Ensure that AWS Elastic Beanstalk (EB) environment logs are retained and uploaded to Amazon S3, so that the logging data is kept for future audits and historical purposes and so that the behavior of the EB application environment can be tracked and analyzed over a long period of time.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
The log files generated by AWS Elastic Beanstalk are all stored in an S3 bucket that the service configures when the environment is created. Most of these log files (tail and bundle logs) are removed from the S3 bucket 15 minutes after they are created, so to retain the logs you can configure your EB environment to publish them to Amazon S3 automatically after they have been rotated. The retained (persistent) logs can be retrieved using the EB Management Console or the EB CLI. You can also configure your Elastic Beanstalk environment to stream logs to Amazon CloudWatch in real time.
To determine if your Elastic Beanstalk environments publish log data to Amazon S3 or stream it to Amazon CloudWatch (optional), perform the following:
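One way to script this check, as an added example that is not part of the original page or of the Conformity tool: it evaluates the `OptionSettings` returned by `aws elasticbeanstalk describe-configuration-settings` for the `LogPublicationControl` (S3 log rotation) and `StreamLogs` (CloudWatch streaming) options. The sample response and environment names are constructed, and treating only S3 rotation as required is an assumption based on the page marking CloudWatch streaming as optional.

```python
import json

# Option settings that control Elastic Beanstalk log retention.
S3_ROTATION = ("aws:elasticbeanstalk:hostmanager", "LogPublicationControl")
CW_STREAMING = ("aws:elasticbeanstalk:cloudwatch:logs", "StreamLogs")

# Constructed sample shaped like the JSON printed by
# `aws elasticbeanstalk describe-configuration-settings`; two environments
# are merged into one response for brevity and all names are made up.
SAMPLE_RESPONSE = json.loads("""
{"ConfigurationSettings": [
  {"ApplicationName": "orders", "EnvironmentName": "orders-prod",
   "DeploymentStatus": "deployed", "OptionSettings": [
    {"Namespace": "aws:elasticbeanstalk:hostmanager",
     "OptionName": "LogPublicationControl", "Value": "true"},
    {"Namespace": "aws:elasticbeanstalk:cloudwatch:logs",
     "OptionName": "StreamLogs", "Value": "false"}]},
  {"ApplicationName": "orders", "EnvironmentName": "orders-staging",
   "DeploymentStatus": "deployed", "OptionSettings": [
    {"Namespace": "aws:elasticbeanstalk:hostmanager",
     "OptionName": "LogPublicationControl", "Value": "false"},
    {"Namespace": "aws:elasticbeanstalk:cloudwatch:logs",
     "OptionName": "StreamLogs"}]}
]}
""")

def audit_log_settings(response):
    """Return one finding per environment in the response."""
    findings = []
    for cfg in response.get("ConfigurationSettings", []):
        # An option with no Value was never set; treat it as disabled.
        opts = {(o.get("Namespace"), o.get("OptionName")):
                str(o.get("Value", "")).lower()
                for o in cfg.get("OptionSettings", [])}
        s3 = opts.get(S3_ROTATION) == "true"
        findings.append({
            "environment": cfg.get("EnvironmentName"),
            "deployment_status": cfg.get("DeploymentStatus"),
            "s3_rotation": s3,
            "cloudwatch_streaming": opts.get(CW_STREAMING) == "true",
            "compliant": s3,  # assumption: CloudWatch streaming is optional
        })
    return findings

def non_compliant(response):
    """Names of environments whose rotated logs are not published to S3."""
    return [f["environment"] for f in audit_log_settings(response)
            if not f["compliant"]]

if __name__ == "__main__":
    for finding in audit_log_settings(SAMPLE_RESPONSE):
        print(finding)
```
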
Remediation / Resolution
To enable Elastic Beanstalk log file rotation to Amazon S3 and stream log data in real time to Amazon CloudWatch (optional), perform the following:
- AWS Documentation
- Viewing Logs from Your Elastic Beanstalk Environment's Amazon EC2 Instances
- Using Elastic Beanstalk with Amazon CloudWatch Logs
- The AWS Elastic Beanstalk Environment Management Console
You are auditing:
Elastic Beanstalk Persistent Logs
Risk level: Medium