AWS ElasticBeanstalk Managed Platform Updates Not Configured

This plugin ensures AWS Elastic Beanstalk environments are configured to use managed updates.

Risk Level: Medium

Description

This plugin ensures AWS Elastic Beanstalk environments are configured to use managed updates. Environments for an application should be configured to allow platform managed updates in order to receive fixes and new features with the software release. With managed platform updates, environments automatically update itself to the latest version of a platform during a scheduled interval. 

About the Service

Elastic Beanstalk: This service by AWS, is used to develop and deploy web applications on familiar servers like Apache, Nginx etc. You simply have to upload the code. Infrastructural complexities such as deployment, environment handling, autoscaling etc. are managed by Elastic Beanstalk itself.  With Elastic Beanstalk, developers can be more productive by focusing on developing business logic rather than managing servers, databases and firewalls.

Impact

Elastic Beanstalk can develop and deploy web applications with its environments. With time, the libraries, server or the development environments used by your application are updated. These updates generally fix security issues or add a new feature. PingSafe recommends enabling managed updates so that such updates are not missed by the AWS Elastic Beanstalk environment.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the Amazon Elastic Beanstalk Console. You can use this link (https://console.aws.amazon.com/elasticbeanstalk) to navigate directly if already logged in. 
  3. Select Environments from the left pane.
  4. From the list of environments, select the one you want to investigate by clicking on its Environment Name.
  5. Select Configuration under the name of the environment from the left pane.
  6. Scroll down to the Managed Updates section. If it is set to disabled, the environment will not be upgraded automatically.
  7. Repeat steps 3 to 6 for all the environments you want to investigate.

Steps for Remediation

Update the environments configurations to enable platform managed updates.

  1. Log In to your AWS Console.
  2. Open the Amazon Elastic Beanstalk Console. You can use this link (https://console.aws.amazon.com/elasticbeanstalk) to navigate directly if already logged in. 
  3. Select Environments from the left pane.
     
  4. From the list of environments, select the one you want to investigate by clicking on its Environment Name.
  5. Select Configuration under the name of the environment from the left pane.
  6. Scroll down to the Managed Updates section and click on the Edit button.
  7. Click on the checkbox corresponding to Enabled and finally, click on Apply to save the changes. You can also add an instance where the changes will be reflected.
  8. Repeat steps 3 to 7 for all the vulnerable environments.