Description:

AWS Elastic Beanstalk is an AWS-managed service for web applications. It is a Platform as a Service (PaaS) as it allows users to directly use a pre-configured server for their application. It is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS. You can simply upload your code and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, auto-scaling to application health monitoring. Managed updates automatically apply updates to your AWS Elastic Beanstalk environment when they are released.

Rationale:

AWS Elastic Beanstalk lets you configure an environment to upgrade automatically to the latest version of its platform during a scheduled maintenance window. Elastic Beanstalk (EB) regularly releases updates for the Linux and Windows Server-based platforms that run applications in an EB environment.

Impact:

Enabling Managed Updates keeps your applications on new platform versions, which bring new platform features, patches, security fixes, and software updates. The updates are applied without taking any EC2 instances out of service.

Default Value:

When you create a new Elastic Beanstalk environment without any additional configuration, Elastic Beanstalk Managed Updates is disabled by default.

Audit:

Step 1: Sign in to the AWS Management Console and go to the Elastic Beanstalk (EB) dashboard at https://console.aws.amazon.com/elasticbeanstalk/.

Step 2: In the Elastic Beanstalk dashboard, click Environments in the left navigation pane.

Step 3: Choose the EB application environment that you want to audit.

Step 4: Click Configuration in the left navigation pane.

Step 5: In the Configuration overview, scroll down to Managed updates.

Via CLI Audit

To list the environments in a region

aws elasticbeanstalk describe-environments \
  --region <region_name> \
  --output table \
  --query 'Environments[*].EnvironmentName'

To get the application name of the selected Elastic Beanstalk environment

aws elasticbeanstalk describe-environments \
  --region <region_name> \
  --environment-names <environment_name> \
  --query 'Environments[*].ApplicationName'

To view the Managed Updates configuration setting for an environment

aws elasticbeanstalk describe-configuration-settings \
  --region <region_name> \
  --environment-name <environment_name> \
  --application-name <application_name> \
  --query 'ConfigurationSettings[*].OptionSettings[?OptionName==`ManagedActionsEnabled`] | []'

Remediation:

Pre-Requisite:

Before the implementation steps, take a backup or snapshot of the instances on which your application runs, and ensure that your application is not running a retired version of any web application.

Implementation Steps:

Step 1: Sign in to the AWS Management Console and go to the Elastic Beanstalk (EB) dashboard at https://console.aws.amazon.com/elasticbeanstalk/.

Step 2: In the Elastic Beanstalk dashboard, click Environments in the left navigation pane.

Step 3: Choose the EB application environment that you want to audit.

Step 4: Click Configuration in the left navigation pane.

Step 5: In the Configuration overview, scroll down to Managed updates and click the Edit button.

Step 6: Select the check box to enable Managed updates, choose the day and time for the weekly update window, and select the update level, either Minor and Patch or Patch only.

Step 7: Click the Apply button.

Via CLI

To update an environment to a new version

aws elasticbeanstalk update-environment \
  --environment-name my-env \
  --version-label v2

To set an environment variable

aws elasticbeanstalk update-environment \
  --environment-name my-env \
  --option-settings Namespace=aws:elasticbeanstalk:application:environment,OptionName=PARAM1,Value=ParamValue

To configure option settings from a file

aws elasticbeanstalk update-environment \
  --environment-name my-env \
  --option-settings file://options.json
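The CLI audit and the options.json remediation above can be tied together as follows. This is an added example, not part of the original benchmark text: it evaluates saved `describe-configuration-settings` output for the managed-updates options and builds an options.json body that enables them. The function names, the sample environment names, and the default window `Sun:02:00` are assumptions made for illustration.

```python
import json

MA = "aws:elasticbeanstalk:managedactions"
PU = "aws:elasticbeanstalk:managedactions:platformupdate"

# Constructed sample of `aws elasticbeanstalk describe-configuration-settings` output.
SAMPLE = json.dumps({"ConfigurationSettings": [
    {"ApplicationName": "demo-app", "EnvironmentName": "demo-env-prod", "OptionSettings": [
        {"Namespace": MA, "OptionName": "ManagedActionsEnabled", "Value": "true"},
        {"Namespace": MA, "OptionName": "PreferredStartTime", "Value": "Sun:02:00"},
        {"Namespace": PU, "OptionName": "UpdateLevel", "Value": "minor"}]},
    {"ApplicationName": "demo-app", "EnvironmentName": "demo-env-dev", "OptionSettings": [
        {"Namespace": MA, "OptionName": "ManagedActionsEnabled", "Value": "false"}]},
]})

def audit(config_json):
    """Return {environment_name: [findings]}; an empty list means compliant."""
    report = {}
    for cfg in json.loads(config_json)["ConfigurationSettings"]:
        opts = {(o.get("Namespace"), o.get("OptionName")): o.get("Value")
                for o in cfg.get("OptionSettings", [])}
        findings = []
        # A missing option is treated like the default value (disabled).
        if str(opts.get((MA, "ManagedActionsEnabled"), "false")).lower() != "true":
            findings.append("ManagedActionsEnabled is not true")
        else:
            if not opts.get((MA, "PreferredStartTime")):
                findings.append("no weekly maintenance window (PreferredStartTime)")
            if opts.get((PU, "UpdateLevel")) not in ("patch", "minor"):
                findings.append("UpdateLevel is not patch or minor")
        report[cfg["EnvironmentName"]] = findings
    return report

def remediation_options(start_time="Sun:02:00", level="minor"):
    """Build the options.json content that enables managed updates."""
    if level not in ("patch", "minor"):
        raise ValueError("level must be 'patch' or 'minor'")
    return [
        {"Namespace": MA, "OptionName": "ManagedActionsEnabled", "Value": "true"},
        {"Namespace": MA, "OptionName": "PreferredStartTime", "Value": start_time},
        {"Namespace": PU, "OptionName": "UpdateLevel", "Value": level},
    ]

if __name__ == "__main__":
    for env, findings in audit(SAMPLE).items():
        print(env, "OK" if not findings else "; ".join(findings))
    print(json.dumps(remediation_options(), indent=2))
```

Write the output of `remediation_options()` to options.json and pass it with `--option-settings file://options.json` as in the last command above.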

Backout Plan:

Follow Implementation steps 1-6, check the Enabled check box in Managed updates, and click the Apply button.

Reference: