Compliance · Low severity

AWS Security Hub · ElasticBeanstalk

ElasticBeanstalk.3: Beanstalk logs are not streamed to CloudWatch

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub ElasticBeanstalk.3 check?

ElasticBeanstalk.3 fails when an Elastic Beanstalk environment does not stream its instance logs to CloudWatch Logs, that is, when StreamLogs is not set to true in the aws:elasticbeanstalk:cloudwatch:logs option namespace.

Why does ElasticBeanstalk.3 matter?

Beanstalk instances are ephemeral — they are replaced on deploys, scaling and health events, and their local log files vanish with them. If logs only live on the instance, the record of what happened before a crash or a security incident is gone the moment the instance is terminated. Streaming to CloudWatch puts the logs somewhere durable, centralised and queryable.

How do I fix ElasticBeanstalk.3?

  1. Inspect the environment's current logging option settings with describe-configuration-settings.
  2. Set StreamLogs to true, choose DeleteOnTerminate and a RetentionInDays value, then apply with update-environment.
  3. Grant the instance profile the CloudWatch Logs permissions it needs to push log events.
  4. Bake the option settings into .ebextensions so new environments stream logs by default.

Remediation script · bash

# .ebextensions/cloudwatch-logs.config — commit this so every new env is compliant.
cat > .ebextensions/cloudwatch-logs.config <<'EOF'
option_settings:
  aws:elasticbeanstalk:cloudwatch:logs:
    StreamLogs: true
    DeleteOnTerminate: false   # keep the log groups after the environment is terminated
    RetentionInDays: 90        # must be one of the retention values CloudWatch Logs accepts
EOF

# Or remediate an existing environment in place with one call.
aws elasticbeanstalk update-environment \
  --environment-name payments-prod \
  --option-settings \
    Namespace=aws:elasticbeanstalk:cloudwatch:logs,OptionName=StreamLogs,Value=true \
    Namespace=aws:elasticbeanstalk:cloudwatch:logs,OptionName=DeleteOnTerminate,Value=false \
    Namespace=aws:elasticbeanstalk:cloudwatch:logs,OptionName=RetentionInDays,Value=90

# Confirm the log groups now exist before closing the finding. They appear only once the
# updated instances start shipping logs, so wait for the environment to return to Ready.
aws logs describe-log-groups \
  --log-group-name-prefix /aws/elasticbeanstalk/payments-prod/ \
  --query 'logGroups[].[logGroupName,retentionInDays]' --output table
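The script above covers steps 2 and 4; steps 1 and 3 are the ones teams tend to skip. The following is an added example, not Emnode's code or any AWS tooling: it mirrors the control's pass/fail logic over the JSON that describe-configuration-settings returns, builds the option-settings payload for update-environment, simulates the update so the fix can be re-checked offline, and emits the instance-profile permissions for step 3. The sample response, the payments-prod environment name and the log-group ARN pattern in the policy are constructed or assumed; the IAM action names and the retention-value set are CloudWatch Logs' own.

```python
"""Offline model of ElasticBeanstalk.3: check, remediation payload, instance-profile policy.
Added example; works on the JSON shape `aws elasticbeanstalk describe-configuration-settings`
returns, so real output can be fed to evaluate(). The sample below is constructed."""
import json

NAMESPACE = "aws:elasticbeanstalk:cloudwatch:logs"

# CloudWatch Logs accepts only these retention values; anything else is rejected
# by PutRetentionPolicy, so validate before building the update.
VALID_RETENTION_DAYS = {1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400,
                        545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653}

# Constructed sample of describe-configuration-settings output for a non-compliant env.
SAMPLE_RESPONSE = {
    "ConfigurationSettings": [{
        "EnvironmentName": "payments-prod",
        "OptionSettings": [
            {"Namespace": NAMESPACE, "OptionName": "StreamLogs", "Value": "false"},
            {"Namespace": NAMESPACE, "OptionName": "DeleteOnTerminate", "Value": "true"},
            {"Namespace": NAMESPACE, "OptionName": "RetentionInDays", "Value": "7"},
            {"Namespace": "aws:autoscaling:launchconfiguration",
             "OptionName": "IamInstanceProfile", "Value": "aws-elasticbeanstalk-ec2-role"},
        ],
    }],
}


def logging_options(response):
    """Step 1: pull the cloudwatch:logs options out of the CLI response as a dict."""
    settings = response["ConfigurationSettings"][0]["OptionSettings"]
    return {s["OptionName"]: s["Value"] for s in settings if s["Namespace"] == NAMESPACE}


def evaluate(response):
    """Mirror the control: FAILED unless StreamLogs is true. The advisories are not part
    of ElasticBeanstalk.3 but decide whether the logs still exist when you need them."""
    opts = logging_options(response)
    streaming = opts.get("StreamLogs", "false").lower() == "true"
    advisories = []
    if opts.get("DeleteOnTerminate", "false").lower() == "true":
        advisories.append("DeleteOnTerminate=true: log groups are deleted with the environment")
    retention = int(opts.get("RetentionInDays", "7"))   # Beanstalk's default is 7 days
    if retention < 90:
        advisories.append(f"RetentionInDays={retention}: below the 90-day baseline")
    return {"status": "PASSED" if streaming else "FAILED", "advisories": advisories}


def remediation_option_settings(retention_days=90, delete_on_terminate=False):
    """Step 2: the --option-settings payload (JSON form) for update-environment."""
    if retention_days not in VALID_RETENTION_DAYS:
        raise ValueError(f"{retention_days} is not a retention value CloudWatch Logs accepts")
    return [
        {"Namespace": NAMESPACE, "OptionName": "StreamLogs", "Value": "true"},
        {"Namespace": NAMESPACE, "OptionName": "DeleteOnTerminate",
         "Value": "true" if delete_on_terminate else "false"},
        {"Namespace": NAMESPACE, "OptionName": "RetentionInDays", "Value": str(retention_days)},
    ]


def apply_remediation(response, **kwargs):
    """Pure simulation of the update: returns a copy of the response as it would read
    after update-environment, so the fix can be re-evaluated without touching AWS."""
    new = json.loads(json.dumps(response))                       # deep copy
    settings = new["ConfigurationSettings"][0]["OptionSettings"]
    fixes = {s["OptionName"]: s for s in remediation_option_settings(**kwargs)}
    for s in settings:
        if s["Namespace"] == NAMESPACE and s["OptionName"] in fixes:
            s["Value"] = fixes.pop(s["OptionName"])["Value"]
    settings.extend(fixes.values())                              # options not set before
    return new


def instance_profile_logs_policy(region="*", account_id="*"):
    """Step 3: policy for the instance profile. Actions are what the log agent needs;
    the ARN pattern (assumption) scopes writes to Beanstalk's /aws/elasticbeanstalk/ groups.
    DescribeLogGroups is not resource-scoped, so it gets its own statement on '*'."""
    group = f"arn:aws:logs:{region}:{account_id}:log-group:/aws/elasticbeanstalk/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
                    "logs:DescribeLogStreams", "logs:PutRetentionPolicy"],
         "Resource": [group, group + ":log-stream:*"]},
        {"Effect": "Allow", "Action": ["logs:DescribeLogGroups"], "Resource": "*"},
    ]}


if __name__ == "__main__":
    print(evaluate(SAMPLE_RESPONSE))
    print(evaluate(apply_remediation(SAMPLE_RESPONSE)))
    print(json.dumps(remediation_option_settings(), indent=2))
```

To run it against a real environment, save the output of `aws elasticbeanstalk describe-configuration-settings --application-name <app> --environment-name payments-prod` to a file, `json.load` it and pass the dict to `evaluate()`; the list returned by `remediation_option_settings()` can be written to a file and passed to `update-environment --option-settings file://...`, which is the JSON equivalent of the shorthand used in the script above.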

Full walkthrough (console steps, edge cases and verification) in the lesson Stream Elastic Beanstalk logs to CloudWatch.