Profile Applicability:
Level 1
Description:
Elastic Beanstalk is a managed service that simplifies application deployment on AWS. It provides built-in logging features, which can be directed to CloudWatch Logs for easy monitoring and troubleshooting. This SOP ensures that logs generated by the Elastic Beanstalk environment (such as application logs, web server logs, and system logs) are streamed to CloudWatch Logs, providing centralized, real-time monitoring of the application's health and performance.
Rationale:
By streaming logs to CloudWatch, you gain the following benefits:
Centralized Log Management: Logs from your Elastic Beanstalk environment are aggregated in one location for easier access and monitoring.
Real-Time Monitoring: CloudWatch Logs provides real-time log streaming and visibility into your application’s behavior.
Improved Troubleshooting: Streamed logs enable quicker identification of issues, such as errors, performance bottlenecks, and failures.
Compliance: Centralized logging can help meet security and compliance requirements, including auditing access and tracking changes over time.
Impact:
Pros:
Centralized Logging: Easier management and access to logs for debugging, performance monitoring, and compliance auditing.
Enhanced Troubleshooting: Logs can be viewed in real-time, making it easier to identify and resolve issues quickly.
CloudWatch Integration: Logs are directly integrated with CloudWatch metrics, alarms, and dashboards for better monitoring and alerting.
Cons:
Cost: CloudWatch charges based on the volume of logs stored and processed. Therefore, a large volume of logs may increase costs.
Performance Overhead: Streaming logs to CloudWatch may introduce a slight performance overhead on the environment, depending on the frequency of log generation.
Default Value:
By default, Elastic Beanstalk environments do not stream logs to CloudWatch. Logging must be explicitly enabled in the environment configuration.
Pre-requisites:
IAM Permissions:
elasticbeanstalk:DescribeEnvironment
elasticbeanstalk:UpdateEnvironment
logs:CreateLogGroup
logs:CreateLogStream
logs:PutLogEvents
CloudWatch Logs should be set up and available in the region.
Elastic Beanstalk Environment created and running.
Remediation:
Test plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Elastic Beanstalk under Services.
Select the Elastic Beanstalk environment for which you want to enable CloudWatch logging.
In the Elastic Beanstalk Console, select Configuration in the left-hand menu.
Under the Software section, select Edit.
Scroll down to the Log options section.
Enable CloudWatch Logs by selecting Stream logs to CloudWatch.
Select the CloudWatch Log Group (or create a new one if necessary).
Save the configuration and redeploy the environment if needed.
Using AWS CLI:
To check the current log streaming status, run:
aws elasticbeanstalk describe-configuration-settings --application-name <application-name> --environment-name <environment-name> --query "ConfigurationSettings[0].OptionSettings[?Namespace=='aws:elasticbeanstalk:cloudwatch:logs']"
To enable log streaming to CloudWatch, run:
aws elasticbeanstalk update-environment --environment-name <environment-name> --option-settings Namespace=aws:elasticbeanstalk:cloudwatch:logs,OptionName=StreamLogs,Value=true
To verify the log stream is working, check CloudWatch logs:
aws logs describe-log-groups --log-group-name-prefix "/aws/elasticbeanstalk"
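The status check above can be automated by parsing the JSON that aws elasticbeanstalk describe-configuration-settings returns. The following is an added example, not part of the original SOP: the function names, the constructed sample data and the 30-day retention minimum are assumptions, while StreamLogs, DeleteOnTerminate and RetentionInDays are the Elastic Beanstalk options in the aws:elasticbeanstalk:cloudwatch:logs namespace.

```python
LOGS_NS = "aws:elasticbeanstalk:cloudwatch:logs"


def sample(stream, delete_on_terminate, retention):
    """Constructed stand-in for describe-configuration-settings output."""
    values = {"StreamLogs": stream, "DeleteOnTerminate": delete_on_terminate,
              "RetentionInDays": retention}
    return {"ConfigurationSettings": [{
        "EnvironmentName": "example-env",  # constructed name
        "OptionSettings": [
            {"Namespace": LOGS_NS, "OptionName": k, "Value": v}
            for k, v in values.items()
        ] + [{"Namespace": "aws:elasticbeanstalk:environment",
              "OptionName": "EnvironmentType", "Value": "LoadBalanced"}],
    }]}


def log_options(doc):
    """Collect {OptionName: Value} from the CloudWatch logs namespace only."""
    found = {}
    for cfg in doc.get("ConfigurationSettings", []):
        for opt in cfg.get("OptionSettings", []):
            if opt.get("Namespace") == LOGS_NS:
                found[opt.get("OptionName")] = opt.get("Value")
    return found


def audit(doc, min_retention_days=30):
    """Return a list of findings; an empty list means the check passes."""
    opts = log_options(doc)
    findings = []
    # A missing or valueless option counts as disabled (the default state).
    if str(opts.get("StreamLogs")).lower() != "true":
        findings.append("StreamLogs is not enabled")
    if str(opts.get("DeleteOnTerminate")).lower() == "true":
        findings.append("DeleteOnTerminate removes logs with the environment")
    try:
        retention = int(opts.get("RetentionInDays"))
    except (TypeError, ValueError):
        retention = None
    if retention is None or retention < min_retention_days:
        findings.append(f"RetentionInDays={retention} is below {min_retention_days}")
    return findings


if __name__ == "__main__":
    print(audit(sample("false", "false", "7")))   # default-like settings
    print(audit(sample("true", "false", "90")))   # hardened settings
```

To run it against a live environment, save the CLI output with --output json and pass the result of json.load() to audit().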
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to Elastic Beanstalk.
In the Elastic Beanstalk Console, select the environment you want to configure.
Select Configuration from the left-hand menu.
Under Software, click Edit.
Scroll down to Log options, check the Stream logs to CloudWatch option, and select the appropriate CloudWatch Log Group.
Save the changes and redeploy the environment if necessary.
Using AWS CLI:
To enable log streaming to CloudWatch, run the following command:
aws elasticbeanstalk update-environment --environment-name <environment-name> --option-settings Namespace=aws:elasticbeanstalk:cloudwatch:logs,OptionName=StreamLogs,Value=true
After enabling log streaming, verify that the logs are streaming by checking CloudWatch logs:
aws logs describe-log-groups --log-group-name-prefix "/aws/elasticbeanstalk"
Backout Plan:
Using AWS Console:
If enabling CloudWatch logging causes any issues (e.g., performance degradation or excessive log storage costs), navigate back to the Log options section.
Uncheck Stream logs to CloudWatch to disable the log streaming.
Save changes and redeploy the environment if necessary.
Using AWS CLI:
To disable log streaming to CloudWatch, run:
aws elasticbeanstalk update-environment --environment-name <environment-name> --option-settings Namespace=aws:elasticbeanstalk:cloudwatch:logs,OptionName=StreamLogs,Value=false
Verify that the log streaming has been disabled by checking CloudWatch logs:
aws logs describe-log-groups --log-group-name-prefix "/aws/elasticbeanstalk"
Note:
Log Retention: Make sure to set appropriate log retention settings in CloudWatch to avoid storing logs indefinitely. You can configure retention policies based on your needs.
CloudWatch Alarms: You may want to create CloudWatch Alarms to notify you if specific error thresholds are exceeded based on the streamed logs.