk reboots the instance immediately after the command completes.
```
commands:
test:
command: set > c:\\myapp\\set.txt
waitAfterCompletion: 0
```
## Services
Use the `services` key to define which services should be started or stopped when the instance is launched. The `services` key also enables you to specify dependencies on sources, packages, and files so that if a restart is needed due to files being installed, Elastic Beanstalk takes care of the service restart.
### Syntax
```
services:
windows:
name of service:
files:
- "file name"
sources:
- "directory"
packages:
name of package manager:
"package name[: version]"
commands:
- "name of command"
```
### Options
`ensureRunning`
(Optional) Set to `true` to ensure that the service is running after Elastic Beanstalk finishes.
Set to `false` to ensure that the service is not running after Elastic Beanstalk finishes.
Omit this key to make no changes to the service state.
`enabled`
(Optional) Set to `true` to ensure that the service is started automatically upon boot.
Set to `false` to ensure that the service is not started automatically upon boot.
Omit this key to make no changes to this property.
`files`
A list of files. If Elastic Beanstalk changes one directly via the files block, the service is restarted.
`sources`
A list of directories. If Elastic Beanstalk expands an archive into one of these directories, the service is restarted.
`packages`
A map of the package manager to a list of package names. If Elastic Beanstalk installs or updates one of these packages, the service is restarted.
`commands`
A list of command names. If Elastic Beanstalk runs the specified command, the service is restarted.
### Example
```
services:
windows:
myservice:
enabled: true
ensureRunning: true
```
## Container commands
Use the `container_commands` key to execute commands that affect your application source code. Container commands run after the application and web server have been set up and the application version archive has been extracted, but before the application version is deployed. Non-container commands and other customization operations are performed prior to the application source code being extracted.
Container commands are run from the staging directory, where your source code is extracted prior to being deployed to the application server. Any changes you make to your source code in the staging directory with a container command will be included when the source is deployed to its final location.
To troubleshoot issues with your container commands, you can find their output in [instance logs](using-features.logging.md).
Use the `leader_only` option to only run the command on a single instance, or configure a `test` to only run the command when a test command evaluates to `true`. Leader-only container commands are only executed during environment creation and deployments, while other commands and server customization operations are performed every time an instance is provisioned or updated. Leader-only container commands are not executed due to launch configuration changes, such as a change in the AMI Id or instance type.
### Syntax
```
container_commands:
name of container_command:
command: command to run
```
### Options
`command`
A string or array of strings to run.
`env`
(Optional) Set environment variables prior to running the command, overriding any existing value.
`cwd`
(Optional) The working directory. By default, this is the staging directory of the unzipped application.
`leader_only`
(Optional) Only run the command on a single instance chosen by Elastic Beanstalk. Leader-only container commands are run before other container commands. A command can be leader-only or have a `test`, but not both (`leader_only` takes precedence).
`test`
(Optional) Run a test command that must return the `true` in order to run the container command. A command can be leader-only or have a `test`, but not both (`leader_only` takes precedence).
`ignoreErrors`
(Optional) Do not fail deployments if the container command returns a value other than 0 (success). Set to `true` to enable.
`waitAfterCompletion`
(Optional) Seconds to wait after the command completes before running the next command. The default value is **60** seconds. You can also specify **forever**.
System reboots during deployment are not supported. If the system reboots as a result of a command, instance initialization will fail, causing the deployment to fail.
As a workaround, you can use this [https://github.com/awsdocs/elastic-beanstalk-samples/tree/main/configuration-files/aws-provided/instance-configuration/windows-configuration/scheduled-restart.config](https://github.com/awsdocs/elastic-beanstalk-samples/tree/main/configuration-files/aws-provided/instance-configuration/windows-configuration/scheduled-restart.config) to schedule reboots after deployment is complete.
### Example
The following example saves the output of the `set` command to the specified file. Elastic Beanstalk runs the command on one instance, and reboots the instance immediately after the command completes.
```
container_commands:
foo:
command: set > c:\\myapp\\set.txt
leader_only: true
waitAfterCompletion: 0
```
# Adding and customizing Elastic Beanstalk environment resources
You may want to customize your environment resources that are part of your Elastic Beanstalk environment. For example, you may want to add an Amazon SQS queue and an alarm on queue depth, or you might want to add an Amazon ElastiCache cluster. You can easily customize your environment at the same time that you deploy your application version by including a configuration file with your source bundle.
You can use the `Resources` key in a [configuration file](ebextensions.md) to create and customize AWS resources in your environment. Resources defined in configuration files are added to the CloudFormation template used to launch your environment. All CloudFormation [resources types](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) are supported.
**Note**
Whenever you add a resource that isn't managed by Elastic Beanstalk, be sure to add a user policy with the appropriate permissions to your AWS Identity and Access Management (IAM) users. The [managed user policies](AWSHowTo.iam.managed-policies.md) that Elastic Beanstalk provides only cover permissions to Elastic Beanstalk-managed resources.
For example, the following configuration file adds an Auto Scaling lifecycle hook to the default Auto Scaling group created by Elastic Beanstalk:
**`~/my-app/.ebextensions/as-hook.config`**
```
Resources:
hookrole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument: {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "autoscaling.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
}
Policies: [ {
"PolicyName": "SNS",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Resource": "*",
"Action": [
"sqs:SendMessage",
"sqs:GetQueueUrl",
"sns:Publish"
]
}
]
}
} ]
hooktopic:
Type: AWS::SNS::Topic
Properties:
Subscription:
- Endpoint: "my-email@example.com"
Protocol: email
lifecyclehook:
Type: AWS::AutoScaling::LifecycleHook
Properties:
AutoScalingGroupName: { "Ref" : "AWSEBAutoScalingGroup" }
LifecycleTransition: autoscaling:EC2_INSTANCE_TERMINATING
NotificationTargetARN: { "Ref" : "hooktopic" }
RoleARN: { "Fn::GetAtt" : [ "hookrole", "Arn"] }
```
This example defines three resources, `hookrole`, `hooktopic` and `lifecyclehook`. The first two resources are an IAM role, which grants Amazon EC2 Auto Scaling permission to publish messages to Amazon SNS, and an SNS topic, which relays messages from the Auto Scaling group to an email address. Elastic Beanstalk creates these resources with the specified properties and types.
The final resource, `lifecyclehook`, is the lifecycle hook itself:
```
lifecyclehook:
Type: AWS::AutoScaling::LifecycleHook
Properties:
AutoScalingGroupName: { "Ref" : "AWSEBAutoScalingGroup" }
LifecycleTransition: autoscaling:EC2_INSTANCE_TERMINATING
NotificationTargetARN: { "Ref" : "hooktopic" }
RoleARN: { "Fn::GetAtt" : [ "hookrole", "Arn"] }
```
The lifecycle hook definition uses two [functions](ebextensions-functions.md) to populate values for the hook's properties. `{ "Ref" : "AWSEBAutoScalingGroup" }` retrieves the name of the Auto Scaling group created by Elastic Beanstalk for the environment. `AWSEBAutoScalingGroup` is one of the standard [resource names](customize-containers-format-resources-eb.md) provided by Elastic Beanstalk.
For `[AWS::IAM::Role](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#d0e48356)`, `Ref` only returns the name of the role, not the ARN. To get the ARN for the `RoleARN` parameter, you use another intrinsic function, `Fn::GetAtt` instead, which can get any attribute from a resource. `RoleARN: { "Fn::GetAtt" : [ "hookrole", "Arn"] }` gets the `Arn` attribute from the `hookrole` resource.
`{ "Ref" : "hooktopic" }` gets the ARN of the Amazon SNS topic created earlier in the configuration file. The value returned by `Ref` varies per resource type and can be found in the CloudFormation User Guide [topic for the AWS::SNS::Topic resource type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-topic.html#d0e62250).
# Modifying the resources that Elastic Beanstalk creates for your environment
The resources that Elastic Beanstalk creates for your environment have names. You can use these names to get information about the resources with a [function](ebextensions-functions.md), or modify properties on the resources to customize their behavior. This topic describes the AWS resources that Elastic Beanstalk uses in the different types of environments.
**Note**
The previous topic [Custom resources](environment-resources.md) provides some uses cases and examples for customizing environment resources. You can also find more examples of configuration files in the later topic [Custom resource examples](customize-environment-resources-examples.md).
Web server environments have the following resources.
**Web server environments**
+ `AWSEBAutoScalingGroup` ([AWS::AutoScaling::AutoScalingGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-group.html)) – The Auto Scaling group attached to your environment.
+ One of the following two resources.
+ `AWSEBAutoScalingLaunchConfiguration` ([AWS::AutoScaling::LaunchConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-launchconfig.html)) – The launch configuration attached to your environment's Auto Scaling group.
+ `AWSEBEC2LaunchTemplate` ([AWS::EC2::LaunchTemplate](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html)) – The Amazon EC2 launch template used by your environment's Auto Scaling group.
**Note**
If your environment uses functionality that requires Amazon EC2 launch templates, and your user policy lacks the required permissions, creating or updating the environment might fail. Use the **AdministratorAccess-AWSElasticBeanstalk** [managed user policy](AWSHowTo.iam.managed-policies.md), or add the required permissions to your [custom policy](AWSHowTo.iam.managed-policies.md#AWSHowTo.iam.policies).
+ `AWSEBEnvironmentName` ([AWS::ElasticBeanstalk::Environment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-beanstalk-environment.html)) – Your environment.
+ `AWSEBSecurityGroup` ([AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html)) – The security group attached to your Auto Scaling group.
+ `AWSEBRDSDatabase` ([AWS::RDS::DBInstance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html)) – The Amazon RDS DB instance attached to your environment (if applicable).
In a load-balanced environment, you can access additional resources related to the load balancer. Classic load balancers have a resource for the load balancer and one for the security group attached to it. Application and network load balancers have additional resources for the load balancer's default listener, listener rule, and target group.
**Load-balanced environments**
+ `AWSEBLoadBalancer` ([AWS::ElasticLoadBalancing::LoadBalancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html)) – Your environment's classic load balancer.
+ `AWSEBV2LoadBalancer` ([AWS::ElasticLoadBalancingV2::LoadBalancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-loadbalancer.html)) – Your environment's application or network load balancer.
+ `AWSEBLoadBalancerSecurityGroup` ([AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html)) – In a custom [Amazon Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/) (Amazon VPC) only, the name of the security group that Elastic Beanstalk creates for the load balancer. In a default VPC or EC2 classic, Elastic Load Balancing assigns a default security group to the load balancer.
+ `AWSEBV2LoadBalancerListener` ([AWS::ElasticLoadBalancingV2::Listener](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listener.html)) – A listener that allows the load balancer to check for connection requests and forward them to one or more target groups.
+ `AWSEBV2LoadBalancerListenerRule` ([AWS::ElasticLoadBalancingV2::ListenerRule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listenerrule.html)) – Defines which requests an Elastic Load Balancing listener takes action on and the action that it takes.
+ `AWSEBV2LoadBalancerTargetGroup` ([AWS::ElasticLoadBalancingV2::TargetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-targetgroup.html)) – An Elastic Load Balancing target group that routes requests to one or more registered targets, such as Amazon EC2 instances.
Worker environments have resources for the SQS queue that buffers incoming requests, and a Amazon DynamoDB table that the instances use for leader election.
**Worker environments**
+ `AWSEBWorkerQueue` ([AWS::SQS::Queue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html)) – The Amazon SQS queue from which the daemon pulls requests that need to be processed.
+ `AWSEBWorkerDeadLetterQueue` ([AWS::SQS::Queue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html)) – The Amazon SQS queue that stores messages that cannot be delivered or otherwise were not successfully processed by the daemon.
+ `AWSEBWorkerCronLeaderRegistry` ([AWS::DynamoDB::Table](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html)) – The Amazon DynamoDB table that is the internal registry used by the daemon for periodic tasks.
# Other CloudFormation template keys
We've already introduced configuration file keys from CloudFormation such as `Resources`, `files`, and `packages`. Elastic Beanstalk adds the contents of configurations files to the CloudFormation template that supports your environment, so you can use other CloudFormation sections to perform advanced tasks in your configuration files.
**Topics**
+ [
## Parameters
](#ebextensions-otherkeys-parameters)
+ [
## Outputs
](#ebextensions-otherkeys-outputs)
+ [
## Mappings
](#ebextensions-otherkeys-mappings)
## Parameters
Parameters are an alternative to Elastic Beanstalk's own [custom options](configuration-options-custom.md) that you can use to define values that you use in other places in your configuration files. Like custom options, you can use parameters to gather user configurable values in one place. Unlike custom options, you can not use Elastic Beanstalk's API to set parameter values, and the number of parameters you can define in a template is limited by CloudFormation.
One reason you might want to use parameters is to make your configuration files double as CloudFormation templates. If you use parameters instead of custom options, you can use the configuration file to create the same resource in CloudFormation as its own stack. For example, you could have a configuration file that adds an Amazon EFS file system to your environment for testing, and then use the same file to create an independent file system that isn't tied to your environment's lifecycle for production use.
The following example shows the use of parameters to gather user-configurable values at the top of a configuration file.
**Example [Loadbalancer-accesslogs-existingbucket.config](https://github.com/awsdocs/elastic-beanstalk-samples/tree/main/configuration-files/aws-provided/resource-configuration/loadbalancer-accesslogs-existingbucket.config) – Parameters**
```
Parameters:
bucket:
Type: String
Description: "Name of the Amazon S3 bucket in which to store load balancer logs"
Default: "amzn-s3-demo-bucket"
bucketprefix:
Type: String
Description: "Optional prefix. Can't start or end with a /, or contain the word AWSLogs"
Default: ""
```
## Outputs
You can use an `Outputs` block to export information about created resources to CloudFormation. You can then use the `Fn::ImportValue` function to pull the value into a CloudFormation template outside of Elastic Beanstalk.
The following example creates an Amazon SNS topic and exports its ARN to CloudFormation with the name `NotificationTopicArn`.
**Example [sns-topic.config](https://github.com/awsdocs/elastic-beanstalk-samples/tree/main/configuration-files/aws-provided/resource-configuration/sns-topic.config)**
```
Resources:
NotificationTopic:
Type: AWS::SNS::Topic
Outputs:
NotificationTopicArn:
Description: Notification topic ARN
Value: { "Ref" : "NotificationTopic" }
Export:
Name: NotificationTopicArn
```
In a configuration file for a different environment, or a CloudFormation template outside of Elastic Beanstalk, you can use the `Fn::ImportValue` function to get the exported ARN. This example assigns the exported value to an environment property named `TOPIC_ARN`.
**Example env.config**
```
option_settings:
aws:elasticbeanstalk:application:environment:
TOPIC_ARN: '`{ "Fn::ImportValue" : "NotificationTopicArn" }`'
```
## Mappings
You can use a mapping to store key-value pairs organized by namespace. A mapping can help you organize values that you use throughout your configs, or change a parameter value depending on another value. For example, the following configuration sets the value of an account ID parameter based on the current region.
**Example [Loadbalancer-accesslogs-newbucket.config](https://github.com/awsdocs/elastic-beanstalk-samples/tree/main/configuration-files/aws-provided/resource-configuration/loadbalancer-accesslogs-newbucket.config) – Mappings**
```
Mappings:
Region2ELBAccountId:
us-east-1:
AccountId: "111122223333"
us-west-2:
AccountId: "444455556666"
us-west-1:
AccountId: "123456789012"
eu-west-1:
AccountId: "777788889999"
...
Principal:
AWS:
? "Fn::FindInMap"
:
- Region2ELBAccountId
-
Ref: "AWS::Region"
- AccountId
```
# Functions
You can use functions in your configuration files to populate values for resource properties with information from other resources or from Elastic Beanstalk configuration option settings. Elastic Beanstalk supports CloudFormation functions (`Ref`, `Fn::GetAtt`, `Fn::Join`), and one Elastic Beanstalk-specific function, `Fn::GetOptionSetting`.
**Topics**
+ [
## Ref
](#ebextensions-functions-ref)
+ [
## Fn::GetAtt
](#ebextensions-functions-getatt)
+ [
## Fn::Join
](#ebextensions-functions-join)
+ [
## Fn::GetOptionSetting
](#ebextensions-functions-getoptionsetting)
## Ref
Use `Ref` to retrieve the default string representation of an AWS resource. The value returned by `Ref` depends on the resource type, and sometimes depends on other factors as well. For example, a security group ([AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html)) returns either the name or ID of the security group, depending on if the security group is in a default [Amazon Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/) (Amazon VPC), EC2 classic, or a custom VPC.
```
{ "Ref" : "resource name" }
```
**Note**
For details on each resource type, including the return value(s) of `Ref`, see [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) in the *CloudFormation User Guide*.
From the sample [Auto Scaling lifecycle hook](environment-resources.md):
```
Resources:
lifecyclehook:
Type: AWS::AutoScaling::LifecycleHook
Properties:
AutoScalingGroupName: { "Ref" : "AWSEBAutoScalingGroup" }
```
You can also use `Ref` to retrieve the value of a CloudFormation parameter defined elsewhere in the same file or in a different configuration file.
## Fn::GetAtt
Use `Fn::GetAtt` to retrieve the value of an attribute on an AWS resource.
```
{ "Fn::GetAtt" : [ "resource name", "attribute name"] }
```
From the sample [Auto Scaling lifecycle hook](environment-resources.md):
```
Resources:
lifecyclehook:
Type: AWS::AutoScaling::LifecycleHook
Properties:
RoleARN: { "Fn::GetAtt" : [ "hookrole", "Arn"] }
```
See [Fn::GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html) for more information.
## Fn::Join
Use `Fn::Join` to combine strings with a delimiter. The strings can be hard-coded or use the output from `Fn::GetAtt` or `Ref`.
```
{ "Fn::Join" : [ "delimiter", [ "string1", "string2" ] ] }
```
See [Fn::Join](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-join.html) for more information.
## Fn::GetOptionSetting
Use `Fn::GetOptionSetting` to retrieve the value of a [configuration option](command-options.md) setting applied to the environment.
