Elastic Beanstalk Environments Should Have Enhanced Health Reporting Enabled
Overview
This check verifies that your AWS Elastic Beanstalk environments have enhanced health reporting enabled instead of basic health reporting. Enhanced health reporting provides detailed metrics about instance health, application performance, and environment status, enabling faster detection and resolution of issues.
Risk
Without enhanced health reporting:
- Delayed issue detection: Problems with instances or deployments may go unnoticed until they cause outages
- Hidden failures: Instance failures or problematic deployments can create unbalanced fleet configurations
- Degraded availability: Serving outdated application versions without awareness
- Increased costs: Error spikes and resource thrashing raise operational expenses
- Longer recovery time: Higher mean time to recovery (MTTR) due to limited visibility
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify Elastic Beanstalk environments
- The environment must use a supported platform version (most modern platforms support enhanced health)
- An IAM service role for Elastic Beanstalk (typically aws-elasticbeanstalk-service-role)
AWS Console Method
- Open the Elastic Beanstalk console
- In the region selector, choose US East (N. Virginia) us-east-1
- In the navigation pane, choose Environments
- Select the environment you want to update
- In the left navigation, choose Configuration
- Find the Monitoring category and choose Edit
- Under Health reporting, set System to Enhanced
- Choose Apply at the bottom of the page
- Wait for the environment to update (this may take a few minutes)
AWS CLI (optional)
Enable enhanced health reporting on an existing environment:
aws elasticbeanstalk update-environment \
  --region us-east-1 \
  --environment-name <your-environment-name> \
  --option-settings Namespace=aws:elasticbeanstalk:healthreporting:system,OptionName=SystemType,Value=enhanced
Replace <your-environment-name> with your actual environment name.
List all environments to find environment names:
aws elasticbeanstalk describe-environments \
  --region us-east-1 \
  --query "Environments[*].[EnvironmentName,ApplicationName,Status]" \
  --output table
CloudFormation (optional)
Use this CloudFormation template to create or update an Elastic Beanstalk environment with enhanced health reporting enabled:
AWSTemplateFormatVersion: '2010-09-09'
Description: Elastic Beanstalk environment with enhanced health reporting
Parameters:
  ApplicationName:
    Type: String
    Description: Name of the Elastic Beanstalk application
  EnvironmentName:
    Type: String
    Description: Name of the Elastic Beanstalk environment
  SolutionStackName:
    Type: String
    Description: Elastic Beanstalk solution stack name
    Default: '64bit Amazon Linux 2023 v4.0.0 running Python 3.11'
Resources:
  ElasticBeanstalkEnvironment:
    Type: AWS::ElasticBeanstalk::Environment
    Properties:
      ApplicationName: !Ref ApplicationName
      EnvironmentName: !Ref EnvironmentName
      SolutionStackName: !Ref SolutionStackName
      OptionSettings:
        - Namespace: aws:elasticbeanstalk:healthreporting:system
          OptionName: SystemType
          Value: enhanced
        - Namespace: aws:elasticbeanstalk:environment
          OptionName: ServiceRole
          Value: aws-elasticbeanstalk-service-role
Outputs:
  EnvironmentEndpoint:
    Description: Environment endpoint URL
    Value: !GetAtt ElasticBeanstalkEnvironment.EndpointURL
Deploy the template:
aws cloudformation deploy \
  --region us-east-1 \
  --template-file template.yaml \
  --stack-name my-eb-environment \
  --parameter-overrides \
    ApplicationName=my-application \
    EnvironmentName=my-environment \
  --capabilities CAPABILITY_IAM
Terraform (optional)
Use this Terraform configuration to create an Elastic Beanstalk environment with enhanced health reporting:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "application_name" {
  description = "Name of the Elastic Beanstalk application"
  type        = string
}

variable "environment_name" {
  description = "Name of the Elastic Beanstalk environment"
  type        = string
}

variable "solution_stack_name" {
  description = "Elastic Beanstalk solution stack name"
  type        = string
  default     = "64bit Amazon Linux 2023 v4.0.0 running Python 3.11"
}

resource "aws_elastic_beanstalk_environment" "main" {
  name                = var.environment_name
  application         = var.application_name
  solution_stack_name = var.solution_stack_name

  setting {
    namespace = "aws:elasticbeanstalk:healthreporting:system"
    name      = "SystemType"
    value     = "enhanced"
  }

  setting {
    namespace = "aws:elasticbeanstalk:environment"
    name      = "ServiceRole"
    value     = "aws-elasticbeanstalk-service-role"
  }
}

output "environment_endpoint" {
  description = "Environment endpoint URL"
  value       = aws_elastic_beanstalk_environment.main.endpoint_url
}
Apply the configuration:
terraform init
terraform plan -var="application_name=my-app" -var="environment_name=my-env"
terraform apply -var="application_name=my-app" -var="environment_name=my-env"
Verification
After enabling enhanced health reporting, verify the change was applied:
- In the Elastic Beanstalk console, select your environment
- Check the Health page - you should see detailed health information including:
  - Overall environment health status (color-coded)
  - Individual instance health metrics
  - Request statistics and latency data
  - CPU and other resource utilization
CLI verification
Check the current health reporting configuration:
aws elasticbeanstalk describe-configuration-settings \
  --region us-east-1 \
  --application-name <your-application-name> \
  --environment-name <your-environment-name> \
  --query "ConfigurationSettings[0].OptionSettings[?Namespace=='aws:elasticbeanstalk:healthreporting:system' && OptionName=='SystemType'].Value" \
  --output text
The output should be enhanced.
View enhanced health status:
aws elasticbeanstalk describe-environment-health \
  --region us-east-1 \
  --environment-name <your-environment-name> \
  --attribute-names All
This command only works when enhanced health reporting is enabled.
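The single-environment check above, extended to every environment in a region. This is an added example, not part of the original page: it relies on the boto3 Elastic Beanstalk calls describe_environments and describe_configuration_settings, and StubClient with its sample environments is constructed so the code runs without AWS access.

```python
# Added example: flag every Elastic Beanstalk environment in a region whose
# SystemType is not "enhanced".
NAMESPACE = "aws:elasticbeanstalk:healthreporting:system"
OPTION = "SystemType"


def system_type(config_response):
    """Extract SystemType from a describe_configuration_settings response."""
    for cfg in config_response.get("ConfigurationSettings", []):
        for opt in cfg.get("OptionSettings", []):
            if opt.get("Namespace") == NAMESPACE and opt.get("OptionName") == OPTION:
                return (opt.get("Value") or "").lower() or None
    return None  # option not present in the response


def audit(client):
    """Return (environment, application, system_type) for each failing environment."""
    findings = []
    pages = client.get_paginator("describe_environments").paginate(IncludeDeleted=False)
    for page in pages:
        for env in page["Environments"]:
            resp = client.describe_configuration_settings(
                ApplicationName=env["ApplicationName"],
                EnvironmentName=env["EnvironmentName"],
            )
            value = system_type(resp)
            if value != "enhanced":  # assumption: a missing option counts as a failure
                findings.append((env["EnvironmentName"], env["ApplicationName"], value))
    return findings


class StubClient:
    """Constructed stand-in for a boto3 client so the example runs offline."""
    def __init__(self, envs):
        self.envs = envs  # {(environment, application): SystemType value or None}

    def get_paginator(self, _name):
        return self

    def paginate(self, **_kwargs):
        yield {"Environments": [{"EnvironmentName": e, "ApplicationName": a} for e, a in self.envs]}

    def describe_configuration_settings(self, ApplicationName, EnvironmentName):
        value = self.envs[(EnvironmentName, ApplicationName)]
        opts = [] if value is None else [{"Namespace": NAMESPACE, "OptionName": OPTION, "Value": value}]
        return {"ConfigurationSettings": [{"OptionSettings": opts}]}


if __name__ == "__main__":
    sample = StubClient({("web-prod", "shop"): "enhanced", ("web-dev", "shop"): "basic", ("legacy", "crm"): None})
    for finding in audit(sample):  # with AWS access: audit(boto3.client("elasticbeanstalk", region_name="us-east-1"))
        print("FAIL", *finding)
```

Run it once per region in use, since each client is bound to a single region.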
Additional Resources
- AWS Elastic Beanstalk Enhanced Health Reporting
- Health Colors and Statuses
- Configuring Enhanced Health Reporting
- Elastic Beanstalk Service Role
Notes
- Platform requirements: Enhanced health reporting requires a platform version that supports it. Most modern platforms (Amazon Linux 2 and later) support enhanced health by default.
- Service role: The Elastic Beanstalk service role must have the necessary permissions. The default aws-elasticbeanstalk-service-role includes these permissions.
- Instance profile: EC2 instances need the AWSElasticBeanstalkWebTier or similar managed policy to report health data.
- Update duration: Enabling enhanced health reporting triggers an environment update, which may take several minutes.
- Cost considerations: Enhanced health reporting itself does not incur additional charges, but it does publish metrics to CloudWatch, which may affect CloudWatch costs at scale.
- Compliance frameworks: This control is mapped to C5 and KISA-ISMS-P compliance frameworks.