AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Ensure Persistent Logs Are Enabled For Elastic Beanstalk Environments
More Info:
Ensure that AWS Elastic Beanstalk (EB) environment logs are retained and uploaded to Amazon S3 in order to keep the logging data for future audits, historical purposes or to track and analyze the EB application environment behavior for a long period of time.
Risk Level
Medium
Address
Operational Maturity, Reliability
Compliance Standards
HIPAA, PCIDSS, GDPR, SOC2
Triage and Remediation
Remediation
To remediate the misconfiguration “Ensure Persistent Logs Are Enabled For Elastic Beanstalk Environments” for AWS using AWS console, you can follow the below steps:
- Login to the AWS Management Console.
- Navigate to the Elastic Beanstalk service.
- Select the Elastic Beanstalk environment for which you want to enable persistent logs.
- Click on the “Configuration” option from the left-hand menu.
- Scroll down to the “Software” section and click on the “Edit” button.
- Scroll down to the “Instance log streaming” section and click on the “Edit” button.
- Select the “Enable log file rotation” checkbox to enable persistent logs for the Elastic Beanstalk environment.
- Set the “Retention” value to the desired number of days for which you want to retain the logs.
- Click on the “Apply” button to save the changes.
- Wait for a few minutes for the changes to take effect.
After following these steps, persistent logs will be enabled for the Elastic Beanstalk environment, and logs will be retained for the specified number of days.
To enable persistent logs for Elastic Beanstalk environments in AWS using AWS CLI, follow these steps:
- Open the AWS CLI and run the following command to enable Elastic Beanstalk logging:
aws elasticbeanstalk update-environment --environment-name <environment-name> --option-settings Namespace=aws:elasticbeanstalk:healthreporting:system,OptionName=SystemType,Value="enhanced"
Note: Replace <environment-name> with the actual name of the Elastic Beanstalk environment.
- Next, run the following command to enable log rotation for the environment:
aws elasticbeanstalk update-environment --environment-name <environment-name> --option-settings Namespace=aws:elasticbeanstalk:environment:log-rotation,OptionName=LogPublicationControl,Value=true
- Finally, run the following command to configure the log retention period (in days):
aws elasticbeanstalk update-environment --environment-name <environment-name> --option-settings Namespace=aws:elasticbeanstalk:environment:log-rotation,OptionName=RetentionInDays,Value=<number-of-days>
Note: Replace <number-of-days> with the desired number of days for log retention.
After following these steps, persistent logs will be enabled for the Elastic Beanstalk environment in AWS.
To remediate the misconfiguration of ensuring persistent logs are enabled for Elastic Beanstalk environments in AWS using Python, you can follow the below steps:
- Import the required libraries:
import boto3
- Create an AWS Elastic Beanstalk client object:
eb_client = boto3.client('elasticbeanstalk')
- Get a list of Elastic Beanstalk environments:
env_list = eb_client.describe_environments()['Environments']
- Loop through the list of environments and check if persistent logs are enabled. If not, update the environment to enable persistent logs:
for env in env_list:
env_name = env['EnvironmentName']
env_desc = eb_client.describe_configuration_settings(ApplicationName='your_application_name', EnvironmentName=env_name)
option_settings = env_desc['ConfigurationSettings'][0]['OptionSettings']
for option in option_settings:
if option['OptionName'] == 'aws:elasticbeanstalk:environment:log-rotation':
if option['Value'] != 'true':
eb_client.update_environment(EnvironmentName=env_name, OptionSettings=[{'Namespace': 'aws:elasticbeanstalk:environment:log-rotation', 'OptionName': 'Enabled', 'Value': 'true'}])
print(f'Enabled persistent logs for Elastic Beanstalk environment {env_name}.')
This script will loop through all the Elastic Beanstalk environments in your AWS account and enable persistent logs for any environment where it is not already enabled.