```
"Fn::GetOptionSetting":
Namespace: "namespace"
OptionName: "option name"
DefaultValue: "default value"
```
From the [storing private keys](https-storingprivatekeys.md) example:
```
Resources:
AWSEBAutoScalingGroup:
Metadata:
AWS::CloudFormation::Authentication:
S3Auth:
type: "s3"
buckets: ["elasticbeanstalk-us-west-2-123456789012"]
roleName:
"Fn::GetOptionSetting":
Namespace: "aws:autoscaling:launchconfiguration"
OptionName: "IamInstanceProfile"
DefaultValue: "aws-elasticbeanstalk-ec2-role"
```
# Custom resource examples
The following is a list of example configuration files that you can use to customize your Elastic Beanstalk environments:
+ [DynamoDB, CloudWatch, and SNS](https://elasticbeanstalk.s3.amazonaws.com/extensions/DynamoDB-with-CloudWatch-Alarms.config)
+ [Elastic Load Balancing and CloudWatch](https://elasticbeanstalk.s3.amazonaws.com/extensions/ELB-Alarms.config)
+ [ElastiCache](https://elasticbeanstalk.s3.amazonaws.com/extensions/ElastiCache.config)
+ [RDS and CloudWatch](https://elasticbeanstalk.s3.amazonaws.com/extensions/RDS-Alarms.config)
+ [SQS, SNS, and CloudWatch](https://elasticbeanstalk.s3.amazonaws.com/extensions/SNS.config)
Subtopics of this page provide some extended examples for adding and configuring custom resources in an Elastic Beanstalk environment.
**Topics**
+ [
# Example: ElastiCache
](customize-environment-resources-elasticache.md)
+ [
# Example: SQS, CloudWatch, and SNS
](customize-environment-resources-sqs.md)
+ [
# Example: DynamoDB, CloudWatch, and SNS
](customize-environment-resources-dynamodb.md)
# Example: ElastiCache
The following samples add an Amazon ElastiCache cluster to EC2-Classic and EC2-VPC (both default and custom [Amazon Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/) (Amazon VPC)) platforms. For more information about these platforms and how you can determine which ones EC2 supports for your region and your AWS account, see [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-platforms.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-platforms.html). Then refer to the section in this topic that applies to your platform.
+ [EC2-classic platforms](#customize-environment-resources-elasticache-classic)
+ [EC2-VPC (default)](#customize-environment-resources-elasticache-defaultvpc)
+ [EC2-VPC (custom)](#customize-environment-resources-elasticache-targetedvpc)
## EC2-classic platforms
This sample adds an Amazon ElastiCache cluster to an environment with instances launched into the EC2-Classic platform. All of the properties that are listed in this example are the minimum required properties that must be set for each resource type. You can download the example at [ElastiCache example](https://elasticbeanstalk.s3.amazonaws.com/extensions/ElastiCache.config).
**Note**
This example creates AWS resources, which you might be charged for. For more information about AWS pricing, see [https://aws.amazon.com/pricing/](https://aws.amazon.com/pricing/). Some services are part of the AWS Free Usage Tier. If you are a new customer, you can test drive these services for free. See [https://aws.amazon.com/free/](https://aws.amazon.com/free/) for more information.
To use this example, do the following:
1. Create an `[.ebextensions](ebextensions.md)` directory in the top-level directory of your source bundle.
1. Create two configuration files with the `.config` extension and place them in your `.ebextensions` directory. One configuration file defines the resources, and the other configuration file defines the options.
1. Deploy your application to Elastic Beanstalk.
YAML relies on consistent indentation. Match the indentation level when replacing content in an example configuration file and ensure that your text editor uses spaces, not tab characters, to indent.
Create a configuration file (e.g., `elasticache.config`) that defines the resources. In this example, we create the ElastiCache cluster by specifying the name of the ElastiCache cluster resource (`MyElastiCache`), declaring its type, and then configuring the properties for the cluster. The example references the name of the ElastiCache security group resource that gets created and defined in this configuration file. Next, we create an ElastiCache security group. We define the name for this resource, declare its type, and add a description for the security group. Finally, we set the ingress rules for the ElastiCache security group to allow access only from instances inside the ElastiCache security group (`MyCacheSecurityGroup`) and the Elastic Beanstalk security group (`AWSEBSecurityGroup`). The parameter name, `AWSEBSecurityGroup`, is a fixed resource name provided by Elastic Beanstalk. You must add `AWSEBSecurityGroup` to your ElastiCache security group ingress rules in order for your Elastic Beanstalk application to connect to the instances in your ElastiCache cluster.
```
#This sample requires you to create a separate configuration file that defines the custom option settings for CacheCluster properties.
Resources:
MyElastiCache:
Type: AWS::ElastiCache::CacheCluster
Properties:
CacheNodeType:
Fn::GetOptionSetting:
OptionName : CacheNodeType
DefaultValue: cache.m1.small
NumCacheNodes:
Fn::GetOptionSetting:
OptionName : NumCacheNodes
DefaultValue: 1
Engine:
Fn::GetOptionSetting:
OptionName : Engine
DefaultValue: memcached
CacheSecurityGroupNames:
- Ref: MyCacheSecurityGroup
MyCacheSecurityGroup:
Type: AWS::ElastiCache::SecurityGroup
Properties:
Description: "Lock cache down to webserver access only"
MyCacheSecurityGroupIngress:
Type: AWS::ElastiCache::SecurityGroupIngress
Properties:
CacheSecurityGroupName:
Ref: MyCacheSecurityGroup
EC2SecurityGroupName:
Ref: AWSEBSecurityGroup
```
For more information about the resources used in this example configuration file, see the following references:
+ [AWS::ElastiCache::CacheCluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html)
+ [AWS::ElastiCache::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-security-group.html)
+ [AWS::ElastiCache:SecurityGroupIngress](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-security-group-ingress.html)
Create a separate configuration file called `options.config` and define the custom option settings.
```
option_settings:
"aws:elasticbeanstalk:customoption":
CacheNodeType : cache.m1.small
NumCacheNodes : 1
Engine : memcached
```
These lines tell Elastic Beanstalk to get the values for the **CacheNodeType, NumCacheNodes, and Engine** properties from the **CacheNodeType, NumCacheNodes, and Engine** values in a config file (options.config in our example) that contains an option\$1settings section with an **aws:elasticbeanstalk:customoption** section that contains a name-value pair that contains the actual value to use. In the example above, this means cache.m1.small, 1, and memcached would be used for the values. For more information about `Fn::GetOptionSetting`, see [Functions](ebextensions-functions.md).
## EC2-VPC (default)
This sample adds an Amazon ElastiCache cluster to an environment with instances launched into the EC2-VPC platform. Specifically, the information in this section applies to a scenario where EC2 launches instances into the default VPC. All of the properties in this example are the minimum required properties that must be set for each resource type. For more information about default VPCs, see [Your Default VPC and Subnets](https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html).
**Note**
This example creates AWS resources, which you might be charged for. For more information about AWS pricing, see [https://aws.amazon.com/pricing/](https://aws.amazon.com/pricing/). Some services are part of the AWS Free Usage Tier. If you are a new customer, you can test drive these services for free. See [https://aws.amazon.com/free/](https://aws.amazon.com/free/) for more information.
To use this example, do the following:
1. Create an `[.ebextensions](ebextensions.md)` directory in the top-level directory of your source bundle.
1. Create two configuration files with the `.config` extension and place them in your `.ebextensions` directory. One configuration file defines the resources, and the other configuration file defines the options.
1. Deploy your application to Elastic Beanstalk.
YAML relies on consistent indentation. Match the indentation level when replacing content in an example configuration file and ensure that your text editor uses spaces, not tab characters, to indent.
Now name the resources configuration file `elasticache.config`. To create the ElastiCache cluster, this example specifies the name of the ElastiCache cluster resource (`MyElastiCache`), declares its type, and then configures the properties for the cluster. The example references the ID of the security group resource that we create and define in this configuration file.
Next, we create an EC2 security group. We define the name for this resource, declare its type, add a description, and set the ingress rules for the security group to allow access only from instances inside the Elastic Beanstalk security group (`AWSEBSecurityGroup`). (The parameter name, `AWSEBSecurityGroup`, is a fixed resource name provided by Elastic Beanstalk. You must add `AWSEBSecurityGroup` to your ElastiCache security group ingress rules in order for your Elastic Beanstalk application to connect to the instances in your ElastiCache cluster.)
The ingress rules for the EC2 security group also define the IP protocol and port numbers on which the cache nodes can accept connections. For Redis, the default port number is `6379`.
```
#This sample requires you to create a separate configuration file that defines the custom option settings for CacheCluster properties.
Resources:
MyCacheSecurityGroup:
Type: "AWS::EC2::SecurityGroup"
Properties:
GroupDescription: "Lock cache down to webserver access only"
SecurityGroupIngress :
- IpProtocol : "tcp"
FromPort :
Fn::GetOptionSetting:
OptionName : "CachePort"
DefaultValue: "6379"
ToPort :
Fn::GetOptionSetting:
OptionName : "CachePort"
DefaultValue: "6379"
SourceSecurityGroupName:
Ref: "AWSEBSecurityGroup"
MyElastiCache:
Type: "AWS::ElastiCache::CacheCluster"
Properties:
CacheNodeType:
Fn::GetOptionSetting:
OptionName : "CacheNodeType"
DefaultValue : "cache.t2.micro"
NumCacheNodes:
Fn::GetOptionSetting:
OptionName : "NumCacheNodes"
DefaultValue : "1"
Engine:
Fn::GetOptionSetting:
OptionName : "Engine"
DefaultValue : "redis"
VpcSecurityGroupIds:
-
Fn::GetAtt:
- MyCacheSecurityGroup
- GroupId
Outputs:
ElastiCache:
Description : "ID of ElastiCache Cache Cluster with Redis Engine"
Value :
Ref : "MyElastiCache"
```
For more information about the resources used in this example configuration file, see the following references:
+ [AWS::ElastiCache::CacheCluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html)
+ [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html)
Next, name the options configuration file `options.config` and define the custom option settings.
```
option_settings:
"aws:elasticbeanstalk:customoption":
CacheNodeType : cache.t2.micro
NumCacheNodes : 1
Engine : redis
CachePort : 6379
```
These lines tell Elastic Beanstalk to get the values for the `CacheNodeType`, `NumCacheNodes`, `Engine`, and `CachePort` properties from the `CacheNodeType`, `NumCacheNodes`, `Engine`, and `CachePort` values in a config file (`options.config` in our example). That file includes an `aws:elasticbeanstalk:customoption` section (under `option_settings`) that contains name-value pairs with the actual values to use. In the preceding example, `cache.t2.micro`, `1`, `redis`, and `6379` would be used for the values. For more information about `Fn::GetOptionSetting`, see [Functions](ebextensions-functions.md).
## EC2-VPC (custom)
If you create a custom VPC on the EC2-VPC platform and specify it as the VPC into which EC2 launches instances, the process of adding an Amazon ElastiCache cluster to your environment differs from that of a default VPC. The main difference is that you must create a subnet group for the ElastiCache cluster. All of the properties in this example are the minimum required properties that must be set for each resource type.
**Note**
This example creates AWS resources, which you might be charged for. For more information about AWS pricing, see [https://aws.amazon.com/pricing/](https://aws.amazon.com/pricing/). Some services are part of the AWS Free Usage Tier. If you are a new customer, you can test drive these services for free. See [https://aws.amazon.com/free/](https://aws.amazon.com/free/) for more information.
To use this example, do the following:
1. Create an `[.ebextensions](ebextensions.md)` directory in the top-level directory of your source bundle.
1. Create two configuration files with the `.config` extension and place them in your `.ebextensions` directory. One configuration file defines the resources, and the other configuration file defines the options.
1. Deploy your application to Elastic Beanstalk.
YAML relies on consistent indentation. Match the indentation level when replacing content in an example configuration file and ensure that your text editor uses spaces, not tab characters, to indent.
Now name the resources configuration file `elasticache.config`. To create the ElastiCache cluster, this example specifies the name of the ElastiCache cluster resource (`MyElastiCache`), declares its type, and then configures the properties for the cluster. The properties in the example reference the name of the subnet group for the ElastiCache cluster as well as the ID of security group resource that we create and define in this configuration file.
Next, we create an EC2 security group. We define the name for this resource, declare its type, add a description, the VPC ID, and set the ingress rules for the security group to allow access only from instances inside the Elastic Beanstalk security group (`AWSEBSecurityGroup`). (The parameter name, `AWSEBSecurityGroup`, is a fixed resource name provided by Elastic Beanstalk. You must add `AWSEBSecurityGroup` to your ElastiCache security group ingress rules in order for your Elastic Beanstalk application to connect to the instances in your ElastiCache cluster.)
The ingress rules for the EC2 security group also define the IP protocol and port numbers on which the cache nodes can accept connections. For Redis, the default port number is `6379`. Finally, this example creates a subnet group for the ElastiCache cluster. We define the name for this resource, declare its type, and add a description and ID of the subnet in the subnet group.
**Note**
We recommend that you use private subnets for the ElastiCache cluster. For more information about a VPC with a private subnet, see [https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html).
```
#This sample requires you to create a separate configuration file that defines the custom option settings for CacheCluster properties.
Resources:
MyElastiCache:
Type: "AWS::ElastiCache::CacheCluster"
Properties:
CacheNodeType:
Fn::GetOptionSetting:
OptionName : "CacheNodeType"
DefaultValue : "cache.t2.micro"
NumCacheNodes:
Fn::GetOptionSetting:
OptionName : "NumCacheNodes"
DefaultValue : "1"
Engine:
Fn::GetOptionSetting:
OptionName : "Engine"
DefaultValue : "redis"
CacheSubnetGroupName:
Ref: "MyCacheSubnets"
VpcSecurityGroupIds:
- Ref: "MyCacheSecurityGroup"
MyCacheSecurityGroup:
Type: "AWS::EC2::SecurityGroup"
Properties:
GroupDescription: "Lock cache down to webserver access only"
VpcId:
Fn::GetOptionSetting:
OptionName : "VpcId"
SecurityGroupIngress :
- IpProtocol : "tcp"
FromPort :
Fn::GetOptionSetting:
OptionName : "CachePort"
DefaultValue: "6379"
ToPort :
Fn::GetOptionSetting:
OptionName : "CachePort"
DefaultValue: "6379"
SourceSecurityGroupId:
Ref: "AWSEBSecurityGroup"
MyCacheSubnets:
Type: "AWS::ElastiCache::SubnetGroup"
Properties:
Description: "Subnets for ElastiCache"
SubnetIds:
Fn::GetOptionSetting:
OptionName : "CacheSubnets"
Outputs:
ElastiCache:
Description : "ID of ElastiCache Cache Cluster with Redis Engine"
Value :
Ref : "MyElastiCache"
```
For more information about the resources used in this example configuration file, see the following references:
+ [AWS::ElastiCache::CacheCluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html)
+ [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html)
+ [AWS::ElastiCache::SubnetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-subnetgroup.html)
Next, name the options configuration file `options.config` and define the custom option settings.
**Note**
In the following example, replace the example `CacheSubnets` and `VpcId` values with your own subnets and VPC.
```
option_settings:
"aws:elasticbeanstalk:customoption":
CacheNodeType : cache.t2.micro
NumCacheNodes : 1
Engine : redis
CachePort : 6379
CacheSubnets:
- subnet-1a1a1a1a
- subnet-2b2b2b2b
- subnet-3c3c3c3c
VpcId: vpc-4d4d4d4d
```
These lines tell Elastic Beanstalk to get the values for the `CacheNodeType`, `NumCacheNodes`, `Engine`, `CachePort`, `CacheSubnets`, and `VpcId` properties from the `CacheNodeType`, `NumCacheNodes`, `Engine`, `CachePort`, `CacheSubnets`, and `VpcId` values in a config file (`options.config` in our example). That file includes an `aws:elasticbeanstalk:customoption` section (under `option_settings`) that contains name-value pairs with sample values. In the example above, `cache.t2.micro`, `1`, `redis`, `6379`, `subnet-1a1a1a1a`, `subnet-2b2b2b2b`, `subnet-3c3c3c3c`, and `vpc-4d4d4d4d` would be used for the values. For more information about `Fn::GetOptionSetting`, see [Functions](ebextensions-functions.md).
# Example: SQS, CloudWatch, and SNS
This example adds an Amazon SQS queue and an alarm on queue depth to the environment. The properties that you see in this example are the minimum required properties that you must set for each of these resources. You can download the example at [SQS, SNS, and CloudWatch](https://elasticbeanstalk.s3.amazonaws.com/extensions/SNS.config).
**Note**
This example creates AWS resources, which you might be charged for. For more information about AWS pricing, see [https://aws.amazon.com/pricing/](https://aws.amazon.com/pricing/). Some services are part of the AWS Free Usage Tier. If you are a new customer, you can test drive these services for free. See [https://aws.amazon.com/free/](https://aws.amazon.com/free/) for more information.
To use this example, do the following:
1. Create an `[.ebextensions](ebextensions.md)` directory in the top-level directory of your source bundle.
1. Create two configuration files with the `.config` extension and place them in your `.ebextensions` directory. One configuration file defines the resources, and the other configuration file defines the options.
1. Deploy your application to Elastic Beanstalk.
YAML relies on consistent indentation. Match the indentation level when replacing content in an example configuration file and ensure that your text editor uses spaces, not tab characters, to indent.
Create a configuration file (e.g., sqs.config) that defines the resources. In this example, we create an SQS queue and define the `VisbilityTimeout` property in the `MySQSQueue` resource. Next, we create an SNS `Topic` and specify that email gets sent to `someone@example.com` when the alarm is fired. Finally, we create a CloudWatch alarm if the queue grows beyond 10 messages. In the `Dimensions` property, we specify the name of the dimension and the value representing the dimension measurement. We use `Fn::GetAtt` to return the value of `QueueName` from `MySQSQueue`.
```
#This sample requires you to create a separate configuration file to define the custom options for the SNS topic and SQS queue.
Resources:
MySQSQueue:
Type: AWS::SQS::Queue
Properties:
VisibilityTimeout:
Fn::GetOptionSetting:
OptionName: VisibilityTimeout
DefaultValue: 30
AlarmTopic:
Type: AWS::SNS::Topic
Properties:
Subscription:
- Endpoint:
Fn::GetOptionSetting:
OptionName: AlarmEmail
DefaultValue: "nobody@amazon.com"
Protocol: email
QueueDepthAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: "Alarm if queue depth grows beyond 10 messages"
Namespace: "AWS/SQS"
MetricName: ApproximateNumberOfMessagesVisible
Dimensions:
- Name: QueueName
Value : { "Fn::GetAtt" : [ "MySQSQueue", "QueueName"] }
Statistic: Sum
Period: 300
EvaluationPeriods: 1
Threshold: 10
ComparisonOperator: GreaterThanThreshold
AlarmActions:
- Ref: AlarmTopic
InsufficientDataActions:
- Ref: AlarmTopic
Outputs :
QueueURL:
Description : "URL of newly created SQS Queue"
Value : { Ref : "MySQSQueue" }
QueueARN :
Description : "ARN of newly created SQS Queue"
Value : { "Fn::GetAtt" : [ "MySQSQueue", "Arn"]}
QueueName :
Description : "Name newly created SQS Queue"
Value : { "Fn::GetAtt" : [ "MySQSQueue", "QueueName"]}
```
For more information about the resources used in this example configuration file, see the following references:
+ [AWS::SQS::Queue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html)
+ [AWS::SNS::Topic](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-topic.html)
+ [AWS::CloudWatch::Alarm](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cw-alarm.html)
Create a separate configuration file called `options.config` and define the custom option settings.
```
option_settings:
"aws:elasticbeanstalk:customoption":
VisibilityTimeout : 30
AlarmEmail : "nobody@example.com"
```
These lines tell Elastic Beanstalk to get the values for the **VisibilityTimeout and Subscription Endpoint** properties from the **VisibilityTimeout and Subscription Endpoint** values in a config file (options.config in our example) that contains an option\$1settings section with an **aws:elasticbeanstalk:customoption** section that contains a name-value pair that contains the actual value to use. In the example above, this means 30 and "nobody@amazon.com" would be used for the values. For more information about `Fn::GetOptionSetting`, see [Functions](ebextensions-functions.md).
# Example: DynamoDB, CloudWatch, and SNS
This configuration file sets up the DynamoDB table as a session handler for a PHP-based application using the AWS SDK for PHP 2. To use this example, you must have an IAM instance profile, which is added to the instances in your environment and used to access the DynamoDB table.
You can download the sample that we'll use in this step at [DynamoDB session Support example](https://elasticbeanstalk.s3.amazonaws.com/extensions/PHP-DynamoDB-Session-Support.zip). The sample contains the following files:
+ The sample application, `index.php`
+ A configuration file, `dynamodb.config`, to create and configure a DynamoDB table and other AWS resources and install software on the EC2 instances that host the application in an Elastic Beanstalk environment
+ A configuration file, `options.config`, that overrides the defaults in `dynamodb.config` with specific settings for this particular installation
**`index.php`**
```
$region));
$handler = $dynamodb->registerSessionHandler(array('table_name' => $tableName, 'hash_key' => 'username'));
// Grab the instance ID so we can display the EC2 instance that services the request
$instanceId = file_get_contents("http://169.254.169.254/latest/meta-data/instance-id");
?>
Elastic Beanstalk PHP Sessions Sample
This sample application shows the integration of the Elastic Beanstalk PHP
container and the session support for DynamoDB from the AWS SDK for PHP 2.
Using DynamoDB session support, the application can be scaled out across
multiple web servers. For more details, see the
PHP Developer Center.
```
**`.ebextensions/dynamodb.config`**
```
Resources:
SessionTable:
Type: AWS::DynamoDB::Table
Properties:
KeySchema:
HashKeyElement:
AttributeName:
Fn::GetOptionSetting:
OptionName : SessionHashKeyName
DefaultValue: "username"
AttributeType:
Fn::GetOptionSetting:
OptionName : SessionHashKeyType
DefaultValue: "S"
ProvisionedThroughput:
ReadCapacityUnits:
Fn::GetOptionSetting:
OptionName : SessionReadCapacityUnits
DefaultValue: 1
WriteCapacityUnits:
Fn::GetOptionSetting:
OptionName : SessionWriteCapacityUnits
DefaultValue: 1
SessionWriteCapacityUnitsLimit:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: { "Fn::Join" : ["", [{ "Ref" : "AWSEBEnvironmentName" }, " write capacity limit on the session table." ]]}
Namespace: "AWS/DynamoDB"
MetricName: ConsumedWriteCapacityUnits
Dimensions:
- Name: TableName
Value: { "Ref" : "SessionTable" }
Statistic: Sum
Period: 300
EvaluationPeriods: 12
Threshold:
Fn::GetOptionSetting:
OptionName : SessionWriteCapacityUnitsAlarmThreshold
DefaultValue: 240
ComparisonOperator: GreaterThanThreshold
AlarmActions:
- Ref: SessionAlarmTopic
InsufficientDataActions:
- Ref: SessionAlarmTopic
SessionReadCapacityUnitsLimit:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: { "Fn::Join" : ["", [{ "Ref" : "AWSEBEnvironmentName" }, " read capacity limit on the session table." ]]}
Namespace: "AWS/DynamoDB"
MetricName: ConsumedReadCapacityUnits
Dimensions:
- Name: TableName
Value: { "Ref" : "SessionTable" }
Statistic: Sum
Period: 300
EvaluationPeriods: 12
Threshold:
Fn::GetOptionSetting:
OptionName : SessionReadCapacityUnitsAlarmThreshold
DefaultValue: 240
ComparisonOperator: GreaterThanThreshold
AlarmActions:
- Ref: SessionAlarmTopic
InsufficientDataActions:
- Ref: SessionAlarmTopic
SessionThrottledRequestsAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: { "Fn::Join" : ["", [{ "Ref" : "AWSEBEnvironmentName" }, ": requests are being throttled." ]]}
Namespace: AWS/DynamoDB
MetricName: ThrottledRequests
Dimensions:
- Name: TableName
Value: { "Ref" : "SessionTable" }
Statistic: Sum
Period: 300
EvaluationPeriods: 1
Threshold:
Fn::GetOptionSetting:
OptionName: SessionThrottledRequestsThreshold
DefaultValue: 1
ComparisonOperator: GreaterThanThreshold
AlarmActions:
- Ref: SessionAlarmTopic
InsufficientDataActions:
- Ref: SessionAlarmTopic
SessionAlarmTopic:
Type: AWS::SNS::Topic
Properties:
Subscription:
- Endpoint:
Fn::GetOptionSetting:
OptionName: SessionAlarmEmail
DefaultValue: "nobody@amazon.com"
Protocol: email
files:
"/var/app/sessiontable":
mode: "000444"
content: |
`{"Ref" : "SessionTable"}`
`{"Ref" : "AWS::Region"}`
"/var/app/composer.json":
mode: "000744"
content:
{
"require": {
"aws/aws-sdk-php": "*"
}
}
container_commands:
"1-install-composer":
command: "cd /var/app; curl -s http://getcomposer.org/installer | php"
"2-install-dependencies":
command: "cd /var/app; php composer.phar install"
"3-cleanup-composer":
command: "rm -Rf /var/app/composer.*"
```
In the sample configuration file, we first create the DynamoDB table and configure the primary key structure for the table and the capacity units to allocate sufficient resources to provide the requested throughput. Next, we create CloudWatch alarms for `WriteCapacity` and `ReadCapacity`. We create an SNS topic that sends email to "nobody@amazon.com" if the alarm thresholds are breached.
After we create and configure our AWS resources for our environment, we need to customize the EC2 instances. We use the `files` key to pass the details of the DynamoDB table to the EC2 instances in our environment as well as add a "require" in the `composer.json` file for the AWS SDK for PHP 2. Finally, we run container commands to install composer, the required dependencies, and then remove the installer.
**`.ebextensions/options.config`**
```
option_settings:
"aws:elasticbeanstalk:customoption":
SessionHashKeyName : username
SessionHashKeyType : S
SessionReadCapacityUnits : 1
SessionReadCapacityUnitsAlarmThreshold : 240
SessionWriteCapacityUnits : 1
SessionWriteCapacityUnitsAlarmThreshold : 240
SessionThrottledRequestsThreshold : 1
SessionAlarmEmail : me@example.com
```
Replace the SessionAlarmEmail value with the email where you want alarm notifications sent. The `options.config` file contains the values used for some of the variables defined in `dynamodb.config`. For example, `dynamodb.config` contains the following lines:
```
Subscription:
- Endpoint:
Fn::GetOptionSetting:
OptionName: SessionAlarmEmail
DefaultValue: "nobody@amazon.com"
```
These lines that tell Elastic Beanstalk to get the value for the **Endpoint** property from the **SessionAlarmEmail** value in a config file (`options.config` in our sample application) that contains an option\$1settings section with an **aws:elasticbeanstalk:customoption** section that contains a name-value pair that contains the actual value to use. In the example above, this means **SessionAlarmEmail** would be assigned the value `nobody@amazon.com`.
For more information about the CloudFormation resources used in this example, see the following references:
+ [AWS::DynamoDB::Table](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html)
+ [AWS::CloudWatch::Alarm](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cw-alarm.html)
+ [AWS::SNS::Topic](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-topic.html)
# Using Elastic Beanstalk saved configurations
You can save your environment's configuration as an object in Amazon Simple Storage Service (Amazon S3) that can be applied to other environments during environment creation, or applied to a running environment. *Saved configurations* are YAML formatted templates that define an environment's [platform version](concepts.platforms.md), [tier](concepts.md#concepts-tier), [configuration option](command-options.md) settings, and tags.
You can apply tags to a saved configuration when you create it, and edit tags of existing saved configurations. The tags applied to a saved configuration aren't related to the tags specified in a saved configuration using the `Tags:` key. The latter are applied to an environment when you apply the saved configuration to the environment. For details, see [Tagging saved configurations](environment-configuration-savedconfig-tagging.md).
**Note**
You can create and apply saved configurations to your Elastic Beanstalk environments using several methods. These include the Elastic Beanstalk console, the EB CLI, and the AWS CLI.
See the following topics for examples of alternate methods for creating and applying saved configurations:
[Setting configuration options before environment creation](environment-configuration-methods-before.md)
[Setting configuration options during environment creation](environment-configuration-methods-during.md)
[Setting configuration options after environment creation](environment-configuration-methods-after.md)
Create a saved configuration from the current state of your environment in the Elastic Beanstalk management console.
**To save an environment's configuration**
1. Open the [Elastic Beanstalk console](https://console.aws.amazon.com/elasticbeanstalk), and in the **Regions** list, select your AWS Region.
1. In the navigation pane, choose **Environments**, and then choose the name of your environment from the list.
1. Choose **Actions**, and then choose **Save configuration**.
1. Use the on-screen form to name the saved configuration. Optionally, provide a brief description, and add tag keys and values.
1. Choose **Save**.
![\[Save Configuration page on the Elastic Beanstalk console\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/images/environment-cfg-saveconfiguration-dialog.png)
The saved configuration includes any settings that you have applied to the environment with the console or any other client that uses the Elastic Beanstalk API. You can then apply the saved configuration to your environment at a later date to restore it to its previous state, or apply it to a new environment during [environment creation](environments-create-wizard.md).
You can download a configuration using the EB CLI [**eb config**](eb3-config.md) command, as shown in the following example. *NAME* is the name of your saved configuration.
```
eb config get NAME
```
**To apply a saved configuration during environment creation (Elastic Beanstalk console)**
1. Open the [Elastic Beanstalk console](https://console.aws.amazon.com/elasticbeanstalk), and in the **Regions** list, select your AWS Region.
1. In the navigation pane, choose **Applications**, and then choose your application's name from the list.
1. In the navigation pane, find your application's name and choose **Saved configurations**.
1. Select the saved configuration you want to apply, and then choose **Launch environment**.
1. Proceed through the wizard to create your environment.
Saved configurations don't include settings applied with [configuration files](ebextensions.md) in your application's source code. If the same setting is applied in both a configuration file and saved configuration, the setting in the saved configuration takes precedence. Likewise, options specified in the Elastic Beanstalk console override options in saved configurations. For more information, see [Precedence](command-options.md#configuration-options-precedence).
Saved configurations are stored in the Elastic Beanstalk S3 bucket in a folder named after your application. For example, configurations for an application named `my-app` in the us-west-2 region for account number 123456789012 can be found at `s3://elasticbeanstalk-us-west-2-123456789012/resources/templates/my-app/`.
View the contents of a saved configuration by opening it in a text editor. The following example configuration shows the configuration of a web server environment launched with the Elastic Beanstalk management console.
```
EnvironmentConfigurationMetadata:
Description: Saved configuration from a multicontainer Docker environment created with the Elastic Beanstalk Management Console
DateCreated: '1520633151000'
DateModified: '1520633151000'
Platform:
PlatformArn: arn:aws:elasticbeanstalk:us-east-2::platform/Java 8 running on 64bit Amazon Linux/2.5.0
OptionSettings:
aws:elasticbeanstalk:command:
BatchSize: '30'
BatchSizeType: Percentage
aws:elasticbeanstalk:sns:topics:
Notification Endpoint: me@example.com
aws:elb:policies:
ConnectionDrainingEnabled: true
ConnectionDrainingTimeout: '20'
aws:elb:loadbalancer:
CrossZone: true
aws:elasticbeanstalk:environment:
ServiceRole: aws-elasticbeanstalk-service-role
aws:elasticbeanstalk:application:
Application Healthcheck URL: /
aws:elasticbeanstalk:healthreporting:system:
SystemType: enhanced
aws:autoscaling:launchconfiguration:
IamInstanceProfile: aws-elasticbeanstalk-ec2-role
InstanceType: t2.micro
EC2KeyName: workstation-uswest2
aws:autoscaling:updatepolicy:rollingupdate:
RollingUpdateType: Health
RollingUpdateEnabled: true
EnvironmentTier:
Type: Standard
Name: WebServer
AWSConfigurationTemplateVersion: 1.1.0.0
Tags:
Cost Center: WebApp Dev
```
You can modify the contents of a saved configuration and save it in the same location in Amazon S3. Any properly formatted saved configuration stored in the right location can be applied to an environment by using the Elastic Beanstalk management console.
The following keys are supported.
+ **AWSConfigurationTemplateVersion** (required) – The configuration template version (1.1.0.0).
```
AWSConfigurationTemplateVersion: 1.1.0.0
```
+ **Platform** – The Amazon Resource Name (ARN) of the environment's platform version. You can specify the platform by ARN or solution stack name.
```
Platform:
PlatformArn: arn:aws:elasticbeanstalk:us-east-2::platform/Java 8 running on 64bit Amazon Linux/2.5.0
```
+ **SolutionStack** – The full name of the [solution stack](concepts.platforms.md) used to create the environment.
```
SolutionStack: 64bit Amazon Linux 2017.03 v2.5.0 running Java 8
```
+ **OptionSettings** – [Configuration option](command-options.md) settings to apply to the environment. For example, the following entry sets the instance type to t2.micro.
```
OptionSettings:
aws:autoscaling:launchconfiguration:
InstanceType: t2.micro
```
+ **Tags** – Up to 47 tags to apply to resources created within the environment.
```
Tags:
Cost Center: WebApp Dev
```
+ **EnvironmentTier** – The type of environment to create. For a web server environment, you can exclude this section (web server is the default). For a worker environment, use the following.
```
EnvironmentTier:
Name: Worker
Type: SQS/HTTP
```
**Note**
You can create and apply saved configurations to your Elastic Beanstalk environments using several methods. These include the Elastic Beanstalk console, the EB CLI, and the AWS CLI.
See the following topics for examples of alternate methods for creating and applying saved configurations:
[Setting configuration options before environment creation](environment-configuration-methods-before.md)
[Setting configuration options during environment creation](environment-configuration-methods-during.md)
[Setting configuration options after environment creation](environment-configuration-methods-after.md)
# Tagging saved configurations
You can apply tags to your AWS Elastic Beanstalk saved configurations. Tags are key-value pairs associated with AWS resources. For information about Elastic Beanstalk resource tagging, use cases, tag key and value constraints, and supported resource types, see [Tagging Elastic Beanstalk application resources](applications-tagging-resources.md).
You can specify tags when you create a saved configuration. In an existing saved configuration, you can add or remove tags, and update the values of existing tags. You can add up to 50 tags to each saved configuration.
## Adding tags during saved configuration creation
When you use the Elastic Beanstalk console to [save a configuration](environment-configuration-savedconfig.md), you can specify tag keys and values on the **Save Configuration** page.
If you use the EB CLI to save a configuration, use the `--tags` option with **[eb config](eb3-config.md)** to add tags.
```
~/workspace/my-app$ eb config --tags mytag1=value1,mytag2=value2
```
With the AWS CLI or other API-based clients, add tags by using the `--tags` parameter on the **[create-configuration-template](https://docs.aws.amazon.com/cli/latest/reference/elasticbeanstalk/create-configuration-template.html)** command.
```
$ aws elasticbeanstalk create-configuration-template \
--tags Key=mytag1,Value=value1 Key=mytag2,Value=value2 \
--application-name my-app --template-name my-template --solution-stack-name solution-stack
```
## Managing tags of an existing saved configuration
You can add, update, and delete tags in an existing Elastic Beanstalk saved configuration.
**To manage a saved configuration's tags using the Elastic Beanstalk console**
1. Open the [Elastic Beanstalk console](https://console.aws.amazon.com/elasticbeanstalk), and in the **Regions** list, select your AWS Region.
1. In the navigation pane, choose **Applications**, and then choose your application's name from the list.
1. In the navigation pane, find your application's name and choose **Saved configurations**.
1. Select the saved configuration you want to manage.
1. Choose **Actions**, and then choose **Manage tags**.
1. Use the on-screen form to add, update, or delete tags.
1. To save the changes choose **Apply** at the bottom of the page.
If you use the EB CLI to update your saved configuration, use **[eb tags](eb3-tags.md)** to add, update, delete, or list tags.
For example, the following command lists the tags in a saved configuration.
```
~/workspace/my-app$ eb tags --list --resource "arn:aws:elasticbeanstalk:us-east-2:my-account-id:configurationtemplate/my-app/my-template"
```
The following command updates the tag `mytag1` and deletes the tag `mytag2`.
```
~/workspace/my-app$ eb tags --update mytag1=newvalue --delete mytag2 \
--resource "arn:aws:elasticbeanstalk:us-east-2:my-account-id:configurationtemplate/my-app/my-template"
```
For a complete list of options and more examples, see `eb tags`.
With the AWS CLI or other API-based clients, use the **[list-tags-for-resource](https://docs.aws.amazon.com/cli/latest/reference/elasticbeanstalk/list-tags-for-resource.html)** command to list the tags of a saved configuration.
```
$ aws elasticbeanstalk list-tags-for-resource --resource-arn "arn:aws:elasticbeanstalk:us-east-2:my-account-id:configurationtemplate/my-app/my-template"
```
Use the **[update-tags-for-resource](https://docs.aws.amazon.com/cli/latest/reference/elasticbeanstalk/update-tags-for-resource.html)** command to add, update, or delete tags in a saved configuration.
```
$ aws elasticbeanstalk update-tags-for-resource \
--tags-to-add Key=mytag1,Value=newvalue --tags-to-remove mytag2 \
--resource-arn "arn:aws:elasticbeanstalk:us-east-2:my-account-id:configurationtemplate/my-app/my-template"
```
Specify both tags to add and tags to update in the `--tags-to-add` parameter of **update-tags-for-resource**. A nonexisting tag is added, and an existing tag's value is updated.
**Note**
To use some of the EB CLI and AWS CLI commands with an Elastic Beanstalk saved configuration, you need the saved configuration's ARN. To construct the ARN, first use the following command to retrieve the saved configuration's name.
```
$ aws elasticbeanstalk describe-applications --application-names my-app
```
Look for the `ConfigurationTemplates` key in the command's output. This element shows the saved configuration's name. Use this name where `my-template` is specified in the commands mentioned on this page.
# Environment manifest (`env.yaml`)
You can include a YAML formatted environment manifest in the root of your application source bundle to configure the environment name, solution stack and [environment links](environment-cfg-links.md) to use when creating your environment.
This file format includes support for environment groups. To use groups, specify the environment name in the manifest with a \$1 symbol at the end. When you create or update the environment, specify the group name with `--group-name` (AWS CLI) or `--env-group-suffix` (EB CLI). For more information on groups, see [Creating and updating groups of Elastic Beanstalk environments](environment-mgmt-compose.md).
The following example manifest defines a web server environment with a link to a worker environment component that it is dependent upon. The manifest uses groups to allow creating multiple environments with the same source bundle:
**`~/myapp/frontend/env.yaml`**
```
AWSConfigurationTemplateVersion: 1.1.0.0
SolutionStack: 64bit Amazon Linux 2015.09 v2.0.6 running Multi-container Docker 1.7.1 (Generic)
OptionSettings:
aws:elasticbeanstalk:command:
BatchSize: '30'
BatchSizeType: Percentage
aws:elasticbeanstalk:sns:topics:
Notification Endpoint: me@example.com
aws:elb:policies:
ConnectionDrainingEnabled: true
ConnectionDrainingTimeout: '20'
aws:elb:loadbalancer:
CrossZone: true
aws:elasticbeanstalk:environment:
ServiceRole: aws-elasticbeanstalk-service-role
aws:elasticbeanstalk:application:
Application Healthcheck URL: /
aws:elasticbeanstalk:healthreporting:system:
SystemType: enhanced
aws:autoscaling:launchconfiguration:
IamInstanceProfile: aws-elasticbeanstalk-ec2-role
InstanceType: t2.micro
EC2KeyName: workstation-uswest2
aws:autoscaling:updatepolicy:rollingupdate:
RollingUpdateType: Health
RollingUpdateEnabled: true
Tags:
Cost Center: WebApp Dev
CName: front-A08G28LG+
EnvironmentName: front+
EnvironmentLinks:
"WORKERQUEUE" : "worker+"
```
The following keys are supported.
+ **AWSConfigurationTemplateVersion** (required) – The configuration template version (1.1.0.0).
```
AWSConfigurationTemplateVersion: 1.1.0.0
```
+ **Platform** – The Amazon Resource Name (ARN) of the environment's platform version. You can specify the platform by ARN or solution stack name.
```
Platform:
PlatformArn: arn:aws:elasticbeanstalk:us-east-2::platform/Java 8 running on 64bit Amazon Linux/2.5.0
```
+ **SolutionStack** – The full name of the [solution stack](concepts.platforms.md) used to create the environment.
```
SolutionStack: 64bit Amazon Linux 2017.03 v2.5.0 running Java 8
```
+ **OptionSettings** – [Configuration option](command-options.md) settings to apply to the environment. For example, the following entry sets the instance type to t2.micro.
```
OptionSettings:
aws:autoscaling:launchconfiguration:
InstanceType: t2.micro
```
+ **Tags** – Up to 47 tags to apply to resources created within the environment.
```
Tags:
Cost Center: WebApp Dev
```
+ **EnvironmentTier** – The type of environment to create. For a web server environment, you can exclude this section (web server is the default). For a worker environment, use the following.
```
EnvironmentTier:
Name: Worker
Type: SQS/HTTP
```
+ **CName** – The CNAME for the environment. Include a \$1 character at the end of the name to enable groups.
```
CName: front-A08G28LG+
```
+ **EnvironmentName** – The name of the environment to create. Include a \$1 character at the end of the name to enable groups.
```
EnvironmentName: front+
```
With groups enabled, you must specify a group name when you create the environments. Elastic Beanstalk appends the group name to the environment name with a hyphen. For example, with the environment name `front+` and the group name `dev`, Elastic Beanstalk will create the environment with the name `front-dev`.
+ **EnvironmentLinks** – A map of variable names and environment names of dependencies. The following example makes the `worker+` environment a dependency and tells Elastic Beanstalk to save the link information to a variable named `WORKERQUEUE`.
```
EnvironmentLinks:
"WORKERQUEUE" : "worker+"
```
The value of the link variable varies depending on the type of the linked environment. For a web server environment, the link is the environment's CNAME. For a worker environment, the link is the name of the environment's Amazon Simple Queue Service (Amazon SQS) queue.
The **CName**, **EnvironmentName** and **EnvironmentLinks** keys can be used to create [environment groups](environment-mgmt-compose.md) and [links to other environments](environment-cfg-links.md). These features are currently supported when using the EB CLI, AWS CLI or an SDK.
# Using a custom Amazon machine image (AMI) in your Elastic Beanstalk environment
This section explains when to consider using a custom AMI and provides the procedures to configure and manage the custom AMI in your environment. When you create an AWS Elastic Beanstalk environment, you can specify an Amazon Machine Image (AMI) to use instead of the standard Elastic Beanstalk AMI included in your platform version. A custom AMI can improve provisioning times when instances are launched in your environment if you need to install a lot of software that isn't included in the standard AMIs.
The use of [configuration files](ebextensions.md) is effective to customize your environment quickly and consistently. Although applying configurations can start to take a long time during environment creation and updates. If you do a lot of server configuration in configuration files, you can reduce this time by making a custom AMI that already has the software and configuration that you need.
A custom AMI also allows you to make changes to low-level components, such as the Linux kernel, that are difficult to implement or take a long time to apply in configuration files. To create a custom AMI, launch an Elastic Beanstalk platform AMI in Amazon EC2, customize the software and configuration to your needs, and then stop the instance and save an AMI from it.
## Creating a custom AMI
You can use [EC2 Image Builder](https://aws.amazon.com/image-builder) to create and manage custom AMIs as an alternative to these procedures. For more information, see the [Image Builder User Guide](https://docs.aws.amazon.com/imagebuilder/latest/userguide/what-is-image-builder.html).
**To identify the base Elastic Beanstalk AMI**
1. In a command window, run a command like the following. For more information, see [describe-platform-version](https://docs.aws.amazon.com/cli/latest/reference/elasticbeanstalk/describe-platform-version.html) in the *AWS CLI Command Reference*.
Specify the AWS Region where you want to use your custom AMI, and replace the platform ARN and version number with the Elastic Beanstalk platform that your application is based on.
**Example - Mac OS / Linux OS**
```
$ aws elasticbeanstalk describe-platform-version --region us-east-2 \
--platform-arn "arn:aws:elasticbeanstalk:us-east-2::platform/Node.js 20 running on 64bit Amazon Linux 2023/6.1.7" \
--query PlatformDescription.CustomAmiList
[
{
"VirtualizationType": "pv",
"ImageId": ""
},
{
"VirtualizationType": "hvm",
"ImageId": "ami-020ae06fdda6a0f66"
}
]
```
**Example - Windows OS**
```
C:\> aws elasticbeanstalk describe-platform-version --region us-east-2 --platform-arn"arn:aws:elasticbeanstalk:us-east-2::platform/
IIS 10.0 running on 64bit Windows Server 2022/2.15.3" --query PlatformDescription.CustomAmiList
[
{
"VirtualizationType": "pv",
"ImageId": ""
},
{
"VirtualizationType": "hvm",
"ImageId": "ami-020ae06fdda6a0f66"
}
]
```
1. Take note of the `ImageId` value that looks like `ami-020ae06fdda6a0f66` in the result.
The value is the stock Elastic Beanstalk AMI for the platform version, EC2 instance architecture, and AWS Region that are relevant for your application. If you need to create AMIs for multiple platforms, architectures or AWS Regions, repeat this process to identify the correct base AMI for each combination.
**Note**
Don't create an AMI from an instance that has been launched in an Elastic Beanstalk environment. Elastic Beanstalk makes changes to instances during provisioning that can cause issues in the saved AMI. Saving an image from an instance in an Elastic Beanstalk environment will also make the version of your application that was deployed to the instance a fixed part of the image.
For Linux, it is also possible to create a custom AMI from a community AMI that wasn't published by Elastic Beanstalk. You can use the latest [Amazon Linux](https://aws.amazon.com/amazon-linux-ami/) AMI as a starting point. When you launch an environment with a Linux AMI that isn't managed by Elastic Beanstalk, Elastic Beanstalk attempts to install platform software (language, framework, proxy server, etc.) and additional components to support features such as [Enhanced Health Reporting](health-enhanced.md).
**Note**
Custom AMIs based on Windows Server require the stock Elastic Beanstalk AMI returned from `describe-platform-version`, as shown earlier in Step 1.
Although Elastic Beanstalk can use an AMI that isn't managed by Elastic Beanstalk, the increase in provisioning time that results from Elastic Beanstalk installing missing components can reduce or eliminate the benefits of creating a custom AMI in the first place. Other Linux distributions might work with some troubleshooting but are not officially supported. If your application requires a specific Linux distribution, one alternative is to create a Docker image and run it on the Elastic Beanstalk [Docker platform](docker.md) or [Multicontainer Docker platform](create_deploy_docker_ecs.md).
**To create a custom AMI**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. Choose **Launch Instance**.
1. If you identified a base Elastic Beanstalk AMI (using `describe-platform-version`) or an Amazon Linux AMI, enter its AMI ID in the search box. Then press **Enter**.
You can also search the list for another community AMI that suits your needs.
**Note**
We recommend that you choose an AMI that uses HVM virtualization. These AMIs show **Virtualization type: hvm** in their description.
For more information, see [Virtualization types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ComponentsAMIs.html#virtualization_types) in the *Amazon EC2 User Guide*.
1. Choose **Select** to select the AMI.
1. Select an instance type, and then choose **Next: Configure Instance Details**.
1. **(For retired Amazon Linux AMI (AL1) platforms)** Skip this step if your environment runs on a supported Linux-based platform or on a Windows platform.
Expand the **Advanced Details** section and paste the following text in the **User Data** field.
```
#cloud-config
repo_releasever: repository version number
repo_upgrade: none
```
The *repository version number* is the year and month version in the AMI name. For example, AMIs based on the March 2015 release of Amazon Linux have a repository version number `2015.03`. For an Elastic Beanstalk image, this matches the date shown in the solution stack name for your [platform version](concepts.platforms.md) based on Amazon Linux AMI (preceding Amazon Linux 2).
**Note**
The `repo_releasever` setting configures the lock-on-launch feature for an Amazon Linux AMI. This causes the AMI to use a fixed, specific repository version when it launches. This feature isn't supported on Amazon Linux 2—don't specify it if your environment uses a current Amazon Linux 2 platform branch. The setting is required if you're using a custom AMI with Elastic Beanstalk only on Amazon Linux AMI platform branches (preceding Amazon Linux 2).
The `repo_upgrade` setting disables the automatic installation of security updates. It's required to use a custom AMI with Elastic Beanstalk.
1. Proceed through the wizard to [launch the EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launching-an-instance.html). When prompted, select a key pair that you have access to so that you can connect to the instance for the next steps.
1. [Connect to the instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstances.html) with SSH or RDP.
1. Perform any customizations you want.
1. **(Windows platforms)** Run the EC2Config service Sysprep. For information about EC2Config, see [Configuring a Windows Instance Using the EC2Config Service](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/UsingConfig_WinAMI.html). Ensure that Sysprep is configured to generate a random password that can be retrieved from the AWS Management Console.
1. In the Amazon EC2 console, stop the EC2 instance. Then on the **Instance Actions** menu, choose **Create Image (EBS AMI)**.
1. To avoid incurring additional AWS charges, [terminate the EC2 instance](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html).
**To use your custom AMI in an Elastic Beanstalk environment**
1. Open the [Elastic Beanstalk console](https://console.aws.amazon.com/elasticbeanstalk), and in the **Regions** list, select your AWS Region.
1. In the navigation pane, choose **Environments**, and then choose the name of your environment from the list.
1. In the navigation pane, choose **Configuration**.
1. In the **Capacity** configuration category, choose **Edit**.
1. For **AMI ID**, enter your custom AMI ID.
1. To save the changes choose **Apply** at the bottom of the page.
When you create a new environment with the custom AMI, you should use the same platform version that you used as a base to create the AMI.
## Managing an environment with a custom AMI
### Platform updates
When using a custom AMI, Elastic Beanstalk will continue to use the same custom AMI in an environment when its platform version is updated, regardless of whether the update is applied manually or via managed platform updates. The environment will **not** be reset to use the stock AMI of the new platform version.
We recommend that you create a new custom AMI based on the stock AMI of the new platform version. Doing so will apply the patches available in the new platform version and will also minimize deployment failures due to incompatible package or library versions.
For more information about creating a new custom AMI, see the [Creating a custom AMI](#using-features.customenv.create) earlier in this topic.
### Removing a custom AMI
If you would like to remove a custom AMI from an environment and reset it to use the stock AMI for the environment’s platform version, use the following CLI command.
```
aws elasticbeanstalk update-environment \
--application-name my-application \
--environment-name my-environment \
--region us-east-1 \
--options-to-remove Namespace=aws:autoscaling:launchconfiguration,OptionName=ImageId
```
**Note**
To avoid disruption of your service, test your application with a stock AMI before applying this change to your production environment.
## Cleaning up a custom AMI
When you are done with a custom AMI and don't need it to launch Elastic Beanstalk environments anymore, consider cleaning it up to minimize storage cost. Cleaning up a custom AMI involves deregistering it from Amazon EC2 and deleting other associated resources. For details, see [Deregistering Your Linux AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/deregister-ami.html) or [Deregistering Your Windows AMI](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/deregister-ami.html).
# Preserving access to an Amazon Machine Image (AMI) for a retired platform
Elastic Beanstalk sets a platform branch status to *retired* when the operating system or major component used by the branch reaches End of Life. The *base *Elastic Beanstalk AMI for the platform branch may also be made private to prevent the use of this out-of-date AMI. Environments using AMIs that have been made private will no longer be able to launch instances.
If you're unable to migrate your application to a supported environment before it's retired, your environment may be in this situation. The need to update an environment for a Beanstalk platform branch, where its base Elastic Beanstalk AMI has been made private, may arise. An alternative approach is available. You can update an existing environment based on a *copy* of the base Elastic Beanstalk AMI used by your environment.
This topic offers some steps and a standalone script to update an existing environment based on a *copy* of the base Elastic Beanstalk AMI used by your environment. Once you're able to migrate your application to a supported platform you can continue to use the standard procedures for maintaining your application and supported environments.
## Manual steps
**To update an environment based on an AMI copy of the base Elastic Beanstalk AMI**
1. **Determine which AMI your environment is using.** This command returns the AMI used by the Elastic Beanstalk environment that you provide in the parameters. The returned value is used as the *source-ami-id* in the next step.
In a command window, run a command like the following. For more information, see [describe-configuration-settings](https://docs.aws.amazon.com/cli/latest/reference/elasticbeanstalk/describe-configuration-settings.html) in the *AWS CLI Command Reference*.
Specify the AWS Region that stores the source AMI you want to copy. Replace the application name and environment name with those based on the source AMI. Enter the text for the query parameter as shown.
**Example**
```
>aws elasticbeanstalk describe-configuration-settings \
--application-name my-application \
--environment-name my-environment \
--region us-east-2 \
--query "ConfigurationSettings[0].OptionSettings[?OptionName=='ImageId'] | [0].Value"
```
1. **Copy the AMI into your account.** This command returns the new AMI that results from copying the *source-ami-id* that was returned in the prior step.
**Note**
Be sure to make a note of the new AMI id that is output by this command. You'll need to enter it in the next step, replacing *copied-ami-id* in the example command.
In a command window, run a command like the following. For more information, see [copy-image](https://docs.aws.amazon.com/cli/latest/reference/ec2/copy-image.html) in the *AWS CLI Command Reference*.
Specify the AWS Region of the source AMI you want to copy (**--source-region**) and the Region where you want to use your new custom AMI (**--region**). Replace *source-ami-id *with the AMI of the image that you're copying. The *source-ami-id* was returned by the command in the prior step. Replace *new-ami-name* with a name to describe the new AMI in the destination Region. The script that follows this procedure generates the new AMI name by appending the string "*Copy of*" to the beginning of the name of the *source-ami-id.*
```
>aws ec2 copy-image \
--region us-east-2 \
--source-image-id source-ami-id \
--source-region us-east-2 \
--name new-ami-name
```
1. **Update an environment to use the copied AMI.** After the command runs it returns the status of the environment.
