Security best practices for Elastic Beanstalk - Amazon Elastic Beanstalk
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security best practices for Elastic Beanstalk

Amazon Elastic Beanstalk provides several security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations, not prescriptions.

For other Elastic Beanstalk security topics, see Amazon Elastic Beanstalk security.

Preventive security best practices

Preventive security controls attempt to prevent incidents before they occur.

Implement least privilege access

Elastic Beanstalk provides Amazon Identity and Access Management (IAM) managed policies for instance profiles, service roles, and IAM users. These managed policies specify all permissions that might be necessary for the correct operation of your environment and application.

Your application might not require all the permissions in our managed policies. You can customize them and grant only the permissions that are required for your environment's instances, the Elastic Beanstalk service, and your users to perform their tasks. This is particularly relevant to user policies, where different user roles might have different permission needs. Implementing least privilege access is fundamental in reducing security risk and the impact that could result from errors or malicious intent.

Update your platforms regularly

Elastic Beanstalk regularly releases new platform versions to update all of its platforms. New platform versions provide operating system, runtime, application server, and web server updates, and updates to Elastic Beanstalk components. Many of these platform updates include important security fixes. Ensure that your Elastic Beanstalk environments are running on a supported platform version (typically the latest version for your platform). For details, see Updating your Elastic Beanstalk environment's platform version.

The easiest way to keep your environment's platform up to date is to configure the environment to use managed platform updates.

Enforce IMDSv2 on environment instances

Amazon Elastic Compute Cloud (Amazon EC2) instances in your Elastic Beanstalk environments use the instance metadata service (IMDS), an on-instance component, to securely access instance metadata. IMDS supports two methods for accessing data: IMDSv1 and IMDSv2. IMDSv2 uses session-oriented requests and mitigates several types of vulnerabilities that could be used to try to access the IMDS. For details about the advantages of IMDSv2, see enhancements to add defense in depth to the EC2 Instance Metadata Service.

IMDSv2 is more secure, so it's a good idea to enforce the use of IMDSv2 on your instances. To enforce IMDSv2, ensure that all components of your application support IMDSv2, and then disable IMDSv1. For more information, see Configuring the instance metadata service on your environment's instances.

Detective security best practices

Detective security controls identify security violations after they have occurred. They can help you detect a potential security threat or incident.

Implement monitoring

Monitoring is an important part of maintaining the reliability, security, availability, and performance of your Elastic Beanstalk solutions. Amazon provides several tools and services to help you monitor your Amazon services.

The following are some examples of items to monitor:

Enable Amazon Config

Amazon Config provides a detailed view of the configuration of Amazon resources in your account. You can see how resources are related, get a history of configuration changes, and see how relationships and configurations change over time.

You can use Amazon Config to define rules that evaluate resource configurations for data compliance. Amazon Config rules represent the ideal configuration settings for your Elastic Beanstalk resources. If a resource violates a rule and is flagged as noncompliant, Amazon Config can alert you using an Amazon Simple Notification Service (Amazon SNS) topic. For details, see Finding and tracking Elastic Beanstalk resources with Amazon Config.