Description:
AWS Elastic Beanstalk is an AWS-managed service for web applications. It is a Platform as a Service (PaaS) as it allows users to directly use a pre-configured server for their application. It is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS. You can simply upload your code and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, auto-scaling to application health monitoring. Managed updates automatically apply updates to your AWS Elastic Beanstalk environment when they are released.
Rationale:
AWS Elastic Beanstalk lets you keep your applications up to date. Managed updates let you configure your environment to automatically upgrade to the latest version of a platform during a scheduled maintenance window. Elastic Beanstalk (EB) regularly releases updates for the Linux and Windows Server-based platforms that run applications in an EB environment.
Impact:
Enabling Managed Updates gives your applications new platform features, along with patches, security fixes, and software updates. The updates are applied without taking any EC2 instances out of service.
Default Value:
When you create a new Elastic Beanstalk environment without any configuration, Elastic Beanstalk Managed Updates is disabled by default.
Audit:
Step 1: Sign in to AWS Management Console and go to Elastic Beanstalk (EB) dashboard at https://console.aws.amazon.com/elasticbeanstalk/.
Step 2: In the Elastic Beanstalk dashboard, click Environments in the left navigation pane.
Step 3: Choose the EB application environment that you want to audit.
Step 4: Click Configuration in the left navigation pane.
Step 5: In the Configuration overview, scroll down and go to Managed updates.
Via CLI Audit
To view information about an environment
aws elasticbeanstalk describe-environments \
  --region <region_name> \
  --output table \
  --query 'Environments[*].EnvironmentName'
To filter to the application of the selected Elastic Beanstalk environment
aws elasticbeanstalk describe-environments \
  --region <region_name> \
  --environment-names <environment_name> \
  --query 'Environments[*].ApplicationName'
To view configuration settings for an environment
aws elasticbeanstalk describe-configuration-settings \
  --region <region_name> \
  --environment-name <environment_name> \
  --application-name <application_name> \
  --query 'ConfigurationSettings[*].OptionSettings[?OptionName==`ManagedActionsEnabled`] | []'
Remediation:
Pre-Requisite:
Before the implementation steps, you must take a backup or snapshot of the instances on which your application runs, and ensure that your application is not running a retired version of any web application.
Implementation Steps:
Step 1: Sign in to AWS Management Console and go to Elastic Beanstalk (EB) dashboard at https://console.aws.amazon.com/elasticbeanstalk/.
Step 2: In the Elastic Beanstalk dashboard, click Environments in the left navigation pane.
Step 3: Choose the EB application environment that you want to audit.
Step 4: Click Configuration in the left navigation pane.
Step 5: In the Configuration overview, scroll down to Managed updates and click the Edit button.
Step 6: Select the check box to enable Managed updates, then choose the day and time for the weekly update window and select the update level, either Minor and Patch or Patch only.
Step 7: Click the Apply button.
Via CLI
To update an environment to a new version
aws elasticbeanstalk update-environment \
  --environment-name my-env \
  --version-label v2
To set an environment variable
aws elasticbeanstalk update-environment \
  --environment-name my-env \
  --option-settings Namespace=aws:elasticbeanstalk:application:environment,OptionName=PARAM1,Value=ParamValue
To configure option settings from a file
aws elasticbeanstalk update-environment \
  --environment-name my-env \
  --option-settings file://options.json
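The CLI audit and the options.json remediation above, tied together as an added example (not part of the original page): it evaluates describe-configuration-settings output for the managed-updates options and builds the option settings that enable them. The environment names, the sample data, the default window and the function names are constructed for illustration.

```python
import json

MA_NS = "aws:elasticbeanstalk:managedactions"
PU_NS = "aws:elasticbeanstalk:managedactions:platformupdate"

# Constructed sample, shaped like `describe-configuration-settings` output
# merged for two environments (environment names are made up).
SAMPLE = {"ConfigurationSettings": [
    {"EnvironmentName": "shop-prod", "OptionSettings": [
        {"Namespace": MA_NS, "OptionName": "ManagedActionsEnabled", "Value": "true"},
        {"Namespace": MA_NS, "OptionName": "PreferredStartTime", "Value": "Sun:02:00"},
        {"Namespace": PU_NS, "OptionName": "UpdateLevel", "Value": "minor"}]},
    {"EnvironmentName": "shop-dev", "OptionSettings": [
        {"Namespace": MA_NS, "OptionName": "ManagedActionsEnabled", "Value": "false"},
        {"Namespace": MA_NS, "OptionName": "PreferredStartTime"}]},  # unset: no Value key
]}

def audit(doc):
    """Return {environment: [findings]}; an empty list means compliant."""
    report = {}
    for cfg in doc.get("ConfigurationSettings", []):
        opts = {(o.get("Namespace"), o["OptionName"]): o.get("Value")
                for o in cfg.get("OptionSettings", [])}
        findings = []
        if (opts.get((MA_NS, "ManagedActionsEnabled")) or "").lower() != "true":
            findings.append("ManagedActionsEnabled is not true")
        else:
            # Once enabled, a weekly window and an update level must also be set.
            if not opts.get((MA_NS, "PreferredStartTime")):
                findings.append("no PreferredStartTime (maintenance window)")
            if opts.get((PU_NS, "UpdateLevel")) not in ("minor", "patch"):
                findings.append("UpdateLevel is not minor or patch")
        report[cfg.get("EnvironmentName", "<unknown>")] = findings
    return report

def remediation_options(start="Sun:02:00", level="minor"):
    """Option settings that enable managed updates (start is day:hour:minute, UTC)."""
    return [
        {"Namespace": MA_NS, "OptionName": "ManagedActionsEnabled", "Value": "true"},
        {"Namespace": MA_NS, "OptionName": "PreferredStartTime", "Value": start},
        {"Namespace": PU_NS, "OptionName": "UpdateLevel", "Value": level},
    ]

if __name__ == "__main__":
    for env, findings in audit(SAMPLE).items():
        print(env, "COMPLIANT" if not findings else findings)
    # Save this output as options.json for update-environment --option-settings.
    print(json.dumps(remediation_options(), indent=2))
```

The printed JSON list can be saved as options.json and passed to the update-environment command shown above with --option-settings file://options.json.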
Backout Plan:
Follow Implementation steps 1-6, check the Enabled check box in Managed updates, and click the Apply button.