AWS Elastic Beanstalk Application In VPC

Risk Level: Low (generally tolerable level of risk)

Ensure that your Amazon Elastic Beanstalk (EB) applications are deployed using EC2-VPC platform instead of EC2-Classic platform and are running within a VPC, for better flexibility and control over security, better traffic routing and availability.

Security

When an AWS Elastic Beanstalk application is launched without specifying a VPC in the Network setting, it is launched as a part of EC2 Classic in old accounts supporting EC2-Classic platform. The accounts that support EC2 Classic are old AWS accounts created before 2013.12.04. Launching and running AWS Elastic Beanstalk applications in VPCs, using EC2-VPC instead of EC2-Classic can have multiple advantages such as better network infrastructure (network isolation, private subnets and private IP addresses), more flexibility and control for access security (network ACLs and security group outbound/egress traffic filtering), access to newer and powerful EC2 instance types (C4/C5/C5d, M4/M5/M5d, R4, H1, etc) and the capability to run Elastic Beanstalk environment instances on single-tenant hardware.

Audit

To determine if your Amazon Elastic Beanstalk applications are running within a VPC, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Elastic Beanstalk (EB) dashboard at https://console.aws.amazon.com/elasticbeanstalk/.

03 Click on the AWS EB application environment that you want to examine.

04 In the left navigation panel choose Configuration to access the environment settings.

05 Inside Configuration overview section, within Network box, check the network configuration available for the selected EB application. If there are no network configuration details listed in the Network box and the following message is displayed: "This environment is not part of a VPC.", the selected Amazon Elastic Beanstalk application is not running within a Virtual Private Cloud (VPC) and may run instead on the EC2-Classic platform (if your AWS account was created before 2013.12.04).

06 Repeat steps no. 3 – 5 to check the network configuration for other Amazon EB applications provisioned in the current region.

07 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run describe-environments command (OSX/Linux/UNIX) using custom query filters to list the names of the Elastic Beanstalk application environments available in the selected AWS region:

aws elasticbeanstalk describe-environments
	--region us-east-1
	--output table
	--query 'Environments[*].EnvironmentName'

02 The command output should return a table with the requested EB resource names:

----------------------
|DescribeEnvironments|
+--------------------+
| cc-webdev-app-env  |
| cc-production-env  |
+--------------------+

03 Execute again describe-environments command (OSX/Linux/UNIX) using custom query filters to list the name of the selected Elastic Beanstalk environment application:

aws elasticbeanstalk describe-environments
	--region us-east-1
	--environment-names cc-webdev-app-env
	--query 'Environments[*].ApplicationName'

04 The command output should return the name of the requested Elastic Beanstalk application:

[
    "cc-webdev-app"
]

05 Run describe-configuration-settings command (OSX/Linux/UNIX) using the name of the EB environment plus the name of the application as identifiers and custom query filters to describe the network configuration for the selected Elastic Beanstalk resource:

aws elasticbeanstalk describe-configuration-settings
	--region us-east-1
	--environment-name cc-webdev-app-env
	--application-name cc-webdev-app
	--query 'ConfigurationSettings[*].OptionSettings[?OptionName==`VPCId`].Value | []'

06 The command output should return the requested network configuration details, or an empty array if a VPC network configuration cannot be found:

[]

If the describe-configuration-settings command output returns an empty array (i.e. []), as shown in the output example above, the selected Amazon Elastic Beanstalk application is not running within a Virtual Private Cloud (VPC) and there is a chance that it may run instead on the EC2-Classic platform.

07 Repeat steps no. 3 – 6 to verify the network configuration for other AWS Elastic Beanstalk applications deployed in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the audit process for other regions.

Remediation / Resolution

To migrate your AWS Elastic Beanstalk application to a Virtual Private Cloud, you must re-create the application environment within a VPC. To launch your new Elastic Beanstalk environment, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Elastic Beanstalk (EB) dashboard at https://console.aws.amazon.com/elasticbeanstalk/.

03 Choose the AWS EB application environment that you want to recreate (see Audit section part I to identify the right EB resource).

04 Click on the Actions drop down list from the dashboard top menu and select Save Configuration option.

05 On Save Configuration page, provide a unique name and a description for the selected environment configuration, then click Save to save it.

06 On Saved Configurations page, select the newly created configuration file, then click Launch environment to start the setup process using the existing configuration.

07 On Select environment tier page, choose the appropriate tier to deploy your new environment, then click Select.

08 On Create a web server environment page, perform the following actions:

Within Environment information section, provide the name and the domain name for your new Elastic Beanstalk environment.
Inside Base configuration section, choose the source of your Elastic Beanstalk application code from the Application code setting.
Click Configure more options button to access the page with the application environment settings.

