v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 6.2 Ensure Persistent logs is setup and configured to S3

Description

Elastic Beanstalk can be configured to automatically stream logs to the CloudWatch service.

With CloudWatch Logs, you can monitor and archive your Elastic Beanstalk application, system, and custom log files from Amazon EC2 instances of your environments.

Remediation

From the Console:

  1. Login to AWS Console using https://console.aws.amazon.com/elasticbeanstalk.
  2. On the left hand side click Environments.
  3. Click on the Environment name that you want to update.
  4. Under the environment_name-env in the left column click Configuration.
  5. Scroll down under Configurations.
  6. Under category look for Software.
  7. Click on Edit.
  8. On the Modify software page.
Instance log streaming to CloudWatch Logs
Log streaming - click the Enabled checkbox
Set the required retention based on Organization requirements
Lifecycle - Keep logs after terminating environment
  1. Click Apply.
  2. Repeat steps 3-8 for each environment within the current region that needs Managed updates set.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_compute_service_v100_6_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_6_2 --share

SQL

This control uses a named query:

elastic_beanstalk_environment_logs_to_cloudwatch

Tags

category = Compliance
cis = true
cis_item_id = 6.2
cis_level = 1
cis_section_id = 6
cis_type = manual
cis_version = v1.0.0
plugin = aws
service = AWS/ElasticBeanstalk