Control: Elastic Beanstalk environment should have managed updates enabled
Description
This control checks whether managed platform updates are enabled for an AWS Elastic Beanstalk environment. The rule is COMPLIANT if the value for ManagedActionsEnabled is set to true. The rule is NON_COMPLIANT if the value for ManagedActionsEnabled is set to false, or if a parameter is provided and its value does not match the existing configurations.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.elastic_beanstalk_environment_managed_updates_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.elastic_beanstalk_environment_managed_updates_enabled --share
SQL
This control uses a named query:
-- Environments whose option settings have ManagedActionsEnabled = 'true'
with beanstalk_environment_logs_enabled as (
  select
    distinct e.arn
  from
    aws_elastic_beanstalk_environment as e,
    jsonb_array_elements(e.configuration_settings) as c,
    jsonb_array_elements(c -> 'OptionSettings') as s
  where
    s ->> 'OptionName' = 'ManagedActionsEnabled'
    and s ->> 'Value' = 'true'
  group by
    arn
)
-- Any environment absent from the CTE (option missing or not 'true') is in alarm
select
  e.arn as resource,
  case
    when l.arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when l.arn is not null then title || ' managed actions Enabled.'
    else title || ' managed actions disabled.'
  end as reason,
  region,
  account_id
from
  aws_elastic_beanstalk_environment as e
  left join beanstalk_environment_logs_enabled as l on e.arn = l.arn;
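The same check as an added Python example (not part of the aws_compliance mod), run over constructed records shaped like the configuration_settings column. It goes beyond the named query by also matching on the option namespace and by comparing an optional required update level; reading the description's optional parameter as the UpdateLevel option is an assumption.

```python
"""Added example: evaluate Elastic Beanstalk option settings for managed updates."""

MANAGED_NS = "aws:elasticbeanstalk:managedactions"
PLATFORM_NS = "aws:elasticbeanstalk:managedactions:platformupdate"


def option_value(configuration_settings, namespace, name):
    """Return the first value found for namespace/name, or None if it is absent."""
    for cfg in configuration_settings or []:
        for opt in cfg.get("OptionSettings") or []:
            if opt.get("Namespace") == namespace and opt.get("OptionName") == name:
                return opt.get("Value")
    return None


def evaluate(env, required_update_level=None):
    """Return (status, reason) for one environment record."""
    settings = env.get("configuration_settings")
    enabled = option_value(settings, MANAGED_NS, "ManagedActionsEnabled")
    if enabled != "true":
        # A missing option and an explicit "false" both alarm, like the left join.
        return "alarm", f"{env['title']} managed actions disabled."
    if required_update_level is not None:
        # Assumption: the optional parameter is the platform update level.
        level = option_value(settings, PLATFORM_NS, "UpdateLevel")
        if level != required_update_level:
            return "alarm", (f"{env['title']} update level is {level!r}, "
                             f"expected {required_update_level!r}.")
    return "ok", f"{env['title']} managed actions enabled."


def report(envs, required_update_level=None):
    """Map each environment title to its status."""
    return {e["title"]: evaluate(e, required_update_level)[0] for e in envs}


# Constructed sample records, not real environments.
SAMPLE_ENVS = [
    {"title": "web-prod", "configuration_settings": [{"OptionSettings": [
        {"Namespace": MANAGED_NS, "OptionName": "ManagedActionsEnabled", "Value": "true"},
        {"Namespace": PLATFORM_NS, "OptionName": "UpdateLevel", "Value": "minor"}]}]},
    {"title": "web-dev", "configuration_settings": [{"OptionSettings": [
        {"Namespace": MANAGED_NS, "OptionName": "ManagedActionsEnabled", "Value": "false"}]}]},
    {"title": "legacy", "configuration_settings": None},  # no settings returned
]

if __name__ == "__main__":
    for env in SAMPLE_ENVS:
        print(*evaluate(env, required_update_level="patch"))
```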