AWS Config Rule: Elastic Beanstalk Logs to CloudWatch

Description: Checks if AWS Elastic Beanstalk environments are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the value of `StreamLogs` is false.

Trigger type: Configuration changes

AWS Region: All supported AWS regions except Middle East (Bahrain), China (Beijing), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Israel (Tel Aviv), Europe (Spain), China (Ningxia), Europe (Zurich) Region

In order to enable log streaming for your AWS Elastic Beanstalk running environment, you will need to first head on over to the Elastic Beanstalk console and ensure your region is selected correctly.

In the list of environments, choose the name of the non-compliant environment you want to remediate. From here, choose Configuration from left hand side menu.

Here, you are able to edit the section entitled "Updates, monitoring, and logging".

Locate the Instance log streaming to CloudWatch logs section, then tick the Activated checkbox to enable streaming and set retention to 14 or higher. This value is the minimum recommended by the best practices.

Check the following screenshot for further reference:

Remember to save the changes by clicking Apply at the bottom of the page.

StackZone can remediate this AWS Config Rule for you by allowing StackZone to automatically enable and send ElasticBeanstak logs to CloudWatch.

To enable this remediation, head on over to Provisioning > Baseline Services > AWS Config Rules Regional > PCI-DSS and enable Elastic Beanstalk Logs to CloudWatch Remediation

Note: this AWS-managed remediation is released as experimental because it was found not to work in certain conditions.

Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here