Security group and load balancer config file for Elastic Beanstalk. See http://tmblr.co/ZU9VxvibvDWI.

elb-sg-config.yaml

# vim: ft=yaml
# Elastic Load Balancer and Security Group configuration for the app
#
# - Allow anyone to connect to port 443 and office traffic to connect to
#   port 22
# - Ensure all traffic is encrypted by configuring load balancer to listen on
#   443 and direct traffic to port 443 on app servers
# - Enable cookie-based session stickiness
# - Use /status for health check
# - Enable backend authentication policy by providing public key for cert

Resources:
  AWSEBSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: "Security group to allow HTTPS for all, SSH for office"
      SecurityGroupIngress:
        - {CidrIp: "0.0.0.0/0", IpProtocol: "tcp", FromPort: "443", ToPort: "443"}
        - {CidrIp: "176.35.225.76/32", IpProtocol: "tcp", FromPort: "22", ToPort: "22"}
  AWSEBLoadBalancer:
    Type: "AWS::ElasticLoadBalancing::LoadBalancer"
    Properties:
      Listeners:
        - {LoadBalancerPort: 443, InstancePort: 443, Protocol: "HTTPS", SSLCertificateId: "arn:aws:iam::1234567890:server-certificate/server"}
      AppCookieStickinessPolicy:
        - {PolicyName: "lb-session", CookieName: "lb-session"}
      HealthCheck:
        HealthyThreshold: "3"
        Interval: "30"
        Target: "HTTPS:443/status"
        Timeout: "5"
        UnhealthyThreshold: "5"
      Policies:
        -
          PolicyName: "MyPubKey"
          PolicyType: "PublicKeyPolicyType"
          Attributes:
            -
              Name: "PublicKey"
              Value: "..."
        -
          PolicyName: "BackendAuth"
          PolicyType: "BackendServerAuthenticationPolicyType"
          Attributes:
            -
              Name: "PublicKeyPolicyName"
              Value: "MyPubKey"
          InstancePorts:
            - "443"

I also want to point out that configuring a health check URL for the load balancer alone will not cause an unhealthy instance to be automatically replaced with a new one. But instead, the default behavior is for the unhealthy instance to be removed from the load balancer.

In order to have unhealthy instances be terminated and replaced with new ones, you must also declare the following options for the AutoScaling resource:

Resources:
  AWSEBAutoScalingGroup:
    Type: "AWS::AutoScaling::AutoScalingGroup"
    Properties:
      HealthCheckType: ELB
      HealthCheckGracePeriod: 300

The complete AWS note on the default behavior is pasted below, taken from the following AWS documentation - https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.healthstatus.html#using-features.healthstatus.understanding

Configuring a health check URL does not change the health check behavior of an environment's Auto Scaling group. An unhealthy instance is removed from the load balancer, but is not automatically replaced by Amazon EC2 Auto Scaling unless you configure Amazon EC2 Auto Scaling to use the Elastic Load Balancing health check as a basis for replacing instances.