cis-aws-compute-10.2
This skill provides audit and remediation guidance for enabling CloudWatch Logs streaming in AWS Elastic Beanstalk environments. Use this control to verify that persistent application and system logs are automatically streamed to CloudWatch for monitoring, archival, and compliance purposes across all Elastic Beanstalk environments and regions.
```bash
git clone --depth 1 https://github.com/CyberStrikeus/CyberStrike /tmp/cis-aws-compute-10.2 && cp -r /tmp/cis-aws-compute-10.2/.cyberstrike/skill/CIS_benchmarks/Cloud_Providers/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-10.2 ~/.claude/skills/cis-aws-compute-10.2
```

SKILL.md
# 10.2 Ensure Persistent logs is setup and configured to S3 (Manual)

## Description

Elastic Beanstalk can be configured to automatically stream logs to the CloudWatch service.

## Rationale

With CloudWatch Logs, you can monitor and archive your Elastic Beanstalk application, system, and custom log files from the Amazon EC2 instances of your environments.

## Impact

N/A

## Audit Procedure

### Using AWS Console

1. Login to the AWS Console using https://console.aws.amazon.com/elasticbeanstalk
2. On the left hand side click `Environments`
3. Click on the `Environment name` that you want to review
4. Under the `environment_name-env` in the left column click `Configuration`
5. Scroll down under Configurations
6. Under category look for `Software`
7. Confirm `Log streaming: enabled`
8. If the status reads `Log streaming: disabled`, refer to the remediation below.
9. Repeat steps 3-8 for each environment within the current region.
10. Then repeat the audit process for all other regions.

### Using AWS CLI

N/A - This control is manual and console-based.

## Expected Result

`Log streaming: enabled` is displayed under the Software category in the environment Configuration.

## Remediation

### Using AWS Console

1. Login to the AWS Console using https://console.aws.amazon.com/elasticbeanstalk
2. On the left hand side click `Environments`
3. Click on the `Environment name` that you want to update
4. Under the `environment_name-env` in the left column click `Configuration`
5. Scroll down under Configurations
6. Under category look for `Software`
7. Click on Edit
8. On the Modify software page:
   ```
   Instance log streaming to CloudWatch Logs
   Log streaming - click the Enabled checkbox
   Set the required retention based on Organization requirements
   Lifecycle - Keep logs after terminating environment
   ```
9. Click Apply
10. Repeat steps 3-8 for each environment within the current region that needs log streaming enabled.

### Using AWS CLI

N/A - This control is manual and console-based.
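The benchmark marks the CLI path as N/A, but the same setting is visible programmatically. The following Python is an added example, not part of the CIS text or of the CyberStrike skill: it evaluates the `OptionSettings` returned by `aws elasticbeanstalk describe-configuration-settings` using the `aws:elasticbeanstalk:cloudwatch:logs` option namespace (`StreamLogs`, `DeleteOnTerminate`, `RetentionInDays`) that the AWS documentation referenced on this page describes, and builds the matching `--option-settings` payload for `update-environment`. The application and environment names in the sample output are constructed for the example; the 90-day retention default is an assumption and should follow your organisation's requirement.

```python
"""Audit and remediation helper for CIS AWS Compute 10.2 (added example).

Reads the JSON produced by `aws elasticbeanstalk describe-configuration-settings`
and reports, per environment, whether instance log streaming to CloudWatch Logs
is enabled, whether logs survive environment termination, and the retention.
"""
import json
import sys

# Option namespace documented by AWS for Elastic Beanstalk CloudWatch Logs streaming.
NAMESPACE = "aws:elasticbeanstalk:cloudwatch:logs"


def _truthy(value):
    """Option values arrive as strings ("true"/"false"), so compare case-insensitively."""
    return str(value).strip().lower() == "true"


def cloudwatch_log_options(option_settings):
    """Pick the CloudWatch Logs options out of an environment's full OptionSettings list."""
    return {
        item["OptionName"]: item.get("Value")
        for item in option_settings
        if item.get("Namespace") == NAMESPACE
    }


def assess(option_settings):
    """Evaluate one environment's OptionSettings against control 10.2.

    Status is PASS only when StreamLogs is true (the console's "Log streaming:
    enabled"). Lifecycle and retention are reported alongside so the reviewer
    can compare them with organisational policy; a missing option is treated
    as the AWS default (streaming off, logs deleted on terminate).
    """
    opts = cloudwatch_log_options(option_settings)
    streaming = _truthy(opts.get("StreamLogs", "false"))
    retention = opts.get("RetentionInDays")
    return {
        "log_streaming": streaming,
        "keep_logs_after_terminate": not _truthy(opts.get("DeleteOnTerminate", "false")),
        "retention_days": int(retention) if retention is not None else None,
        "status": "PASS" if streaming else "FAIL",
    }


def assess_describe_output(doc):
    """Evaluate every environment in describe-configuration-settings output."""
    return {
        cfg["EnvironmentName"]: assess(cfg.get("OptionSettings", []))
        for cfg in doc.get("ConfigurationSettings", [])
    }


def remediation_option_settings(retention_days=90):
    """Build the --option-settings list that enables streaming, keeps logs after
    termination and sets retention (assumed default of 90 days)."""
    return [
        {"Namespace": NAMESPACE, "OptionName": "StreamLogs", "Value": "true"},
        {"Namespace": NAMESPACE, "OptionName": "DeleteOnTerminate", "Value": "false"},
        {"Namespace": NAMESPACE, "OptionName": "RetentionInDays", "Value": str(retention_days)},
    ]


# Constructed sample shaped like describe-configuration-settings output;
# application and environment names are invented for this example.
SAMPLE_DESCRIBE_OUTPUT = {
    "ConfigurationSettings": [
        {
            "ApplicationName": "example-app",
            "EnvironmentName": "example-app-prod",
            "OptionSettings": [
                {"Namespace": "aws:autoscaling:launchconfiguration", "OptionName": "InstanceType", "Value": "t3.micro"},
                {"Namespace": NAMESPACE, "OptionName": "StreamLogs", "Value": "true"},
                {"Namespace": NAMESPACE, "OptionName": "DeleteOnTerminate", "Value": "false"},
                {"Namespace": NAMESPACE, "OptionName": "RetentionInDays", "Value": "30"},
            ],
        },
        {
            "ApplicationName": "example-app",
            "EnvironmentName": "example-app-staging",
            "OptionSettings": [
                {"Namespace": NAMESPACE, "OptionName": "StreamLogs", "Value": "false"},
                {"Namespace": NAMESPACE, "OptionName": "DeleteOnTerminate", "Value": "true"},
                {"Namespace": NAMESPACE, "OptionName": "RetentionInDays", "Value": "7"},
            ],
        },
    ]
}


if __name__ == "__main__":
    # Pipe real CLI output in, or run with no input to evaluate the sample:
    #   aws elasticbeanstalk describe-configuration-settings \
    #       --application-name APP --environment-name ENV | python audit_eb_logs.py
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    doc = json.loads(raw) if raw.strip() else SAMPLE_DESCRIBE_OUTPUT
    results = assess_describe_output(doc)
    for env, result in results.items():
        print(f"{env}: {result['status']} {result}")
    if any(r["status"] == "FAIL" for r in results.values()):
        print("Payload for `aws elasticbeanstalk update-environment --option-settings file://opts.json`:")
        print(json.dumps(remediation_option_settings(), indent=2))
```

Run the audit once per environment and region, as the console steps above require; the remediation payload is applied per environment with `update-environment`, which triggers a configuration update on that environment's instances.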
## Default Value

Log streaming to CloudWatch is not enabled by default.

## References

1. https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.cloudwatchlogs.html

## CIS Controls

| Controls Version | Control                    | IG 1 | IG 2 | IG 3 |
| ---------------- | -------------------------- | ---- | ---- | ---- |
| v8               | 8.2 Collect Audit Logs     | X    | X    | X    |
| v7               | 6.2 Activate audit logging | X    | X    | X    |

## Profile

Level 1 | Manual