
πŸ›‘οΈ AWS Elastic Beanstalk Environment does not have managed platform updates enabled🟒

  • Contextual name: 🛡️ Environment does not have managed platform updates enabled 🟢
  • ID: /ce/ca/aws/elastic-beanstalk/environment-updates
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY

Logic

Similar Policies

Description

This policy identifies AWS Elastic Beanstalk Environments that do not have Managed Platform Updates enabled.

Managed platform updates use an immutable deployment model to automatically upgrade an Elastic Beanstalk environment to a new platform version. During an immutable update, Elastic Beanstalk provisions a parallel set of EC2 instances running the new platform version while the existing instances continue to serve traffic. Once the new instances pass all health checks, the original instances are terminated, leaving only the updated environment in service. This approach ensures platform updates are applied without service interruption or in-place modification of existing instances.

Rationale​

Amazon Elastic Beanstalk regularly releases platform updates for Linux- and Windows-based environments. These updates include security patches, operating system fixes, performance improvements, and new platform features.

When Managed Platform Updates are enabled, Elastic Beanstalk applies these updates automatically during a user-defined maintenance window. Updates are performed using an immutable deployment strategy, ensuring that the environment can safely roll back to its original state if an update fails. This reduces operational risk while helping maintain a secure, stable, and up-to-date application environment.


Remediation

Enable Managed Platform Updates for the Elastic Beanstalk Environment

Managed platform updates allow Elastic Beanstalk to automatically apply platform updates during a defined maintenance window using an immutable deployment strategy, helping ensure availability and safe rollback in the event of a failure.

From Command Line

Run the update-environment command to enable managed platform updates and configure the maintenance window and update behavior for the selected environment. PreferredStartTime is given as `Day:HH:MM` in UTC, and UpdateLevel accepts only `patch` or `minor`: managed platform updates never move an environment to a new major platform version.

```bash
aws elasticbeanstalk update-environment \
  --region {{region}} \
  --environment-name {{environment-name}} \
  --option-settings \
    Namespace=aws:elasticbeanstalk:managedactions,OptionName=ManagedActionsEnabled,Value=true \
    Namespace=aws:elasticbeanstalk:managedactions,OptionName=PreferredStartTime,Value={{day:hour:minute}} \
    Namespace=aws:elasticbeanstalk:managedactions,OptionName=ServiceRoleForManagedUpdates,Value={{ServiceRole}} \
    Namespace=aws:elasticbeanstalk:managedactions:platformupdate,OptionName=UpdateLevel,Value={{minor | patch}}
```
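The following script is an added example, not Cloudaware's policy logic and not AWS sample code. It implements the check from the Description (flag every environment whose `ManagedActionsEnabled` option is not `true`) over the `OptionSettings` returned by `describe-configuration-settings`, and it builds the same four option settings that the `update-environment` command above sends, so the remediation can be scripted with boto3. The environment names, the `Tue:09:00` window and the role name in the sample data are constructed; the function names are my own.

```python
"""Audit and remediate Elastic Beanstalk managed platform updates (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MANAGED_NS = "aws:elasticbeanstalk:managedactions"
PLATFORM_NS = "aws:elasticbeanstalk:managedactions:platformupdate"
VALID_UPDATE_LEVELS = ("minor", "patch")  # managed updates never apply major versions


@dataclass
class Finding:
    environment: str
    compliant: bool                 # policy verdict: ManagedActionsEnabled == "true"
    notes: List[str] = field(default_factory=list)


def _option_map(option_settings: List[dict]) -> Dict[Tuple[str, str], str]:
    """Flatten the OptionSettings list into {(Namespace, OptionName): Value}."""
    return {(o["Namespace"], o["OptionName"]): o.get("Value") for o in option_settings}


def evaluate_environment(name: str, option_settings: List[dict]) -> Finding:
    """Apply the policy to one environment. Option values arrive as strings
    ("true"/"false"), so the comparison is case-insensitive; a missing option
    counts as disabled, which is the API default."""
    opts = _option_map(option_settings)
    enabled = str(opts.get((MANAGED_NS, "ManagedActionsEnabled"), "false")).lower() == "true"
    finding = Finding(name, enabled)
    if not enabled:
        finding.notes.append("ManagedActionsEnabled is not 'true'")
        return finding
    # Enabled: record the window and update level so a reviewer can sanity-check them.
    window = opts.get((MANAGED_NS, "PreferredStartTime"))
    level = opts.get((PLATFORM_NS, "UpdateLevel"))
    finding.notes.append(f"maintenance window {window or '(none set)'}")
    if level in VALID_UPDATE_LEVELS:
        finding.notes.append(f"UpdateLevel {level}")
    else:
        finding.notes.append(f"UpdateLevel {level!r} is not one of {VALID_UPDATE_LEVELS}")
    return finding


def remediation_option_settings(start_time: str, service_role: str,
                                update_level: str = "patch") -> List[dict]:
    """Build the OptionSettings the page's update-environment command sends."""
    if update_level not in VALID_UPDATE_LEVELS:
        raise ValueError(f"UpdateLevel must be one of {VALID_UPDATE_LEVELS}")
    return [
        {"Namespace": MANAGED_NS, "OptionName": "ManagedActionsEnabled", "Value": "true"},
        {"Namespace": MANAGED_NS, "OptionName": "PreferredStartTime", "Value": start_time},
        {"Namespace": MANAGED_NS, "OptionName": "ServiceRoleForManagedUpdates", "Value": service_role},
        {"Namespace": PLATFORM_NS, "OptionName": "UpdateLevel", "Value": update_level},
    ]


def audit_region(region: str) -> List[Finding]:
    """Live audit of every environment in a region (needs AWS credentials)."""
    import boto3  # deferred so the offline parts run without it
    eb = boto3.client("elasticbeanstalk", region_name=region)
    findings: List[Finding] = []
    kwargs = {"IncludeDeleted": False}
    while True:
        page = eb.describe_environments(**kwargs)
        for env in page["Environments"]:
            cfg = eb.describe_configuration_settings(
                ApplicationName=env["ApplicationName"],
                EnvironmentName=env["EnvironmentName"])
            settings = cfg["ConfigurationSettings"][0]["OptionSettings"]
            findings.append(evaluate_environment(env["EnvironmentName"], settings))
        if not page.get("NextToken"):
            return findings
        kwargs["NextToken"] = page["NextToken"]


def remediate(region: str, environment: str, start_time: str, service_role: str,
              update_level: str = "patch") -> None:
    """Live remediation, equivalent to the aws CLI command on this page."""
    import boto3
    eb = boto3.client("elasticbeanstalk", region_name=region)
    eb.update_environment(
        EnvironmentName=environment,
        OptionSettings=remediation_option_settings(start_time, service_role, update_level))


# Constructed sample data in the shape of describe-configuration-settings OptionSettings.
SAMPLE_OPTION_SETTINGS = {
    "prod-web": [
        {"Namespace": MANAGED_NS, "OptionName": "ManagedActionsEnabled", "Value": "true"},
        {"Namespace": MANAGED_NS, "OptionName": "PreferredStartTime", "Value": "Tue:09:00"},
        {"Namespace": PLATFORM_NS, "OptionName": "UpdateLevel", "Value": "minor"},
    ],
    "legacy-api": [
        {"Namespace": MANAGED_NS, "OptionName": "ManagedActionsEnabled", "Value": "false"},
        {"Namespace": PLATFORM_NS, "OptionName": "UpdateLevel", "Value": "patch"},
    ],
}


if __name__ == "__main__":
    for env_name, settings in SAMPLE_OPTION_SETTINGS.items():
        f = evaluate_environment(env_name, settings)
        print(f"{f.environment}: {'PASS' if f.compliant else 'FAIL'} ({'; '.join(f.notes)})")
```

Run it as-is to see the verdict for the two constructed environments; call `audit_region("us-east-1")` with credentials to audit a real account, and `remediate(...)` only after confirming the maintenance window and service role for that environment. The verdict is driven solely by `ManagedActionsEnabled`, matching the policy; the window and update level are reported as notes because their defaults vary and a reviewer should confirm them rather than have the script silently fail them.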


policy.yaml

Linked Framework Sections

| Framework | Section | Sub Sections / Internal Rules / Policies / Flags (counts, run together during extraction) | Compliance |
|---|---|---|---|
| 💼 AWS Foundational Security Best Practices v1.0.0 | 💼 [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled | 1 | no data |
| 💼 Cloudaware Framework | 💼 Infrastructure Modernization | 21 | no data |
| 💼 FedRAMP High Security Controls | 💼 SI-2 Flaw Remediation (L)(M)(H) | 2723 | no data |
| 💼 FedRAMP High Security Controls | 💼 SI-2(2) Automated Flaw Remediation Status (M)(H) | 8 | no data |
| 💼 FedRAMP Low Security Controls | 💼 SI-2 Flaw Remediation (L)(M)(H) | 23 | no data |
| 💼 FedRAMP Moderate Security Controls | 💼 SI-2 Flaw Remediation (L)(M)(H) | 223 | no data |
| 💼 FedRAMP Moderate Security Controls | 💼 SI-2(2) Automated Flaw Remediation Status (M)(H) | 8 | no data |
| 💼 NIST CSF v2.0 | 💼 ID.IM-01: Improvements are identified from evaluations | 45 | no data |
| 💼 NIST CSF v2.0 | 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | 59 | no data |
| 💼 NIST CSF v2.0 | 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities | 60 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 SI-2 Flaw Remediation | 6620 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 SI-2(2) Flaw Remediation \| Automated Flaw Remediation Status | 18 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 SI-2(4) Flaw Remediation \| Automated Patch Management Tools | 8 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 SI-2(5) Flaw Remediation \| Automatic Software and Firmware Updates | 28 | no data |
| 💼 PCI DSS v3.2.1 | 💼 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. | 6 | no data |
| 💼 PCI DSS v4.0.1 | 💼 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates | 6 | no data |
| 💼 PCI DSS v4.0 | 💼 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates | 6 | no data |