ElasticBeanstalk.1: Environments should have enhanced health reporting

What does AWS Security Hub ElasticBeanstalk.1 check?

ElasticBeanstalk.1 fails when an Elastic Beanstalk environment uses basic health reporting instead of enhanced. Enhanced reporting runs an on-instance agent that reports detailed application and system metrics.

Why does ElasticBeanstalk.1 matter?

Basic health reporting only watches the load balancer and a coarse colour status, so a degrading application — rising latency, climbing error rates, failing requests — can look green until it falls over. Enhanced reporting's on-instance agent surfaces per-instance CPU, latency and HTTP status detail, giving you the signal to catch and act on a problem before it becomes an outage.

How do I fix ElasticBeanstalk.1?

1. Audit which environments are on basic versus enhanced with describe-environments and describe-configuration-settings.
2. Set SystemType to enhanced in the aws:elasticbeanstalk:healthreporting:system option settings and apply with update-environment.
3. Ensure the environment's instance profile and platform support enhanced reporting (the required service role must exist).
4. Bake the setting into a saved configuration so new environments default to enhanced.

# Remediate one environment: set SystemType to enhanced.
aws elasticbeanstalk update-environment \
  --environment-name orders-api-prod \
  --option-settings \
    Namespace=aws:elasticbeanstalk:healthreporting:system,OptionName=SystemType,Value=enhanced

# Verify the setting took effect.
aws elasticbeanstalk describe-configuration-settings \
  --application-name orders-api \
  --environment-name orders-api-prod \
  --query 'ConfigurationSettings[0].OptionSettings[?OptionName==`SystemType`].Value' \
  --output text

# Confirm the environment is reporting detailed health (not stuck Grey).
aws elasticbeanstalk describe-environment-health \
  --environment-name orders-api-prod \
  --attribute-names All \
  --query '{Status:Status,Color:Color,Causes:Causes}'