Control: 6.2 Ensure Persistent logs is setup and configured to S3
Description
Elastic Beanstalk can be configured to automatically stream logs to the CloudWatch service.
With CloudWatch Logs, you can monitor and archive your Elastic Beanstalk application, system, and custom log files from Amazon EC2 instances of your environments.
Remediation
From the Console:
- Login to AWS Console using https://console.aws.amazon.com/elasticbeanstalk.
- On the left hand side click Environments.
- Click on the Environment name that you want to update.
- Under environment_name-env in the left column click Configuration.
- Scroll down under Configurations.
- Under category look for Software.
- Click on Edit.
- On the Modify software page, under Instance log streaming to CloudWatch Logs:
  - Log streaming: tick the Enabled checkbox.
  - Retention: set the retention period required by your organization.
  - Lifecycle: select Keep logs after terminating environment.
- Click Apply.
- Repeat the steps above, from selecting the environment onward, for each environment within the current region that needs log streaming enabled.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_compute_service_v100_6_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_6_2 --share
SQL
This control uses a named query:
with beanstalk_environment_logs_enabled as (
  select distinct e.arn
  from aws_elastic_beanstalk_environment as e,
    jsonb_array_elements(e.configuration_settings) as c,
    jsonb_array_elements(c -> 'OptionSettings') as s
  where s ->> 'OptionName' = 'StreamLogs'
    and s ->> 'Value' = 'true'
)
select
  e.arn as resource,
  case when l.arn is not null then 'ok' else 'alarm' end as status,
  case
    when l.arn is not null then e.title || ' sends logs to AWS CloudWatch.'
    else e.title || ' does not send logs to AWS CloudWatch.'
  end as reason,
  e.region,
  e.account_id
from aws_elastic_beanstalk_environment as e
  left join beanstalk_environment_logs_enabled as l on e.arn = l.arn;
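The following Python is an added example, not part of the Powerpipe control or the aws_compliance mod. It serves two purposes: it re-implements the named query's decision (any OptionSettings entry with OptionName StreamLogs and Value true) over constructed environment records shaped like the Steampipe configuration_settings column, and it builds the option settings for the remediation steps above, which is what the console writes into the aws:elasticbeanstalk:cloudwatch:logs namespace (StreamLogs, RetentionInDays, DeleteOnTerminate). The sample environments, environment names and retention value are constructed for the example; the aws CLI invocation is emitted as argv and not executed, so it runs offline.

```python
"""Added example (not the control's own code): evaluate Elastic Beanstalk
environments the way the named query does, and build the option settings
that remediate a failing environment."""
import json

# Real Elastic Beanstalk namespace that the console's "Instance log streaming
# to CloudWatch Logs" section writes to.
LOGS_NS = "aws:elasticbeanstalk:cloudwatch:logs"


def streams_logs(configuration_settings):
    """Mirror the SQL: ok only if some OptionSettings entry has
    OptionName == 'StreamLogs' and Value == 'true' (raw string compare,
    exactly as the query does; the namespace is not checked by the query)."""
    for cfg in configuration_settings:
        for opt in cfg.get("OptionSettings", []):
            if opt.get("OptionName") == "StreamLogs" and opt.get("Value") == "true":
                return True
    return False


def evaluate(environment):
    """Produce the same resource/status/reason tuple the control reports."""
    ok = streams_logs(environment.get("configuration_settings", []))
    title = environment["title"]
    return {
        "resource": environment["arn"],
        "status": "ok" if ok else "alarm",
        "reason": f"{title} {'sends' if ok else 'does not send'} logs to AWS CloudWatch.",
    }


def remediation_option_settings(retention_days=90, keep_logs_after_terminate=True):
    """OptionSettings equivalent to the console steps: enable streaming,
    set retention (must be a value CloudWatch Logs accepts; 90 is assumed
    here as the organisation's requirement), keep logs on termination."""
    return [
        {"Namespace": LOGS_NS, "OptionName": "StreamLogs", "Value": "true"},
        {"Namespace": LOGS_NS, "OptionName": "RetentionInDays", "Value": str(retention_days)},
        {"Namespace": LOGS_NS, "OptionName": "DeleteOnTerminate",
         "Value": "false" if keep_logs_after_terminate else "true"},
    ]


def remediate_cli(environment_name, **kw):
    """argv for `aws elasticbeanstalk update-environment` applying the fix."""
    argv = ["aws", "elasticbeanstalk", "update-environment",
            "--environment-name", environment_name, "--option-settings"]
    argv += [f"Namespace={o['Namespace']},OptionName={o['OptionName']},Value={o['Value']}"
             for o in remediation_option_settings(**kw)]
    return argv


# Constructed sample records in the shape of the Steampipe table rows.
SAMPLE_ENVIRONMENTS = [
    {"arn": "arn:aws:elasticbeanstalk:us-east-1:111111111111:environment/app/app-prod",
     "title": "app-prod", "configuration_settings": [{"OptionSettings": [
         {"Namespace": LOGS_NS, "OptionName": "StreamLogs", "Value": "true"},
         {"Namespace": LOGS_NS, "OptionName": "RetentionInDays", "Value": "90"}]}]},
    {"arn": "arn:aws:elasticbeanstalk:us-east-1:111111111111:environment/app/app-dev",
     "title": "app-dev", "configuration_settings": [{"OptionSettings": [
         {"Namespace": LOGS_NS, "OptionName": "StreamLogs", "Value": "false"}]}]},
    {"arn": "arn:aws:elasticbeanstalk:us-east-1:111111111111:environment/app/app-legacy",
     "title": "app-legacy", "configuration_settings": [{"OptionSettings": [
         {"Namespace": "aws:autoscaling:launchconfiguration",
          "OptionName": "InstanceType", "Value": "t3.small"}]}]},
]


def run_report(environments):
    """Evaluate every environment and attach the remediation argv to alarms."""
    results = []
    for env in environments:
        result = evaluate(env)
        if result["status"] == "alarm":
            result["remediation"] = " ".join(remediate_cli(env["title"]))
        results.append(result)
    return results


if __name__ == "__main__":
    print(json.dumps(run_report(SAMPLE_ENVIRONMENTS), indent=2))
```

Two caveats worth keeping in mind when reading the query and this mirror of it: the check only looks at StreamLogs, so an environment that streams logs but has DeleteOnTerminate set to true still passes the control even though the console steps ask for logs to be kept after termination, and the comparison is on the literal string 'true', which is how Elastic Beanstalk stores the option value.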