diff --git a/lib/aws/bootstrap-ec2/ec2-sec-group.tf b/lib/aws/bootstrap-ec2/ec2-sec-group.tf
index 02cd4bfc..a82bd0e9 100644
--- a/lib/aws/bootstrap-ec2/ec2-sec-group.tf
+++ b/lib/aws/bootstrap-ec2/ec2-sec-group.tf
@@ -13,15 +13,22 @@ resource "aws_security_group" "ec2_cluster" {
   tags = local.tags_ec2
 }
 
-# OPTIONAL: Allow inbound traffic from your local workstation external IP
-# to the Kubernetes. You will need to replace A.B.C.D below with
-# your real IP. Services like icanhazip.com can help you find this.
-resource "aws_security_group_rule" "cluster_ingress_workstation_https" {
-  cidr_blocks = var.ec2_access_cidr_blocks
-  description = "Allow workstation to communicate with the cluster API Server"
+resource "aws_security_group_rule" "https" {
+  cidr_blocks = "0.0.0.0/0"
+  description = "HTTPS connectivity"
   from_port = 443
   protocol = "tcp"
   security_group_id = aws_security_group.ec2_cluster.id
   to_port = 443
   type = "ingress"
 }
+
+resource "aws_security_group_rule" "ssh" {
+  cidr_blocks = "0.0.0.0/0"
+  description = "SSH remote access"
+  from_port = 22
+  protocol = "tcp"
+  security_group_id = aws_security_group.ec2_cluster.id
+  to_port = 22
+  type = "ssh"
+}
\ No newline at end of file
diff --git a/lib/aws/bootstrap-ec2/ec2.j2.tf b/lib/aws/bootstrap-ec2/ec2.j2.tf
index e85ed5f9..2a9bb030 100644
--- a/lib/aws/bootstrap-ec2/ec2.j2.tf
+++ b/lib/aws/bootstrap-ec2/ec2.j2.tf
@@ -31,7 +31,9 @@ resource "aws_instance" "web" {
   associate_public_ip_address = true
 
   # security
-  #vpc_security_group_ids = [aws_vpc.ec2.*.id]
+  vpc_security_group_ids = [aws_vpc.ec2.id]
+  subnet_id = aws_subnet.ec2_zone_a.id
+  security_groups = [aws_security_group.ec2_cluster.id]
 
   user_data = local.bootstrap
 
diff --git a/lib/aws/bootstrap-ec2/tf-providers-aws.j2.tf b/lib/aws/bootstrap-ec2/tf-providers-aws.j2.tf
index c4612160..e5235b07 100644
--- a/lib/aws/bootstrap-ec2/tf-providers-aws.j2.tf
+++ b/lib/aws/bootstrap-ec2/tf-providers-aws.j2.tf
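Review bot: The new `ssh` rule sets `type = "ssh"`, which the provider rejects (`type` must be `ingress` or `egress`), and both new rules assign a bare string to `cidr_blocks`, which is declared as a list of strings — so this file fails at plan time before it opens anything, but once those two errors are fixed the effect is that ports 22 and 443 are reachable from the whole Internet, whereas the removed rule scoped 443 to `var.ec2_access_cidr_blocks`. World-reachable SSH on an instance that this same commit gives a public IP is the part I would not merge; keep the operator-scoped variable for SSH and only widen 443 if the workload actually serves the public. Concretely, in the ssh rule use `type = "ingress"` and `cidr_blocks = var.ec2_access_cidr_blocks`, and in the https rule `cidr_blocks = ["0.0.0.0/0"]` (a list) if that exposure is intended, with a comment saying so. Renaming the resource from `cluster_ingress_workstation_https` to `https` will also make Terraform destroy and recreate the rule; `terraform state mv` avoids the churn.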
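Review bot: `vpc_security_group_ids = [aws_vpc.ec2.id]` passes a VPC ID where EC2 expects security group IDs, so the RunInstances call will be rejected; and `security_groups` takes security group names (the EC2-Classic / default-VPC path), so handing it `aws_security_group.ec2_cluster.id` is wrong as well, and, as I recall from the provider docs, it is not meant to be combined with `subnet_id` at all. The two lines should collapse into one, `vpc_security_group_ids = [aws_security_group.ec2_cluster.id]`, with `security_groups` dropped. With `associate_public_ip_address = true` just above, whichever group ends up attached is the only thing between this instance and the Internet, so it is worth pinning down before the security-group file's open rules land. The `aws_instance.web` block continues outside the hunk.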
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source = "hashicorp/aws"
-      version = "~> 3.66.0"
+      version = "~> 4.11.0"
     }
     external = {
       source = "hashicorp/external"