chore(aws): enhance metadata for elasticbeanstalk service (#8934)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
Co-authored-by: Sergio Garcia <hello@mistercloudsec.com>

Author: 3 people

prowler/CHANGELOG.md

@@ -19,7 +19,14 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS CloudWatch service metadata to new format [(#8848)](https://github.com/prowler-cloud/prowler/pull/8848)
 - Update AWS EMR service metadata to new format [(#9002)](https://github.com/prowler-cloud/prowler/pull/9002)
 - Update AWS EKS service metadata to new format [(#8890)](https://github.com/prowler-cloud/prowler/pull/8890)
+- Update AWS Elastic Beanstalk service metadata to new format [(#8934)](https://github.com/prowler-cloud/prowler/pull/8934)
 - Update AWS ElastiCache service metadata to new format [(#8933)](https://github.com/prowler-cloud/prowler/pull/8933)
+- Update AWS EFS service metadata to new format [(#8889)](https://github.com/prowler-cloud/prowler/pull/8889)
+- Update AWS EventBridge service metadata to new format [(#9003)](https://github.com/prowler-cloud/prowler/pull/9003)
+- Update AWS Firehose service metadata to new format [(#9004)](https://github.com/prowler-cloud/prowler/pull/9004)
+- Update AWS FMS service metadata to new format [(#9005)](https://github.com/prowler-cloud/prowler/pull/9005)
+- Update AWS FSx service metadata to new format [(#9006)](https://github.com/prowler-cloud/prowler/pull/9006)
+- Update AWS Glacier service metadata to new format [(#9007)](https://github.com/prowler-cloud/prowler/pull/9007)
 
 ---
 
@@ -75,12 +82,6 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS Directory Service service metadata to new format [(#8859)](https://github.com/prowler-cloud/prowler/pull/8859)
 - Update AWS CloudFront service metadata to new format [(#8829)](https://github.com/prowler-cloud/prowler/pull/8829)
 - Deprecate user authentication for M365 provider [(#8865)](https://github.com/prowler-cloud/prowler/pull/8865)
-- Update AWS EFS service metadata to new format [(#8889)](https://github.com/prowler-cloud/prowler/pull/8889)
-- Update AWS EventBridge service metadata to new format [(#9003)](https://github.com/prowler-cloud/prowler/pull/9003)
-- Update AWS Firehose service metadata to new format [(#9004)](https://github.com/prowler-cloud/prowler/pull/9004)
-- Update AWS FMS service metadata to new format [(#9005)](https://github.com/prowler-cloud/prowler/pull/9005)
-- Update AWS FSx service metadata to new format [(#9006)](https://github.com/prowler-cloud/prowler/pull/9006)
-- Update AWS Glacier service metadata to new format [(#9007)](https://github.com/prowler-cloud/prowler/pull/9007)
 
 
 ### Fixed

prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_cloudwatch_logging_enabled/elasticbeanstalk_environment_cloudwatch_logging_enabled.metadata.json

@@ -1,28 +1,34 @@
 {
   "Provider": "aws",
   "CheckID": "elasticbeanstalk_environment_cloudwatch_logging_enabled",
-  "CheckTitle": "Elastic Beanstalk environment should stream logs to CloudWatch",
+  "CheckTitle": "Elastic Beanstalk environment streams logs to CloudWatch Logs",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
+    "TTPs/Defense Evasion"
   ],
   "ServiceName": "elasticbeanstalk",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:elasticbeanstalk:{region}:{account-id}:environment/{environment-id}",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AwsElasticBeanstalkEnvironment",
-  "Description": "This control checks whether an Elastic Beanstalk environment is configured to send logs to CloudWatch Logs. The control fails if an Elastic Beanstalk environment isn't configured to send logs to CloudWatch Logs.",
-  "Risk": "Without log streaming to CloudWatch, it becomes difficult to monitor and troubleshoot your Elastic Beanstalk environments, which can lead to missed events or security incidents.",
-  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/elastic-beanstalk-logs-to-cloudwatch.html",
+  "Description": "**Elastic Beanstalk environments** are configured to stream instance and proxy logs to **Amazon CloudWatch Logs** via the `StreamLogs` setting",
+  "Risk": "Without **centralized logging** to CloudWatch, logs may be lost during rotation or instance termination, delaying detection and response. Attackers can delete local logs to evade audits, hiding evidence of web attacks or config tampering and undermining **confidentiality**, **integrity**, and **availability**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.cloudwatchlogs.html",
+    "https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-logging.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticbeanstalk-controls.html#elasticbeanstalk-3"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws elasticbeanstalk update-environment --environment-id <environment-id> --option-settings Namespace=aws:elasticbeanstalk:environment:proxy:logging,OptionName=StreamLogs,Value=true",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticbeanstalk-controls.html#elasticbeanstalk-3",
-      "Terraform": ""
+      "CLI": "aws elasticbeanstalk update-environment --environment-name <example_resource_name> --option-settings Namespace=aws:elasticbeanstalk:cloudwatch:logs,OptionName=StreamLogs,Value=true",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::ElasticBeanstalk::Environment\n    Properties:\n      ApplicationName: \"<example_resource_name>\"\n      PlatformArn: \"<platform_arn>\"\n      OptionSettings:\n        - Namespace: aws:elasticbeanstalk:cloudwatch:logs\n          OptionName: StreamLogs\n          Value: \"true\"  # Critical: Enables instance log streaming to CloudWatch Logs\n```",
+      "Other": "1. Open the AWS Elastic Beanstalk console and select your environment\n2. Go to Configuration > Updates, monitoring, and logging > Edit\n3. Under \"Instance log streaming to CloudWatch Logs\", set Log streaming to Activated\n4. Click Apply to save",
+      "Terraform": "```hcl\nresource \"aws_elastic_beanstalk_environment\" \"<example_resource_name>\" {\n  name         = \"<example_resource_name>\"\n  application  = \"<example_resource_name>\"\n  platform_arn = \"<platform_arn>\"\n\n  # Critical: Enables instance log streaming to CloudWatch Logs\n  setting {\n    namespace = \"aws:elasticbeanstalk:cloudwatch:logs\"\n    name      = \"StreamLogs\"\n    value     = \"true\"\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable log streaming to CloudWatch for your Elastic Beanstalk environment to monitor and retain logs.",
-      "Url": "https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.cloudwatchlogs.html#AWSHowTo.cloudwatchlogs.streaming"
+      "Text": "Enable streaming to **CloudWatch Logs**. Set sensible retention, avoid deletion on termination, and restrict access with least-privilege IAM. Add metric filters and alerts for early detection, and retain archives to support **forensics**, **accountability**, and **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/elasticbeanstalk_environment_cloudwatch_logging_enabled"
     }
   },
   "Categories": [

prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.metadata.json

@@ -1,28 +1,33 @@
 {
   "Provider": "aws",
   "CheckID": "elasticbeanstalk_environment_enhanced_health_reporting",
-  "CheckTitle": "Elastic Beanstalk environments should have enhanced health reporting enabled",
+  "CheckTitle": "Elastic Beanstalk environment has enhanced health reporting enabled",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis"
   ],
   "ServiceName": "elasticbeanstalk",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:elasticbeanstalk:{region}:{account-id}:environment/{environment-id}",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "AwsElasticBeanstalkEnvironment",
-  "Description": "This control checks whether enhanced health reporting is enabled for your AWS Elastic Beanstalk environments.",
-  "Risk": "Without enhanced health reporting, you may face delays in detecting and responding to issues in your Elastic Beanstalk environment, affecting application availability and performance.",
-  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/beanstalk-enhanced-health-reporting-enabled.html",
+  "Description": "**Elastic Beanstalk environments** have health reporting set to `enhanced` instead of basic.",
+  "Risk": "Without **enhanced health**, issues are detected late, raising MTTR and enabling **service outages**. Hidden instance failures or bad deployments can create uneven fleets, degrading **availability** and potentially **integrity** (serving stale versions), while error spikes and thrash increase operational cost.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/health-enhanced-enable.html#health-enhanced-enable-console",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticbeanstalk-controls.html#elasticbeanstalk-1"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws elasticbeanstalk update-environment --environment-id <environment-id> --option-settings Namespace=aws:elasticbeanstalk:healthreporting:system,OptionName=EnhancedHealthReporting,Value=enabled",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticbeanstalk-controls.html#elasticbeanstalk-1",
-      "Terraform": ""
+      "CLI": "aws elasticbeanstalk update-environment --environment-name <environment-name> --option-settings Namespace=aws:elasticbeanstalk:healthreporting:system,OptionName=SystemType,Value=enhanced",
+      "NativeIaC": "```yaml\n# CloudFormation: enable enhanced health reporting for an Elastic Beanstalk environment\nResources:\n  <example_resource_name>:\n    Type: AWS::ElasticBeanstalk::Environment\n    Properties:\n      ApplicationName: <example_resource_name>\n      EnvironmentName: <example_resource_name>\n      SolutionStackName: <example_solution_stack>\n      OptionSettings:\n        - Namespace: aws:elasticbeanstalk:healthreporting:system\n          OptionName: SystemType  # Critical: selects the enhanced health reporting system\n          Value: enhanced          # Critical: sets health reporting to enhanced\n```",
+      "Other": "1. Open the AWS Elastic Beanstalk console and select your Region\n2. Go to Environments and choose your environment\n3. Select Configuration > Monitoring > Edit\n4. Under Health reporting, set System to Enhanced\n5. Click Apply to save the change",
+      "Terraform": "```hcl\n# Terraform: enable enhanced health reporting for an Elastic Beanstalk environment\nresource \"aws_elastic_beanstalk_environment\" \"<example_resource_name>\" {\n  name                = \"<example_resource_name>\"\n  application         = \"<example_resource_name>\"\n  solution_stack_name = \"<example_solution_stack>\"\n\n  setting {\n    namespace = \"aws:elasticbeanstalk:healthreporting:system\"\n    name      = \"SystemType\"  # Critical: selects the enhanced health reporting system\n    value     = \"enhanced\"    # Critical: sets health reporting to enhanced\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable enhanced health reporting in your Elastic Beanstalk environments for better monitoring and faster issue detection.",
-      "Url": "https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/health-enhanced-enable.html#health-enhanced-enable-console"
+      "Text": "Set health reporting to `enhanced` for all environments and make it a security baseline. Connect health signals to alerts for rapid response. Apply **least privilege** to required roles and use **defense in depth** with auto-healing, alarms, and runbooks to prevent prolonged degradation.",
+      "Url": "https://hub.prowler.com/check/elasticbeanstalk_environment_enhanced_health_reporting"
     }
   },
   "Categories": [

prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_managed_updates_enabled/elasticbeanstalk_environment_managed_updates_enabled.metadata.json

@@ -1,28 +1,34 @@
 {
   "Provider": "aws",
   "CheckID": "elasticbeanstalk_environment_managed_updates_enabled",
-  "CheckTitle": "Elastic Beanstalk managed platform updates should be enabled",
+  "CheckTitle": "Elastic Beanstalk environment has managed platform updates enabled",
   "CheckType": [
+    "Software and Configuration Checks/Patch Management",
     "Software and Configuration Checks/AWS Security Best Practices"
   ],
   "ServiceName": "elasticbeanstalk",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:elasticbeanstalk:{region}:{account-id}:environment/{environment-id}",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AwsElasticBeanstalkEnvironment",
-  "Description": "This control checks whether managed platform updates are enabled for an Elastic Beanstalk environment. The control fails if no managed platform updates are enabled.",
-  "Risk": "If managed platform updates are not enabled, the environment might miss critical security patches and updates, which can expose it to vulnerabilities.",
-  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/elastic-beanstalk-managed-updates-enabled.html",
+  "Description": "**Elastic Beanstalk environments** with **managed platform updates** enabled (`ManagedActionsEnabled: true`) automatically apply platform patch/minor updates during a scheduled maintenance window.",
+  "Risk": "Without automatic platform updates, environments may run **vulnerable OS/runtime versions**, enabling exploitation of known CVEs, RCE, or privilege escalation.\n\nPatch drift also increases instability, harming **availability** and undermining application **integrity**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticbeanstalk-controls.html#elasticbeanstalk-2",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ElasticBeanstalk/managed-platform-updates.html",
+    "https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environment-platform-update-managed.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws elasticbeanstalk update-environment --environment-id <environment-id> --option-settings Namespace=aws:elasticbeanstalk:environment:ManagedActions,OptionName=ManagedActionsEnabled,Value=true",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticbeanstalk-controls.html#elasticbeanstalk-2",
-      "Terraform": ""
+      "CLI": "aws elasticbeanstalk update-environment --environment-name <environment-name> --option-settings Namespace=aws:elasticbeanstalk:managedactions,OptionName=ManagedActionsEnabled,Value=true",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::ElasticBeanstalk::Environment\n    Properties:\n      ApplicationName: <example_resource_name>\n      SolutionStackName: <example_resource_name>\n      OptionSettings:\n        - Namespace: aws:elasticbeanstalk:managedactions\n          OptionName: ManagedActionsEnabled  # Critical: enables managed platform updates\n          Value: \"true\"                      # Critical: set to true to pass the check\n```",
+      "Other": "1. Open the AWS Management Console and go to Elastic Beanstalk\n2. Select your environment\n3. Choose Configuration\n4. In Managed updates, click Edit\n5. Turn Managed updates to Enabled\n6. Click Apply/Save",
+      "Terraform": "```hcl\nresource \"aws_elastic_beanstalk_environment\" \"<example_resource_name>\" {\n  name                = \"<example_resource_name>\"\n  application         = \"<example_resource_name>\"\n  solution_stack_name = \"<example_resource_name>\"\n\n  setting {\n    namespace = \"aws:elasticbeanstalk:managedactions\"\n    name      = \"ManagedActionsEnabled\"   # Critical: enables managed platform updates\n    value     = \"true\"                    # Critical: set to true to pass the check\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable managed platform updates for your Elastic Beanstalk environment to ensure the latest security patches and updates are applied.",
-      "Url": "https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environment-platform-update-managed.html"
+      "Text": "Enable **managed platform updates** with a set maintenance window and choose an update level (`patch` or `minor`). Ensure **enhanced health** is on and the update role follows **least privilege**. Validate in staging, roll out gradually, and stagger windows across environments to strengthen **defense in depth** and resilience.",
+      "Url": "https://hub.prowler.com/check/elasticbeanstalk_environment_managed_updates_enabled"
     }
   },
   "Categories": [