Control: Elastic Beanstalk should stream logs to CloudWatch
This control checks whether an Elastic Beanstalk environment is configured to send logs to CloudWatch Logs. The control fails if an Elastic Beanstalk environment isn't configured to send logs to CloudWatch Logs. Optionally, you can provide a custom value for the RetentionInDays parameter if you want the control to pass only if logs are retained for the specified number of days before expiration.
Run the control in your terminal:
powerpipe control run aws_compliance.control.elastic_beanstalk_environment_logs_to_cloudwatch
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.elastic_beanstalk_environment_logs_to_cloudwatch --share
This control uses a named query:
with beanstalk_environment_logs_enabled as (
  select
    distinct e.arn
  from
    aws_elastic_beanstalk_environment as e,
    jsonb_array_elements(e.configuration_settings) as c,
    jsonb_array_elements(c -> 'OptionSettings') as s
  where
    s ->> 'OptionName' = 'StreamLogs'
    and s ->> 'Value' = 'true'
  group by
    arn
)
select
  e.arn as resource,
  case
    when l.arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when l.arn is not null then title || ' send logs to AWS CloudWatch.'
    else title || ' does not send logs to AWS CloudWatch.'
  end as reason,
  region,
  account_id
from
  aws_elastic_beanstalk_environment as e
  left join beanstalk_environment_logs_enabled as l on e.arn = l.arn;
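The named query above checks StreamLogs only. The variant below is an added example, not part of the aws_compliance mod, that also enforces the optional RetentionInDays condition from the description. It assumes a 30-day minimum (a sample value) and that each OptionSettings entry carries the Namespace field returned by the Elastic Beanstalk API.

```sql
-- Added example, not the aws_compliance mod's query.
-- Assumption: 30 is a sample minimum retention; replace it with your own requirement.
with log_options as (
  select
    e.arn,
    -- true if any configuration set streams instance logs (same reading as the named query)
    bool_or(s ->> 'OptionName' = 'StreamLogs' and s ->> 'Value' = 'true') as stream_logs,
    -- lowest numeric retention found; the CASE keeps the cast away from non-numeric values
    min(
      case
        when s ->> 'OptionName' = 'RetentionInDays' and s ->> 'Value' ~ '^[0-9]+$'
          then (s ->> 'Value')::int
      end
    ) as retention_in_days
  from
    aws_elastic_beanstalk_environment as e,
    jsonb_array_elements(e.configuration_settings) as c,
    jsonb_array_elements(c -> 'OptionSettings') as s
  where
    -- excludes the health-streaming namespace, which has its own RetentionInDays option
    s ->> 'Namespace' = 'aws:elasticbeanstalk:cloudwatch:logs'
  group by
    e.arn
)
select
  e.arn as resource,
  case
    when o.stream_logs is not true then 'alarm'
    when o.retention_in_days >= 30 then 'ok'
    else 'alarm'
  end as status,
  case
    when o.stream_logs is not true then e.title || ' does not stream logs to CloudWatch Logs.'
    when o.retention_in_days >= 30 then e.title || ' streams logs with ' || o.retention_in_days || '-day retention.'
    else e.title || ' streams logs but retention is ' || coalesce(o.retention_in_days::text, 'not set') || ' (minimum 30 days).'
  end as reason,
  e.region,
  e.account_id
from
  aws_elastic_beanstalk_environment as e
  left join log_options as o on e.arn = o.arn;
```

Environments with no configuration settings drop out of the CTE and surface as 'alarm' through the left join, matching the behaviour of the named query.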