
Elastic Beanstalk Enhanced Health Reporting

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ElasticBeanstalk-001

Ensure that the Enhanced Health Reporting feature is enabled for all Amazon Elastic Beanstalk (EB) environments provisioned in your AWS account. Enhanced Health Reporting is the AWS Elastic Beanstalk feature that allows the service to gather additional information about the resources available within your EB environments. Once the feature is enabled, the EB service analyzes all the information gathered to provide a better picture of the overall environment health and to help you identify any issues that can cause your web application(s) to become unavailable.

Enhanced Health Reporting describes EB environment health using four colors (Green, Yellow, Red and Grey) and seven health statuses that provide the best indication of the current state of your environment health:

  • OK – no issues
  • Warning – moderate number of request failures
  • Degraded – high number of request failures
  • Severe – a very high number of request failures
  • Info – instance operation in progress
  • Pending – instance operation in progress within command timeout
  • Unknown – insufficient amount of health data received

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Operational excellence

With the Enhanced Health Reporting feature enabled, you have access to advanced monitoring, which is extremely useful for production environments because it is crucial to know whether your web application is available and responding to requests.


Audit

To identify AWS EB environments with Enhanced Health Reporting feature disabled, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Elastic Beanstalk (EB) dashboard at https://console.aws.amazon.com/elasticbeanstalk/.

03 Choose the EB application environment that you want to examine.

04 In the left navigation panel choose Configuration to access the environment settings.

05 Inside Web Tier section, within Health configuration box, check Health reporting attribute status. If the configuration attribute status is set to Basic, the Enhanced Health Reporting feature is not currently enabled for the selected AWS Elastic Beanstalk application environment.

06 Repeat steps no. 3 – 5 to check the health reporting configuration for other Amazon EB environments provisioned in the current region.

07 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run the describe-environments command (OSX/Linux/UNIX) using custom query filters to list the names of the Elastic Beanstalk application environments available in the selected AWS region:

aws elasticbeanstalk describe-environments \
  --region us-east-1 \
  --output table \
  --query 'Environments[*].EnvironmentName'

02 The command output should return a table with the requested EB environment names:

----------------------
|DescribeEnvironments|
+--------------------+
|  CcProduction-env  |
|  CcWebAppV8-env    |
|  CcSandBoxV8-env   |
+--------------------+

03 Run the describe-environments command again (OSX/Linux/UNIX), using the name of the EB application environment that you want to examine as the identifier, to expose the health reporting configuration status set for the selected environment:

aws elasticbeanstalk describe-environments \
  --region us-east-1 \
  --environment-names CcProduction-env \
  --query 'Environments[*].HealthStatus'

04 The command output should return the Enhanced Health Reporting status or an empty array if the feature is not enabled:

[]

If the describe-environments command output returns an empty array, i.e. [] (as shown in the output example above), the Enhanced Health Reporting feature is not currently enabled for the selected Amazon Elastic Beanstalk application environment.

05 Repeat steps no. 3 and 4 to verify the health reporting configuration for other AWS EB environments created in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.
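
The CLI audit steps above, combined into one pass over every environment in each region, as an added example (not part of the original Conformity page). It relies on the page's check that HealthStatus is absent when the feature is disabled, which the AWS CLI prints as None with --output text; the function names audit_region and audit_regions are hypothetical.

```shell
#!/bin/sh
# Added example: report Elastic Beanstalk environments without Enhanced Health Reporting.

# audit_region REGION
# Prints "REGION<TAB>ENVIRONMENT" for each environment with no HealthStatus.
# Exits 2 if the API call fails, so an unreadable region is not reported as clean.
audit_region() (
  region=$1
  tab=$(printf '\t')
  rows=$(aws elasticbeanstalk describe-environments \
    --region "$region" \
    --output text \
    --query 'Environments[*].[EnvironmentName,HealthStatus]') || exit 2
  printf '%s\n' "$rows" | while IFS="$tab" read -r name status; do
    # A missing HealthStatus (null) is rendered as "None" in text output.
    if [ -n "$name" ] && { [ -z "$status" ] || [ "$status" = "None" ]; }; then
      printf '%s\t%s\n' "$region" "$name"
    fi
  done
)

# audit_regions REGION...
# Exit status: 0 = all environments compliant, 1 = findings printed, 2 = API error.
audit_regions() (
  rc=0
  for region in "$@"; do
    found=$(audit_region "$region") || exit 2
    if [ -n "$found" ]; then
      printf '%s\n' "$found"
      rc=1
    fi
  done
  exit "$rc"
)

# Run only when regions are passed on the command line.
if [ "$#" -gt 0 ]; then
  audit_regions "$@"
fi
```

Saved under a name of your choice and run with a list of regions as arguments, the script exits 1 when any environment is reported and 2 when an API call fails, which makes it usable as a scheduled or pipeline check.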

Remediation / Resolution

To enable Enhanced Health Reporting feature for your running Amazon Elastic Beanstalk (EB) application environments, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Elastic Beanstalk (EB) dashboard at https://console.aws.amazon.com/elasticbeanstalk/.

03 Choose the EB resource that you want to reconfigure (see Audit section part I to identify the right application environment).

04 In the left navigation panel choose Configuration to access the environment settings.

05 Inside Web Tier section, within Health configuration box, click the edit configuration button to access the environment health monitoring setting page.

06 On the setting page, within Health Reporting section, select Enhanced from the System type dropdown list to enable Enhanced Health Reporting feature. Click Apply to confirm the changes.

07 Once the configuration is successfully updated, the following message will be displayed: "SystemType: Changing health reporting system type setting replaces all of your current instances.". Click Save to apply the changes.

08 Repeat steps no. 3 – 7 to enable Enhanced Health Reporting for other Amazon EB application environments launched in the current region.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the update-environment command (OSX/Linux/UNIX) using the name of the Elastic Beanstalk environment that you want to reconfigure (see Audit section part II to identify the right EB resource) to enable Enhanced Health Reporting for the selected application environment:

aws elasticbeanstalk update-environment \
  --region us-east-1 \
  --environment-name CcProduction-env \
  --option-settings Namespace=aws:elasticbeanstalk:healthreporting:system,OptionName=SystemType,Value=enhanced

02 The command output should return the update-environment command request metadata:

{
    "ApplicationName": "cc-prod-web-app",
    "EnvironmentName": "CcProduction-env",
    "VersionLabel": "Web Application",
    "Status": "Updating",
    "EnvironmentArn": "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/cc-prod-web-app/CcProduction-env",
    "PlatformArn": "arn:aws:elasticbeanstalk:us-east-1::platform/PHP 7.1 running on 64bit Amazon Linux/2.5.0",
    "SolutionStackName": "64bit Amazon Linux 2017.03 v2.5.0 running PHP 7.1",

    ...

    "AbortableOperationInProgress": true,
    "Tier": {
        "Version": "3",
        "Type": "Standard",
        "Name": "WebServer"
    },
    "Health": "Grey",
    "DateUpdated": "2017-10-22T11:29:31.669Z",
    "DateCreated": "2017-10-22T08:23:52.267Z"
}

03 Repeat steps no. 1 and 2 to enable Enhanced Health Reporting for other AWS Elastic Beanstalk environments available in the current region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 to perform the entire process for other regions.


Publication date Nov 1, 2017