diff --git a/README.md b/README.md
index 3f7a1c0..22eefbe 100644
--- a/README.md
+++ b/README.md
@@ -50,6 +50,7 @@ Available targets:
 | name | The Name of the application or solution  (e.g. `bastion` or `portal`) | string | `bastion` | no |
 | namespace | Namespace (e.g. `cp` or `cloudposse`) | string | `global` | no |
 | security_groups | AWS security group ids | list | - | yes |
+| allowed_cidr_blocks | A list of CIDR blocks allowed to connect | list | ["0.0.0.0/0"] | no |
 | ssh_user | Default SSH user for this AMI. e.g. `ec2user` for Amazon Linux and `ubuntu` for Ubuntu systems | string | - | yes |
 | stage | Stage (e.g. `prod`, `dev`, `staging`) | string | `default` | no |
 | subnets | AWS subnet ids | list | `<list>` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 4b7a0f6..ac3d97f 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -9,6 +9,7 @@
 | name | The Name of the application or solution  (e.g. `bastion` or `portal`) | string | `bastion` | no |
 | namespace | Namespace (e.g. `cp` or `cloudposse`) | string | `global` | no |
 | security_groups | AWS security group ids | list | - | yes |
+| allowed_cidr_blocks | A list of CIDR blocks allowed to connect | list | ["0.0.0.0/0"] | no |
 | ssh_user | Default SSH user for this AMI. e.g. `ec2user` for Amazon Linux and `ubuntu` for Ubuntu systems | string | - | yes |
 | stage | Stage (e.g. `prod`, `dev`, `staging`) | string | `default` | no |
 | subnets | AWS subnet ids | list | `<list>` | no |
diff --git a/main.tf b/main.tf
index af7ac59..b30611f 100644
--- a/main.tf
+++ b/main.tf
@@ -47,9 +47,7 @@ resource "aws_security_group" "default" {
     from_port = 22
     to_port   = 22
 
-    cidr_blocks = [
-      "0.0.0.0/0",
-    ]
+    cidr_blocks = ["${var.allowed_cidr_blocks}"]
   }
 
   ingress {
diff --git a/variables.tf b/variables.tf
index 620495d..fc74bb1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -59,6 +59,15 @@ variable "security_groups" {
   description = "AWS security group ids"
 }
 
+variable "allowed_cidr_blocks" {
+  type        = "list"
+  description = "A list of CIDR blocks allowed to connect"
+
+  default = [
+    "0.0.0.0/0",
+  ]
+}
+
 variable "user_data_file" {
   default     = "user_data.sh"
   description = "User data file"