Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Elastic Beanstalk Managed Platform Updates

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ElasticBeanstalk-002

Ensure that all your Amazon Elastic Beanstalk (EB) application environments have platform updates enabled in order to receive bug fixes, software updates and new features. Managed platform updates perform immutable environment updates. These automatic updates promote your Elastic Beanstalk environment to a new platform version. Immutable updates update your application environment without taking any EC2 instances out of service or modifying your environment. In an immutable platform update, the EB service deploys as many instances as are currently running with the new platform version. The new EC2 instances begin to take requests alongside those running the old version and if the new set of instances passes all health checks, AWS EB shuts down (terminates) the old set of instances, leaving only the instances with the new configuration.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Operational
excellence

It is crucial to keep your Elastic Beanstalk (EB) application environments up to date. AWS EB regularly releases updates for Linux and Windows Server based platforms that run applications on an EB environment. These updates contain patches, security fixes, software updates that improve usability and/or performance and new platform features.

Note: The AWS EB managed platform updates are not currently available for .NET applications on Windows Server platform.

Audit

To identify Elastic Beanstalk environments that don’t receive automatic (managed) platform updates, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Elastic Beanstalk (EB) dashboard at https://console.aws.amazon.com/elasticbeanstalk/.

03 Choose the EB application environment that you want to examine.

04 In the left navigation panel choose Configuration to access the environment settings.

05 Inside Web Tier section, within Managed Updates configuration box, check Managed Updates attribute status. If the configuration attribute status is set to disabled, the selected Amazon Elastic Beanstalk application environment does not receive automatic platform updates (i.e. bug fixes, software updates, new features, etc).

06 Repeat steps no. 3 – 5 to check the managed updates configuration for other Amazon EB environments provisioned in the current region.

07 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run describe-environments command (OSX/Linux/UNIX) using custom query filters to list the names of the Elastic Beanstalk application environments available in the selected AWS region: 

aws elasticbeanstalk describe-environments
  --region us-east-1
  --output table
  --query 'Environments[*].EnvironmentName'

02 The command output should return a table with the requested EB environment names: 

----------------------
|DescribeEnvironments|
+--------------------+
|  CcWebAppEB-env    |
|  CcSandBoxEB-env   |
+--------------------+

03 Execute again describe-environments command (OSX/Linux/UNIX) using custom query filters to list the name of the selected Elastic Beanstalk environment application: 

aws elasticbeanstalk describe-environments
  --region us-east-1
  --environment-names CcWebAppEB-env
  --query 'Environments[*].ApplicationName'

04 The command output should return the requested EB application name: 

[
    "cc-web-app"
]

05 Run describe-configuration-settings command (OSX/Linux/UNIX) using the name of the EB environment and the name of the application as identifiers and custom query filters to expose the managed platform updates configuration set: 

aws elasticbeanstalk describe-configuration-settings
  --region us-east-1
  --environment-name CcWebAppEB-env
  --application-name cc-web-app
  --query 'ConfigurationSettings[*].OptionSettings[?OptionName==`ManagedActionsEnabled`] | []'

06 The command output should return the requested EB automatic platform updates configuration set: 

[
    {
        "OptionName": "ManagedActionsEnabled",
        "Namespace": "aws:elasticbeanstalk:managedactions",
        "Value": "false"
    }
]

If the Value attribute value set for the ManagedActionsEnabled option name is false, (as shown in the output example above), the selected AWS Elastic Beanstalk application environment does not receive any automatic platform updates.

07 Repeat step no. 5 and 6 to verify the automatic updates configuration for other Amazon EB application environments available in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the entire audit process for other regions.

Remediation / Resolution

To enable managed platform updates for your existing Amazon Elastic Beanstalk (EB) application environments, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Elastic Beanstalk (EB) dashboard at https://console.aws.amazon.com/elasticbeanstalk/.

03 Choose the EB resource that you want to reconfigure (see Audit section part I to identify the right application environment).

04 In the left navigation panel choose Configuration to access the environment settings.

05 Inside Web Tier section, within Managed Updates configuration box, click the edit configuration button to access the environment platform updates setting page.

06 On the Managed Platform Updates page, perform the following:

  1. Select Enable managed updates checkbox to enable automatic updates.
  2. Choose a preferred maintenance window for running updates from Window start configuration section.
  3. Choose an update level from the Update level dropdown list.
  4. And select Instance replacement checkbox if you want to enable weekly instance replacement.
  5. Click Apply to confirm the changes and enable managed platform updates for the selected Elastic Beanstalk application environment.

07 Repeat steps no. 3 – 6 to enable automatic (managed) platform updates for other Amazon EB application environments launched in the current region.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run update-environment command (OSX/Linux/UNIX) using the name of the Elastic Beanstalk environment that you want to reconfigure (see Audit section part II to identify the right EB environment) to enable managed platform updates for the selected application environment: 

aws elasticbeanstalk update-environment
  --region us-east-1
  --environment-name CcWebAppEB-env
  --option-settings Namespace=aws:elasticbeanstalk:managedactions,OptionName=ManagedActionsEnabled,Value=true

02 The command output should return the update-environment command request metadata: 

{
    "ApplicationName": "cc-web-app",
    "EnvironmentName": "CcWebAppEB-env",
    "VersionLabel": "Web Application",
    "Status": "Updating",
    "EnvironmentArn": "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/cc-web-app/CcWebAppEB-env",
    "PlatformArn": "arn:aws:elasticbeanstalk:us-east-1::platform/PHP 7.1 running on 64bit Amazon Linux/2.5.0",
    "SolutionStackName": "64bit Amazon Linux 2017.03 v2.5.0 running PHP 7.1",

    ...

    "AbortableOperationInProgress": true,
    "Tier": {
        "Version": "2.1",
        "Type": "Standard",
        "Name": "WebServer"
    },
    "Health": "Grey",
    "DateUpdated": "2017-10-24T10:26:35.669Z",
    "DateCreated": "2017-10-24T09:22:59.267Z"
}

03 Repeat step no. 1 and 2 to enable automatic platform updates for other AWS Elastic Beanstalk environments available in the current region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 to perform the process for other regions.

References

Publication date Oct 25, 2017

Related ElasticBeanstalk rules