Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes
AWS Detective Security Best Practices
AWS Preventative Security Best Practices
Detective security controls identify security violations after they have occurred. They can help you detect a potential security threat or incident.
Monitoring is an important part of maintaining the reliability, security, availability, and performance of your Elastic Beanstalk solutions. AWS provides several tools and services to help you monitor your AWS services.
The following are some examples of items to monitor:
- Amazon CloudWatch metrics for Elastic Beanstalk – Set alarms for key Elastic Beanstalk metrics and for your application's custom metrics
- AWS CloudTrail entries – Track actions that might impact availability, like
Preventive security controls attempt to prevent incidents before they occur.
Implement least privilege access
Your application might not require all the permissions in our managed policies. You can customize them and grant only the permissions that are required for your environment's instances, the Elastic Beanstalk service, and your users to perform their tasks. This is particularly relevant to user policies, where different user roles might have different permission needs. Implementing least privilege access is fundamental in reducing security risk and the impact that could result from errors or malicious intent.
Update your platforms regularly
Elastic Beanstalk regularly releases new platform versions to update all of its platforms. New platform versions provide operating system, runtime, application server, and web server updates, and updates to Elastic Beanstalk components. Many of these platform updates include important security fixes. Ensure that your Elastic Beanstalk environments are running on a supported platform version (typically the latest version for your platform)
Enforce IMDSv2 on environment instances
Amazon Elastic Compute Cloud (Amazon EC2) instances in your Elastic Beanstalk environments use the instance metadata service (IMDS), an on-instance component, to securely access instance metadata. IMDS supports two methods for accessing data: IMDSv1 and IMDSv2. IMDSv2 uses session-oriented requests and mitigates several types of vulnerabilities that could be used to try to access the IMDS
IMDSv2 is more secure, so it's a good idea to enforce the use of IMDSv2 on your instances. To enforce IMDSv2, ensure that all components of your application support IMDSv2, and then disable IMDSv1