Ensure Persistent Logs Are Enabled For Elastic Beanstalk Environments

More Info:

Ensure that AWS Elastic Beanstalk (EB) environment logs are retained and uploaded to Amazon S3 in order to keep the logging data for future audits, historical purposes or to track and analyze the EB application environment behavior for a long period of time.

Risk Level

Medium

Address

Operational Maturity, Reliability

Compliance Standards

HIPAA, PCIDSS, GDPR, SOC2

Triage and Remediation

Remediation

Using Console

Using CLI

To enable persistent logs for Elastic Beanstalk environments in AWS using AWS CLI, follow these steps:

Open the AWS CLI and run the following command to enable Elastic Beanstalk logging:

aws elasticbeanstalk update-environment --environment-name <environment-name> --option-settings Namespace=aws:elasticbeanstalk:healthreporting:system,OptionName=SystemType,Value="enhanced"

Note: Replace <environment-name> with the actual name of the Elastic Beanstalk environment.

Next, run the following command to enable log rotation for the environment:

aws elasticbeanstalk update-environment --environment-name <environment-name> --option-settings Namespace=aws:elasticbeanstalk:environment:log-rotation,OptionName=LogPublicationControl,Value=true

Finally, run the following command to configure the log retention period (in days):

aws elasticbeanstalk update-environment --environment-name <environment-name> --option-settings Namespace=aws:elasticbeanstalk:environment:log-rotation,OptionName=RetentionInDays,Value=<number-of-days>

Note: Replace <number-of-days> with the desired number of days for log retention.After following these steps, persistent logs will be enabled for the Elastic Beanstalk environment in AWS.

Using Python

To remediate the misconfiguration of ensuring persistent logs are enabled for Elastic Beanstalk environments in AWS using Python, you can follow the below steps:

Import the required libraries:

import boto3

Create an AWS Elastic Beanstalk client object:

eb_client = boto3.client('elasticbeanstalk')

Get a list of Elastic Beanstalk environments:

env_list = eb_client.describe_environments()['Environments']

Loop through the list of environments and check if persistent logs are enabled. If not, update the environment to enable persistent logs:

for env in env_list:
    env_name = env['EnvironmentName']
    env_desc = eb_client.describe_configuration_settings(ApplicationName='your_application_name', EnvironmentName=env_name)
    option_settings = env_desc['ConfigurationSettings'][0]['OptionSettings']
    for option in option_settings:
        if option['OptionName'] == 'aws:elasticbeanstalk:environment:log-rotation':
            if option['Value'] != 'true':
                eb_client.update_environment(EnvironmentName=env_name, OptionSettings=[{'Namespace': 'aws:elasticbeanstalk:environment:log-rotation', 'OptionName': 'Enabled', 'Value': 'true'}])
                print(f'Enabled persistent logs for Elastic Beanstalk environment {env_name}.')

This script will loop through all the Elastic Beanstalk environments in your AWS account and enable persistent logs for any environment where it is not already enabled.

Additional Reading:

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/incident-response.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Ensure Persistent Logs Are Enabled For Elastic Beanstalk Environments

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: