01 Before you enable access logging for your environment load balancer, you must create an Amazon S3 bucket where the load balancer will store the log files. The S3 bucket must be in the same AWS region as your load balancer, and must have a bucket policy that grants Elastic Load Balancing permission to write the access logs to the bucket. To create the required Amazon S3 bucket, run the create-bucket command (OSX/Linux/UNIX):
aws s3api create-bucket \
  --region us-east-1 \
  --bucket cc-eb-environment-logs-bucket \
  --acl private
02 The command output should return the name of the newly created S3 bucket:
{
  "Location": "/cc-eb-environment-logs-bucket"
}
03 Define the bucket policy that grants Amazon Elastic Load Balancing (ELB) permission to write the access logs to the new bucket. Paste the following policy document into a JSON file named bucket-policy.json (replace the placeholders with the corresponding information):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::elb-account-id:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-bucket-name/bucket-prefix/AWSLogs/aws-account-id/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-bucket-name/bucket-prefix/AWSLogs/aws-account-id/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::s3-bucket-name"
    }
  ]
}
04 Run the put-bucket-policy command (OSX/Linux/UNIX) to attach the bucket policy defined in the previous step to your new Amazon S3 bucket:
aws s3api put-bucket-policy \
  --bucket cc-eb-environment-logs-bucket \
  --policy file://bucket-policy.json
05 Run the put-public-access-block command (OSX/Linux/UNIX) to enable the Amazon S3 Block Public Access feature for the specified S3 bucket, so that neither an ACL nor a later policy change can expose the log files (the command produces no output):
aws s3api put-public-access-block \
  --region us-east-1 \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true \
  --bucket cc-eb-environment-logs-bucket
06 Define the access logging configuration for your Amazon Elastic Beanstalk environment load balancer. Paste the following configuration document into a JSON file named access-logging-config.json (replace the placeholders with the corresponding information):
[
  {
    "OptionName": "AccessLogsS3Enabled",
    "ResourceName": "AWSEBV2LoadBalancer",
    "Namespace": "aws:elbv2:loadbalancer",
    "Value": "true"
  },
  {
    "OptionName": "AccessLogsS3Bucket",
    "ResourceName": "AWSEBV2LoadBalancer",
    "Namespace": "aws:elbv2:loadbalancer",
    "Value": "s3-bucket-name"
  },
  {
    "OptionName": "AccessLogsS3Prefix",
    "ResourceName": "AWSEBV2LoadBalancer",
    "Namespace": "aws:elbv2:loadbalancer",
    "Value": "s3-bucket-prefix"
  }
]
07 Run the update-environment command (OSX/Linux/UNIX), passing the name of the Amazon Elastic Beanstalk environment that you want to update as the identifier parameter and the configuration file defined in the previous step, to enable access logging for the load balancer associated with the selected application environment:
aws elasticbeanstalk update-environment \
  --region us-east-1 \
  --environment-name cc-django-web-environment \
  --application-name cc-django-prod-application \
  --option-settings file://access-logging-config.json
08 The command output should return the metadata available for the reconfigured application environment:
{
  "ApplicationName": "cc-django-prod-application",
  "EnvironmentName": "cc-django-web-environment",
  "VersionLabel": "Django Application V2",
  "Status": "Updating",
  "EnvironmentArn": "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/cc-django-prod-application/cc-django-web-environment",
  "PlatformArn": "arn:aws:elasticbeanstalk:us-east-1::platform/Python 3.7 running on 64bit Amazon Linux 2/3.1.4",
  "EndpointURL": "awseb-AWSEB-ABCDABCDABCD-12345678.us-east-1.elb.amazonaws.com",
  "SolutionStackName": "64bit Amazon Linux 2 v3.1.4 running Python 3.7",
  "EnvironmentId": "e-abcdabcdab",
  "CNAME": "cc-django-web-environment.eba-abcdabcd.us-east-1.elasticbeanstalk.com",
  "AbortableOperationInProgress": true,
  "Tier": {
    "Version": "1.0",
    "Type": "Standard",
    "Name": "WebServer"
  },
  "Health": "Grey",
  "DateUpdated": "2021-01-25T10:00:00.000Z",
  "DateCreated": "2021-01-25T10:00:00.000Z"
}
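The following added example (not part of the original remediation page) checks the two artifacts produced by steps 3 and 6 to 8 offline: it verifies that a log bucket policy grants only what the delivery service needs (PutObject on the AWSLogs key prefix with the bucket-owner-full-control ACL condition, GetBucketAcl on the bucket) and contains no Allow for the anonymous principal, and it reads the aws:elbv2:loadbalancer option settings of an environment to confirm that access logging is enabled and where it points. The policy and option settings below are constructed samples; in practice you would feed it the output of get-bucket-policy and describe-configuration-settings.

```python
import json

LOG_DELIVERY_SERVICE = "delivery.logs.amazonaws.com"
# Constructed sample inputs (not real account data): a bucket policy in the shape
# used on this page, and option settings as describe-configuration-settings reports them.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": LOG_DELIVERY_SERVICE},
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::cc-eb-environment-logs-bucket/eb-logs/AWSLogs/123456789012/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    {"Effect": "Allow", "Principal": {"Service": LOG_DELIVERY_SERVICE},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::cc-eb-environment-logs-bucket"}]})
SAMPLE_OPTION_SETTINGS = [
    {"Namespace": "aws:elbv2:loadbalancer", "OptionName": "AccessLogsS3Enabled", "Value": "true"},
    {"Namespace": "aws:elbv2:loadbalancer", "OptionName": "AccessLogsS3Bucket",
     "Value": "cc-eb-environment-logs-bucket"},
    {"Namespace": "aws:elbv2:loadbalancer", "OptionName": "AccessLogsS3Prefix", "Value": "eb-logs"},
]

def _listify(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def lb_access_logging_status(option_settings):
    """Return (enabled, bucket, prefix) from the aws:elbv2:loadbalancer option settings."""
    opts = {o["OptionName"]: o.get("Value") for o in option_settings
            if o.get("Namespace") == "aws:elbv2:loadbalancer"}
    enabled = str(opts.get("AccessLogsS3Enabled", "false")).lower() == "true"
    return enabled, opts.get("AccessLogsS3Bucket"), opts.get("AccessLogsS3Prefix")

def check_log_bucket_policy(policy_json, bucket, prefix, account_id):
    """Verify the delivery-service grants are present and scoped to the log key prefix,
    and flag any Allow statement for the anonymous principal ('*')."""
    put_resource = f"arn:aws:s3:::{bucket}/{prefix}/AWSLogs/{account_id}/*"
    found = {"put_object": False, "get_bucket_acl": False, "public_principal": False}
    for stmt in _listify(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in _listify(principal.get("AWS", []))):
            found["public_principal"] = True  # bucket would be world-writable/readable
            continue
        if LOG_DELIVERY_SERVICE not in _listify(principal.get("Service", [])):
            continue
        actions, resources = _listify(stmt.get("Action", [])), _listify(stmt.get("Resource", []))
        acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if "s3:PutObject" in actions and put_resource in resources and acl == "bucket-owner-full-control":
            found["put_object"] = True
        if "s3:GetBucketAcl" in actions and f"arn:aws:s3:::{bucket}" in resources:
            found["get_bucket_acl"] = True
    found["ok"] = found["put_object"] and found["get_bucket_acl"] and not found["public_principal"]
    return found
```

The check deliberately requires the exact AWSLogs/account-id key prefix, so a policy that grants PutObject on the whole bucket fails it even though log delivery would still work.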
09 Repeat steps no. 1 – 8 to enable and configure access logging for other Elastic Beanstalk environments deployed in the selected AWS cloud region.
10 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 9 to perform the entire remediation process for other regions.