Enable Access Logs

01 Sign in to AWS Management Console.

02 Navigate to Amazon Elastic Beanstalk console at https://console.aws.amazon.com/elasticbeanstalk/.

03 In the navigation panel, under Elastic Beanstalk, choose Environments.

04 Click on the name of the Elastic Beanstalk environment that you want to examine, available in the Environment name column.

05 In the left navigation panel, under the name of the environment, choose Configuration.

06 On the selected environment configuration page, in the Load balancer section, check the Store logs configuration flag status. If the Store logs status is set to disabled, the selected Amazon Elastic Beanstalk environment is not configured to capture access logs for the load balancer associated with the application environment.

07 Repeat steps no. 4 – 6 to verify the access logging feature status for other Amazon Elastic Beanstalk environments available within the current AWS cloud region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

01 Run describe-applications command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon Elastic Beanstalk applications deployed in the selected AWS cloud region:

aws elasticbeanstalk describe-applications
  --region us-east-1
  --query 'Applications[*].ApplicationName'

02 The command output should return an array with the requested application name(s):

[
  "cc-django-prod-application",
  "cc-wordpress-main-website",
  "cc-project5-web-application"
]

03 Run describe-environments command (OSX/Linux/UNIX) using the name of the Elastic Beanstalk application that you want to examine as the identifier parameter and custom query filters to describe the name of the Amazon Elastic Beanstalk environment created for the selected application:

aws elasticbeanstalk describe-environments
  --region us-east-1
  --application-name cc-django-prod-application
  --no-include-deleted
  --query 'Environments[*].EnvironmentName'

04 The command output should return the name of the requested environment:

[
  "cc-django-web-environment"
]

05 Run describe-configuration-settings command (OSX/Linux/UNIX) to describe the access logging feature configuration status available for the load balancer associated with the selected Amazon Elastic Beanstalk environment:

aws elasticbeanstalk describe-configuration-settings
  --region us-east-1
  --environment-name cc-django-web-environment
  --application-name cc-django-prod-application
  --query 'ConfigurationSettings[*].OptionSettings[?(OptionName==`AccessLogsS3Enabled`)].Value | []'

06 The command output should return the requested configuration status ("true" for enabled, "false" for disabled):

[
  "false"
]

07 Repeat steps no. 5 and 6 to check the access logging feature status for other Amazon Elastic Beanstalk environments created for the selected application.

08 Repeat steps no. 3 – 7 for each Amazon Elastic Beanstalk application deployed in the selected AWS cloud region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the entire audit process for other regions.

01 Sign in to AWS Management Console.

02 Before you enable access logging for your Elastic Beanstalk environment load balancer, you must create an Amazon S3 bucket where the load balancer will store the logs. The S3 bucket must be in the same AWS region as your load balancer, and must have a bucket policy that grants Elastic Load Balancing permission to write the access logs to the bucket. To create the required S3 bucket, navigate to Amazon S3 console at https://console.aws.amazon.com/s3/ and choose Buckets from the left navigation panel.

03 On the S3 buckets page, click on the Create bucket button to initiate the setup process.

04 On the Create bucket setup page, perform the following operations:

1. For General configuration, provide a unique name for the new bucket in the Bucket name box and choose the appropriate AWS cloud region from the Region dropdown list.
2. For Bucket settings for Block Public Access, choose Block all public access to ensure that public access to the new bucket and its objects is blocked.
3. For Default encryption, select Enable under Server-side encryption, to enable Default Encryption for the new S3 bucket.
4. Choose Create bucket to create your new Amazon S3 bucket.

05 Click on the name of the newly created S3 bucket, select the Permissions tab, and insert the following S3 bucket policy in the Bucket policy section (replace the placeholders with the corresponding information):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::elb-account-id:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-bucket-name/bucket-prefix/AWSLogs/aws-account-id/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-bucket-name/bucket-prefix/AWSLogs/aws-account-id/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::s3-bucket-name"
    }
  ]
}

06 Navigate to Amazon Elastic Beanstalk console at https://console.aws.amazon.com/elasticbeanstalk/.

07 In the navigation panel, under Elastic Beanstalk, choose Environments.

08 Click on the name of the Elastic Beanstalk environment that you want to reconfigure, available in the Environment name column.

09 In the left navigation panel, under the name of your environment, choose Configuration.

10 In the Load balancer section, choose Edit to modify the configuration of the load balancer associated with the selected environment.

11 On the Modify Application Load Balancer configuration page, perform the following operations:

1. In the Access log files section, select Enabled under Store logs to enable the access logging feature.
2. Select the name of the Amazon S3 bucket created earlier in the remediation process from the S3 bucket dropdown list.
3. For Prefix, provide the prefix defined for your Amazon S3 bucket (must match the prefix used for the bucket policy).
4. Choose Apply to save the configuration changes. Once the changes are successfully implemented, the Amazon Elastic Beanstalk environment status should change to "Environment update completed successfully.".

12 Repeat steps no. 2 – 11 to enable access logging for other Elastic Beanstalk environments available within the current AWS cloud region.

13 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

01 Before you enable access logging for your environment load balancer, you must create an Amazon S3 bucket where the load balancer will store the log files. The S3 bucket must be in the same AWS region as your load balancer, and must have a bucket policy that grants Elastic Load Balancing permission to write the access logs to the bucket. To create the required Amazon S3 bucket, run create-bucket command (OSX/Linux/UNIX):

aws s3api create-bucket
  --region us-east-1
  --bucket cc-eb-environment-logs-bucket
  --acl private

02 The command output should return the name of the newly created S3 bucket:

{
  "Location": "/cc-eb-environment-logs-bucket"
}

03 Define the bucket policy that grants Amazon Elastic Load Balancing (ELB) permission to write the access logs to the new bucket. Paste the following policy document to a JSON file named bucket-policy.json (replace the placeholders with the corresponding information):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::elb-account-id:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-bucket-name/bucket-prefix/AWSLogs/aws-account-id/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-bucket-name/bucket-prefix/AWSLogs/aws-account-id/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::s3-bucket-name"
    }
  ]
}

04 Run put-bucket-policy command (OSX/Linux/UNIX) to attach the bucket policy defined at the previous step to your new Amazon S3 bucket:

aws s3api put-bucket-policy
  --bucket cc-eb-environment-logs-bucket
  --policy file://bucket-policy.json

05 Run put-public-access-block command (OSX/Linux/UNIX) to enable the Amazon S3 Public Access Block feature for the specified S3 bucket (the command should not return an output):

aws s3api put-public-access-block
  --region us-east-1
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
  --bucket cc-eb-environment-logs-bucket

06 Define the access logging feature configuration for your Amazon Elastic Beanstalk environment load balancer. Paste the following configuration document to a JSON file named access-logging-config.json (replace the placeholders with the corresponding information):

[
  {
    "OptionName": "AccessLogsS3Enabled",
    "ResourceName": "AWSEBV2LoadBalancer",
    "Namespace": "aws:elbv2:loadbalancer",
    "Value": "true"
  },
  {
    "OptionName": "AccessLogsS3Bucket",
    "ResourceName": "AWSEBV2LoadBalancer",
    "Namespace": "aws:elbv2:loadbalancer",
    "Value": "s3-bucket-name"
  },
  {
    "OptionName": "AccessLogsS3Prefix",
    "ResourceName": "AWSEBV2LoadBalancer",
    "Namespace": "aws:elbv2:loadbalancer",
    "Value": "s3-bucket-prefix"
  }
]

07 Run update-environment command (OSX/Linux/UNIX) using the name of the Amazon Elastic Beanstalk environment that you want to update as the identifier parameter, to enable access logging for the load balancer associated with the selected application environment, using the configuration file defined at the previous step:

aws elasticbeanstalk update-environment
  --region us-east-1
  --environment-name cc-django-web-environment
  --application-name cc-django-prod-application
  --option-settings file://access-logging-config.json

08 The command output should return the metadata available for the reconfigured application environment:

{
  "ApplicationName": "cc-django-prod-application",
  "EnvironmentName": "cc-django-web-environment",
  "VersionLabel": "Django Application V2",
  "Status": "Updating",
  "EnvironmentArn":
  "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/cc-django-prod-application/cc-django-web-environment",
  "PlatformArn": "arn:aws:elasticbeanstalk:us-east-1::platform/Python 3.7 running on 64bit Amazon Linux 2/3.1.4",
  "EndpointURL": "awseb-AWSEB-ABCDABCDABCD-12345678.us-east-1.elb.amazonaws.com",
  "SolutionStackName": "64bit Amazon Linux 2 v3.1.4 running Python 3.7",
  "EnvironmentId": "e-abcdabcdab",
  "CNAME": "cc-django-web-environment.eba-abcdabcd.us-east-1.elasticbeanstalk.com",
  "AbortableOperationInProgress": true,
  "Tier": {
    "Version": "1.0",
    "Type": "Standard",
    "Name": "WebServer"
  },
  "Health": "Grey",
  "DateUpdated": "2021-01-25T10:00:00.000Z",
  "DateCreated": "2021-01-25T10:00:00.000Z"
}

09 Repeat steps no. 1 – 8 to enable and configure access logging for other Elastic Beanstalk environments deployed in the selected AWS cloud region.

10 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 9 to perform the entire remediation process for other regions.