Elastic Beanstalk Managed Platform Updates Should Be Enabled

Overview

This check verifies that your AWS Elastic Beanstalk environments have managed platform updates enabled. When enabled, AWS automatically applies operating system patches, runtime updates, and security fixes during a maintenance window you define.

Risk

Without managed platform updates, your Elastic Beanstalk environments may run on outdated software with known security vulnerabilities. Attackers could exploit these vulnerabilities for remote code execution, privilege escalation, or data breaches. Additionally, unpatched systems can experience stability issues that affect application availability.

Severity: High

Remediation Steps

Prerequisites

  • AWS account access with permissions to modify Elastic Beanstalk environments
  • Enhanced health reporting must be enabled on the environment (managed updates require this)

AWS Console Method

  1. Sign in to the AWS Management Console and open the Elastic Beanstalk service
  2. Select your environment from the list
  3. In the left navigation, click Configuration
  4. Find the Managed updates card and click Edit
  5. Toggle Managed updates to Enabled
  6. Configure these settings:
    • Maintenance window: Choose a day and time (in UTC) when updates can occur
    • Update level: Select Minor and patch (recommended) or Patch only
    • Instance replacement: Enable this to replace instances during updates for zero-downtime deployments
  7. Click Apply

The environment will update its configuration. Future platform updates will be applied automatically during your maintenance window.

AWS CLI (optional)

Enable managed updates on an existing environment:

aws elasticbeanstalk update-environment \
  --region us-east-1 \
  --environment-name <your-environment-name> \
  --option-settings \
    Namespace=aws:elasticbeanstalk:healthreporting:system,OptionName=SystemType,Value=enhanced \
    Namespace=aws:elasticbeanstalk:managedactions,OptionName=ManagedActionsEnabled,Value=true \
    Namespace=aws:elasticbeanstalk:managedactions,OptionName=PreferredStartTime,Value="Sun:10:00" \
    Namespace=aws:elasticbeanstalk:managedactions:platformupdate,OptionName=UpdateLevel,Value=minor \
    Namespace=aws:elasticbeanstalk:managedactions:platformupdate,OptionName=InstanceRefreshEnabled,Value=true

Replace <your-environment-name> with your actual environment name.

Using a JSON configuration file:

Create a file named managed-updates.json:

[
  {
    "Namespace": "aws:elasticbeanstalk:healthreporting:system",
    "OptionName": "SystemType",
    "Value": "enhanced"
  },
  {
    "Namespace": "aws:elasticbeanstalk:managedactions",
    "OptionName": "ManagedActionsEnabled",
    "Value": "true"
  },
  {
    "Namespace": "aws:elasticbeanstalk:managedactions",
    "OptionName": "PreferredStartTime",
    "Value": "Sun:10:00"
  },
  {
    "Namespace": "aws:elasticbeanstalk:managedactions:platformupdate",
    "OptionName": "UpdateLevel",
    "Value": "minor"
  },
  {
    "Namespace": "aws:elasticbeanstalk:managedactions:platformupdate",
    "OptionName": "InstanceRefreshEnabled",
    "Value": "true"
  }
]

Then apply the configuration:

aws elasticbeanstalk update-environment \
  --region us-east-1 \
  --environment-name <your-environment-name> \
  --option-settings file://managed-updates.json

CloudFormation (optional)

Save the following template as template.yaml:

AWSTemplateFormatVersion: '2010-09-09'
Description: Elastic Beanstalk environment with managed platform updates enabled

Parameters:
  ApplicationName:
    Type: String
    Description: Name of the Elastic Beanstalk application
  EnvironmentName:
    Type: String
    Description: Name of the Elastic Beanstalk environment
  SolutionStackName:
    Type: String
    Description: The Elastic Beanstalk solution stack name
    Default: 64bit Amazon Linux 2023 v6.0.0 running Node.js 20
  PreferredStartTime:
    Type: String
    Description: Preferred maintenance window start time (UTC)
    Default: "Sun:10:00"

Resources:
  ElasticBeanstalkEnvironment:
    Type: AWS::ElasticBeanstalk::Environment
    Properties:
      ApplicationName: !Ref ApplicationName
      EnvironmentName: !Ref EnvironmentName
      SolutionStackName: !Ref SolutionStackName
      OptionSettings:
        # Enable enhanced health reporting (required for managed updates)
        - Namespace: aws:elasticbeanstalk:healthreporting:system
          OptionName: SystemType
          Value: enhanced
        # Enable managed platform updates
        - Namespace: aws:elasticbeanstalk:managedactions
          OptionName: ManagedActionsEnabled
          Value: "true"
        - Namespace: aws:elasticbeanstalk:managedactions
          OptionName: PreferredStartTime
          Value: !Ref PreferredStartTime
        # Configure update level (minor or patch)
        - Namespace: aws:elasticbeanstalk:managedactions:platformupdate
          OptionName: UpdateLevel
          Value: minor
        # Enable instance replacement during updates
        - Namespace: aws:elasticbeanstalk:managedactions:platformupdate
          OptionName: InstanceRefreshEnabled
          Value: "true"

Outputs:
  EnvironmentURL:
    Description: URL of the Elastic Beanstalk environment
    Value: !GetAtt ElasticBeanstalkEnvironment.EndpointURL

Deploy the stack:

aws cloudformation deploy \
  --region us-east-1 \
  --template-file template.yaml \
  --stack-name my-eb-environment \
  --parameter-overrides \
    ApplicationName=my-application \
    EnvironmentName=my-environment

Terraform (optional)

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "application_name" {
  description = "Name of the Elastic Beanstalk application"
  type        = string
}

variable "environment_name" {
  description = "Name of the Elastic Beanstalk environment"
  type        = string
}

variable "solution_stack_name" {
  description = "The Elastic Beanstalk solution stack name"
  type        = string
  default     = "64bit Amazon Linux 2023 v6.0.0 running Node.js 20"
}

variable "preferred_start_time" {
  description = "Preferred maintenance window start time (UTC)"
  type        = string
  default     = "Sun:10:00"
}

resource "aws_elastic_beanstalk_environment" "main" {
  name                = var.environment_name
  application         = var.application_name
  solution_stack_name = var.solution_stack_name

  # Enable enhanced health reporting (required for managed updates)
  setting {
    namespace = "aws:elasticbeanstalk:healthreporting:system"
    name      = "SystemType"
    value     = "enhanced"
  }

  # Enable managed platform updates
  setting {
    namespace = "aws:elasticbeanstalk:managedactions"
    name      = "ManagedActionsEnabled"
    value     = "true"
  }

  setting {
    namespace = "aws:elasticbeanstalk:managedactions"
    name      = "PreferredStartTime"
    value     = var.preferred_start_time
  }

  # Configure update level (minor or patch)
  setting {
    namespace = "aws:elasticbeanstalk:managedactions:platformupdate"
    name      = "UpdateLevel"
    value     = "minor"
  }

  # Enable instance replacement during updates
  setting {
    namespace = "aws:elasticbeanstalk:managedactions:platformupdate"
    name      = "InstanceRefreshEnabled"
    value     = "true"
  }
}

output "environment_url" {
  description = "URL of the Elastic Beanstalk environment"
  value       = aws_elastic_beanstalk_environment.main.endpoint_url
}

Apply the configuration:

terraform init
terraform apply -var="application_name=my-application" -var="environment_name=my-environment"

Verification

After enabling managed updates, verify the configuration:

  1. In the AWS Console, go to Elastic Beanstalk > your environment > Configuration
  2. Check that the Managed updates card shows Enabled
  3. Confirm your maintenance window and update level are set correctly

CLI verification

aws elasticbeanstalk describe-configuration-settings \
  --region us-east-1 \
  --application-name <your-application-name> \
  --environment-name <your-environment-name> \
  --query "ConfigurationSettings[0].OptionSettings[?Namespace=='aws:elasticbeanstalk:managedactions' && OptionName=='ManagedActionsEnabled'].Value" \
  --output text

This should return true.
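To run the same verification in code across many environments rather than one CLI call at a time, here is an added example (not part of this page or of the check's own implementation): it evaluates an environment's OptionSettings, in the shape describe-configuration-settings returns them, against the conditions described above, including the enhanced-health prerequisite, on a constructed sample. fetch_option_settings is an assumed helper that needs boto3 and AWS credentials; the evaluation itself runs offline.

```python
# Option namespaces used by the check (the same ones as in the remediation steps above)
HEALTH_NS = "aws:elasticbeanstalk:healthreporting:system"
MANAGED_NS = "aws:elasticbeanstalk:managedactions"
PLATFORM_NS = "aws:elasticbeanstalk:managedactions:platformupdate"


def option_value(settings: list[dict], namespace: str, name: str) -> str:
    """Value of one option, in the OptionSettings shape that
    describe-configuration-settings returns; empty string if absent."""
    for s in settings:
        if s.get("Namespace") == namespace and s.get("OptionName") == name:
            return str(s.get("Value") or "")
    return ""


def evaluate(settings: list[dict]) -> dict:
    """PASS/FAIL plus reasons: managed updates must be on, enhanced health
    reporting is a prerequisite, and UpdateLevel must be minor or patch."""
    enabled = option_value(settings, MANAGED_NS, "ManagedActionsEnabled").lower() == "true"
    enhanced = option_value(settings, HEALTH_NS, "SystemType").lower() == "enhanced"
    level = option_value(settings, PLATFORM_NS, "UpdateLevel").lower()
    reasons = []
    if not enabled:
        reasons.append("ManagedActionsEnabled is not true")
    if not enhanced:
        reasons.append("enhanced health reporting (SystemType=enhanced) is required")
    if enabled and level not in ("minor", "patch"):
        reasons.append(f"UpdateLevel must be minor or patch, got {level!r}")
    return {"status": "FAIL" if reasons else "PASS", "update_level": level,
            "window_utc": option_value(settings, MANAGED_NS, "PreferredStartTime"),
            "reasons": reasons}


def fetch_option_settings(application: str, environment: str, region: str) -> list[dict]:
    """Assumed helper: live lookup with boto3 (needs AWS credentials); imported
    lazily so the offline sample below runs without boto3 installed."""
    import boto3
    client = boto3.client("elasticbeanstalk", region_name=region)
    resp = client.describe_configuration_settings(
        ApplicationName=application, EnvironmentName=environment)
    return resp["ConfigurationSettings"][0]["OptionSettings"]


# Constructed sample: an environment after the remediation above (not real output).
SAMPLE_REMEDIATED = [
    {"Namespace": HEALTH_NS, "OptionName": "SystemType", "Value": "enhanced"},
    {"Namespace": MANAGED_NS, "OptionName": "ManagedActionsEnabled", "Value": "true"},
    {"Namespace": MANAGED_NS, "OptionName": "PreferredStartTime", "Value": "Sun:10:00"},
    {"Namespace": PLATFORM_NS, "OptionName": "UpdateLevel", "Value": "minor"},
]
```

Feed the output of fetch_option_settings for each environment into evaluate to get a per-environment PASS/FAIL with the reasons, which is what the console and CLI steps above confirm by hand.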

Notes

  • Enhanced health reporting is required: Managed updates only work when enhanced health reporting is enabled. The remediation steps above include this setting.
  • Maintenance window timing: Choose a maintenance window during low-traffic periods. Times are in UTC.
  • Update levels:
    • Minor and patch: Applies both minor version updates and security patches (recommended)
    • Patch only: Applies only security patches, keeping your minor version stable
  • Instance replacement: When enabled, instances are replaced during updates rather than updated in place. This provides zero-downtime deployments but takes longer.
  • Test in staging first: Always validate platform updates in a staging environment before enabling managed updates in production.
  • Related compliance frameworks: C5, KISA-ISMS-P, NIS2, PCI