AWS Elastic Beanstalk Environment does not have logs enabled
- Contextual name: Environment does not have logs enabled
- ID: /ce/ca/aws/elastic-beanstalk/environment-logs
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY, RELIABILITY
Logic
- prod.logic.yaml
Similar Policies
- AWS Security Hub: [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- Cloud Conformity: Elastic Beanstalk Persistent Logs
Description
This policy identifies AWS Elastic Beanstalk environments that are not configured to capture and retain application and system logs. Elastic Beanstalk supports automatic log delivery by uploading rotated logs to Amazon S3 or streaming logs in near real time to Amazon CloudWatch Logs.
Rationale
By default, Elastic Beanstalk stores logs generated by EC2 instances in an Amazon S3 bucket managed by the service. However, many log files, such as bundle and tail logs, are deleted after creation unless log retention is explicitly configured. Enabling log rotation to Amazon S3 ensures that logs are retained and available for later analysis through the Elastic Beanstalk Management Console or the EB CLI. Additionally, streaming logs to Amazon CloudWatch Logs provides real-time visibility for monitoring, troubleshooting, and incident response.
Impact
Enabling log retention and streaming may result in additional costs associated with Amazon S3 storage and Amazon CloudWatch Logs ingestion and retention.
Audit
Remediation
Enable log streaming to Amazon CloudWatch Logs and log rotation to Amazon S3
Configure the Elastic Beanstalk environment to retain logs by enabling log rotation to Amazon S3 and stream logs in near real time to Amazon CloudWatch Logs.
From Command Line
Run the `update-environment` command using the name of the Elastic Beanstalk environment you want to reconfigure.

```bash
aws elasticbeanstalk update-environment \
  --region us-east-1 \
  --environment-name CcProdWebsite-env \
  --option-settings \
    Namespace=aws:elasticbeanstalk:hostmanager,OptionName=LogPublicationControl,Value=true \
    Namespace=aws:elasticbeanstalk:cloudwatch:logs,OptionName=RetentionInDays,Value=90 \
    Namespace=aws:elasticbeanstalk:cloudwatch:logs,OptionName=StreamLogs,Value=true
```
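
An audit-side counterpart to the command above, added here as an example (it is not Cloudaware's prod.logic.yaml or AWS code): it checks the three option settings that command sets, given JSON in the shape returned by `aws elasticbeanstalk describe-configuration-settings`. The environment names and sample data are constructed, and treating 90 days as the minimum retention is an assumption taken from the value in the command.

```python
import json

# (Namespace, OptionName) pairs set by the remediation command on this page.
ROTATE_TO_S3 = ("aws:elasticbeanstalk:hostmanager", "LogPublicationControl")
STREAM_LOGS = ("aws:elasticbeanstalk:cloudwatch:logs", "StreamLogs")
RETENTION = ("aws:elasticbeanstalk:cloudwatch:logs", "RetentionInDays")


def audit_environments(describe_output, min_retention_days=90):
    """Return {environment name: [findings]}; an empty list matches the remediated state.

    min_retention_days defaults to the 90 used in the command above (assumed requirement).
    """
    results = {}
    for cfg in describe_output.get("ConfigurationSettings", []):
        # Tolerate entries that carry no "Value" key by treating them as empty.
        opts = {(o["Namespace"], o["OptionName"]): str(o.get("Value", ""))
                for o in cfg.get("OptionSettings", [])}
        findings = []
        if opts.get(ROTATE_TO_S3, "").lower() != "true":
            findings.append("LogPublicationControl is not true: logs are not rotated to S3")
        if opts.get(STREAM_LOGS, "").lower() != "true":
            findings.append("StreamLogs is not true: logs are not streamed to CloudWatch Logs")
        else:
            days = opts.get(RETENTION, "")
            if not days.isdigit() or int(days) < min_retention_days:
                findings.append(f"RetentionInDays is {days or 'unset'}, below {min_retention_days}")
        results[cfg.get("EnvironmentName", "<unnamed>")] = findings
    return results


def _env(name, rotate, stream, days):
    # Builds one constructed ConfigurationSettings entry (sample data, not real output).
    ns_logs = "aws:elasticbeanstalk:cloudwatch:logs"
    return {"EnvironmentName": name, "OptionSettings": [
        {"Namespace": ROTATE_TO_S3[0], "OptionName": "LogPublicationControl", "Value": rotate},
        {"Namespace": ns_logs, "OptionName": "StreamLogs", "Value": stream},
        {"Namespace": ns_logs, "OptionName": "RetentionInDays", "Value": days}]}


# Constructed sample in the shape of `describe-configuration-settings` output.
SAMPLE = {"ConfigurationSettings": [
    _env("example-remediated-env", "true", "true", "90"),
    _env("example-default-env", "false", "false", "7"),
    _env("example-short-retention-env", "true", "true", "7")]}

if __name__ == "__main__":
    print(json.dumps(audit_environments(SAMPLE), indent=2))
```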
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Foundational Security Best Practices v1.0.0 → [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch | 1 | no data | |||
| AWS Well-Architected → REL06-BP05 Analyze logs | 1 | no data | |||
| AWS Well-Architected → SEC04-BP02 Capture logs, findings, and metrics in standardized locations | 3 | no data | |||
| Cloudaware Framework → Logging and Monitoring Configuration | 71 | no data | |||
| PCI DSS v3.2.1 → 10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment. | 7 | no data | |||
| PCI DSS v4.0.1 → 10.4.2 Logs of all other system components are reviewed periodically. | 1 | 7 | no data | ||
| PCI DSS v4.0 → 10.4.2 Logs of all other system components are reviewed periodically. | 1 | 7 | no data |