AWS ElasticBeanstalk

Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes.
AWS Detective Security Best Practices

Detective security controls identify security violations after they have occurred. They can help you detect a potential security threat or incident.
Implement monitoring
Monitoring is an important part of maintaining the reliability, security, availability, and performance of your Elastic Beanstalk solutions. AWS provides several tools and services to help you monitor your AWS services.
The following are some examples of items to monitor:
  • Amazon CloudWatch metrics for Elastic Beanstalk – Set alarms for key Elastic Beanstalk metrics and for your application's custom metrics
  • AWS CloudTrail entries – Track actions that might impact availability, like UpdateEnvironment or TerminateEnvironment

AWS Preventative Security Best Practices

Preventive security controls attempt to prevent incidents before they occur.
Implement least privilege access
Elastic Beanstalk provides AWS Identity and Access Management (IAM) managed policies for instance profiles, service roles, and IAM users. These managed policies specify all permissions that might be necessary for the correct operation of your environment and application.
Your application might not require all the permissions in our managed policies. You can customize them and grant only the permissions that are required for your environment's instances, the Elastic Beanstalk service, and your users to perform their tasks. This is particularly relevant to user policies, where different user roles might have different permission needs. Implementing least privilege access is fundamental in reducing security risk and the impact that could result from errors or malicious intent.
Update your platforms regularly
Elastic Beanstalk regularly releases new platform versions to update all of its platforms. New platform versions provide operating system, runtime, application server, and web server updates, and updates to Elastic Beanstalk components. Many of these platform updates include important security fixes. Ensure that your Elastic Beanstalk environments are running on a supported platform version (typically the latest version for your platform).
The easiest way to keep your environment's platform up to date is to configure the environment to use managed platform updates.
Enforce IMDSv2 on environment instances
Amazon Elastic Compute Cloud (Amazon EC2) instances in your Elastic Beanstalk environments use the instance metadata service (IMDS), an on-instance component, to securely access instance metadata. IMDS supports two methods for accessing data: IMDSv1 and IMDSv2. IMDSv2 uses session-oriented requests and mitigates several types of vulnerabilities that could be used to try to access the IMDS.
IMDSv2 is more secure, so it's a good idea to enforce the use of IMDSv2 on your instances. To enforce IMDSv2, ensure that all components of your application support IMDSv2, and then disable IMDSv1.
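The two preventive controls above (managed platform updates and disabling IMDSv1) are both expressed as Elastic Beanstalk option settings, so they can be audited from the output of the DescribeConfigurationSettings API. The following is an added example, not code from this page or from AWS: it checks the `DisableIMDSv1` and `ManagedActionsEnabled` options for each environment in such a response. The sample response is constructed; in practice the same dictionary comes back from `boto3` `describe_configuration_settings`.

```python
# Audit Elastic Beanstalk option settings for two of the preventive controls
# above: IMDSv1 disabled and managed platform updates enabled. Input follows the
# shape of a DescribeConfigurationSettings API response; the sample below is
# constructed for this example, not taken from a real account.

# (namespace, option name) -> value the guidance expects.
REQUIRED_SETTINGS = {
    ("aws:autoscaling:launchconfiguration", "DisableIMDSv1"): "true",
    ("aws:elasticbeanstalk:managedactions", "ManagedActionsEnabled"): "true",
}


def audit_environment(config_settings):
    """Return findings for one environment; an empty list means both controls hold."""
    env = config_settings.get("EnvironmentName", "<unknown>")
    # Flatten the OptionSettings list into {(namespace, name): value}.
    opts = {(o["Namespace"], o["OptionName"]): o.get("Value")
            for o in config_settings.get("OptionSettings", [])}
    findings = []
    for (ns, name), expected in REQUIRED_SETTINGS.items():
        actual = opts.get((ns, name))
        if actual is None:
            # Unset means the platform default applies; report it as a gap.
            findings.append(f"{env}: {ns}/{name} not set")
        elif actual.lower() != expected:
            findings.append(f"{env}: {ns}/{name}={actual}, expected {expected}")
    return findings


def audit_response(response):
    """Audit every environment in a DescribeConfigurationSettings response."""
    findings = []
    for cs in response.get("ConfigurationSettings", []):
        findings.extend(audit_environment(cs))
    return findings


# Constructed sample: one compliant environment, one that still allows IMDSv1
# and has no managed-actions setting at all.
SAMPLE_RESPONSE = {"ConfigurationSettings": [
    {"EnvironmentName": "web-prod", "OptionSettings": [
        {"Namespace": "aws:autoscaling:launchconfiguration",
         "OptionName": "DisableIMDSv1", "Value": "true"},
        {"Namespace": "aws:elasticbeanstalk:managedactions",
         "OptionName": "ManagedActionsEnabled", "Value": "true"},
    ]},
    {"EnvironmentName": "web-staging", "OptionSettings": [
        {"Namespace": "aws:autoscaling:launchconfiguration",
         "OptionName": "DisableIMDSv1", "Value": "false"},
    ]},
]}
```

Running `audit_response(SAMPLE_RESPONSE)` reports the staging environment twice (IMDSv1 still enabled, managed actions not configured) and nothing for production.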

Asset Inventory

Design Guidance:

AWS::ElasticBeanstalk::Application
  • Application Name – Terraform

AWS::ElasticBeanstalk::ApplicationVersion
  • Application Name – Terraform

AWS::ElasticBeanstalk::ConfigurationTemplate
  • Application Name – Terraform
  • Option Settings – Namespace – Terraform
  • Option Settings – Option Name – Terraform
  • Option Settings – Resource Name – Terraform
  • Platform Arn – Terraform
  • Source Configuration – Application Name – Terraform

AWS::ElasticBeanstalk::Environment
  • Application Name – Terraform
  • Environment Name – Terraform
  • Option Settings – Namespace – Terraform
  • Option Settings – Resource Name – Terraform
  • Platform Arn – Terraform
  • Solution Stack Name – Terraform
  • Tags – Terraform
  • Template Name – Terraform
  • Version Label – Terraform

Data Minimization

AWS::ElasticBeanstalk::Application
  • Resource Lifecycle Config – Terraform

Utilize Role-based Access Control

Design Guidance:

AWS::ElasticBeanstalk::Application
  • Resource Lifecycle Config – Service Role – Terraform

Data Retention

Design Guidance:

AWS::ElasticBeanstalk::Application
  • Max Age Rule – Max Age In Days – Terraform

TLS

Design Guidance:

AWS::ElasticBeanstalk::Environment
  • Tier – Type – Terraform