In a command window, run a command like the following. For more information, see [update-environment](https://docs.aws.amazon.com/cli/latest/reference/elasticbeanstalk/update-environment.html) in the *AWS CLI Command Reference*.
Specify the AWS Region of the environment and application you need to update. Replace the application name and environment name with those you need to associate with the *copied-ami-id* from the prior step. For the **--option-setttings** parameter, replace *copied-ami-id* with the AMI id you noted from the output of the prior command.
```
>aws elasticbeanstalk update-environment \
--application-name my-application \
--environment-name my-environment \
--region us-east-2 \
--option-settings "Namespace=aws:autoscaling:launchconfiguration,OptionName=ImageId,Value=copied-ami-id"
```
**Note**
To minimize storage costs, consider cleaning up your custom AMI when you don't need it to launch Elastic Beanstalk environments anymore. For more information, see [Cleaning up a custom AMI](using-features.customenv.md#using-features.customenv.cleanup).
## Standalone script
The following script provides the same results as the previous manual steps. Download the script by selecting this link: [copy\$1ami\$1and\$1update\$1env.zip](samples/copy_ami_and_update_env.zip).
### Script source: copy\$1ami\$1and\$1update\$1env.sh
```
#!/bin/bash
set -ue
USAGE="This script is used to copy an AMI used by your Elastic Beanstalk environment into your account to use in your environment.\n\n"
USAGE+="Usage:\n\n"
USAGE+="./$(basename $0) [OPTIONS]\n"
USAGE+="OPTIONS:\n"
USAGE+="\t--application-name \tThe name of your Elastic Beanstalk application.\n"
USAGE+="\t--environment-name \tThe name of your Elastic Beanstalk environment.\n"
USAGE+="\t--region \t\t\tThe AWS region your Elastic Beanstalk environment is deployed to.\n"
USAGE+="\n\n"
USAGE+="Script Usage Example(s):\n"
USAGE+="./$(basename $0) --application-name my-application --environment-name my-environment --region us-east-1\n"
if [ $# -eq 0 ]; then
echo -e $USAGE
exit
fi
while [[ $# -gt 0 ]]; do
case $1 in
--application-name) APPLICATION_NAME="$2"; shift ;;
--environment-name) ENVIRONMENT_NAME="$2"; shift ;;
--region) REGION="$2"; shift ;;
*) echo "Unknown option $1" ; echo -e $USAGE ; exit ;;
esac
shift
done
aws_cli_version="$(aws --version)"
if [ $? -ne 0 ]; then
echo "aws CLI not found. Please install it: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html. Exiting."
exit 1
fi
echo "Using aws CLI version: ${aws_cli_version}"
account=$(aws sts get-caller-identity --query "Account" --output text)
echo "Using account ${account}"
environment_ami_id=$(aws elasticbeanstalk describe-configuration-settings \
--application-name "$APPLICATION_NAME" \
--environment-name "$ENVIRONMENT_NAME" \
--region "$REGION" \
--query "ConfigurationSettings[0].OptionSettings[?OptionName=='ImageId'] | [0].Value" \
--output text)
echo "Image associated with environment ${ENVIRONMENT_NAME} is ${environment_ami_id}"
owned_image=$(aws ec2 describe-images \
--owners self \
--image-ids "$environment_ami_id" \
--region "$REGION" \
--query "Images[0]" \
--output text)
if [ "$owned_image" != "None" ]; then
echo "${environment_ami_id} is already owned by account ${account}. Exiting."
exit
fi
source_image_name=$(aws ec2 describe-images \
--image-ids "$environment_ami_id" \
--region "$REGION" \
--query "Images[0].Name" \
--output text)
if [ "$source_image_name" = "None" ]; then
echo "Cannot find ${environment_ami_id}. Please contact AWS support if you need additional help: https://aws.amazon.com/support."
exit 1
fi
copied_image_name="Copy of ${source_image_name}"
copied_ami_id=$(aws ec2 describe-images \
--owners self \
--filters Name=name,Values="${copied_image_name}" \
--region "$REGION" \
--query "Images[0].ImageId" \
--output text)
if [ "$copied_ami_id" != "None" ]; then
echo "Detected that ${environment_ami_id} has already been copied by account ${account}. Skipping image copy."
else
echo "Copying ${environment_ami_id} to account ${account} with name ${copied_image_name}"
copied_ami_id=$(aws ec2 copy-image \
--source-image-id "$environment_ami_id" \
--source-region "$REGION" \
--name "$copied_image_name" \
--region "$REGION" \
--query "ImageId" \
--output text)
echo "New AMI ID is ${copied_ami_id}"
echo "Waiting for ${copied_ami_id} to become available"
aws ec2 wait image-available \
--image-ids "$copied_ami_id" \
--region "$REGION"
echo "${copied_ami_id} is now available"
fi
echo "Updating environment ${ENVIRONMENT_NAME} to use ${copied_ami_id}"
environment_status=$(aws elasticbeanstalk update-environment \
--application-name "$APPLICATION_NAME" \
--environment-name "$ENVIRONMENT_NAME" \
--option-settings "Namespace=aws:autoscaling:launchconfiguration,OptionName=ImageId,Value=${copied_ami_id}" \
--region "$REGION" \
--query "Status" \
--output text)
echo "Environment ${ENVIRONMENT_NAME} is now ${environment_status}"
echo "Waiting for environment ${ENVIRONMENT_NAME} update to complete"
aws elasticbeanstalk wait environment-updated \
--application-name "$APPLICATION_NAME" \
--environment-names "$ENVIRONMENT_NAME" \
--region "$REGION"
echo "Environment ${ENVIRONMENT_NAME} update complete"
```
**Note**
You must have the AWS CLI installed to execute the script. For installation instructions, see [Install or update the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.
After installing the AWS CLI, you must also configure it to use the AWS account that owns the environment. For more information, see [Configure the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) in the *AWS Command Line Interface User Guide*. The account must also have permissions to create an AMI and update the Elastic Beanstalk environment.
These steps describe the process that the script follows.
1. Print the account in use.
1. Determine which AMI is used by the environment (source AMI).
1. Check if the source AMI is already owned by the account. If yes, exit.
1. Determine the name of the source AMI so it can be used in the new AMI name. This also serves to confirm access to the source AMI.
1. Check if the source AMI has already been copied to the account. This is done by searching for AMIs with the name of the copied AMI owned by the account. If the AMI name has been changed in between script executions, it will copy the image again.
1. If the source AMI has not already been copied, copy the source AMI to the account and wait for the new AMI to be available.
1. Update the environment configuration to use the new AMI.
1. Wait for the environment update to complete.
After you extract the script from the [copy\$1ami\$1and\$1update\$1env.zip](samples/copy_ami_and_update_env.zip) file, run it by executing the following example. Replace the application name and environment name in the example with your own values.
```
>sh copy_ami_and_update_env.sh \
--application-name my-application \
--environment-name my-environment \
--region us-east-1
```
**Note**
To minimize storage costs, consider cleaning up your custom AMI when you don't need it to launch Elastic Beanstalk environments anymore. For more information, see [Cleaning up a custom AMI](using-features.customenv.md#using-features.customenv.cleanup).
# Serving static files
To improve performance, you can configure the proxy server to serve static files (for example, HTML or images) from a set of directories inside your web application. When the proxy server receives a request for a file under the specified path, it serves the file directly instead of routing the request to your application.
Elastic Beanstalk supports configuring the proxy to serve static files on most platform branches based on Amazon Linux 2. The one exception is Docker.
**Note**
On the Python and Ruby platforms, Elastic Beanstalk configures some static file folders by default. For details, see the static file configuration sections for [Python](create-deploy-python-container.md#python-platform-staticfiles) and [Ruby](create_deploy_Ruby.container.md#create_deploy_Ruby.container.console.staticfiles). You can configure additional folders as explained on this page.
## Configure static files using the console
**To configure the proxy server to serve static files**
1. Open the [Elastic Beanstalk console](https://console.aws.amazon.com/elasticbeanstalk), and in the **Regions** list, select your AWS Region.
1. In the navigation pane, choose **Environments**, and then choose the name of your environment from the list.
1. In the navigation pane, choose **Configuration**.
1. In the **Updates, monitoring, and logging** configuration category, choose **Edit**.
1. Scroll to the **Platform software** section and locate the **Static files** group.
1. To add a static file mapping, select **Add static files**. In the extra row that appears you'll enter a *path* for serving static files and the *directory* that contains the static files to serve.
+ In the **Path** field, start the path name with a slash (`/`) (for example, "*/images*").
+ In the **Directory** field, specify a directory name located in the root of your application's source code. Don't start it with a slash (for example, "*static/image-files*").
**Note**
If you aren't seeing the **Static files** section, you have to add at least one mapping by using a [configuration file](ebextensions.md). For details, see [Configure static files using configuration options](#environment-cfg-staticfiles.namespace) on this page.
1. To remove a mapping, select **Remove**.
1. To save the changes choose **Apply** at the bottom of the page.
## Configure static files using configuration options
You can use a [configuration file](ebextensions.md) to configure static file paths and directory locations using configuration options. You can add a configuration file to your application's source bundle and deploy it during environment creation or a later deployment.
If your environment uses a platform branch based on Amazon Linux 2, use the `aws:elasticbeanstalk:environment:proxy:staticfiles` namespace.
The following example configuration file tells the proxy server to serve files in the `statichtml` folder at the path `/html`, and files in the `staticimages` folder at the path `/images`.
**Example .ebextensions/static-files.config**
```
option_settings:
aws:elasticbeanstalk:environment:proxy:staticfiles:
/html: statichtml
/images: staticimages
```
If your Elastic Beanstalk environment uses an Amazon Linux AMI platform version (preceding Amazon Linux 2), read the following additional information:
### Amazon Linux AMI platform-specific namespaces
On Amazon Linux AMI platform branches, static file configuration namespaces vary by platform. For details, see one of the following pages:
+ [Go configuration namespace](go-environment.md#go-namespaces)
+ [Java SE configuration namespace](java-se-platform.md#java-se-namespaces)
+ [Tomcat configuration namespaces](java-tomcat-platform.md#java-tomcat-namespaces)
+ [Node.js configuration namespace](create_deploy_nodejs.container.md#nodejs-namespaces)
+ [Python configuration namespaces](create-deploy-python-container.md#python-namespaces)
# Configuring HTTPS for your Elastic Beanstalk environment
This topics in this section explain how to configure HTTPS for your Elastic Beanstalk environment. HTTPS is a must for any application that transmits user data or login information.
If you've purchased and configured a [custom domain name](customdomains.md) for your Elastic Beanstalk environment, you can use HTTPS to allow users to connect to your web site securely.
If you don't own a domain name, you can still use HTTPS with a self-signed certificate for development and testing purposes. For more information, see [Server certificates](configuring-https.certificate.md).
**Configuring HTTPS Termination at the load balancer**
A load balancer distributes requests to the EC2 instances running your application. A load balancer also eliminates the need to expose your instances directly to the internet. The simplest way to use HTTPS with an Elastic Beanstalk multi-instance environment is to configure a secure listener for the load balancer. The connection between the client and the load balancer remains secure, so you can configure the load balancer to terminate HTTPS. The back end connections between the load balancer and EC2 instances use HTTP, so no additional configuration of the instances is required. For detailed instructions to configure a secure listenter, see [Configuring HTTPS Termination at the load balancer](configuring-https-elb.md).
**Configuring HTTPS Termination at the EC2 instance**
If you run your application in a single instance environment, or need to secure the connection all the way to the EC2 instances behind the load balancer, you can configure the proxy server that runs on the instance to terminate HTTPS. Configuring your instances to terminate HTTPS connections requires the use of [configuration files](ebextensions.md) to modify the software running on the instances, and to modify security groups to allow secure connections. For more information, see [Configuring HTTPS Termination at the instance](https-singleinstance.md).
**Configuring HTTPS end-to-end**
For end-to-end HTTPS in a load-balanced environment, you can combine instance and load balancer termination to encrypt both connections. By default, if you configure the load balancer to forward traffic using HTTPS, it will trust any certificate presented to it by the backend instances. For maximum security, you can attach policies to the load balancer that prevent it from connecting to instances that don't present a public certificate that it trusts. For more information, see [Configuring end-to-end encryption in a load-balanced Elastic Beanstalk environment](configuring-https-endtoend.md).
**Configuring HTTPS with TCP Passthrough**
You can also configure the load balancer to relay HTTPS traffic without decrypting it. For more information, see [Configuring your environment's load balancer for TCP Passthrough](https-tcp-passthrough.md).
**Note**
The [Does it have Snakes?](https://github.com/awslabs/eb-tomcat-snakes) sample application on GitHub includes configuration files and instructions for each method of configuring HTTPS with a Tomcat web application. See the [readme file](https://github.com/awslabs/eb-tomcat-snakes/blob/master/README.md) and [HTTPS instructions](https://github.com/awslabs/eb-tomcat-snakes/blob/master/src/.ebextensions/inactive/HTTPS.md) for details.
**Topics**
+ [
# Server certificates
](configuring-https.certificate.md)
+ [
# Configuring HTTPS Termination at the load balancer
](configuring-https-elb.md)
+ [
# Configuring HTTPS Termination at the instance
](https-singleinstance.md)
+ [
# Configuring end-to-end encryption in a load-balanced Elastic Beanstalk environment
](configuring-https-endtoend.md)
+ [
# Configuring your environment's load balancer for TCP Passthrough
](https-tcp-passthrough.md)
+ [
# Configuring HTTP to HTTPS redirection
](configuring-https-httpredirect.md)
# Server certificates
This topic describes the different types of certificates you can use to configure HTTPS and when to apply each. The subtopics in this section provide instructions to create your own certificate and how to upload it.
**AWS Certificate Manager (ACM)**
ACM is the preferred tool to provision, manage, and deploy your server certificates. You can do so programmatically or using the AWS CLI. With ACM you can create a trusted certificate for your domain names for free.
ACM certificates can only be used with AWS load balancers and Amazon CloudFront distributions, and ACM is available only in certain AWS Regions. To use an ACM certificate with Elastic Beanstalk, see [Configuring HTTPS Termination at the load balancer](configuring-https-elb.md). For more information about ACM see the [https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html).
**Note**
For a list of regions where ACM is available, see [ACM endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/acm.html) in the *Amazon Web Services General Reference*.
If ACM is not available in your AWS Region, you can upload a third-party or self-signed certificate and private key to AWS Identity and Access Management (IAM). You can use the AWS CLI to upload the certificate. Certificates stored in IAM can be used with load balancers and CloudFront distributions. For more information, see [Upload a certificate to IAM](configuring-https-ssl-upload.md).
**Third party certificate**
If ACM is not available in your region, you can purchase a trusted certificate from a third party. A third-party certificate can be used to decrypt HTTPS traffic at your load balancer, on the backend instances, or both.
**Self-signed certificate**
For development and testing, you can [create and sign a certificate](configuring-https-ssl.md) yourself with open source tools. Self-signed certificates are free and easy to create, but cannot be used for front-end decryption on public sites. If you attempt to use a self-signed certificate for an HTTPS connection to a client, the user's browser displays an error message indicating that your web site is unsafe. You can, however, use a self-signed certificate to secure backend connections without issue.
# Create and sign an X509 certificate
You can create an X509 certificate for your application with `OpenSSL`. OpenSSL is a standard, open source library that supports a wide range of cryptographic functions, including the creation and signing of x509 certificates. For more information about OpenSSL, visit [www.openssl.org](https://www.openssl.org/).
**Note**
You only need to create a certificate locally if you want to [use HTTPS in a single instance environment](https-singleinstance.md) or [re-encrypt on the backend](configuring-https-endtoend.md) with a self-signed certificate. If you own a domain name, you can create a certificate in AWS and use it with a load-balanced environment for free by using AWS Certificate Manager (ACM). See [Request a Certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request.html) in the *AWS Certificate Manager User Guide* for instructions.
Run `openssl version` at the command line to see if you already have OpenSSL installed. If you don't, you can build and install the source code using the instructions at the [public GitHub repository](https://github.com/openssl/openssl), or use your favorite package manager. OpenSSL is also installed on Elastic Beanstalk's Linux images, so a quick alternative is to connect to an EC2 instance in a running environment by using the [EB CLI](eb-cli3.md)'s **eb ssh** command:
```
~/eb$ eb ssh
[ec2-user@ip-255-55-55-255 ~]$ openssl version
OpenSSL 1.0.1k-fips 8 Jan 2015
```
You need to create an RSA private key to create your certificate signing request (CSR). To create your private key, use the **openssl genrsa** command:
```
[ec2-user@ip-255-55-55-255 ~]$ openssl genrsa 2048 > privatekey.pem
Generating RSA private key, 2048 bit long modulus
.................................................................................................................................+++
...............+++
e is 65537 (0x10001)
```
*privatekey.pem*
The name of the file where you want to save the private key. Normally, the **openssl genrsa** command prints the private key contents to the screen, but this command pipes the output to a file. Choose any file name, and store the file in a secure place so that you can retrieve it later. If you lose your private key, you won't be able to use your certificate.
A CSR is a file you send to a certificate authority (CA) to apply for a digital server certificate. To create a CSR, use the **openssl req** command:
```
$ openssl req -new -key privatekey.pem -out csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
```
Enter the information requested and press **Enter**. The following table describes and shows examples for each field.
****
| Name | Description | Example |
| --- | --- | --- |
| Country Name | The two-letter ISO abbreviation for your country. | US = United States |
| State or Province | The name of the state or province where your organization is located. You cannot abbreviate this name. | Washington |
| Locality Name | The name of the city where your organization is located. | Seattle |
| Organization Name | The full legal name of your organization. Do not abbreviate your organization name. | Example Corporation |
| Organizational Unit | Optional, for additional organization information. | Marketing |
| Common Name | The fully qualified domain name for your web site. This must match the domain name that users see when they visit your site, otherwise certificate errors will be shown. | www.example.com |
| Email address | The site administrator's email address. | someone@example.com |
You can submit the signing request to a third party for signing, or sign it yourself for development and testing. Self-signed certificates can also be used for backend HTTPS between a load balancer and EC2 instances.