09 On Configure <environment_name> page, perform the following:

Choose the Network box and click on the Modify button.
On Modify network page, select the VPC to deploy your new EB application environment from the VPC dropdown list and choose the subnet(s) for the instances that run your Elastic Beanstalk application from the Instance subnets section. If required, select Public IP address option to assign a public IP address to each EC2 instances in your environment. Once the network configuration is set, click Save to apply it to the main configuration.
To add the necessary database to your EB application environment, choose the Database box and click on the Modify button.
On Modify database page, within Restore a snapshot section, choose the necessary snapshot from the Snapshot dropdown list to restore an existing database snapshot. Within Database settings section, make sure that the access details (username and password) are set for the selected database. Click Save to apply the changes to the main configuration.
Once the configuration is ready, click Create environment button to launch your new Elastic Beanstalk application to the selected AWS Virtual Private Cloud. The deployment should take a few minutes.
As soon as the new application environment is deployed, you can sync the data between the two Elastic Beanstalk environments and make use of Swap Environment URLs feature. Swapping the environment URL will modify the DNS configuration, which may also take a few minutes to update. Your application will continue to run while the changes are propagated.

10 Repeat steps no. 3 – 9 to re-create and deploy other Amazon Elastic Beanstalk application environments to a VPC, available in the current region.

11 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 First, run describe-application-versions command (OSX/Linux/UNIX) using the name of the existing Elastic Beanstalk application to ensure that the necessary application version exists (see Audit section part II to identify the application name):

aws elasticbeanstalk describe-application-versions
	--region us-east-1
	--application-name cc-webdev-app
	--version-label "1.1"

02 The command output should return the metadata for the requested EB application version:

{
    "ApplicationVersions": [
        {
            "ApplicationName": "cc-webdev-app",
            "VersionLabel": "1.1",
            "DateCreated": "2013-07-15T09:32:10.540Z",
 
            ...
 
            "SourceBundle": {
                "S3Bucket": "elasticbeanstalk-us-east-1",
                "S3Key": "GenericSampleApplication"
            }
        }
    ]
}

03 Run create-configuration-template command (OSX/Linux/UNIX) using the name of the AWS EB application checked at the previous step as parameter to create the configuration template for the new Elastic Beanstalk application environment:

aws elasticbeanstalk create-configuration-template
	--region us-east-1
	--application-name cc-webdev-app
	--template-name cc-new-config-template
	--solution-stack-name "64bit Amazon Linux 2018.03 v2.7.1 running PHP 7.1"

04 The command output should return the new configuration template metadata:

{
    "ApplicationName": "cc-webdev-app",
    "PlatformArn": "arn:aws:elasticbeanstalk:us-east-1::platform/PHP 7.1 running on 64bit Amazon Linux/2.7.1",
    "TemplateName": "cc-new-config-template",
    "DateCreated": "2018-07-20T15:03:08Z",
    "DateUpdated": "2018-07-20T15:03:08Z",
    "SolutionStackName": "64bit Amazon Linux 2018.03 v2.7.1 running PHP 7.1"
}

05 Execute create-environment command (OSX/Linux/UNIX) to launch a new Elastic Beanstalk application environment for the existing application using the specified configuration. The configuration includes the details for the Virtual Private Cloud (VPC) that will host the new application environment:

aws elasticbeanstalk create-environment
	--region us-east-1
	--application-name cc-webdev-app
	--template-name cc-new-config-template
	--version-label "1.1"
	--environment-name cc-new-webdev-app
	--option-settings ResourceName="AWSEBSecurityGroup",Namespace="aws:ec2:vpc",OptionName="VPCId",Value="vpc-12345678" ResourceName="AWSEBSecurityGroup",Namespace="aws:ec2:vpc",OptionName="Subnets",Value="subnet-abcd1234 subnet-1234abcd"

06 The command output should return the metadata for the new Amazon Elastic Beanstalk application environment:

{
    "ApplicationName": "cc-webdev-app",
    "EnvironmentName": "cc-new-webdev-app",
    "VersionLabel": "1.1",
    "Status": "Launching",
    "EnvironmentArn": "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/cc-webdev-app/cc-new-webdev-app",
    "PlatformArn": "arn:aws:elasticbeanstalk:us-east-1::platform/PHP 7.1 running on 64bit Amazon Linux/2.7.1",
    "SolutionStackName": "64bit Amazon Linux 2018.03 v2.7.1 running PHP 7.1",
    "EnvironmentId": "e-aabbccddeeff",
    "Health": "Grey",
    "Tier": {
        "Version": "1.0",
        "Type": "Standard",
        "Name": "WebServer"
    },
    "DateUpdated": "2018-07-20T16:03:48.132Z",
    "DateCreated": "2018-07-20T16:03:48.132Z"
}

07 Repeat steps no. 1 – 6 to re-create and deploy other Amazon Elastic Beanstalk application environments to a Virtual Private Cloud, available in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the remediation process for other regions.

References

AWS Command Line Interface (CLI) Documentation
Creating Elastic Beanstalk Environments with the AWS CLI
elasticbeanstalk
describe-environments
describe-configuration-settings
describe-application-versions
create-configuration-template
create-environment

Publication date Jul 25, 2018

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related ElasticBeanstalk rules