Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Elastic Beanstalk Environment Notifications

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

You can configure your Amazon Elastic Beanstalk environment to use Amazon Simple Notification Service (SNS) to notify you of important events that affect your web application. You can configure an email address to receive emails from Amazon Elastic Beanstalk when an error occurs, or when your application environment's health changes.

Security
Reliability

Monitoring is an essential part of maintaining the availability, reliability, and performance of your Amazon Elastic Beanstalk applications. When a notable event occurs within your application environment, Elastic Beanstalk sends a message to the configured email address via Amazon SNS to keep you up-to-date on everything that's going on within your environment. Notable events include environment creation errors, environment changes, and instance health events.


Audit

To determine if alert notifications are enabled for your Amazon Elastic Beanstalk environments, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Elastic Beanstalk console at https://console.aws.amazon.com/elasticbeanstalk/.

03 In the navigation panel, under Elastic Beanstalk, choose Environments.

04 Click on the name of the Elastic Beanstalk environment that you want to examine, available in the Environment name column.

05 In the left navigation panel, under the name of the environment, choose Configuration.

06 On the selected environment configuration page, in the Notifications section, check the Email configuration attribute value. If the Email attribute does not have a value, the selected Amazon Elastic Beanstalk environment is not configured to send email notifications for important events.

07 Repeat steps no. 4 – 6 to verify the email notifications configuration for other Amazon Elastic Beanstalk environments available within the current AWS cloud region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-applications command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon Elastic Beanstalk applications deployed in the selected AWS cloud region:

aws elasticbeanstalk describe-applications
  --region us-east-1
  --query 'Applications[*].ApplicationName'

02 The command output should return an array with the requested application name(s):

[
  "cc-project5-web-application",
  "cc-nodejs-main-application"
]

03 Run describe-environments command (OSX/Linux/UNIX) using the name of the Elastic Beanstalk application that you want to examine as the identifier parameter and custom query filters to describe the name of the Amazon Elastic Beanstalk environment created for the selected application:

aws elasticbeanstalk describe-environments
  --region us-east-1
  --application-name cc-project5-web-application
  --no-include-deleted
  --query 'Environments[*].EnvironmentName'

04 The command output should return the name of the requested environment:

[
  "cc-project5-web-environment"
]

05 Run describe-configuration-settings command (OSX/Linux/UNIX) to describe the notification endpoint (i.e. email address) configured to receive notifications from the selected Amazon Elastic Beanstalk environment:

aws elasticbeanstalk describe-configuration-settings
  --region us-east-1
  --environment-name cc-project5-web-environment
  --application-name cc-project5-web-application
  --query 'ConfigurationSettings[*].OptionSettings[?(OptionName==`Notification Endpoint`)].Value | []'

06 The command output should return the requested notification endpoint:

[]

If the describe-configuration-settings command output returns an empty array (i.e. []), as shown in the output example above, there is no Amazon SNS topic associated with the application environment, therefore the selected Amazon Elastic Beanstalk environment is not configured to send email notifications for important events.

07 Repeat steps no. 5 and 6 to check the email notifications configuration for other Amazon Elastic Beanstalk environments created for the selected application.

08 Repeat steps no. 3 – 7 for each Amazon Elastic Beanstalk application deployed in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the entire audit process for other regions.

Remediation / Resolution

To enable email notifications for your existing Amazon Elastic Beanstalk environments, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Elastic Beanstalk console at https://console.aws.amazon.com/elasticbeanstalk/.

03 In the navigation panel, under Elastic Beanstalk, choose Environments.

04 Click on the name of the Elastic Beanstalk environment that you want to reconfigure, available in the Environment name column.

05 In the left navigation panel, under the name of your environment, choose Configuration.

06 In the Notifications section, choose Edit to modify the configuration of the environment notifications feature.

07 Inside the Email notifications section, enter an email address in the Email box, to receive email notifications for important events from your application environment. Choose Apply to save the configuration changes. When you enter an email address for notifications, Elastic Beanstalk creates an Amazon SNS topic for your environment and adds a subscription. Amazon SNS sends an email to the subscribed address to confirm the subscription. To complete the setup process, you must click the link in the confirmation email to activate the subscription and receive notifications. Once the changes are successfully implemented, the Amazon Elastic Beanstalk environment status should change to "Environment update completed successfully.".

08 Repeat steps no. 4 – 7 to enable email notifications for other Elastic Beanstalk environments available within the current AWS cloud region.

09 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run update-environment command (OSX/Linux/UNIX) using the name of the Amazon Elastic Beanstalk environment that you want to update as the identifier parameter, to enable email notifications for the selected Amazon Elastic Beanstalk application environment. When you configure an email address for notifications, Elastic Beanstalk service creates an Amazon SNS topic for your environment and adds a subscription. Amazon SNS sends an email to the subscribed address to confirm the subscription. To complete the setup process, you must click the link in the confirmation email to activate the subscription and receive notifications:

aws elasticbeanstalk update-environment
  --region us-east-1
  --environment-name cc-project5-web-environment
  --application-name cc-project5-web-application
  --option-settings Namespace="aws:elasticbeanstalk:sns:topics",OptionName="Notification Endpoint",Value="alerts@cloudconformity.com"

02 The command output should return the metadata available for the modified application environment:

{
  "ApplicationName": "cc-project5-web-application",
  "EnvironmentName": "cc-project5-web-environment",
  "VersionLabel": "Project5 Web Application",
  "Status": "Updating",
  "EnvironmentArn":
  "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/cc-project5-web-application/cc-project5-web-environment",
  "PlatformArn": "arn:aws:elasticbeanstalk:us-east-1::platform/PHP 7.4 running on 64bit Amazon Linux 2/3.1.4",
  "EndpointURL": "awseb-AWSEB-ABCDABCDABCD-12345678.us-east-1.elb.amazonaws.com",
  "SolutionStackName": "64bit Amazon Linux 2 v3.1.4 running PHP 7.4",
  "EnvironmentId": "e-abcdabcdab",
  "CNAME": "cc-project5-web-environment.eba-abcdabcd.us-east-1.elasticbeanstalk.com",
  "AbortableOperationInProgress": true,
  "Tier": {
    "Version": "1.0",
    "Type": "Standard",
    "Name": "WebServer"
  },
  "Health": "Grey",
  "DateUpdated": "2021-01-25T10:00:00.000Z",
  "DateCreated": "2021-01-25T10:00:00.000Z"
}

03 Repeat steps no. 1 and 2 to enable email notifications for other Amazon Elastic Beanstalk environments deployed in the selected AWS cloud region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the entire remediation process for other regions.

References

Publication date Feb 6, 2021