More Info:

Ensure that AWS Elastic Beanstalk (EB) environment logs are retained and uploaded to Amazon S3 in order to keep the logging data for future audits, historical purposes or to track and analyze the EB application environment behavior for a long period of time.

Risk Level

Medium

Address

Operational Maturity, Reliability

Compliance Standards

HIPAA, PCIDSS, GDPR, SOC2

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure Persistent Logs Are Enabled For Elastic Beanstalk Environments” for AWS using AWS console, you can follow the below steps:
  1. Login to the AWS Management Console.
  2. Navigate to the Elastic Beanstalk service.
  3. Select the Elastic Beanstalk environment for which you want to enable persistent logs.
  4. Click on the “Configuration” option from the left-hand menu.
  5. Scroll down to the “Software” section and click on the “Edit” button.
  6. Scroll down to the “Instance log streaming” section and click on the “Edit” button.
  7. Select the “Enable log file rotation” checkbox to enable persistent logs for the Elastic Beanstalk environment.
  8. Set the “Retention” value to the desired number of days for which you want to retain the logs.
  9. Click on the “Apply” button to save the changes.
  10. Wait for a few minutes for the changes to take effect.
After following these steps, persistent logs will be enabled for the Elastic Beanstalk environment, and logs will be retained for the specified number of days.

To enable persistent logs for Elastic Beanstalk environments in AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI and run the following command to enable Elastic Beanstalk logging:
aws elasticbeanstalk update-environment --environment-name <environment-name> --option-settings Namespace=aws:elasticbeanstalk:healthreporting:system,OptionName=SystemType,Value="enhanced"
Note: Replace <environment-name> with the actual name of the Elastic Beanstalk environment.
  1. Next, run the following command to enable log rotation for the environment:
aws elasticbeanstalk update-environment --environment-name <environment-name> --option-settings Namespace=aws:elasticbeanstalk:environment:log-rotation,OptionName=LogPublicationControl,Value=true
  1. Finally, run the following command to configure the log retention period (in days):
aws elasticbeanstalk update-environment --environment-name <environment-name> --option-settings Namespace=aws:elasticbeanstalk:environment:log-rotation,OptionName=RetentionInDays,Value=<number-of-days>
Note: Replace <number-of-days> with the desired number of days for log retention.After following these steps, persistent logs will be enabled for the Elastic Beanstalk environment in AWS.
To remediate the misconfiguration of ensuring persistent logs are enabled for Elastic Beanstalk environments in AWS using Python, you can follow the below steps:
  1. Import the required libraries:
import boto3
  1. Create an AWS Elastic Beanstalk client object:
eb_client = boto3.client('elasticbeanstalk')
  1. Get a list of Elastic Beanstalk environments:
env_list = eb_client.describe_environments()['Environments']
  1. Loop through the list of environments and check if persistent logs are enabled. If not, update the environment to enable persistent logs:
for env in env_list:
    env_name = env['EnvironmentName']
    env_desc = eb_client.describe_configuration_settings(ApplicationName='your_application_name', EnvironmentName=env_name)
    option_settings = env_desc['ConfigurationSettings'][0]['OptionSettings']
    for option in option_settings:
        if option['OptionName'] == 'aws:elasticbeanstalk:environment:log-rotation':
            if option['Value'] != 'true':
                eb_client.update_environment(EnvironmentName=env_name, OptionSettings=[{'Namespace': 'aws:elasticbeanstalk:environment:log-rotation', 'OptionName': 'Enabled', 'Value': 'true'}])
                print(f'Enabled persistent logs for Elastic Beanstalk environment {env_name}.')
This script will loop through all the Elastic Beanstalk environments in your AWS account and enable persistent logs for any environment where it is not already enabled.

Additional Reading: