AWS ElasticBeanstalk
Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes.
AWS Detective Security Best Practices
AWS Preventative Security Best Practices
Detective security controls identify security violations after they have occurred. They can help you detect a potential security threat or incident.
Implement monitoring
Monitoring is an important part of maintaining the reliability, security, availability, and performance of your Elastic Beanstalk solutions. AWS provides several tools and services to help you monitor your AWS services.
The following are some examples of items to monitor:
- Amazon CloudWatch metrics for Elastic Beanstalk – Set alarms for key Elastic Beanstalk metrics and for your application's custom metrics
- AWS CloudTrail entries – Track actions that might impact availability, like UpdateEnvironment or TerminateEnvironment
Preventive security controls attempt to prevent incidents before they occur.
Implement least privilege access
Elastic Beanstalk provides AWS Identity and Access Management (IAM) managed policies for instance profiles, service roles, and IAM users. These managed policies specify all permissions that might be necessary for the correct operation of your environment and application.
Your application might not require all the permissions in our managed policies. You can customize them and grant only the permissions that are required for your environment's instances, the Elastic Beanstalk service, and your users to perform their tasks. This is particularly relevant to user policies, where different user roles might have different permission needs. Implementing least privilege access is fundamental in reducing security risk and the impact that could result from errors or malicious intent.
Update your platforms regularly
Elastic Beanstalk regularly releases new platform versions to update all of its platforms. New platform versions provide operating system, runtime, application server, and web server updates, and updates to Elastic Beanstalk components. Many of these platform updates include important security fixes. Ensure that your Elastic Beanstalk environments are running on a supported platform version (typically the latest version for your platform).
The easiest way to keep your environment's platform up to date is to configure the environment to use managed platform updates.
Enforce IMDSv2 on environment instances
Amazon Elastic Compute Cloud (Amazon EC2) instances in your Elastic Beanstalk environments use the instance metadata service (IMDS), an on-instance component, to securely access instance metadata. IMDS supports two methods for accessing data: IMDSv1 and IMDSv2. IMDSv2 uses session-oriented requests and mitigates several types of vulnerabilities that could be used to try to access the IMDS.
IMDSv2 is more secure, so it's a good idea to enforce the use of IMDSv2 on your instances. To enforce IMDSv2, ensure that all components of your application support IMDSv2, and then disable IMDSv1.
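To verify the two preventive controls above (managed platform updates and IMDSv2 enforcement) against an environment's configuration, the following is an added audit example; it is not part of the original page or of AWS's own tooling. It assumes the option-settings shape that DescribeConfigurationSettings returns (items with Namespace, OptionName and Value) and the documented option names ManagedActionsEnabled in aws:elasticbeanstalk:managedactions and DisableIMDSv1 in aws:autoscaling:launchconfiguration; the sample settings are constructed.

```python
"""Audit Elastic Beanstalk option settings for two preventive controls:
managed platform updates enabled and IMDSv1 disabled (IMDSv2 enforced).
Input is the OptionSettings list as DescribeConfigurationSettings returns it."""

# (namespace, option name, value that satisfies the control) per control.
REQUIRED_SETTINGS = {
    "managed_updates": ("aws:elasticbeanstalk:managedactions", "ManagedActionsEnabled", "true"),
    "imdsv1_disabled": ("aws:autoscaling:launchconfiguration", "DisableIMDSv1", "true"),
}

# Constructed sample, not a real environment: managed updates are on,
# but IMDSv1 is still explicitly allowed on the launch configuration.
SAMPLE_OPTION_SETTINGS = [
    {"ResourceName": "AWSEBAutoScalingGroup", "Namespace": "aws:autoscaling:asg",
     "OptionName": "MaxSize", "Value": "4"},
    {"Namespace": "aws:elasticbeanstalk:managedactions",
     "OptionName": "ManagedActionsEnabled", "Value": "true"},
    {"ResourceName": "AWSEBAutoScalingLaunchConfiguration",
     "Namespace": "aws:autoscaling:launchconfiguration",
     "OptionName": "DisableIMDSv1", "Value": "false"},
]


def lookup_option(option_settings, namespace, option_name):
    """Return the Value set for namespace/option_name, or None when unset."""
    for item in option_settings:
        if item.get("Namespace") == namespace and item.get("OptionName") == option_name:
            return item.get("Value")
    return None


def audit_environment(option_settings):
    """Return {control: (compliant, observed_value)} for every required setting.
    A missing option is non-compliant: the audit never assumes a default is safe."""
    results = {}
    for control, (namespace, option_name, expected) in REQUIRED_SETTINGS.items():
        observed = lookup_option(option_settings, namespace, option_name)
        results[control] = (observed is not None and observed.lower() == expected, observed)
    return results


def findings(option_settings):
    """One human-readable finding per non-compliant control, ready for a report."""
    out = []
    for control, (compliant, observed) in audit_environment(option_settings).items():
        if not compliant:
            namespace, option_name, expected = REQUIRED_SETTINGS[control]
            shown = "unset" if observed is None else f"'{observed}'"
            out.append(f"{control}: {namespace}/{option_name} is {shown}, expected '{expected}'")
    return out
```

In practice the option list comes from the DescribeConfigurationSettings call for each environment; passing that list to findings() yields the report lines.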
Design Guidance:
- Application Name
- Application Name
- Application Name
- Option Settings-Namespace
- Option Settings-Option Name
- Option Settings-Resource Name
- Platform Arn
- Source Configuration-Application Name
- Application Name
- Environment Name
- Option Settings-Namespace
- Option Settings-Resource Name
- Platform Arn
- Solution Stack Name
- Tags
- Template Name