To sign the certificate, use the **openssl x509** command. The following example uses the private key from the previous step (*privatekey.pem*) and the signing request (*csr.pem*) to create a public certificate named *public.crt* that is valid for *365* days.
```
$ openssl x509 -req -days 365 -in csr.pem -signkey privatekey.pem -out public.crt
Signature ok
subject=/C=us/ST=washington/L=seattle/O=example corporation/OU=marketing/CN=www.example.com/emailAddress=someone@example.com
Getting Private key
```
Keep the private key and public certificate for later use. You can discard the signing request. Always [store the private key in a secure location](https-storingprivatekeys.md) and avoid adding it to your source code.
To use the certificate with the Windows Server platform, you must convert it to a PFX format. Use the following command to create a PFX certificate from the private key and public certificate files:
```
$ openssl pkcs12 -export -out example.com.pfx -inkey privatekey.pem -in public.crt
Enter Export Password: password
Verifying - Enter Export Password: password
```
Now that you have a certificate, you can [upload it to IAM](configuring-https-ssl-upload.md) for use with a load balancer, or [configure the instances in your environment to terminate HTTPS](https-singleinstance.md).
# Upload a certificate to IAM
To use your certificate with your Elastic Beanstalk environment's load balancer, upload the certificate and private key to AWS Identity and Access Management (IAM). You can use a certificate stored in IAM with Elastic Load Balancing load balancers and Amazon CloudFront distributions.
**Note**
AWS Certificate Manager (ACM) is the preferred tool to provision, manage, and deploy your server certificates. For more information about requesting an ACM certificate, see [Request a Certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request.html) in the *AWS Certificate Manager User Guide*. For more information about importing third-party certificates into ACM, see [Importing Certificates](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html) in the *AWS Certificate Manager User Guide*. Use IAM to upload a certificate only if ACM is not [available in your AWS Region](https://docs.aws.amazon.com/general/latest/gr/acm.html).
You can use the AWS Command Line Interface (AWS CLI) to upload your certificate. The following command uploads a self-signed certificate named *https-cert.crt* with a private key named *private-key.pem*:
```
$ aws iam upload-server-certificate --server-certificate-name elastic-beanstalk-x509 --certificate-body file://https-cert.crt --private-key file://private-key.pem
{
"ServerCertificateMetadata": {
"ServerCertificateId": "AS5YBEIONO2Q7CAIHKNGC",
"ServerCertificateName": "elastic-beanstalk-x509",
"Expiration": "2017-01-31T23:06:22Z",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:server-certificate/elastic-beanstalk-x509",
"UploadDate": "2016-02-01T23:10:34.167Z"
}
}
```
The `file://` prefix tells the AWS CLI to load the contents of a file in the current directory. *elastic-beanstalk-x509* specifies the name to call the certificate in IAM.
If you purchased a certificate from a certificate authority and received a certificate chain file, upload that as well by including the `--certificate-chain` option:
```
$ aws iam upload-server-certificate --server-certificate-name elastic-beanstalk-x509 --certificate-chain file://certificate-chain.pem --certificate-body file://https-cert.crt --private-key file://private-key.pem
```
Make note of the Amazon Resource Name (ARN) for your certificate. You'll use it when you update your load balancer configuration settings to use HTTPS.
**Note**
A certificate uploaded to IAM stays stored even after it's no longer used in any environment's load balancer. It contains sensitive data. When you no longer need the certificate for any environment, be sure to delete it. For details about deleting a certificate from IAM, see [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html#delete-server-certificate](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html#delete-server-certificate).
For more information about server certificates in IAM, see [Working with Server Certificates](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html) in the *IAM User Guide*.
# Storing private keys securely in Amazon S3
The private key that you use to sign your public certificate is private and should not be committed to source code. You can avoid storing private keys in configuration files by uploading them to Amazon S3, and configuring Elastic Beanstalk to download the file from Amazon S3 during application deployment.
The following example shows the [Resources](environment-resources.md) and [files](customize-containers-ec2.md#linux-files) sections of a [configuration file](ebextensions.md) downloads a private key file from an Amazon S3 bucket.
**Example .ebextensions/privatekey.config**
```
Resources:
AWSEBAutoScalingGroup:
Metadata:
AWS::CloudFormation::Authentication:
S3Auth:
type: "s3"
buckets: ["elasticbeanstalk-us-west-2-123456789012"]
roleName:
"Fn::GetOptionSetting":
Namespace: "aws:autoscaling:launchconfiguration"
OptionName: "IamInstanceProfile"
DefaultValue: "aws-elasticbeanstalk-ec2-role"
files:
# Private key
"/etc/pki/tls/certs/server.key":
mode: "000400"
owner: root
group: root
authentication: "S3Auth"
source: https://elasticbeanstalk-us-west-2-123456789012.s3.us-west-2.amazonaws.com/server.key
```
Replace the bucket name and URL in the example with your own. The first entry in this file adds an authentication method named `S3Auth` to the environment's Auto Scaling group's metadata. If you have configured a custom [instance profile](concepts-roles-instance.md) for your environment, that will be used, otherwise the default value of `aws-elasticbeanstalk-ec2-role` is applied. The default instance profile has permission to read from the Elastic Beanstalk storage bucket. If you use a different bucket, [add permissions to the instance profile](iam-instanceprofile.md#iam-instanceprofile-addperms).
The second entry uses the `S3Auth` authentication method to download the private key from the specified URL and save it to `/etc/pki/tls/certs/server.key`. The proxy server can then read the private key from this location to [terminate HTTPS connections at the instance](https-singleinstance.md).
The instance profile assigned to your environment's EC2 instances must have permission to read the key object from the specified bucket. [Verify that the instance profile has permission](iam-instanceprofile.md#iam-instanceprofile-verify) to read the object in IAM, and that the permissions on the bucket and object do not prohibit the instance profile.
**To view a bucket's permissions**
1. Open the [Amazon S3 Management Console](https://console.aws.amazon.com/s3/home).
1. Choose a bucket.
1. Choose **Properties** and then choose **Permissions**.
1. Verify that your account is a grantee on the bucket with read permission.
1. If a bucket policy is attached, choose **Bucket policy** to view the permissions assigned to the bucket.
# Configuring HTTPS Termination at the load balancer
To update your AWS Elastic Beanstalk environment to use HTTPS, you need to configure an HTTPS listener for the load balancer in your environment. Two types of load balancer support an HTTPS listener: Classic Load Balancer and Application Load Balancer.
You can use the Elastic Beanstalk console or a configuration file to configure a secure listener and assign the certificate.
**Note**
Single-instance environments don't have a load balancer and don't support HTTPS termination at the load balancer.
## Configuring a secure listener using the Elastic Beanstalk console
**To assign a certificate to your environment's load balancer**
1. Open the [Elastic Beanstalk console](https://console.aws.amazon.com/elasticbeanstalk), and in the **Regions** list, select your AWS Region.
1. In the navigation pane, choose **Environments**, and then choose the name of your environment from the list.
1. In the navigation pane, choose **Configuration**.
1. In the **Load balancer** configuration category, choose **Edit**.
**Note**
If the **Load balancer** configuration category doesn't have an **Edit** button, your environment doesn't have a [load balancer](using-features-managing-env-types.md#using-features.managing.changetype).
1. On the **Modify load balancer** page, the procedure varies depending on the type of load balancer associated with your environment.
+ **Classic Load Balancer**
1. Choose **Add listener**.
1. In the **Classic Load Balancer listener** dialog box, configure the following settings:
+ For **Listener port**, type the incoming traffic port, typically `443`.
+ For **Listener protocol**, choose **HTTPS**.
+ For **Instance port**, type `80`.
+ For **Instance protocol**, choose **HTTP**.
+ For **SSL certificate**, choose your certificate.
1. Choose **Add**.
+ **Application Load Balancer**
1. Choose **Add listener**.
1. In the **Application Load Balancer listener** dialog box, configure the following settings:
+ For **Port**, type the incoming traffic port, typically `443`.
+ For **Protocol**, choose **HTTPS**.
+ For **SSL certificate**, choose your certificate.
1. Choose **Add**.
**Note**
For Classic Load Balancer and Application Load Balancer, if the drop-down menu doesn't show any certificates, you should create or upload a certificate for your [custom domain name](customdomains.md) in [AWS Certificate Manager (ACM)](https://docs.aws.amazon.com/acm/latest/userguide/) (preferred). Alternatively, upload a certificate to IAM with the AWS CLI.
+ **Network Load Balancer**
1. Choose **Add listener**.
1. In the **Network Load Balancer listener** dialog box, for **Port**, type the incoming traffic port, typically `443`.
1. Choose **Add**.
1. To save the changes choose **Apply** at the bottom of the page.
## Configuring a secure listener using a configuration file
You can configure a secure listener on your load balancer with one of the following [configuration files](ebextensions.md).
**Example .ebextensions/securelistener-clb.config**
Use this example when your environment has a Classic Load Balancer. The example uses options in the `aws:elb:listener` namespace to configure an HTTPS listener on port 443 with the specified certificate, and to forward the decrypted traffic to the instances in your environment on port 80.
```
option_settings:
aws:elb:listener:443:
SSLCertificateId: arn:aws:acm:us-east-2:1234567890123:certificate/####################################
ListenerProtocol: HTTPS
InstancePort: 80
```
Replace the highlighted text with the ARN of your certificate. The certificate can be one that you created or uploaded in AWS Certificate Manager (ACM) (preferred), or one that you uploaded to IAM with the AWS CLI.
For more information about Classic Load Balancer configuration options, see [Classic Load Balancer configuration namespaces](environments-cfg-clb.md#environments-cfg-clb-namespace).
**Example .ebextensions/securelistener-alb.config**
Use this example when your environment has an Application Load Balancer. The example uses options in the `aws:elbv2:listener` namespace to configure an HTTPS listener on port 443 with the specified certificate. The listener routes traffic to the default process.
```
option_settings:
aws:elbv2:listener:443:
ListenerEnabled: 'true'
Protocol: HTTPS
SSLCertificateArns: arn:aws:acm:us-east-2:1234567890123:certificate/####################################
```
**Example .ebextensions/securelistener-nlb.config**
Use this example when your environment has a Network Load Balancer. The example uses options in the `aws:elbv2:listener` namespace to configure a listener on port 443. The listener routes traffic to the default process.
```
option_settings:
aws:elbv2:listener:443:
ListenerEnabled: 'true'
```
## Configuring a security group
If you configure your load balancer to forward traffic to an instance port other than port 80, you must add a rule to your security group that allows inbound traffic over the instance port from your load balancer. If you create your environment in a custom VPC, Elastic Beanstalk adds this rule for you.
You add this rule by adding a `Resources` key to a [configuration file](ebextensions.md) in the `.ebextensions` directory for your application.
The following example configuration file adds an ingress rule to the `AWSEBSecurityGroup` security group. This allows traffic on port 1000 from the load balancer's security group.
**Example .ebextensions/sg-ingressfromlb.config**
```
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 1000
FromPort: 1000
SourceSecurityGroupId: {"Fn::GetAtt" : ["AWSEBLoadBalancerSecurityGroup", "GroupId"]}
```
# Configuring HTTPS Termination at the instance
You can use [configuration files](ebextensions.md) to configure the proxy server that passes traffic to your application to terminate HTTPS connections. This is useful if you want to use HTTPS with a single instance environment, or if you configure your load balancer to pass traffic through without decrypting it.
To enable HTTPS, you must allow incoming traffic on port 443 to the EC2 instance that your Elastic Beanstalk application is running on. You do this by using the `Resources` key in the configuration file to add a rule for port 443 to the ingress rules for the AWSEBSecurityGroup security group.
The following snippet adds an ingress rule to the `AWSEBSecurityGroup` security group that opens port 443 to all traffic for a single instance environment:
**`.ebextensions/https-instance-securitygroup.config`**
```
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
```
In a load-balanced environment in a default [Amazon Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/) (Amazon VPC), you can modify this policy to only accept traffic from the load balancer. See [Configuring end-to-end encryption in a load-balanced Elastic Beanstalk environment](configuring-https-endtoend.md) for an example.
**Topics**
+ [
# Terminating HTTPS on EC2 instances running Docker
](https-singleinstance-docker.md)
+ [
# Terminating HTTPS on EC2 instances running Go
](https-singleinstance-go.md)
+ [
# Terminating HTTPS on EC2 instances running Java SE
](https-singleinstance-java.md)
+ [
# Terminating HTTPS on EC2 instances running Node.js
](https-singleinstance-nodejs.md)
+ [
# Terminating HTTPS on EC2 instances running PHP
](https-singleinstance-php.md)
+ [
# Terminating HTTPS on EC2 instances running Python
](https-singleinstance-python.md)
+ [
# Terminating HTTPS on EC2 instances running Ruby
](https-singleinstance-ruby.md)
+ [
# Terminating HTTPS on EC2 instances running Tomcat
](https-singleinstance-tomcat.md)
+ [
# Terminating HTTPS on Amazon EC2 instances running .NET Core on Linux
](https-singleinstance-dotnet-linux.md)
+ [
# Terminating HTTPS on Amazon EC2 instances running .NET
](SSLNET.SingleInstance.md)
# Terminating HTTPS on EC2 instances running Docker
For Docker containers, you use a [configuration file](ebextensions.md) to enable HTTPS.
Add the following snippet to your configuration file, replacing the certificate and private key material as instructed, and save it in your source bundle's `.ebextensions` directory. The configuration file performs the following tasks:
+ The `files` key creates the following files on the instance:
`/etc/nginx/conf.d/https.conf`
Configures the nginx server. This file is loaded when the nginx service starts.
`/etc/pki/tls/certs/server.crt`
Creates the certificate file on the instance. Replace *certificate file contents* with the contents of your certificate.
YAML relies on consistent indentation. Match the indentation level when replacing content in an example configuration file and ensure that your text editor uses spaces, not tab characters, to indent.
If you have intermediate certificates, include them in `server.crt` after your site certificate.
```
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
first intermediate certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
second intermediate certificate
-----END CERTIFICATE-----
```
`/etc/pki/tls/certs/server.key`
Creates the private key file on the instance. Replace *private key contents* with the contents of the private key used to create the certificate request or self-signed certificate.
**Example .ebextensions/https-instance.config**
```
files:
/etc/nginx/conf.d/https.conf:
mode: "000644"
owner: root
group: root
content: |
# HTTPS Server
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/pki/tls/certs/server.crt;
ssl_certificate_key /etc/pki/tls/certs/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://docker;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN RSA PRIVATE KEY-----
private key contents # See note below.
-----END RSA PRIVATE KEY-----
```
**Note**
Avoid committing a configuration file that contains your private key to source control. After you have tested the configuration and confirmed that it works, store your private key in Amazon S3 and modify the configuration to download it during deployment. For instructions, see [Storing private keys securely in Amazon S3](https-storingprivatekeys.md).
In a single instance environment, you must also modify the instance's security group to allow traffic on port 443. The following configuration file retrieves the security group's ID using an CloudFormation [function](ebextensions-functions.md) and adds a rule to it.
**Example .ebextensions/https-instance-single.config**
```
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
```
For a load-balanced environment, you configure the load balancer to either [pass secure traffic through untouched](https-tcp-passthrough.md), or [decrypt and re-encrypt](configuring-https-endtoend.md) for end-to-end encryption.
# Terminating HTTPS on EC2 instances running Go
For Go container types, you enable HTTPS with a [configuration file](ebextensions.md) and an nginx configuration file that configures the nginx server to use HTTPS.
Add the following snippet to your configuration file, replacing the certificate and private key placeholders as instructed, and save it in your source bundle's `.ebextensions` directory. The configuration file performs the following tasks:
+ The `Resources` key enables port 443 on the security group used by your environment's instance.
+ The `files` key creates the following files on the instance:
`/etc/pki/tls/certs/server.crt`
Creates the certificate file on the instance. Replace *certificate file contents* with the contents of your certificate.
YAML relies on consistent indentation. Match the indentation level when replacing content in an example configuration file and ensure that your text editor uses spaces, not tab characters, to indent.
If you have intermediate certificates, include them in `server.crt` after your site certificate.
```
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
first intermediate certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
second intermediate certificate
-----END CERTIFICATE-----
```
`/etc/pki/tls/certs/server.key`
Creates the private key file on the instance. Replace *private key contents* with the contents of the private key used to create the certificate request or self-signed certificate.
**Example .ebextensions/https-instance.config**
```
files:
/etc/pki/tls/certs/server.crt:
content: |
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
content: |
-----BEGIN RSA PRIVATE KEY-----
private key contents # See note below.
-----END RSA PRIVATE KEY-----
```
**Note**
Avoid committing a configuration file that contains your private key to source control. After you have tested the configuration and confirmed that it works, store your private key in Amazon S3 and modify the configuration to download it during deployment. For instructions, see [Storing private keys securely in Amazon S3](https-storingprivatekeys.md).
Place the following in a file with the `.conf` extension in the `.ebextensions/nginx/conf.d/` directory of your source bundle (e.g., `.ebextensions/nginx/conf.d/https.conf`). Replace *app\$1port* with the port number that your application listens on. This example configures the nginx server to listen on port 443 using SSL. For more information about these configuration files on the Go platform, see [Configuring the proxy server](go-nginx.md).
**Example .ebextensions/nginx/conf.d/https.conf**
```
# HTTPS server
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/pki/tls/certs/server.crt;
ssl_certificate_key /etc/pki/tls/certs/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://localhost:app_port;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
```
In a single instance environment, you must also modify the instance's security group to allow traffic on port 443. The following configuration file retrieves the security group's ID using an CloudFormation [function](ebextensions-functions.md) and adds a rule to it.
**Example .ebextensions/https-instance-single.config**
```
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
```
For a load-balanced environment, you configure the load balancer to either [pass secure traffic through untouched](https-tcp-passthrough.md), or [decrypt and re-encrypt](configuring-https-endtoend.md) for end-to-end encryption.
# Terminating HTTPS on EC2 instances running Java SE
For Java SE container types, you enable HTTPS with an .ebextensions [configuration file](ebextensions.md), and an nginx configuration file that configures the nginx server to use HTTPS.
