More Info:

Ensure that all your Amazon Elastic Beanstalk (EB) application environments have platform updates enabled in order to receive bug fixes, software updates and new features. Managed platform updates perform immutable environment updates.

Risk Level

Medium

Address

Operational Maturity, Reliability, Security

Compliance Standards

ISO27001, HIPAA

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure Managed Platform Updates Are Enabled For Elastic Beanstalk Environment” in AWS using AWS console, follow the below steps:
  1. Login to AWS Management Console.
  2. Navigate to Elastic Beanstalk service.
  3. Select the environment for which you want to enable the managed platform updates.
  4. Click on the “Configuration” option from the left-hand menu.
  5. Scroll down to the “Managed platform updates” section and click on “Edit”.
  6. Select the “Enable managed platform updates” checkbox.
  7. Choose the “All platform updates” option from the dropdown.
  8. Click on the “Apply” button to save the changes.
  9. Wait for the environment to update with the latest platform version.
By following the above steps, you will be able to remediate the misconfiguration “Ensure Managed Platform Updates Are Enabled For Elastic Beanstalk Environment” for AWS using AWS console.

To remediate the misconfiguration “Ensure Managed Platform Updates Are Enabled For Elastic Beanstalk Environment” for AWS using AWS CLI, follow the below steps:
  1. Open the terminal and install the AWS CLI if it is not already installed.
  2. Configure the AWS CLI using the aws configure command by providing the Access Key ID, Secret Access Key, Default region name, and output format.
  3. Execute the below command to enable managed platform updates for the Elastic Beanstalk environment: 
aws elasticbeanstalk update-environment --environment-name <environment-name> --option-settings Namespace=aws:elasticbeanstalk:managedactions,OptionName=ManagedActionsEnabled,Value=true
Note: Replace <environment-name> with the name of the Elastic Beanstalk environment for which you want to enable managed platform updates.
  1. Verify the changes by executing the below command:
aws elasticbeanstalk describe-environments --environment-names <environment-name> --query "Environments[*].OptionSettings[?Namespace=='aws:elasticbeanstalk:managedactions' && OptionName=='ManagedActionsEnabled'].Value" --output text
Note: Replace <environment-name> with the name of the Elastic Beanstalk environment for which you have enabled managed platform updates.The output of the above command should be true, which indicates that managed platform updates are enabled for the Elastic Beanstalk environment.
To remediate the misconfiguration “Ensure Managed Platform Updates Are Enabled For Elastic Beanstalk Environment” for AWS using Python, you can use the AWS SDK for Python (Boto3) to enable managed platform updates for your Elastic Beanstalk environment. Here are the step-by-step instructions:
  1. Install Boto3:
pip install boto3
  1. Import the Boto3 library and create an Elastic Beanstalk client:
import boto3

eb_client = boto3.client('elasticbeanstalk')
  1. Retrieve the list of environments in your account:
response = eb_client.describe_environments()
environments = response['Environments']
  1. Loop through the list of environments and enable managed platform updates for each one:
for environment in environments:
    environment_name = environment['EnvironmentName']
    environment_id = environment['EnvironmentId']
    environment_settings = eb_client.describe_configuration_settings(
        ApplicationName='your_application_name',
        EnvironmentName=environment_name
    )
    for setting in environment_settings['ConfigurationSettings'][0]['OptionSettings']:
        if setting['OptionName'] == 'ManagedActionsEnabled':
            if setting['Value'] == 'false':
                eb_client.update_environment(
                    EnvironmentId=environment_id,
                    OptionSettings=[
                        {
                            'Namespace': 'aws:elasticbeanstalk:managedactions',
                            'OptionName': 'ManagedActionsEnabled',
                            'Value': 'true'
                        }
                    ]
                )
                print(f"Managed platform updates enabled for environment {environment_name}")
This code will loop through all the Elastic Beanstalk environments in your account, check if managed platform updates are already enabled, and enable them if they are not. Note that you will need to replace your_application_name with the name of your Elastic Beanstalk application.

Additional Reading: