
Description

This policy identifies AWS Elastic Beanstalk environments that are not configured to capture and retain application and system logs. Elastic Beanstalk supports automatic log delivery by uploading rotated logs to Amazon S3 or streaming logs in near real time to Amazon CloudWatch Logs.

Rationale

By default, Elastic Beanstalk stores the logs generated by an environment's EC2 instances in an Amazon S3 bucket that the service manages. The tail and bundle logs requested on demand are deleted from that bucket 15 minutes after they are created, and logs that stay on an instance's disk are lost when that instance is replaced by scaling, a deployment, or termination. Enabling log rotation to Amazon S3 (the LogPublicationControl option) uploads each rotated log file to the bucket, where it persists until you delete it or move it to archival storage, and remains available for later analysis. Streaming logs to Amazon CloudWatch Logs (the StreamLogs option) adds near-real-time visibility for monitoring, troubleshooting, and incident response, and keeps a copy of the logs independent of the instance that produced them.

Impact

Enabling log retention and streaming may result in additional costs associated with Amazon S3 storage and Amazon CloudWatch Logs ingestion and retention.

Audit

This policy flags an AWS Elastic Beanstalk Environment as INCOMPLIANT if its related AWS Elastic Beanstalk Configuration Set does not include both of the following Option Settings (namespace, option name, value):

  • aws:elasticbeanstalk:hostmanager, LogPublicationControl, true (rotated logs are uploaded to Amazon S3), and
  • aws:elasticbeanstalk:cloudwatch:logs, StreamLogs, true (instance logs are streamed to Amazon CloudWatch Logs).

Option values are strings; the default for both options is false, so an absent setting and an explicit "false" fail the check alike. The policy does not evaluate the other options in the aws:elasticbeanstalk:cloudwatch:logs namespace: streamed log groups default to a 7-day RetentionInDays, so set it explicitly if your retention requirement is longer, and leave DeleteOnTerminate at false so the log groups survive environment termination.

An Elastic Beanstalk environment is marked as INAPPLICABLE if its Status is not Ready.
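The check above, worked through as an added Python example; this is not the policy's own implementation. It evaluates environments using the response shapes of boto3's describe_environments() and describe_configuration_settings(), treats an absent option the same as "false", and also returns the OptionSettings list that update_environment() accepts to remediate a finding. The environment names, the StubClient, and the sample option data are constructed for the example; RetentionInDays and DeleteOnTerminate in the remediation are an assumed hardening beyond what the policy checks.

```python
"""Audit Elastic Beanstalk environments for S3 log rotation and CloudWatch
Logs streaming. Added example; sample data below is constructed, not real
API output."""

# Options the policy requires. The API returns option values as strings.
REQUIRED_OPTIONS = {
    ("aws:elasticbeanstalk:hostmanager", "LogPublicationControl"): "true",
    ("aws:elasticbeanstalk:cloudwatch:logs", "StreamLogs"): "true",
}


def evaluate_environment(environment, configuration_settings):
    """Return a finding for one environment.

    environment: an item of describe_environments()["Environments"]
    configuration_settings: the matching item of
        describe_configuration_settings()["ConfigurationSettings"]
    """
    name = environment.get("EnvironmentName")
    if environment.get("Status") != "Ready":
        return {"environment": name, "status": "INAPPLICABLE", "missing": []}

    present = {}
    for opt in configuration_settings.get("OptionSettings", []):
        key = (opt.get("Namespace"), opt.get("OptionName"))
        if key in REQUIRED_OPTIONS:
            present[key] = str(opt.get("Value", "")).strip().lower()

    # An absent option is treated like "false": the API usually returns every
    # option with its default, but a partial configuration set may omit it.
    missing = [
        f"{ns} {opt}={want}"
        for (ns, opt), want in REQUIRED_OPTIONS.items()
        if present.get((ns, opt)) != want
    ]
    status = "COMPLIANT" if not missing else "INCOMPLIANT"
    return {"environment": name, "status": status, "missing": missing}


def remediation_option_settings(retention_days=90):
    """OptionSettings for elasticbeanstalk update_environment().

    RetentionInDays and DeleteOnTerminate are not part of the policy's check;
    they are assumed hardening so streamed logs outlive the 7-day default and
    survive environment termination.
    """
    cw = "aws:elasticbeanstalk:cloudwatch:logs"
    return [
        {"Namespace": "aws:elasticbeanstalk:hostmanager",
         "OptionName": "LogPublicationControl", "Value": "true"},
        {"Namespace": cw, "OptionName": "StreamLogs", "Value": "true"},
        {"Namespace": cw, "OptionName": "RetentionInDays",
         "Value": str(retention_days)},
        {"Namespace": cw, "OptionName": "DeleteOnTerminate", "Value": "false"},
    ]


def audit(client, application_name):
    """Evaluate every environment of one application.

    `client` is a boto3 elasticbeanstalk client or any object exposing the
    same two methods, so the audit can run offline against a stub.
    """
    findings = []
    envs = client.describe_environments(ApplicationName=application_name)
    for env in envs.get("Environments", []):
        config = {}
        if env.get("Status") == "Ready":  # only Ready environments are checked
            config = client.describe_configuration_settings(
                ApplicationName=application_name,
                EnvironmentName=env["EnvironmentName"],
            )["ConfigurationSettings"][0]
        findings.append(evaluate_environment(env, config))
    return findings


# Constructed sample data in the shape boto3 returns (hypothetical names).
SAMPLE_ENVIRONMENTS = {"Environments": [
    {"EnvironmentName": "web-prod", "Status": "Ready"},
    {"EnvironmentName": "web-stage", "Status": "Ready"},
    {"EnvironmentName": "web-new", "Status": "Launching"},
]}
SAMPLE_SETTINGS = {
    "web-prod": {"OptionSettings": [
        {"Namespace": "aws:elasticbeanstalk:hostmanager",
         "OptionName": "LogPublicationControl", "Value": "true"},
        {"Namespace": "aws:elasticbeanstalk:cloudwatch:logs",
         "OptionName": "StreamLogs", "Value": "true"},
    ]},
    # Rotation explicitly off and StreamLogs absent (its default is false).
    "web-stage": {"OptionSettings": [
        {"Namespace": "aws:elasticbeanstalk:hostmanager",
         "OptionName": "LogPublicationControl", "Value": "false"},
    ]},
}


class StubClient:
    """Stand-in for boto3.client("elasticbeanstalk") backed by sample data."""

    def describe_environments(self, ApplicationName):
        return SAMPLE_ENVIRONMENTS

    def describe_configuration_settings(self, ApplicationName, EnvironmentName):
        return {"ConfigurationSettings": [SAMPLE_SETTINGS[EnvironmentName]]}


if __name__ == "__main__":
    for finding in audit(StubClient(), "web"):
        print(finding)
    # Live use: audit(boto3.client("elasticbeanstalk"), "web")
```

To remediate a finding against a live account, pass the list from remediation_option_settings() as the OptionSettings argument of update_environment() for the flagged environment; the environment then goes through an update and returns to Ready, at which point the audit should report COMPLIANT.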