Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable AWS X-Ray Daemon

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that tracing with AWS X-Ray is enabled for all the instances running within your Amazon Elastic Beanstalk environment in order to help identify issues and opportunities for performance optimization. To relay trace data from your web application to AWS X-Ray, you can run the X-Ray daemon on your Elastic Beanstalk environment's instances.

Operational
excellence
Performance
efficiency

AWS X-Ray is a distributed tracing system that helps you analyze and debug web applications. It traces requests as they travel through the application's services and resources, providing an end-to-end view of how your application is performing. You can leverage the capabilities of Amazon Elastic Beanstalk with the tracing, visualization, and debug capabilities of AWS X-Ray to monitor and debug your web applications running at scale on AWS cloud.


Audit

To determine if AWS X-Ray daemon is enabled for your Amazon Elastic Beanstalk environment instances, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Elastic Beanstalk console at https://console.aws.amazon.com/elasticbeanstalk/.

03 In the navigation panel, under Elastic Beanstalk, choose Environments.

04 Click on the name of the Elastic Beanstalk environment that you want to examine, available in the Environment name column.

05 In the left navigation panel, under the name of the environment, choose Configuration.

06 On the selected environment configuration page, in the Software section, check the X-Ray daemon configuration attribute status. If the X-Ray daemon attribute status is set to disabled, the tracing feature is not enabled for the EC2 instances within the selected environment, therefore the AWS X-Ray support to identify web performance bottlenecks and help troubleshoot errors, is not currently enabled.

07 Repeat steps no. 4 – 6 to verify the X-Ray daemon status for other Amazon Elastic Beanstalk environments available within the current AWS cloud region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-applications command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon Elastic Beanstalk applications deployed in the selected AWS cloud region:

aws elasticbeanstalk describe-applications
  --region us-east-1
  --query 'Applications[*].ApplicationName'

02 The command output should return an array with the requested application name(s):

[
  "cc-project5-web-application",
  "cc-wordpress-main-website",
  "cc-django-prod-application"
]

03 Run describe-environments command (OSX/Linux/UNIX) using the name of the Elastic Beanstalk application that you want to examine as the identifier parameter and custom query filters to describe the identifier (name) of the Amazon Elastic Beanstalk environment created for the selected application:

aws elasticbeanstalk describe-environments
  --region us-east-1
  --application-name cc-project5-web-application
  --no-include-deleted
  --query 'Environments[*].EnvironmentName'

04 The command output should return the requested environment identifier (name):

[
  "cc-project5-web-environment"
]

05 Run describe-configuration-settings command (OSX/Linux/UNIX) to describe the X-Ray tracing feature configuration status available for the selected Amazon Elastic Beanstalk environment:

aws elasticbeanstalk describe-configuration-settings
  --region us-east-1
  --environment-name cc-project5-web-environment
  --application-name cc-project5-web-application
  --query 'ConfigurationSettings[*].OptionSettings[?(OptionName==`XRayEnabled`)].Value | []'

06 The command output should return the requested configuration status ("true" for enabled, "false" for disabled):

[
  "false"
]

If the describe-configuration-settings command output returns "false", the tracing feature is not enabled for the Amazon EC2 instances within the selected environment, therefore the AWS X-Ray support to identify web performance bottlenecks and help troubleshoot errors, is not currently enabled.

07 Repeat steps no. 5 and 6 to verify the X-Ray daemon status for other Amazon Elastic Beanstalk environments created for the selected application.

08 Repeat steps no. 3 – 7 for each Amazon Elastic Beanstalk application deployed in the selected AWS cloud region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the entire audit process for other regions.

Remediation / Resolution

To enable tracing with AWS X-Ray for your Amazon Elastic Beanstalk environments, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Elastic Beanstalk console at https://console.aws.amazon.com/elasticbeanstalk/.

03 In the navigation panel, under Elastic Beanstalk, choose Environments.

04 Click on the name of the Elastic Beanstalk environment that you want to reconfigure, available in the Environment name column.

05 In the left navigation panel, under the name of your environment, choose Configuration.

06 In the Software section, choose Edit to modify the selected environment configuration.

07 On the Modify software configuration page, in the AWS X-Ray section, toggle the Enabled button to enable tracing with AWS X-Ray for all the EC2 instances running within the selected Elastic Beanstalk environment. Choose Apply to save the configuration changes. Once the tracing is enabled, the AWS X-Ray daemon is installed on the available instances and runs as a service. After the changes are successfully implemented, the Amazon Elastic Beanstalk environment status should change to "Environment update completed successfully.".

08 Repeat steps no. 4 – 7 to enable X-Ray tracing for other Elastic Beanstalk environments available within the current AWS cloud region.

09 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run update-environment command (OSX/Linux/UNIX) using the name of the Amazon Elastic Beanstalk environment that you want to update as the identifier parameter, to enable tracing with AWS X-Ray for all the EC2 instances running within the selected application environment. Once the tracing is enabled, the AWS X-Ray daemon is installed on the available instances and runs as a service:

aws elasticbeanstalk update-environment
  --region us-east-1
  --environment-name cc-project5-web-environment
  --application-name cc-project5-web-application
  --option-settings Namespace="aws:elasticbeanstalk:xray",OptionName="XRayEnabled",Value="true"

02 The command output should return the metadata available for the reconfigured application environment:

{
  "ApplicationName": "cc-project5-web-application",
  "EnvironmentName": "cc-project5-web-environment",
  "VersionLabel": "Web Application V2",
  "Status": "Updating",
  "EnvironmentArn":
  "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/cc-project5-web-application/cc-project5-web-environment",
  "PlatformArn": "arn:aws:elasticbeanstalk:us-east-1::platform/PHP 7.4 running on 64bit Amazon Linux 2/3.1.4",
  "EndpointURL": "awseb-AWSEB-ABCDABCDABCD-12345678.us-east-1.elb.amazonaws.com",
  "SolutionStackName": "64bit Amazon Linux 2 v3.1.4 running PHP 7.4",
  "EnvironmentId": "e-abcdabcdab",
  "CNAME": "cc-project5-web-environment.eba-abcdabcd.us-east-1.elasticbeanstalk.com",
  "AbortableOperationInProgress": true,
  "Tier": {
    "Version": "1.0",
    "Type": "Standard",
    "Name": "WebServer"
  },
  "Health": "Grey",
  "DateUpdated": "2021-01-25T10:00:00.000Z",
  "DateCreated": "2021-01-25T10:00:00.000Z"
}

03 Repeat steps no. 1 and 2 to enable X-Ray tracing for other Elastic Beanstalk environments deployed in the selected AWS cloud region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the entire remediation process for other regions.

References

Publication date Feb 6, 2021