All AL2023/AL2 platforms support a uniform proxy configuration feature. For more information about configuring the proxy server on your platform versions running AL2023/AL2, see [Reverse proxy configuration](platforms-linux-extend.proxy.md).
Add the following snippet to your configuration file, replacing the certificate and private key placeholders as instructed, and save it in the `.ebextensions` directory. The configuration file performs the following tasks:
+ The `files` key creates the following files on the instance:
`/etc/pki/tls/certs/server.crt`
Creates the certificate file on the instance. Replace *certificate file contents* with the contents of your certificate.
YAML relies on consistent indentation. Match the indentation level when replacing content in an example configuration file and ensure that your text editor uses spaces, not tab characters, to indent.
If you have intermediate certificates, include them in `server.crt` after your site certificate.
```
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
first intermediate certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
second intermediate certificate
-----END CERTIFICATE-----
```
`/etc/pki/tls/certs/server.key`
Creates the private key file on the instance. Replace *private key contents* with the contents of the private key used to create the certificate request or self-signed certificate.
**Example .ebextensions/https-instance.config**
```
files:
/etc/pki/tls/certs/server.crt:
content: |
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
content: |
-----BEGIN RSA PRIVATE KEY-----
private key contents # See note below.
-----END RSA PRIVATE KEY-----
```
**Note**
Avoid committing a configuration file that contains your private key to source control. After you have tested the configuration and confirmed that it works, store your private key in Amazon S3 and modify the configuration to download it during deployment. For instructions, see [Storing private keys securely in Amazon S3](https-storingprivatekeys.md).
Place the following in a file with the `.conf` extension in the `.ebextensions/nginx/conf.d/` directory of your source bundle (e.g., `.ebextensions/nginx/conf.d/https.conf`). Replace *app\$1port* with the port number that your application listens on. This example configures the nginx server to listen on port 443 using SSL. For more information about these configuration files on the Java SE platform, see [Configuring the proxy server](java-se-nginx.md).
**Example .ebextensions/nginx/conf.d/https.conf**
```
# HTTPS server
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/pki/tls/certs/server.crt;
ssl_certificate_key /etc/pki/tls/certs/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://localhost:app_port;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
```
In a single instance environment, you must also modify the instance's security group to allow traffic on port 443. The following configuration file retrieves the security group's ID using an CloudFormation [function](ebextensions-functions.md) and adds a rule to it.
**Example .ebextensions/https-instance-single.config**
```
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
```
For a load-balanced environment, you configure the load balancer to either [pass secure traffic through untouched](https-tcp-passthrough.md), or [decrypt and re-encrypt](configuring-https-endtoend.md) for end-to-end encryption.
# Terminating HTTPS on EC2 instances running Node.js
The following example configuration file [extends the default nginx configuration](nodejs-platform-proxy.md) to listen on port 443 and terminate SSL/TLS connections with a public certificate and private key.
If you configured your environment for [enhanced health reporting](health-enhanced.md), you need to configure nginx to generate access logs. To do that, uncomment the block of lines under the comment that reads `# For enhanced health...` by removing the leading `#` characters.
**Example .ebextensions/https-instance.config**
```
files:
/etc/nginx/conf.d/https.conf:
mode: "000644"
owner: root
group: root
content: |
# HTTPS server
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/pki/tls/certs/server.crt;
ssl_certificate_key /etc/pki/tls/certs/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# For enhanced health reporting support, uncomment this block:
#if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
# set $year $1;
# set $month $2;
# set $day $3;
# set $hour $4;
#}
#access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
#access_log /var/log/nginx/access.log main;
location / {
proxy_pass http://nodejs;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN RSA PRIVATE KEY-----
private key contents # See note below.
-----END RSA PRIVATE KEY-----
```
The `files` key creates the following files on the instance:
`/etc/nginx/conf.d/https.conf`
Configures the nginx server. This file is loaded when the nginx service starts.
`/etc/pki/tls/certs/server.crt`
Creates the certificate file on the instance. Replace *certificate file contents* with the contents of your certificate.
YAML relies on consistent indentation. Match the indentation level when replacing content in an example configuration file and ensure that your text editor uses spaces, not tab characters, to indent.
If you have intermediate certificates, include them in `server.crt` after your site certificate.
```
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
first intermediate certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
second intermediate certificate
-----END CERTIFICATE-----
```
`/etc/pki/tls/certs/server.key`
Creates the private key file on the instance. Replace *private key contents* with the contents of the private key used to create the certificate request or self-signed certificate.
**Note**
Avoid committing a configuration file that contains your private key to source control. After you have tested the configuration and confirmed that it works, store your private key in Amazon S3 and modify the configuration to download it during deployment. For instructions, see [Storing private keys securely in Amazon S3](https-storingprivatekeys.md).
In a single instance environment, you must also modify the instance's security group to allow traffic on port 443. The following configuration file retrieves the security group's ID using an CloudFormation [function](ebextensions-functions.md) and adds a rule to it.
**Example .ebextensions/https-instance-single.config**
```
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
```
For a load-balanced environment, you configure the load balancer to either [pass secure traffic through untouched](https-tcp-passthrough.md), or [decrypt and re-encrypt](configuring-https-endtoend.md) for end-to-end encryption.
# Terminating HTTPS on EC2 instances running PHP
For PHP container types, you use a [configuration file](ebextensions.md) to enable the Apache HTTP Server to use HTTPS.
Add the following snippet to your configuration file, replacing the certificate and private key material as instructed, and save it in your source bundle's `.ebextensions` directory.
The configuration file performs the following tasks:
+ The `packages` key uses yum to install `mod24_ssl`.
+ The `files` key creates the following files on the instance:
`/etc/httpd/conf.d/ssl.conf`
Configures the Apache server. This file loads when the Apache service starts.
`/etc/pki/tls/certs/server.crt`
Creates the certificate file on the instance. Replace *certificate file contents* with the contents of your certificate.
YAML relies on consistent indentation. Match the indentation level when replacing content in an example configuration file and ensure that your text editor uses spaces, not tab characters, to indent.
If you have intermediate certificates, include them in `server.crt` after your site certificate.
```
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
first intermediate certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
second intermediate certificate
-----END CERTIFICATE-----
```
`/etc/pki/tls/certs/server.key`
Creates the private key file on the instance. Replace *private key contents* with the contents of the private key used to create the certificate request or self-signed certificate.
**Example .ebextensions/https-instance.config**
```
packages:
yum:
mod24_ssl : []
files:
/etc/httpd/conf.d/ssl.conf:
mode: "000644"
owner: root
group: root
content: |
LoadModule ssl_module modules/mod_ssl.so
Listen 443
Order deny,allow
Allow from all
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLSessionTickets Off
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
ProxyPass / http://localhost:80/ retry=0
ProxyPassReverse / http://localhost:80/
ProxyPreserveHost on
RequestHeader set X-Forwarded-Proto "https" early
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN RSA PRIVATE KEY-----
private key contents # See note below.
-----END RSA PRIVATE KEY-----
```
**Note**
Avoid committing a configuration file that contains your private key to source control. After you have tested the configuration and confirmed that it works, store your private key in Amazon S3 and modify the configuration to download it during deployment. For instructions, see [Storing private keys securely in Amazon S3](https-storingprivatekeys.md).
In a single instance environment, you must also modify the instance's security group to allow traffic on port 443. The following configuration file retrieves the security group's ID using an CloudFormation [function](ebextensions-functions.md) and adds a rule to it.
**Example .ebextensions/https-instance-single.config**
```
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
```
For a load-balanced environment, you configure the load balancer to either [pass secure traffic through untouched](https-tcp-passthrough.md), or [decrypt and re-encrypt](configuring-https-endtoend.md) for end-to-end encryption.
# Terminating HTTPS on EC2 instances running Python
For Python container types using Apache HTTP Server with the Web Server Gateway Interface (WSGI), you use a [configuration file](ebextensions.md) to enable the Apache HTTP Server to use HTTPS.
Add the following snippet to your [configuration file](ebextensions.md), replacing the certificate and private key material as instructed, and save it in your source bundle's `.ebextensions` directory. The configuration file performs the following tasks:
+ The `packages` key uses yum to install `mod_ssl`.
+ The `files` key creates the following files on the instance:
`/etc/httpd/conf.d/ssl.conf`
Configures the Apache server. If your application is not named `application.py`, replace the highlighted text in the value for `WSGIScriptAlias` with the local path to your application. For example, a django application's may be at `django/wsgi.py`. The location should match the value of the `WSGIPath` option that you set for your environment.
Depending on your application requirements, you may also need to add other directories to the **python-path** parameter.
`/etc/pki/tls/certs/server.crt`
Creates the certificate file on the instance. Replace *certificate file contents* with the contents of your certificate.
YAML relies on consistent indentation. Match the indentation level when replacing content in an example configuration file and ensure that your text editor uses spaces, not tab characters, to indent.
If you have intermediate certificates, include them in `server.crt` after your site certificate.
```
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
first intermediate certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
second intermediate certificate
-----END CERTIFICATE-----
```
`/etc/pki/tls/certs/server.key`
Creates the private key file on the instance. Replace *private key contents* with the contents of the private key used to create the certificate request or self-signed certificate.
+ The `container_commands` key stops the httpd service after everything has been configured so that the service uses the new `https.conf` file and certificate.
**Note**
The example works only in environments using the [Python](create-deploy-python-container.md) platform.
**Example .ebextensions/https-instance.config**
```
packages:
yum:
mod_ssl: []
files:
/etc/httpd/conf.d/ssl.conf:
mode: "000644"
owner: root
group: root
content: |
LoadModule wsgi_module modules/mod_wsgi.so
WSGIPythonHome /var/app/venv/staging-LQM1lest
WSGISocketPrefix run/wsgi
WSGIRestrictEmbedded On
Listen 443
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
Alias /static/ /var/app/current/static/
Order allow,deny
Allow from all
WSGIScriptAlias / /var/app/current/application.py
Require all granted
WSGIDaemonProcess wsgi-ssl processes=1 threads=15 display-name=%{GROUP} \
python-path=/var/app/current \
python-home=/var/app/venv/staging-LQM1lest \
home=/var/app/current \
user=webapp \
group=webapp
WSGIProcessGroup wsgi-ssl
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN RSA PRIVATE KEY-----
private key contents # See note below.
-----END RSA PRIVATE KEY-----
container_commands:
01killhttpd:
command: "killall httpd"
02waitforhttpddeath:
command: "sleep 3"
```
**Note**
Avoid committing a configuration file that contains your private key to source control. After you have tested the configuration and confirmed that it works, store your private key in Amazon S3 and modify the configuration to download it during deployment. For instructions, see [Storing private keys securely in Amazon S3](https-storingprivatekeys.md).
**Note for Amazon Linux 2023 environments**
On Amazon Linux 2023, `mod_wsgi` must be installed separately as it's not available in the package repositories. For installation instructions, see [mod\$1wsgi](https://pypi.org/project/mod-wsgi/) on PyPI.
In a single instance environment, you must also modify the instance's security group to allow traffic on port 443. The following configuration file retrieves the security group's ID using an CloudFormation [function](ebextensions-functions.md) and adds a rule to it.
**Example .ebextensions/https-instance-single.config**
```
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
```
For a load-balanced environment, you configure the load balancer to either [pass secure traffic through untouched](https-tcp-passthrough.md), or [decrypt and re-encrypt](configuring-https-endtoend.md) for end-to-end encryption.
# Terminating HTTPS on EC2 instances running Ruby
For Ruby container types, the way you enable HTTPS depends on the type of application server used.
**Topics**
+ [
## Configure HTTPS for Ruby with Puma
](#Puma)
+ [
## Configure HTTPS for Ruby with Passenger
](#Passenger)
## Configure HTTPS for Ruby with Puma
For Ruby container types that use Puma as the application server, you use a [configuration file](ebextensions.md) to enable HTTPS.
Add the following snippet to your configuration file, replacing the certificate and private key material as instructed, and save it in your source bundle's `.ebextensions` directory. The configuration file performs the following tasks:
+ The `files` key creates the following files on the instance:
`/etc/nginx/conf.d/https.conf`
Configures the nginx server. This file is loaded when the nginx service starts.
`/etc/pki/tls/certs/server.crt`
Creates the certificate file on the instance. Replace *certificate file contents* with the contents of your certificate.
YAML relies on consistent indentation. Match the indentation level when replacing content in an example configuration file and ensure that your text editor uses spaces, not tab characters, to indent.
If you have intermediate certificates, include them in `server.crt` after your site certificate.
```
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
first intermediate certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
second intermediate certificate
-----END CERTIFICATE-----
```
`/etc/pki/tls/certs/server.key`
Creates the private key file on the instance. Replace *private key contents* with the contents of the private key used to create the certificate request or self-signed certificate.
**Example .ebextensions/https-instance.config**
```
files:
/etc/nginx/conf.d/https.conf:
content: |
# HTTPS server
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/pki/tls/certs/server.crt;
ssl_certificate_key /etc/pki/tls/certs/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://my_app;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
location /assets {
alias /var/app/current/public/assets;
gzip_static on;
gzip on;
expires max;
add_header Cache-Control public;
}
location /public {
alias /var/app/current/public;
gzip_static on;
gzip on;
expires max;
add_header Cache-Control public;
}
}
/etc/pki/tls/certs/server.crt:
content: |
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
content: |
-----BEGIN RSA PRIVATE KEY-----
private key contents # See note below.
-----END RSA PRIVATE KEY-----
```
**Note**
Avoid committing a configuration file that contains your private key to source control. After you have tested the configuration and confirmed that it works, store your private key in Amazon S3 and modify the configuration to download it during deployment. For instructions, see [Storing private keys securely in Amazon S3](https-storingprivatekeys.md).
In a single instance environment, you must also modify the instance's security group to allow traffic on port 443. The following configuration file retrieves the security group's ID using an CloudFormation [function](ebextensions-functions.md) and adds a rule to it.
**Example .ebextensions/https-instance-single.config**
```
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
```
For a load-balanced environment, you configure the load balancer to either [pass secure traffic through untouched](https-tcp-passthrough.md), or [decrypt and re-encrypt](configuring-https-endtoend.md) for end-to-end encryption.
## Configure HTTPS for Ruby with Passenger
For Ruby container types that use Passenger as the application server, you use both a configuration file and a JSON file to enable HTTPS.
**To configure HTTPS for Ruby with Passenger**
1. Add the following snippet to your configuration file, replacing the certificate and private key material as instructed, and save it in your source bundle's `.ebextensions` directory. The configuration file performs the following tasks:
+ The `files` key creates the following files on the instance:
`/etc/pki/tls/certs/server.crt`
Creates the certificate file on the instance. Replace *certificate file contents* with the contents of your certificate.
YAML relies on consistent indentation. Match the indentation level when replacing content in an example configuration file and ensure that your text editor uses spaces, not tab characters, to indent.
If you have intermediate certificates, include them in `server.crt` after your site certificate.
```
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
first intermediate certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
second intermediate certificate
-----END CERTIFICATE-----
```
`/etc/pki/tls/certs/server.key`
Creates the private key file on the instance. Replace *private key contents* with the contents of the private key used to create the certificate request or self-signed certificate.
**Example .Ebextensions snippet for configuring HTTPS for Ruby with Passenger**
```
files:
/etc/pki/tls/certs/server.crt:
content: |
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
content: |
-----BEGIN RSA PRIVATE KEY-----
private key contents # See note below.
-----END RSA PRIVATE KEY-----
```
**Note**
Avoid committing a configuration file that contains your private key to source control. After you have tested the configuration and confirmed that it works, store your private key in Amazon S3 and modify the configuration to download it during deployment. For instructions, see [Storing private keys securely in Amazon S3](https-storingprivatekeys.md).
1. Create a text file and add the following JSON to the file. Save it in your source bundle's root directory with the name `passenger-standalone.json`. This JSON file configures Passenger to use HTTPS.
**Important**
This JSON file must not contain a byte order mark (BOM). If it does, the Passenger JSON library will not read the file correctly and the Passenger service will not start.
**Example passenger-standalone.json**
```
{
"ssl" : true,
"ssl_port" : 443,
"ssl_certificate" : "/etc/pki/tls/certs/server.crt",
"ssl_certificate_key" : "/etc/pki/tls/certs/server.key"
}
```
In a single instance environment, you must also modify the instance's security group to allow traffic on port 443. The following configuration file retrieves the security group's ID using an CloudFormation [function](ebextensions-functions.md) and adds a rule to it.
**Example .ebextensions/https-instance-single.config**
```
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
```
For a load-balanced environment, you configure the load balancer to either [pass secure traffic through untouched](https-tcp-passthrough.md), or [decrypt and re-encrypt](configuring-https-endtoend.md) for end-to-end encryption.
# Terminating HTTPS on EC2 instances running Tomcat
For Tomcat container types, you use a [configuration file](ebextensions.md) to enable the Apache HTTP Server to use HTTPS when acting as the reverse proxy for Tomcat.
Add the following snippet to your configuration file, replacing the certificate and private key material as instructed, and save it in your source bundle's `.ebextensions` directory. The configuration file performs the following tasks:
+ The `files` key creates the following files on the instance:
`/etc/pki/tls/certs/server.crt`
Creates the certificate file on the instance. Replace *certificate file contents* with the contents of your certificate.
YAML relies on consistent indentation. Match the indentation level when replacing content in an example configuration file and ensure that your text editor uses spaces, not tab characters, to indent.
`/etc/pki/tls/certs/server.key`
Creates the private key file on the instance. Replace *private key contents* with the contents of the private key used to create the certificate request or self-signed certificate.
`/opt/elasticbeanstalk/hooks/appdeploy/post/99_start_httpd.sh`
Creates a post-deployment hook script to restart the httpd service.
**Example .ebextensions/https-instance.config**
```
files:
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN RSA PRIVATE KEY-----
private key contents # See note below.
-----END RSA PRIVATE KEY-----
/opt/elasticbeanstalk/hooks/appdeploy/post/99_start_httpd.sh:
mode: "000755"
owner: root
group: root
content: |
#!/usr/bin/env bash
sudo service httpd restart
```
You must also configure your environment's proxy server to listen on port 443. The following Apache 2.4 configuration adds a listener on port 443. To learn more, see [Configuring the proxy server](java-tomcat-proxy.md).
