emnode / learn
Compliance · High severity

AWS Security Hub · ElasticBeanstalk

ElasticBeanstalk.2: Managed platform updates are disabled

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub ElasticBeanstalk.2 check?

ElasticBeanstalk.2 fails when an Elastic Beanstalk environment does not have managed platform updates enabled, that is, when the ManagedActionsEnabled option in the aws:elasticbeanstalk:managedactions namespace is not true. Managed updates apply newer platform versions (patch, or patch and minor) automatically within a weekly maintenance window.

Why does ElasticBeanstalk.2 matter?

Beanstalk platforms bundle the OS, language runtime and web server, and security patches for them land regularly. An environment that never takes managed updates drifts onto outdated, vulnerable platform versions that have to be patched by hand — which in practice means they often are not. Managed updates apply patch and minor versions inside a scheduled window so the environment stays current without anyone babysitting a deploy.

How do I fix ElasticBeanstalk.2?

  1. Audit each environment's option settings in the aws:elasticbeanstalk:managedactions and aws:elasticbeanstalk:managedactions:platformupdate namespaces; an environment with no ManagedActionsEnabled option at all is disabled, since disabled is the default.
  2. Set ManagedActionsEnabled to true, set a PreferredStartTime maintenance window (Day:HH:MM, UTC) and choose an UpdateLevel (patch or minor) in the platformupdate namespace.
  3. Apply the settings via update-environment or a saved configuration, and make sure the service role named in ServiceRoleForManagedUpdates exists; update-environment starts an environment update, so apply it outside peak hours.
  4. Bake the same option settings into .ebextensions or a saved configuration so new environments inherit them instead of starting out disabled.
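Steps 1 to 3 as one script, added here as an example rather than the lesson's own remediation script: it dumps the managedactions settings of every Ready environment, classifies each one the way the control does, and enables managed updates on the ones that fail. The Sun:03:00 window, the minor update level and the role name aws-elasticbeanstalk-service-role are assumptions, overridable through EB_WINDOW, EB_UPDATE_LEVEL and EB_SERVICE_ROLE; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example, not emnode's script: audit every Elastic Beanstalk environment for
# ElasticBeanstalk.2 and enable managed platform updates where they are off.
# Assumed values (not from the page): window Sun:03:00 UTC, UpdateLevel=minor, and a
# service role named aws-elasticbeanstalk-service-role that already exists.
set -eu

MA_NS="aws:elasticbeanstalk:managedactions"
PU_NS="aws:elasticbeanstalk:managedactions:platformupdate"
WINDOW="${EB_WINDOW:-Sun:03:00}"                               # assumed; Day:HH:MM, UTC
LEVEL="${EB_UPDATE_LEVEL:-minor}"                              # patch or minor
ROLE="${EB_SERVICE_ROLE:-aws-elasticbeanstalk-service-role}"  # assumed to exist

# Classify a settings dump (lines of "Namespace<TAB>OptionName<TAB>Value", the format
# eb_dump_settings produces) the way the control does: only ManagedActionsEnabled=true
# passes. A missing option counts as disabled, because disabled is the default.
eb_audit() {
  local enabled
  enabled=$(printf '%s\n' "$1" |
    awk -F'\t' -v ns="$MA_NS" '$1==ns && $2=="ManagedActionsEnabled" {print $3}')
  if [ "$enabled" = "true" ]; then echo PASS; else echo FAIL; fi
}

# Build the --option-settings arguments (one per line) for update-environment, refusing
# an UpdateLevel the API does not accept so a typo cannot fail the update silently.
eb_option_settings() {
  case "$LEVEL" in patch|minor) ;; *) echo "bad UpdateLevel: $LEVEL" >&2; return 1 ;; esac
  printf '%s\n' \
    "Namespace=$MA_NS,OptionName=ManagedActionsEnabled,Value=true" \
    "Namespace=$MA_NS,OptionName=PreferredStartTime,Value=$WINDOW" \
    "Namespace=$MA_NS,OptionName=ServiceRoleForManagedUpdates,Value=$ROLE" \
    "Namespace=$PU_NS,OptionName=UpdateLevel,Value=$LEVEL"
}

# Step 1: fetch the managedactions settings of one environment in the dump format above.
eb_dump_settings() {
  aws elasticbeanstalk describe-configuration-settings \
    --application-name "$1" --environment-name "$2" \
    --query "ConfigurationSettings[0].OptionSettings[?starts_with(Namespace,'$MA_NS')].[Namespace,OptionName,Value]" \
    --output text
}

# Steps 2-3: walk every Ready environment and enable managed updates on the ones that fail.
eb_remediate_all() {
  local opts app env
  opts=$(eb_option_settings)   # validates LEVEL before any environment is touched
  aws elasticbeanstalk describe-environments \
    --query 'Environments[?Status==`Ready`].[ApplicationName,EnvironmentName]' --output text |
  while IFS="$(printf '\t')" read -r app env; do
    if [ "$(eb_audit "$(eb_dump_settings "$app" "$env")")" = PASS ]; then
      echo "PASS $app/$env"
      continue
    fi
    echo "FAIL $app/$env: enabling managed updates (level=$LEVEL window=$WINDOW)"
    # $opts is split on purpose: one Namespace=...,OptionName=...,Value=... per argument.
    aws elasticbeanstalk update-environment --application-name "$app" \
      --environment-name "$env" --option-settings $opts
  done
}

# Only touch AWS when run as "./eb2-remediate.sh apply"; sourcing just defines the functions.
if [ "${1:-}" = "apply" ]; then eb_remediate_all; fi
```

Run it as ./eb2-remediate.sh apply with credentials for the account under audit. Afterwards, aws elasticbeanstalk describe-environment-managed-actions --environment-name NAME lists the platform update Beanstalk has scheduled into the window, which is the check that the setting actually took. The same four Namespace/OptionName/Value triples go under option_settings in an .ebextensions config file for step 4.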

Remediation script · bash (the lesson's shared patching script: it covers RDS, Lambda and EKS and does not set Beanstalk managed actions, which the steps above handle)

# Enable auto minor version upgrade on every RDS instance that has it disabled.
for id in $(aws rds describe-db-instances \
    --query 'DBInstances[?AutoMinorVersionUpgrade==`false`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$id" \
    --auto-minor-version-upgrade --no-apply-immediately
done

# Move a deprecated Lambda function to a supported runtime.
aws lambda update-function-configuration --function-name auth-token-issuer \
  --runtime nodejs20.x

# Upgrade an out-of-support EKS control plane one minor version at a time (then catch up node groups).
aws eks update-cluster-version --name prod-payments --kubernetes-version 1.29

Full walkthrough (console steps, edge cases and verification) in the lesson Keep software and engines patched.

Part of the learning path Build in resilience