**Example .ebextensions/httpd/conf.d/ssl.conf**
```
Listen 443
ServerName server-name
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
Require all granted
ProxyPass / http://localhost:8080/ retry=0
ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost on
ErrorLog /var/log/httpd/elasticbeanstalk-ssl-error_log
```
Your certificate vendor may include intermediate certificates that you can install for better compatibility with mobile clients. Configure Apache with an intermediate certificate authority (CA) bundle by adding the following to your SSL configuration file (see [Extending and overriding the default Apache configuration — Amazon Linux AMI (AL1)](java-tomcat-proxy.md#java-tomcat-proxy-apache) for the location):
+ In the `ssl.conf` file contents, specify the chain file:
```
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
SSLCertificateChainFile "/etc/pki/tls/certs/gd_bundle.crt"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
```
+ Add a new entry to the `files` key with the contents of the intermediate certificates:
```
files:
/etc/pki/tls/certs/gd_bundle.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
First intermediate certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Second intermediate certificate
-----END CERTIFICATE-----
```
**Note**
Avoid committing a configuration file that contains your private key to source control. After you have tested the configuration and confirmed that it works, store your private key in Amazon S3 and modify the configuration to download it during deployment. For instructions, see [Storing private keys securely in Amazon S3](https-storingprivatekeys.md).
In a single instance environment, you must also modify the instance's security group to allow traffic on port 443. The following configuration file retrieves the security group's ID using an CloudFormation [function](ebextensions-functions.md) and adds a rule to it.
**Example .ebextensions/https-instance-single.config**
```
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
```
For a load-balanced environment, you configure the load balancer to either [pass secure traffic through untouched](https-tcp-passthrough.md), or [decrypt and re-encrypt](configuring-https-endtoend.md) for end-to-end encryption.
# Terminating HTTPS on Amazon EC2 instances running .NET Core on Linux
For .NET Core on Linux container types, you enable HTTPS with an `.ebextensions` [configuration file](ebextensions.md), and an nginx configuration file that configures the nginx server to use HTTPS.
Add the following snippet to your configuration file, replacing the certificate and private key placeholders as instructed, and save it in the `.ebextensions` directory. The configuration file performs the following tasks:
+ The `files` key creates the following files on the instance:
`/etc/pki/tls/certs/server.crt`
Creates the certificate file on the instance. Replace *certificate file contents* with the contents of your certificate.
YAML relies on consistent indentation. Match the indentation level when replacing content in an example configuration file and ensure that your text editor uses spaces, not tab characters, to indent.
If you have intermediate certificates, include them in `server.crt` after your site certificate.
```
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
first intermediate certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
second intermediate certificate
-----END CERTIFICATE-----
```
`/etc/pki/tls/certs/server.key`
Creates the private key file on the instance. Replace *private key contents* with the contents of the private key used to create the certificate request or self-signed certificate.
**Example .ebextensions/https-instance.config**
```
files:
/etc/pki/tls/certs/server.crt:
content: |
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
content: |
-----BEGIN RSA PRIVATE KEY-----
private key contents # See note below.
-----END RSA PRIVATE KEY-----
```
**Note**
Avoid committing a configuration file that contains your private key to source control. After you have tested the configuration and confirmed that it works, store your private key in Amazon S3 and modify the configuration to download it during deployment. For instructions, see [Storing private keys securely in Amazon S3](https-storingprivatekeys.md).
Place the following in a file with the `.conf` extension in the `.platform/nginx/conf.d/` directory of your source bundle (for example, `.platform/nginx/conf.d/https.conf`). Replace *app\$1port* with the port number that your application listens on. This example configures the nginx server to listen on port 443 using SSL. For more information about these configuration files on the .NET Core on Linux platform, see [Configuring the proxy server](dotnet-linux-platform-nginx.md).
**Example .platform/nginx/conf.d/https.conf**
```
# HTTPS server
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /etc/pki/tls/certs/server.crt;
ssl_certificate_key /etc/pki/tls/certs/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://localhost:app_port;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
```
In a single instance environment, you must also modify the instance's security group to allow traffic on port 443. The following configuration file retrieves the security group's ID using an CloudFormation [function](ebextensions-functions.md) and adds a rule to it.
**Example .ebextensions/https-instance-single.config**
```
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
```
For a load-balanced environment, you configure the load balancer to either [pass secure traffic through untouched](https-tcp-passthrough.md), or [decrypt and re-encrypt](configuring-https-endtoend.md) for end-to-end encryption.
# Terminating HTTPS on Amazon EC2 instances running .NET
The following [configuration file](ebextensions.md) creates and runs a Windows PowerShell script that performs the following tasks:
+ Checks for an existing HTTPS certificate binding to port 443.
+ Gets the [PFX certificate](configuring-https-ssl.md) from an Amazon S3 bucket.
**Note**
Add an `AmazonS3ReadOnlyAccess` policy to the `aws-elasticbeanstalk-ec2-role` to access the SSL certificate in the Amazon S3 bucket.
+ Gets the password from AWS Secrets Manager.
**Note**
Add a statement in `aws-elasticbeanstalk-ec2-role` that allows the `secretsmanager:GetSecretValue` action for the secret that contains the certificate password
+ Installs the certificate.
+ Binds the certificate to port 443.
**Note**
To remove the HTTP endpoint (port 80), include the `Remove-WebBinding` command under the **Remove the HTTP binding** section of the example.
**Example .ebextensions/https-instance-dotnet.config**
```
files:
"C:\\certs\\install-cert.ps1":
content: |
import-module webadministration
## Settings - replace the following values with your own
$bucket = "amzn-s3-demo-bucket" ## S3 bucket name
$certkey = "example.com.pfx" ## S3 object key for your PFX certificate
$secretname = "example_secret" ## AWS Secrets Manager name for a secret that contains the certificate's password
##
# Set variables
$certfile = "C:\cert.pfx"
$pwd = Get-SECSecretValue -SecretId $secretname | select -expand SecretString
# Clean up existing binding
if ( Get-WebBinding "Default Web Site" -Port 443 ) {
Echo "Removing WebBinding"
Remove-WebBinding -Name "Default Web Site" -BindingInformation *:443:
}
if ( Get-Item -path IIS:\SslBindings\0.0.0.0!443 ) {
Echo "Deregistering WebBinding from IIS"
Remove-Item -path IIS:\SslBindings\0.0.0.0!443
}
# Download certificate from S3
Read-S3Object -BucketName $bucket -Key $certkey -File $certfile
# Install certificate
Echo "Installing cert..."
$securepwd = ConvertTo-SecureString -String $pwd -Force -AsPlainText
$cert = Import-PfxCertificate -FilePath $certfile cert:\localMachine\my -Password $securepwd
# Create site binding
Echo "Creating and registering WebBinding"
New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https
New-Item -path IIS:\SslBindings\0.0.0.0!443 -value $cert -Force
## Remove the HTTP binding
## (optional) Uncomment the following line to unbind port 80
# Remove-WebBinding -Name "Default Web Site" -BindingInformation *:80:
##
# Update firewall
netsh advfirewall firewall add rule name="Open port 443" protocol=TCP localport=443 action=allow dir=OUT
commands:
00_install_ssl:
command: powershell -NoProfile -ExecutionPolicy Bypass -file C:\\certs\\install-cert.ps1
```
In a single instance environment, you must also modify the instance's security group to allow traffic on port 443. The following configuration file retrieves the security group's ID using an CloudFormation [function](ebextensions-functions.md) and adds a rule to it.
**Example .ebextensions/https-instance-single.config**
```
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
```
For a load-balanced environment, you configure the load balancer to either [pass secure traffic through untouched](https-tcp-passthrough.md), or [decrypt and re-encrypt](configuring-https-endtoend.md) for end-to-end encryption.
# Configuring end-to-end encryption in a load-balanced Elastic Beanstalk environment
Terminating secure connections at the load balancer and using HTTP on the backend might be sufficient for your application. Network traffic between AWS resources can't be listened to by instances that are not part of the connection, even if they are running under the same account.
However, if you are developing an application that needs to comply with strict external regulations, you might be required to secure all network connections. You can use the Elastic Beanstalk console or [configuration files](ebextensions.md) to make your Elastic Beanstalk environment's load balancer connect to backend instances securely to meet these requirements. The following procedure focuses on configuration files.
First, [add a secure listener to your load balancer](configuring-https-elb.md), if you haven't already.
You must also configure the instances in your environment to listen on the secure port and terminate HTTPS connections. The configuration varies per platform. See [Configuring HTTPS Termination at the instance](https-singleinstance.md) for instructions. You can use a [self-signed certificate](configuring-https-ssl.md) for the EC2 instances without issue.
Next, configure the listener to forward traffic using HTTPS on the secure port used by your application. Use one of the following configuration files, based on the type of load balancer that your environment uses.
**`.ebextensions/https-reencrypt-clb.config`**
Use this configuration file with a Classic Load Balancer. In addition to configuring the load balancer, the configuration file also changes the default health check to use port 443 and HTTPS, to ensure that the load balancer can connect securely.
```
option_settings:
aws:elb:listener:443:
InstancePort: 443
InstanceProtocol: HTTPS
aws:elasticbeanstalk:application:
Application Healthcheck URL: HTTPS:443/
```
**`.ebextensions/https-reencrypt-alb.config`**
Use this configuration file with an Application Load Balancer.
```
option_settings:
aws:elbv2:listener:443:
DefaultProcess: https
ListenerEnabled: 'true'
Protocol: HTTPS
aws:elasticbeanstalk:environment:process:https:
Port: '443'
Protocol: HTTPS
```
**`.ebextensions/https-reencrypt-nlb.config`**
Use this configuration file with a Network Load Balancer.
```
option_settings:
aws:elbv2:listener:443:
DefaultProcess: https
ListenerEnabled: 'true'
aws:elasticbeanstalk:environment:process:https:
Port: '443'
```
The `DefaultProcess` option is named this way because of Application Load Balancers, which can have nondefault listeners on the same port for traffic to specific paths (see [Application Load Balancer](environments-cfg-alb.md) for details). For a Network Load Balancer the option specifies the only target process for this listener.
In this example, we named the process `https` because it listens to secure (HTTPS) traffic. The listener sends traffic to the process on the designated port using the TCP protocol, because a Network Load Balancer works only with TCP. This is okay, because network traffic for HTTP and HTTPS is implemented on top of TCP.
**Note**
The EB CLI and Elastic Beanstalk console apply recommended values for the preceding options. You must remove these settings if you want to use configuration files to configure the same. See [Recommended values](command-options.md#configuration-options-recommendedvalues) for details.
In the next task, you need to modify the load balancer's security group to allow traffic. Depending on the [Amazon Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/) (Amazon VPC) in which you launch your environment—the default VPC or a custom VPC—the load balancer's security group will vary. In a default VPC, Elastic Load Balancing provides a default security group that all load balancers can use. In an Amazon VPC that you create, Elastic Beanstalk creates a security group for the load balancer to use.
To support both scenarios, you can create a security group and tell Elastic Beanstalk to use it. The following configuration file creates a security group and attaches it to the load balancer.
**`.ebextensions/https-lbsecuritygroup.config`**
```
option_settings:
# Use the custom security group for the load balancer
aws:elb:loadbalancer:
SecurityGroups: '`{ "Ref" : "loadbalancersg" }`'
ManagedSecurityGroup: '`{ "Ref" : "loadbalancersg" }`'
Resources:
loadbalancersg:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: load balancer security group
VpcId: vpc-########
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 443
ToPort: 443
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
```
Replace the highlighted text with your default or custom VPC ID. The previous example includes ingress and egress over port 80 to allow HTTP connections. You can remove those properties if you want to allow only secure connections.
Finally, add ingress and egress rules that allow communication over port 443 between the load balancer's security group and the instances' security group.
**`.ebextensions/https-backendsecurity.config`**
```
Resources:
# Add 443-inbound to instance security group (AWSEBSecurityGroup)
httpsFromLoadBalancerSG:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
SourceSecurityGroupId: {"Fn::GetAtt" : ["loadbalancersg", "GroupId"]}
# Add 443-outbound to load balancer security group (loadbalancersg)
httpsToBackendInstances:
Type: AWS::EC2::SecurityGroupEgress
Properties:
GroupId: {"Fn::GetAtt" : ["loadbalancersg", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
DestinationSecurityGroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
```
Doing this separately from security group creation enables you to restrict the source and destination security groups without creating a circular dependency.
After you have completed all the previous tasks, the load balancer connects to your backend instances securely using HTTPS. The load balancer doesn't care if your instance's certificate is self-signed or issued by a trusted certificate authority, and will accept any certificate presented to it.
You can change this behavior by adding policies to the load balancer that tell it to trust only a specific certificate. The following configuration file creates two policies. One policy specifies a public certificate, and the other tells the load balancer to only trust that certificate for connections to instance port 443.
**`.ebextensions/https-backendauth.config`**
```
option_settings:
# Backend Encryption Policy
aws:elb:policies:backendencryption:
PublicKeyPolicyNames: backendkey
InstancePorts: 443
# Public Key Policy
aws:elb:policies:backendkey:
PublicKey: |
-----BEGIN CERTIFICATE-----
################################################################
################################################################
################################################################
################################################################
################################################
-----END CERTIFICATE-----
```
Replace the highlighted text with the contents of your EC2 instance's public certificate.
# Configuring your environment's load balancer for TCP Passthrough
If you do not want the load balancer in your AWS Elastic Beanstalk environment to decrypt the HTTPS traffic, you can configure the secure listener to relay requests to backend instances as-is.
**Important**
Configuring the load balancer to relay HTTPS traffic without decrypting it presents a disadvantage. The load balancer cannot see the encrypted requests and thus cannot optimize routing or report response metrics.
First [configure your environment's EC2 instances to terminate HTTPS](https-singleinstance.md). Test the configuration on a single instance environment to make sure everything works before adding a load balancer to the mix.
Add a [configuration file](ebextensions.md) to your project to configure a listener on port 443 that passes TCP packets as-is to port 443 on backend instances:
**`.ebextensions/https-lb-passthrough.config`**
```
option_settings:
aws:elb:listener:443:
ListenerProtocol: TCP
InstancePort: 443
InstanceProtocol: TCP
```
In a default [Amazon Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/) (Amazon VPC), you also need to add a rule to the instances' security group to allow inbound traffic on 443 from the load balancer:
**`.ebextensions/https-instance-securitygroup.config`**
```
Resources:
443inboundfromloadbalancer:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
SourceSecurityGroupName: { "Fn::GetAtt": ["AWSEBLoadBalancer", "SourceSecurityGroup.GroupName"] }
```
In a custom VPC, Elastic Beanstalk updates the security group configuration for you.
# Configuring HTTP to HTTPS redirection
This topic describes how to handle HTTP traffic to your application if end users still initiate it. You do this by configuring *HTTP to HTTPS redirection*, sometimes referred to as *forcing HTTPS*.
To configure redirection, you first configure your environment to handle HTTPS traffic. Then you redirect HTTP traffic to HTTPS. These two steps are discussed in the following subsections.
## Configure your environment to handle HTTPS traffic
Depending on your environment's load balancing configuration, do one of the following:
+ **Load-balanced environment** – [Configure your load balancer to terminate HTTPS](configuring-https-elb.md).
+ **Single-instance environment** – [Configure your application to terminate HTTPS connections at the instance](https-singleinstance.md). This configuration depends on your environment's platform.
## Redirect HTTP traffic to HTTPS
To redirect HTTP traffic to HTTPS for your application you can either configure the web servers on your environment's instances or you can configure the environment's Application Load Balancer.
**Configure the instance web servers**
This method works on any web server environment. Configure web servers on your Amazon EC2 instances to respond to HTTP traffic with an HTTP redirection response status.
This configuration depends on your environment's platform. Find the folder for your platform in the [https://github.com/awsdocs/elastic-beanstalk-samples/tree/master/configuration-files/aws-provided/security-configuration/https-redirect](https://github.com/awsdocs/elastic-beanstalk-samples/tree/master/configuration-files/aws-provided/security-configuration/https-redirect) collection on GitHub, and use the example configuration file in that folder.
If your environment uses [Elastic Load Balancing health checks](using-features.healthstatus.md#using-features.healthstatus.understanding), the load balancer expects a healthy instance to respond to the HTTP health check messages with HTTP 200 (OK) responses. Therefore, your web server shouldn't redirect these messages to HTTPS. The example configuration files in [https://github.com/awsdocs/elastic-beanstalk-samples/tree/master/configuration-files/aws-provided/security-configuration/https-redirect](https://github.com/awsdocs/elastic-beanstalk-samples/tree/master/configuration-files/aws-provided/security-configuration/https-redirect) handle this requirement correctly.
**Configure the load balancer**
This method works if you have a load-balanced environment that uses an [Application Load Balancer](environments-cfg-alb.md). An Application Load Balancer can send redirection responses as HTTP traffic comes in. In this case, you don't need to configure redirection on your environment's instances.
We have two example configuration files on GitHub that show how to configure an Application Load Balancer for redirection.
+ The [https://github.com/awsdocs/elastic-beanstalk-samples/blob/master/configuration-files/aws-provided/resource-configuration/alb-http-to-https-redirection-full.config](https://github.com/awsdocs/elastic-beanstalk-samples/blob/master/configuration-files/aws-provided/resource-configuration/alb-http-to-https-redirection-full.config) configuration file creates an HTTPS listener on port 443, and modifies the default port 80 listener to redirect incoming HTTP traffic to HTTPS.
+ The [https://github.com/awsdocs/elastic-beanstalk-samples/blob/master/configuration-files/aws-provided/resource-configuration/alb-http-to-https-redirection.config](https://github.com/awsdocs/elastic-beanstalk-samples/blob/master/configuration-files/aws-provided/resource-configuration/alb-http-to-https-redirection.config) configuration file expects the 443 listener to be defined. To define it, you can use standard Elastic Beanstalk configuration namespaces, or the Elastic Beanstalk console. Then it takes care of modifying the port 80 listener for redirection.